Commit Graph

10168 Commits

Author SHA1 Message Date
Evan Hunt
43df2f3aba Make mdig use the OS-supplied ephemeral port range
mdig was always using the default 1024-65535 range for outgoing
messages, instead of using the system's configured ephemeral ports.

(cherry picked from commit 0fecb10c17)
2021-11-17 14:46:32 -08:00
Mark Andrews
1a94a31484 Embed NAMED_SYSCONFDIR contents in the bind.keys comment
(cherry picked from commit 1d7b1f74c9)
2021-11-17 08:46:07 +11:00
Mark Andrews
4ad84547c5 Update comments around built in trust anchors
The comments now say "# BEGIN TRUST ANCHORS" and "# END TRUST ANCHORS".

(cherry picked from commit 43a7f3f532)
2021-11-17 08:46:07 +11:00
Mark Andrews
c28478e0ee Replace incorrect sed expersion with awk
The sed expression could find the wrong instance of 10.
Use awk to replace the TTL field and also to specify the
server and issue the send command.

(cherry picked from commit be879cda72)
2021-11-10 12:51:03 +11:00
Petr Špaček
f3838f76ac Fix system test .status file cleanup
(cherry picked from commit 6495e59a4c)
2021-11-09 13:13:56 +01:00
Petr Špaček
602683d081 Add new system test for wildcard expansion
This is almost minimal prototype to show how to use python-hypothesis
library in a system test. It does not fully replace existing shell-based
system test for wildcards.

(cherry picked from commit 49da19c353)
2021-11-09 13:13:56 +01:00
Ondřej Surý
0ac270dff2 Disable lame-ttl cache
The lame-ttl cache is implemented in ADB as per-server locked
linked-list "indexed" with <qname,qtype>.  This list has to be walked
every time there's a new query or new record added into the lame cache.
Determined attacker can use this to degrade performance of the resolver.

Resolver testing has shown that disabling the lame cache has little
impact on the resolver performance and it's a minimal viable defense
against this kind of attack.
2021-10-28 12:22:33 +02:00
Evan Hunt
9c834a99a4 Fix statistics test error
The statistics system test sometimes needs a pause to wait for the
expected stats to be reported.

Also, the test for priming queries was ineffective; the result of
the grep was not being checked.

(cherry picked from commit c167feb1dc)
2021-10-27 12:56:51 -07:00
Evan Hunt
0085a8205f Fix cds test error
The margin of error (up to 2 seconds) allowed for the inception time
in the cds system test was a bit too small, and has been increased to 3
seconds.

(cherry picked from commit 3ecaccb961)
2021-10-27 12:08:19 -07:00
Evan Hunt
bf599c1649 Fix catz test error
The catz system test included a test case that was looking for a single
answer record after an update, when it should have been looking for two.
The test usually passed because of timing - the first dig usually got a
response before the update was completed - but occasionally the update
processed fast enough for the test to fail. On investigation, it turned
out to be the test that was wrong.

(cherry picked from commit 9b6060c6c4)
2021-10-27 12:08:19 -07:00
Evan Hunt
c2f7b2e7d2 Fix digdelv test error
The digdelv system test has a test case in which stderr was
included in the dig output. When trace logging was in use,
this confused the grep and caused a spurious test failure.

(cherry picked from commit 2143120636)
2021-10-27 12:08:12 -07:00
Mark Andrews
e1490496a6 Check that existing catalog zone entries are preserved
Update the 'catz' system test by adding tests that update an
catalog zone (catalog1.example) while preserving existing entries
(increase SOA serial) then check that catalog zone has transferred
and that the existing entries have not accidentally been removed
as a consequence (can return updated zone content).

(cherry picked from commit bf9c569852)
2021-10-28 00:04:44 +11:00
Evan Hunt
9456be2225 fix qmin system test
The qmin system test was printing spurious output.  On investigation,
the test case turned out to be both broken and ineffective: its
expectations were wrong, and it was printing the output because its
wrong expectations were not met, and those failed expectations were
not causing a test failure. All of this has been corrected.

(cherry picked from commit ac3eb921fc)
2021-10-20 01:36:53 -07:00
Mark Andrews
981643b19a Don't tests stats channels that haven't been configured
pytest was failing because it was testing features that had
not been configured.  test to see if those features have been
configured before running the tests.

(cherry picked from commit 10c01cba61)
2021-10-14 17:33:01 +11:00
Evan Hunt
6836e3c071 cleanup references to ancient named.conf options
some removed options were still referenced in config.c or the ARM.

(cherry picked from commit 69e25f41ae)
2021-10-12 23:52:39 -07:00
Ondřej Surý
093cd31ae2 Update the source code formatting using clang-format-13
clang-format-13 fixed some of the formatting that clang-format-12 got
wrong.  Update the formatting.

(cherry picked from commit ed95f9fba3)
2021-10-12 11:31:55 +02:00
Aram Sargsyan
311074f51e Handle a missing zone when reloading a catalog zone
Previously a missing/deleted zone which was referenced by a catalog
zone was causing a crash when doing a reload.

This commit will make `named` to ignore the fact that the zone is
missing, and make sure to restore it later on.

(cherry picked from commit 94a5712801)
2021-09-30 20:15:19 +00:00
Mark Andrews
0a6ed417b5 Check that 'check-names {secondary|slave} ignore;' works
(cherry picked from commit 0b0d400d7c)
2021-09-29 19:51:53 +10:00
Mark Andrews
f72946794f Check that 'check-names master ignore;' works
(cherry picked from commit 9107c8caeb)
2021-09-29 19:51:53 +10:00
Mark Andrews
7aa30aae38 Fix "check-names master" and "check-names slave"
check for type "master" / "slave" at the same time as checking
for "primary" / "secondary" as we step through the maps.

Checking "primary" then "master" or "master" then "primary" does
not work as the synomym is not checked for to stop the search.
Similarly with "secondary" and "slave".

(cherry picked from commit a3c6516a75)
2021-09-29 19:51:53 +10:00
Mark Andrews
3295339391 Preserve dig results in case of test failure
(cherry picked from commit 96b7421f8c)
2021-09-24 13:37:43 +10:00
Ondřej Surý
4515523aa2 Add masterfile-format checkconf tests
Add tests that check that masterfile-format map generate deprecation
warning and mastefile-formats text and raw doesn't.

(cherry picked from commit f4e6348f29)
2021-09-17 09:16:10 +02:00
Ondřej Surý
f7adef5162 Mark the masterfile-format type 'map' as deprecated
The map masterfile-format is very fragile and it needs API bump every
time a RBTDB data structures changes.  Also while testing it, we found
out that files larger than 2GB weren't loading and nobody noticed, and
loading many map files were also failing (subject to kernel limits).

Thus we are marking the masterfile-format type 'map' as deprecated and
to be removed in the next stable BIND 9 release.

(cherry picked from commit 6b7a488cbc)
2021-09-17 09:10:29 +02:00
Evan Hunt
863dfed0b5 deprecate "cache-file"
this commit marks the "cache-file" option as deprecated.

(cherry picked from commit a67d008ba5)
2021-09-16 00:57:58 -07:00
Michał Kępień
7d6c2b9e48 Explicitly specify encoding for open() calls
Address the following warnings reported by PyLint 2.10.2:

    ************* Module tests-checkds
    bin/tests/system/checkds/tests-checkds.py:70:9: W1514: Using open without explicitly specifying an encoding (unspecified-encoding)
    bin/tests/system/checkds/tests-checkds.py:120:13: W1514: Using open without explicitly specifying an encoding (unspecified-encoding)
    bin/tests/system/checkds/tests-checkds.py:206:17: W1514: Using open without explicitly specifying an encoding (unspecified-encoding)
    ************* Module yamlget
    bin/tests/system/digdelv/yamlget.py:22:5: W1514: Using open without explicitly specifying an encoding (unspecified-encoding)

(cherry picked from commit 6a4b8b1456)
2021-09-16 08:55:15 +02:00
Michał Kępień
f9c6951190 Remove redundant zone_keyid() function
The zone_keyid() helper function defined in
bin/tests/system/statschannel/helper.py is not used anywhere.  Remove
it.

(cherry picked from commit acb7e61409)
2021-09-16 08:55:15 +02:00
Mark Andrews
3c175b741d Fix closing brackets in help message
(cherry picked from commit 55fc57e244)
2021-09-15 23:09:17 +10:00
Evan Hunt
4d674b5c41 check port in *-source and *-source-v6 options in named.conf
- when transfer-source(-v6), query-source(-v6), notify-source(-v6)
  or parental-source(-v6) are specified with a port number, issue a
  warning.
- when the port specified is the same as the DNS listener port (i.e.,
  53, or whatever was specified as "port" in "options"), issue a fatal
  error.
- check that "port" is in range. (previously this was only checked
  by named, not by named-checkconf.)
- added checkconf tests.
- incidental fix: removed dead code in check.c:bind9_check_namedconf().

(note: if the DNS port is specified on the command line with "named -p",
that is not conveyed to libbind9, so these checks will not take it into
account.)

(cherry picked from commit 14c8d7dfb7)
2021-09-14 20:32:10 +02:00
Ondřej Surý
37cb2b0dea Adjust system forward test to also use IPv6 addresses
The ns3->ns2 forwarding is now done using the IPv6 addresses, so we also
test that the query-source-v6 address is still operational after removal
of interface adjustment.

(cherry picked from commit 8a4c44ca24)
2021-09-14 17:13:42 +02:00
Ondřej Surý
0807d8b058 Remove the code to adjust listening interfaces for *-source-v6
Previously, named would run with a configuration
where *-source-v6 (notify-source-v6, transfer-source-v6 and
query-source-v6) address and port could be simultaneously used for
listening.  This is no longer true for BIND 9.16+ and the code that
would do interface adjustments would unexpectedly disable listening on
TCP for such interfaces.

This commit removes the code that would adjust listening interfaces
for addresses/ports configured in *-source-v6 option.

(cherry picked from commit 8ac1d4e0da)
2021-09-14 16:59:18 +02:00
Aram Sargsyan
930f082027 Update the default IANA root zone primaries list
The default IANA root zone primaries list was outdated, this commit
updates it.
2021-09-08 10:39:17 +00:00
Evan Hunt
6773c1144f increase 1-second timeout in fetchlimit
when "checking lame server clients are dropped below the hard limit",
periodically a query is sent for a name for which the server is
authoritative, to verify that legitimate queries can still be
processed while the server is dealing with a flood of lame delegation
queries. those queries used the same dig options as elsewhere in the
fetchlimit test, including "+tries=1 +timeout=1". on slow systems, a
1-second timeout may be insufficient to get an answer even if the server
is behaving well. this commit increases the timeout for the check
queries to 2 seconds in hopes that will be enough to eliminate test
failures in CI.

(cherry picked from commit 45f330339c)
2021-09-02 23:24:57 -07:00
Evan Hunt
06b9fc8a7d add a test for large map files
- a test has been added to 'masterformat', but disabled by default,
  because it takes several minutes to run and uses a lot of disk.
2021-09-01 08:17:32 -07:00
Ondřej Surý
ec64f4492b Initialize the main thread trampoline for Windows Service process
When BIND is running as a Windows Service the ISC library's
initializations initiated by the DLLMain loading procedure are
happening under the Windows Service Manager thread instead of
BIND's main thread.

This commit will make sure that BIND's main thread trampoline has
been initialized before running the main() function.
2021-08-31 17:53:30 +00:00
Evan Hunt
fb88554bf0 switch to primary/secondary in config.c
some of the built-in configuration was still using outdated terms.

(cherry picked from commit ae8cfa4683)
2021-08-30 12:00:42 -07:00
Evan Hunt
255d092c40 change CFG_ZONE_MASTER and CFG_ZONE_SLAVE
these values have been renamed as CFG_ZONE_PRIMARY and
CFG_ZONE_SECONDARY.

(cherry picked from commit 679f1c0dad)
2021-08-30 12:00:39 -07:00
Evan Hunt
ddc677ae64 rename dns_zone_master and dns_zone_slave
dns_zone_master and dns_zone_slave are renamed as dns_zone_primary
and dns_zone_secondary.

(cherry picked from commit 916760ae46)
2021-08-30 11:58:29 -07:00
Petr Špaček
d1a5f4ee9f Lower loopback MTU size on other unix systems as well
This change should cover recent versions of:
Solaris, illumos, OpenBSD, FreeBSD, Dragonfly BSD, NetBSD.

(cherry picked from commit d8363845b6)
2021-08-30 17:31:48 +02:00
Evan Hunt
422c032151 Add a regression test in the RRL system test
This commit modifies the MTU of the loopback interface on
Linux systems to 1500, so that oversized UDP packets can
trigger EMSGSIZE errors, and tests that named handles
such errors correctly.

Note that the loopback MTU size has not yet been modified
for other platforms.

(cherry picked from commit cfd058d622)
2021-08-30 17:31:43 +02:00
Evan Hunt
e28f5e28c4 add a test of the keepalive timeout
test server now has tcp-idle-timeout set to 5 seconds and
tcp-keepalive-timeout set to 7, so queries that follow a 6-second sleep
should either succeed or fail depending on whether the keepalive option
was sent.

(cherry picked from commit 947e80066c)
2021-08-27 13:20:06 -07:00
Mark Andrews
a8413d5f0f wait for post 'rndc freeze' writes to complete
(cherry picked from commit 45b6b8199e)
2021-08-26 13:18:33 +10:00
Mark Andrews
706f5811c3 Check that primary key names are syntactically valid
(cherry picked from commit 4fa9d8389a)
2021-08-26 00:00:16 +00:00
Mark Andrews
c3db4acf61 Also delete journal file
(cherry picked from commit 0b83636648)
2021-08-25 15:17:51 +10:00
Mark Andrews
3e2a39dc7a check that journal files are also removed
(cherry picked from commit 1972300919)
2021-08-25 15:17:51 +10:00
Matthijs Mekking
229bc4ee95 Add statschannel test case for key removal
Add a statschannel test case to confirm that when keys are removed
(in this case because of a dnssec-policy change), the corresponding
dnssec-sign stats are cleared and are no longer shown in the
statistics.

(cherry picked from commit 1a3c82f765)
2021-08-24 09:51:45 +02:00
Matthijs Mekking
7e90ef8f8c Add back the statschannel manykeys test case
Add a test case that has more than four keys (the initial number of
key slots that are created for dnssec-sign statistics). We shouldn't
be expecting weird values.

This fixes some errors in the manykeys zone configuration (keys
were created for algorithm RSASHA256, but the policy expected RSASHA1,
and the zone was not allowing dynamic updates).

This also fixes an error in the calls to 'zones-json.pl': The perl
script excepts an index number where the zone can be found, rather
than the zone name.

(cherry picked from commit 019a52a184)
2021-08-24 09:51:45 +02:00
Matthijs Mekking
4822c2a618 Add a test case for non-SEP CSK migration
A zone with a single key without the SEP bit set must also be assumed
to be a CSK.

(cherry picked from commit a8d0d2feed)
2021-08-23 10:37:17 +02:00
Matthijs Mekking
073f11fcac Changes to kasp script to deal with non-SEP CSK
In order to test cases with non-SEP CSK keys, the Flags Field needs to
be determined differently to deal with such exceptional scenarios.

(cherry picked from commit 36ad0331e2)
2021-08-23 10:37:11 +02:00
Matthijs Mekking
9df0bf8f17 Test migrating CSK to dnssec-policy
Add a test case for migrating CSK to dnssec-policy. The keymgr has no
way of telling that the key is used as a CSK, but if there is only one
key to migrate it is going to assume it must be a CSK.

(cherry picked from commit 96ee323622)
2021-08-23 10:36:37 +02:00
Mark Andrews
9eb98e024d wait for each staged to complete
(cherry picked from commit 8e189840b1)
2021-08-19 11:44:38 +02:00