mdig was always using the default 1024-65535 range for outgoing
messages, instead of using the system's configured ephemeral ports.
(cherry picked from commit 0fecb10c17)
The sed expression could find the wrong instance of 10.
Use awk to replace the TTL field and also to specify the
server and issue the send command.
(cherry picked from commit be879cda72)
This is almost minimal prototype to show how to use python-hypothesis
library in a system test. It does not fully replace existing shell-based
system test for wildcards.
(cherry picked from commit 49da19c353)
The lame-ttl cache is implemented in ADB as per-server locked
linked-list "indexed" with <qname,qtype>. This list has to be walked
every time there's a new query or new record added into the lame cache.
Determined attacker can use this to degrade performance of the resolver.
Resolver testing has shown that disabling the lame cache has little
impact on the resolver performance and it's a minimal viable defense
against this kind of attack.
The statistics system test sometimes needs a pause to wait for the
expected stats to be reported.
Also, the test for priming queries was ineffective; the result of
the grep was not being checked.
(cherry picked from commit c167feb1dc)
The margin of error (up to 2 seconds) allowed for the inception time
in the cds system test was a bit too small, and has been increased to 3
seconds.
(cherry picked from commit 3ecaccb961)
The catz system test included a test case that was looking for a single
answer record after an update, when it should have been looking for two.
The test usually passed because of timing - the first dig usually got a
response before the update was completed - but occasionally the update
processed fast enough for the test to fail. On investigation, it turned
out to be the test that was wrong.
(cherry picked from commit 9b6060c6c4)
The digdelv system test has a test case in which stderr was
included in the dig output. When trace logging was in use,
this confused the grep and caused a spurious test failure.
(cherry picked from commit 2143120636)
Update the 'catz' system test by adding tests that update an
catalog zone (catalog1.example) while preserving existing entries
(increase SOA serial) then check that catalog zone has transferred
and that the existing entries have not accidentally been removed
as a consequence (can return updated zone content).
(cherry picked from commit bf9c569852)
The qmin system test was printing spurious output. On investigation,
the test case turned out to be both broken and ineffective: its
expectations were wrong, and it was printing the output because its
wrong expectations were not met, and those failed expectations were
not causing a test failure. All of this has been corrected.
(cherry picked from commit ac3eb921fc)
pytest was failing because it was testing features that had
not been configured. test to see if those features have been
configured before running the tests.
(cherry picked from commit 10c01cba61)
Previously a missing/deleted zone which was referenced by a catalog
zone was causing a crash when doing a reload.
This commit will make `named` to ignore the fact that the zone is
missing, and make sure to restore it later on.
(cherry picked from commit 94a5712801)
check for type "master" / "slave" at the same time as checking
for "primary" / "secondary" as we step through the maps.
Checking "primary" then "master" or "master" then "primary" does
not work as the synomym is not checked for to stop the search.
Similarly with "secondary" and "slave".
(cherry picked from commit a3c6516a75)
Add tests that check that masterfile-format map generate deprecation
warning and mastefile-formats text and raw doesn't.
(cherry picked from commit f4e6348f29)
The map masterfile-format is very fragile and it needs API bump every
time a RBTDB data structures changes. Also while testing it, we found
out that files larger than 2GB weren't loading and nobody noticed, and
loading many map files were also failing (subject to kernel limits).
Thus we are marking the masterfile-format type 'map' as deprecated and
to be removed in the next stable BIND 9 release.
(cherry picked from commit 6b7a488cbc)
Address the following warnings reported by PyLint 2.10.2:
************* Module tests-checkds
bin/tests/system/checkds/tests-checkds.py:70:9: W1514: Using open without explicitly specifying an encoding (unspecified-encoding)
bin/tests/system/checkds/tests-checkds.py:120:13: W1514: Using open without explicitly specifying an encoding (unspecified-encoding)
bin/tests/system/checkds/tests-checkds.py:206:17: W1514: Using open without explicitly specifying an encoding (unspecified-encoding)
************* Module yamlget
bin/tests/system/digdelv/yamlget.py:22:5: W1514: Using open without explicitly specifying an encoding (unspecified-encoding)
(cherry picked from commit 6a4b8b1456)
The zone_keyid() helper function defined in
bin/tests/system/statschannel/helper.py is not used anywhere. Remove
it.
(cherry picked from commit acb7e61409)
- when transfer-source(-v6), query-source(-v6), notify-source(-v6)
or parental-source(-v6) are specified with a port number, issue a
warning.
- when the port specified is the same as the DNS listener port (i.e.,
53, or whatever was specified as "port" in "options"), issue a fatal
error.
- check that "port" is in range. (previously this was only checked
by named, not by named-checkconf.)
- added checkconf tests.
- incidental fix: removed dead code in check.c:bind9_check_namedconf().
(note: if the DNS port is specified on the command line with "named -p",
that is not conveyed to libbind9, so these checks will not take it into
account.)
(cherry picked from commit 14c8d7dfb7)
The ns3->ns2 forwarding is now done using the IPv6 addresses, so we also
test that the query-source-v6 address is still operational after removal
of interface adjustment.
(cherry picked from commit 8a4c44ca24)
Previously, named would run with a configuration
where *-source-v6 (notify-source-v6, transfer-source-v6 and
query-source-v6) address and port could be simultaneously used for
listening. This is no longer true for BIND 9.16+ and the code that
would do interface adjustments would unexpectedly disable listening on
TCP for such interfaces.
This commit removes the code that would adjust listening interfaces
for addresses/ports configured in *-source-v6 option.
(cherry picked from commit 8ac1d4e0da)
when "checking lame server clients are dropped below the hard limit",
periodically a query is sent for a name for which the server is
authoritative, to verify that legitimate queries can still be
processed while the server is dealing with a flood of lame delegation
queries. those queries used the same dig options as elsewhere in the
fetchlimit test, including "+tries=1 +timeout=1". on slow systems, a
1-second timeout may be insufficient to get an answer even if the server
is behaving well. this commit increases the timeout for the check
queries to 2 seconds in hopes that will be enough to eliminate test
failures in CI.
(cherry picked from commit 45f330339c)
When BIND is running as a Windows Service the ISC library's
initializations initiated by the DLLMain loading procedure are
happening under the Windows Service Manager thread instead of
BIND's main thread.
This commit will make sure that BIND's main thread trampoline has
been initialized before running the main() function.
This commit modifies the MTU of the loopback interface on
Linux systems to 1500, so that oversized UDP packets can
trigger EMSGSIZE errors, and tests that named handles
such errors correctly.
Note that the loopback MTU size has not yet been modified
for other platforms.
(cherry picked from commit cfd058d622)
test server now has tcp-idle-timeout set to 5 seconds and
tcp-keepalive-timeout set to 7, so queries that follow a 6-second sleep
should either succeed or fail depending on whether the keepalive option
was sent.
(cherry picked from commit 947e80066c)
Add a statschannel test case to confirm that when keys are removed
(in this case because of a dnssec-policy change), the corresponding
dnssec-sign stats are cleared and are no longer shown in the
statistics.
(cherry picked from commit 1a3c82f765)
Add a test case that has more than four keys (the initial number of
key slots that are created for dnssec-sign statistics). We shouldn't
be expecting weird values.
This fixes some errors in the manykeys zone configuration (keys
were created for algorithm RSASHA256, but the policy expected RSASHA1,
and the zone was not allowing dynamic updates).
This also fixes an error in the calls to 'zones-json.pl': The perl
script excepts an index number where the zone can be found, rather
than the zone name.
(cherry picked from commit 019a52a184)
In order to test cases with non-SEP CSK keys, the Flags Field needs to
be determined differently to deal with such exceptional scenarios.
(cherry picked from commit 36ad0331e2)
Add a test case for migrating CSK to dnssec-policy. The keymgr has no
way of telling that the key is used as a CSK, but if there is only one
key to migrate it is going to assume it must be a CSK.
(cherry picked from commit 96ee323622)