Commit Graph

6212 Commits

Author SHA1 Message Date
Mark Andrews
3ec77a2f92 Use key tag ranges when generating multisigner keys
(cherry picked from commit 266530d473)
2024-08-23 08:05:16 +10:00
Mark Andrews
6e51d5b04b Check that dnssec-keygen honours key tag ranges
(cherry picked from commit d165466125)
2024-08-23 08:05:16 +10:00
Mark Andrews
4c980c2a51 Add good dnssec-policy tag-range variants test examples
(cherry picked from commit e7decd7a65)
2024-08-23 08:05:16 +10:00
Matthijs Mekking
b7bc6abdfe Adjust kasp system test to get keys which signed
If there is a keytag conflict between keys with different algorithms,
we need to supply what key algorithm is used so we can get the right
public key.

For clarity, print the algorithm on the found keys after 'check_keys'.

(cherry picked from commit 7bb6d82505)
2024-08-22 12:58:00 +00:00
Matthijs Mekking
908bf753f9 Test rndc skr import
Test importing a Signed Key Response. Files should be loaded and once
loaded the correct bundle should be used. Alsoe test cases where the
bundle is not the first bundle in the SKR.

(cherry picked from commit afe093258c)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
0fd246ac26 Add option to kasp.sh check_keys to retain found keys
This will come in handy when we are testing offline-ksk where first
we check for ZSKs and then the KSK.

(cherry picked from commit ecd2b79106)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
1813b7877c Add a common setup script for ksr
The previous setup.sh has been moved to ns1/setup.sh, we need a common
setup script to invoke ns1/setup.sh.

(cherry picked from commit 748d98e387)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
ad7366853e Update ksr system test to include server
Prepare the system test for tests that require a server to import
created SKR files. This means the test script needs adjustments to
take into account the directory test files are located.

In addition, the check_keys function is renamed to ksr_check_keys
because the name clashes with check_keys from kasp.sh. It also has an
extra parameter added, offset, that can be used to check ksr files that
are created in the past or future.

(cherry picked from commit 367154c1de)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
40bd74b182 Add offline-ksk option
Add a new configuration option to enable Offline KSK key management.

Offline KSK cannot work with CSK because it splits how keys with the
KSK and ZSK role operate. Therefore, one key cannot have both roles.
Add a configuration check to ensure this.

(cherry picked from commit 0598381236)
2024-08-22 10:17:08 +00:00
Nicki Křížek
ac11357466 Merge tag 'v9.20.1' into bind-9.20 2024-08-21 16:32:33 +02:00
Nicki Křížek
441209dd91 Allow rerun of unstable statschannel tests under TSAN
The test_traffic_json and test_traffic_xml occasionally fail when
running under TSAN. This happens in CI and is most likely a result of
some instability that doesn't seem to be easily reproduced.

(cherry picked from commit ec2fc7680a)
2024-08-19 14:14:47 +00:00
Ondřej Surý
f1405af84c Add missing fclose() when applying updates failed (rpz/testlib)
In rpz system tests, we could leak file if the applying the updates has
failed.  Add the missing fclose() before returning.

(cherry picked from commit 2855ec8f5f)
2024-08-19 11:51:28 +00:00
Nicki Křížek
1706c571b3 Use python3 in shebang lines for util scripts
Some distributions (notably, debian bookworm) have deprecated the
`python` interpreter in favor of `python3`. Since our scripts are
python3 anyway, use the proper numbered version in shebang to make
scripts easily executable.

(cherry picked from commit 480dcdef9a)
2024-08-14 15:43:34 +00:00
Aram Sargsyan
0cdbdeaeb2 Test that 'rndc reconfig' reconfigures catz member zones
Catalog zone member zones should be reconfigured as all the other
zones during a reconfiguration. Test it by checking whether the newly
added allow-query setting affects a member zone.

(cherry picked from commit cd04b89dba85781c194f22ce6fe358c972a14758)
2024-08-13 16:57:50 +02:00
Ondřej Surý
85d9311afe Add fetches-per-zone 40 to qmin/ns5 configuration
The simple change causes assertion failure fixed in the previous commit.

(cherry picked from commit c2c9d8f01b)
2024-08-13 16:08:12 +02:00
Evan Hunt
053e01b9f0 implement 'max-query-restarts'
implement, document, and test the 'max-query-restarts' option
which specifies the query restart limit - the number of times
we can follow CNAMEs before terminating resolution.

(cherry picked from commit 104f3b82fb)
2024-08-07 21:12:34 +00:00
Evan Hunt
5e1e33da6f reduce the max-recursion-queries default to 32
the number of iterative queries that can be sent to resolve a
name now defaults to 32 rather than 100.

(cherry picked from commit 7e3b425dc2)
2024-08-07 21:12:34 +00:00
Evan Hunt
be3b660e54 reduce MAX_RESTARTS to 11
the number of steps that can be followed in a CNAME chain
before terminating the lookup has been reduced from 16 to 11.
(this is a hard-coded value, but will be made configurable later.)

(cherry picked from commit 05d78671bb)
2024-08-07 21:12:34 +00:00
Nicki Křížek
4d2239d169 Make hypothesis optional for system tests
Ensure that system tests can be executed without Python hypothesis
package.

(cherry picked from commit e6a7695600)
2024-08-07 12:10:35 +00:00
Nicki Křížek
dbe059c545 Initialize all environment variables when running isctest
Ensure all the variables are initialized when running the main function
of isctest module. This enables proper environment variables during test
script development when only conf.sh is sourced, rather than the script
being executed by the pytest runner.

(cherry picked from commit d7ace928b5)
2024-08-05 17:54:11 +02:00
Tom Krizek
257730f30b Replace testcrypto.sh invocations in tests
Use the provided environment variables instead.

(cherry picked from commit fc84bf80e4)
2024-08-05 17:54:11 +02:00
Tom Krizek
87a45f4646 Rewrite testcrypto.sh into python
Run the crypto support checks when initializing the isctest package and
save those results in environment variable. This removes the need to
repeatedly check for crypto operation support, as it's not something
that would change at test runtime.

(cherry picked from commit 25cb39b7fc)
2024-08-05 17:54:10 +02:00
Tom Krizek
9f97452b5d Move test algorithm configuration to isctest
Instead of invoking get_algorithms.py script repeatedly (which may yield
different results), move the algorithm configuration to an isctest
module. This ensures the variables are consistent across the entire test
run.

(cherry picked from commit 8302db407c)
2024-08-05 17:54:09 +02:00
Ondřej Surý
ac170e8c5b Add a system test that sends TSIG with bad time
Add a system test that sets TSIG fudge to 0, waits three seconds and
then sends signed message to the server.  This tests the path where the
time difference between the client and the server is outside of the TSIG
fudge value.

(cherry picked from commit 8def0c3b12)
2024-08-05 11:11:40 +00:00
Ondřej Surý
cf77491a5d Use LC_ALL to override all system locales
The system tests were overriding the local locale by setting LANG to C.
This does not override the locale in case there are individual LC_<*>
variables like LC_CTYPE explicitly set.

Use LC_ALL=C instead which is the proper way of overriding all currently
set locales.

(cherry picked from commit 10147efc87)
2024-08-05 07:34:20 +00:00
Mark Andrews
c2d2fffec2 Reset 'ret' to zero at start of tests
(cherry picked from commit 2dc2abd00d)
2024-08-02 03:01:43 +00:00
Aram Sargsyan
3e7689fc23 Test shorter resolver-query-timeout configuration
Add two new checks which test the shorter than usual
resolver-query-timeout configuration.

(cherry picked from commit d6a79cce53)
2024-08-01 19:23:06 +00:00
Aram Sargsyan
28cd7bc666 Test rndc retransfer -force
Use a big zone and the slow transfer mode. Initiate a retransfer, wait
several seconds, then initiate a retransfer using a '-force' argument,
which should cancel the previous transfer and start a new one.

(cherry picked from commit e48f4e8101)
2024-08-01 17:04:27 +00:00
Mark Andrews
c55d89f9d1 check 'update-policy 6to4-self' over IPv6
(cherry picked from commit 3b0de4773b)
2024-08-01 06:41:47 +00:00
Mark Andrews
c92b05c0e2 check 'update-policy 6to4-self' over IPv4
(cherry picked from commit b28e5ff721)
2024-08-01 06:41:47 +00:00
Mark Andrews
eb7d784544 Test that false positive "success resolving" is not logged
(cherry picked from commit 111e285214)
2024-08-01 05:24:00 +00:00
Mark Andrews
b91eb0e524 Test yaml output with yaml specials
(cherry picked from commit fadf461761)
2024-08-01 03:48:08 +00:00
Mark Andrews
dde9523b2b resolver system test didn't record all failures
(cherry picked from commit 5843b29f47)
2024-08-01 02:36:16 +00:00
Mark Andrews
99701a9a36 Check invalid alpn empty value
(cherry picked from commit fa35c67301)
2024-08-01 01:10:48 +00:00
Mark Andrews
3b35a18dac Check invalid alpn produced due to missing double escapes
(cherry picked from commit a49b2a3568)
2024-08-01 01:10:48 +00:00
Aram Sargsyan
b6372216ba Update the chain test
Update the CNAME chain test to correspond to the changed behavior,
because now named returns SERVFAIL when hitting the maximum query
restarts limit (e.g. happening when following a long CNAME chain).

In the current test auth will hit the limit and return partial data
with a SERVFAIL code, while the resolver will return no data with
a SERVFAIL code after auth returns SERVFAIL to it.

(cherry picked from commit 7751c7eca6)
2024-07-31 11:55:35 +00:00
Aram Sargsyan
21cdd8ed5b Test that a long CNAME chain causes SERVFAIL
Also check that the expected partial answer in returned too.

(cherry picked from commit 580f872fe1)
2024-07-31 11:55:35 +00:00
Mark Andrews
5b7134c9d5 Disable post zone verification for manykeys
As the expiration time is now+1 the RRSIG records may expire before
the verification step happens.

(cherry picked from commit 0d69afd764)
2024-07-31 04:47:33 +00:00
Matthijs Mekking
9be1126cd2 Fix intermittent test failure dnssec system test
The updatecheck-kskonly.secure zone is being used to test dynamic
updates while the KSK is offline. It ensures that the DNSKEY RRset
will retain the RRSIG record, while the updated data is being signed
with the currently active ZSK.

When walking through ZSK rollovers, ensure that the newest ZSK (ZSK3)
is published before doing the dynamic update, preventing timing
related test failures.

Also fix the test log line ($ZSK_ID3 was not yet created at the time
of logging).

(cherry picked from commit e874632488)
2024-07-30 12:06:16 +00:00
Matthijs Mekking
b489e267d4 No longer update key lifetime if key is retired
The key lifetime should no longer be adjusted if the key is being
retired earlier, for example because a manual rollover was started.

This would falsely be seen as a dnssec-policy lifetime reconfiguration,
and would adjust the retire/removed time again.

This also means we should update the status output, and the next
rollover scheduled is now calculated using (retire-active) instead of
key lifetime.

(cherry picked from commit 129973ebb0)
2024-07-30 10:22:48 +00:00
Matthijs Mekking
671414ba42 Test updating dnssec-policy key lifetime
Check if the key lifetime is updated in the key files. Make sure the
inactive and removed timing metadata are adjusted accordingly.

(cherry picked from commit 2237895bb4)
2024-07-30 10:22:48 +00:00
Matthijs Mekking
1da982e6d0 Move dnssec-policy to kasp-fips.conf.in
All dnssec-policy configurations are here, so why not this one?

(cherry picked from commit 93326e3e18)
2024-07-30 10:22:48 +00:00
Ondřej Surý
4089f4e2c3 Add more tests for adding many RR types to the database
More reclimit tests that test various scenarios adding combinations of
priority and non-priority RR types into the database.
2024-07-01 12:49:02 +02:00
Ondřej Surý
58f660cf2b Make the resolver qtype ANY test order agnostic
Instead of relying on a specific order of the RR types in the databases
pick the first RR type as returned from the cache.
2024-07-01 12:47:30 +02:00
Aram Sargsyan
a2b61c0a65 Test that named checks maximum two keys for SIG(0)-signed messages
Send three updates with three different keys, and expect that one
of them should fail.

Also retain more artifacts for neighboring nsupdate calls.
2024-06-10 17:35:39 +02:00
Aram Sargsyan
c7f79a0353 Add a quota for SIG(0) signature checks
In order to protect from a malicious DNS client that sends many
queries with a SIG(0)-signed message, add a quota of simultaneously
running SIG(0) checks.

This protection can only help when named is using more than one worker
threads. For example, if named is running with the '-n 4' option, and
'sig0checks-quota 2;' is used, then named will make sure to not use
more than 2 workers for the SIG(0) signature checks in parallel, thus
leaving the other workers to serve the remaining clients which do not
use SIG(0)-signed messages.

That limitation is going to change when SIG(0) signature checks are
offloaded to "slow" threads in a future commit.

The 'sig0checks-quota-exempt' ACL option can be used to exempt certain
clients from the quota requirements using their IP or network addresses.

The 'sig0checks-quota-maxwait-ms' option is used to define a maximum
amount of time for named to wait for a quota to appear. If during that
time no new quota becomes available, named will answer to the client
with DNS_R_REFUSED.
2024-06-10 17:33:08 +02:00
Matthijs Mekking
4e46453035 Add new test cases with DNSSEC signing
kasp-max-types-per-name (named2.conf.in):
An unsigned zone with RR type count on a name right below the
configured limit. Then sign the zone using KASP. Adding a RRSIG would
push it over the RR type limit per name. Signing should fail, but
the server should not crash, nor end up in infinite resign-attempt loop.

kasp-max-records-per-type-dnskey (named1.conf.in):
Test with low max-record-per-rrset limit and a DNSSEC policy requiring
more than the limit. Signing should fail.

kasp-max-types-per-name (named1.conf.in):
Each RRSIG(covered type) is counted as an individual RR type. Test the
corner case where a signed zone, which is just below the limit-1,
adds a new type - doing so would trigger signing for the new type and
thus increase the number of "types" by 2, pushing it over the limit
again.
2024-06-10 16:55:11 +02:00
Matthijs Mekking
15ecd2cce6 Check if restart works 2024-06-10 16:55:11 +02:00
Matthijs Mekking
ef9d5cf552 Switch to inline-signing no 2024-06-10 16:55:11 +02:00
Matthijs Mekking
6297e0d7a9 Add test cases that use DNSSEC signing
Add two new masterformat tests that use signing. In the case of
'under-limit-kasp', the signing will keep the number of records in the
RRset under the limit. In the case of 'on-limit-kasp', the signing
will push the number of records in the RRset over the limit, because
of the added RRSIG record.
2024-06-10 16:55:11 +02:00