Commit Graph

8663 Commits

Author SHA1 Message Date
Mark Andrews
48fedfce69 send over and undersized cookie
(cherry picked from commit 0207199bb8)
2019-02-06 13:13:11 +11:00
Mark Andrews
bb3a5986bb the condition test for checking the client cookie value was wrong; don't call process_opt multiple times
(cherry picked from commit d9c368eee0)
2019-02-06 13:13:11 +11:00
Evan Hunt
cd0b538e90 disable the check for crash on shutdown when running under cygwin
(cherry picked from commit 449842e1ce)
2019-01-31 22:56:17 -08:00
Mark Andrews
5115d677de log RPZ type and class
(cherry picked from commit 28442f11f0)
2019-01-31 17:39:29 -08:00
Evan Hunt
47d1688078 silence a spurious dnssec-keygen warning in the dnssec system test
the occluded-key test creates both a KEY and a DNSKEY. the second
call to dnssec-keygen calls dns_dnssec_findmatchingkeys(), which causes
a spurious warning to be printed when it sees the type KEY record.
this should be fixed in dnssec.c, but the meantime this change silences
the warning by reversing the order in which the keys are created.

(cherry picked from commit 6661db9564)
2019-01-31 14:00:14 -08:00
Matthijs Mekking
cf235900d7 Add tests for dumpdb stale ttl
This adds a test for rndc dumpdb to ensure the correct "stale
comment" is printed.  It also adds a test for non-stale data to
ensure no "stale comment" is printed for active RRsets.

In addition, the serve-stale tests are hardened with more accurate
grep calls.
2019-01-31 10:30:11 -08:00
Evan Hunt
ab5feb57ef detect crash on shutdown in stop.pl
(cherry picked from commit 9bf37f4e48)
2019-01-31 09:42:49 -08:00
Matthijs Mekking
b0b846a4bb Harden GSS-TSIG tests, verify signed TKEY response 2019-01-30 12:11:08 -08:00
Mark Andrews
e5cbb2e03c add 300 seconds of fudge
(cherry picked from commit acf0292da4)
2019-01-30 16:00:17 +11:00
Mark Andrews
cb2d79b456 only use a single policy file when testing.
(cherry picked from commit 36ea9b8181)
2019-01-30 16:00:14 +11:00
Evan Hunt
96bf857b65 also add -D options for transient named processes started in tests.sh
(cherry picked from commit dd45831acc)
2019-01-28 21:19:28 -08:00
Evan Hunt
e233f33fc3 add properly-formatted -D options to named.args files
this prevents servers that use arguments specified in named.args
from appearing different in 'ps' output from servers run with arguments
from start.pl

(cherry picked from commit 175d6e9bfb)
2019-01-28 21:19:25 -08:00
Evan Hunt
2a53564d08 reset SYSTEMTESTTOP when changing directories
(cherry picked from commit 70f36a25e4)
2019-01-28 20:40:48 -08:00
Evan Hunt
29e89d08f7 fix rrl test
strip CR characters before using awk/sed
2019-01-25 11:24:11 -08:00
Evan Hunt
9d1b0f314d fix rpz test
- work around a CR newline problem
- use rndc to stop servers
2019-01-25 11:24:11 -08:00
Evan Hunt
b322cc74ea fix rpzrecurse test
use rndc to stop servers
2019-01-25 11:24:11 -08:00
Evan Hunt
e37a32276e fix dnssec test
- work around CR issues
- use UTC for time comparisons
- use $DIFF instead of cmp
2019-01-25 11:24:11 -08:00
Evan Hunt
7658ba4216 fix legacy test
use rndc rather than signals to stop the server
2019-01-25 11:24:11 -08:00
Evan Hunt
1e1f1d4ef7 fix fetchlimit test
use TCP for the test queries in between UDP bursts; this avoids
congestion issues that interfered with the test on windows
2019-01-25 11:24:11 -08:00
Evan Hunt
678c3211af fix sfcache test
use a lame server configuration to force SERVFAILs instead of killing ns2.
this prevents test failures that occurred due to a different behavior of
the netowrking stack in windows.
2019-01-25 11:24:10 -08:00
Evan Hunt
d04e771dcf fix nsupdate test
rndc_reload was failing on windows
2019-01-25 11:24:10 -08:00
Evan Hunt
b282b4dd5e fix rndc test
use regex instead of exact string matching to deal with CR at end of line
2019-01-25 11:24:10 -08:00
Evan Hunt
28f8899e21 fix statistics test
the active sockets test is supposed to be commented out on win32, but
only part of it was
2019-01-25 11:24:10 -08:00
Evan Hunt
0b0c110577 fix redirect test
strip CR characters before using sed
2019-01-25 11:24:10 -08:00
Evan Hunt
75278f0f54 fix notify test
test the average delay between notifies instead of the minimum delay;
this helps avoid unnecessary test failures on systems with bursty
network performance.
2019-01-25 11:24:10 -08:00
Evan Hunt
bb256ea268 fix masterformat test
use stop.pl instead of rndc to stop server
2019-01-25 11:24:10 -08:00
Evan Hunt
95d2dff101 fix inline test
use regex instead of exact string matching, to deal with CR at end of ine
2019-01-25 11:24:10 -08:00
Evan Hunt
9dc3aac7a7 fix forward test
strip CR characters before using sed
2019-01-25 11:24:09 -08:00
Evan Hunt
659bc0d09d fix cookie test
strip CR characters before comparing files
2019-01-25 11:24:09 -08:00
Evan Hunt
0279793e03 fix cds test
- use $PERL instead of perl
- use $DIFF instead of cmp for windows portability; cmp doesn't
  handle CR characters properly
2019-01-25 11:24:09 -08:00
Evan Hunt
362eb56189 use $DIFF instead of diff 2019-01-25 11:24:09 -08:00
Evan Hunt
bd9ffedbcf set and use SYSTEMTESTTOP consistently 2019-01-25 11:24:09 -08:00
Evan Hunt
2189f00e63 complete the set of tools available in windows tests
- dnssec-cds wasn't being built for windows
- nsec3hash was available, but the NSEC3HASH variable wasn't
  set in conf.sh.win32
2019-01-25 11:24:09 -08:00
Evan Hunt
3cf4ecf177 more reliable method for killing "ans" servers on windows
as perl and python are both native to cygwin, we don't want to use
the "kill -f" option to terminate them.
2019-01-25 10:43:10 -08:00
Evan Hunt
b5f8d60565 update ifconfig.bat with current test interfaces
the addresses set up in ifconfig.bat were out of sync with the
ones in ifconfig.sh
2019-01-25 10:43:10 -08:00
Evan Hunt
47ef534511 update conf.sh.win32 test list
- the test lists in conf.sh.in and conf.sh.win32 were out of sync
2019-01-25 10:43:10 -08:00
Evan Hunt
4f06d65e38 improve handling of trailing dots in dnssec-keymgr and dnssec-coverage
- mishandling of trailing dots caused bad behavior with the
  root zone or names like "example.com."
- fixing this exposed an error in dnssec-coverage caused the
  wrong return value if there were KSK errors but no ZSK errors
- incidentally silenced the dnssec-keygen output in the coverage
  system test

(cherry picked from commit 1ccf4e6c16)
2019-01-24 13:51:53 -08:00
Mark Andrews
15b4240764 introducing keymgr need to preserve functionality
(cherry picked from commit 083b730ec7)
2019-01-22 10:22:10 -08:00
Witold Kręcicki
f8963ad70e If possible don't use forwarders when priming the resolver.
If we try to fetch a record from cache and need to look into
hints database we assume that the resolver is not primed and
start dns_resolver_prime(). Priming query is supposed to return
NSes for "." in ANSWER section and glue records for them in
ADDITIONAL section, so that we can fill that info in 'regular'
cache and not use hints db anymore.
However, if we're using a forwarder the priming query goes through
it, and if it's configured to return minimal answers we won't get
the addresses of root servers in ADDITIONAL section. Since the
only records for root servers we have are in hints database we'll
try to prime the resolver with every single query.

This patch adds a DNS_FETCHOPT_NOFORWARD flag which avoids using
forwarders if possible (that is if we have forward-first policy).
Using this flag on priming fetch fixes the problem as we get the
proper glue. With forward-only policy the problem is non-existent,
as we'll never ask for root server addresses because we'll never
have a need to query them.

Also added a test to confirm priming queries are not forwarded.

(cherry picked from commit b49310ac06)
2019-01-16 16:32:43 -08:00
Mark Andrews
22b77f45b7 add multi-view server and tests
(cherry picked from commit 7122b5786d)
2019-01-14 16:59:02 -08:00
Tony Finch
bc984ace12 Fix a few cosmetic issues with rndc managed-keys
The handling of class and view arguments was broken, because the code
didn't realise that next_token() would overwrite the class name when
it parsed the view name. The code was trying to implement a syntax
like `refresh [[class] view]`, but it was documented to have a syntax
like `refresh [class [view]]`. The latter is consistent with other rndc
commands, so that is how I have fixed it.

Before:

$ rndc managed-keys refresh in rec
rndc: 'managed-keys' failed: unknown class/type
unknown class 'rec'

After:

$ rndc managed-keys refresh in rec
refreshing managed keys for 'rec'

There were missing newlines in the output from `rndc managed-keys
refresh` and `rndc managed-keys destroy`.

Before:

$ rndc managed-keys refresh
refreshing managed keys for 'rec'refreshing managed keys for 'auth'

After:

$ rndc managed-keys refresh
refreshing managed keys for 'rec'
refreshing managed keys for 'auth'

(cherry picked from commit 6a3b851f72)
2019-01-14 16:16:29 -08:00
Evan Hunt
b241dc58ec b/t/s/dnssec/tests.sh: Cleanup showprivate() function 2019-01-14 12:30:49 -08:00
Evan Hunt
0b4dca553d fix testing errors
- the checkprivate function in the dnssec test set ret=0, erasing
  results from previous tests and making the test appear to have passed
  when it shouldn't have
- checkprivate needed a delay loop to ensure there was time for all
  private signing records to be updated before the test

(cherry picked from commit 82e83d5dc7)
2019-01-13 18:22:44 -08:00
Tony Finch
1ba69a02ff cleanup: alphabetize rndc command dispatch
(cherry picked from commit 66be4108bf)
2019-01-14 12:28:26 +11:00
Mark Andrews
0b8d530c84 Ensure base64/base32/hex fields in DNS records that should be non-empty are.
(cherry picked from commit 5e8b772ad1)
2019-01-09 18:53:29 +11:00
Mark Andrews
675d75e0bc wait longer for dump to complete
(cherry picked from commit 8a8d378def)
2019-01-08 20:17:06 -08:00
Michał Kępień
f63a1fca3e Fix cleanup upon an error before TCP socket creation
When a query times out after a socket is created and associated with a
given dig_query_t structure, calling isc_socket_cancel() causes
connect_done() to be run, which in turn takes care of all necessary
cleanups.  However, certain errors (e.g. get_address() returning
ISC_R_FAMILYNOSUPPORT) may prevent a TCP socket from being created in
the first place.  Since force_timeout() may be used in code handling
such errors, connect_timeout() needs to properly clean up a TCP query
which is not associated with any socket.  Call clear_query() from
connect_timeout() after attempting to send a TCP query to the next
available server if the timed out query does not have a socket
associated with it, in order to prevent dig from hanging indefinitely
due to the dig_query_t structure not being detached from its parent
dig_lookup_t structure.

(cherry picked from commit 13975b32c6)
2019-01-08 11:22:57 +01:00
Michał Kępień
c05c1f1b65 Refactor code sending a query to the next server upon a timeout
When a query times out and another server is available for querying
within the same lookup, the timeout handler - connect_timeout() - is
responsible for sending the query to the next server.  Extract the
relevant part of connect_timeout() to a separate function in order to
improve code readability.

(cherry picked from commit c108fc5c6e)
2019-01-08 11:22:57 +01:00
Michał Kępień
1d0319fd0c Remove dead code handling address family mismatches for TCP sockets
Before commit c2ec022f57, using the "-b"
command line switch for dig did not disable use of the other address
family than the one to which the address supplied to that option
belonged to.  Thus, bind9_getaddresses() could e.g. prepare an
isc_sockaddr_t structure for an IPv6 address when an IPv4 address has
been passed to the "-b" command line option.  To avoid attempting the
impossible (e.g. querying an IPv6 address from a socket bound to an IPv4
address), a certain code block in send_tcp_connect() checked whether the
address family of the server to be queried was the same as the address
family of the socket set up for sending that query; if there was a
mismatch, that particular server address was skipped.

Commit c2ec022f57 made
bind9_getaddresses() fail upon an address family mismatch between the
address the hostname passed to it resolved to and the address supplied
to the "-b" command line option.  Such failures were fatal to dig back
then.

Commit 7f65860391 made
bind9_getaddresses() failures non-fatal, but also ensured that a
get_address() failure in send_tcp_connect() still causes the given query
address to be skipped (and also made such failures trigger an early
return from send_tcp_connect()).

Summing up, the code block handling address family mismatches in
send_tcp_connect() has been redundant since commit
c2ec022f57.  Remove it.

(cherry picked from commit ef1da8731b)
2019-01-08 11:22:57 +01:00
Michał Kępień
82103796af Track forwarder timeouts in fetch contexts
Since following a delegation resets most fetch context state, address
marks (FCTX_ADDRINFO_MARK) set inside lib/dns/resolver.c are not
preserved when a delegation is followed.  This is fine for full
recursive resolution but when named is configured with "forward first;"
and one of the specified forwarders times out, triggering a fallback to
full recursive resolution, that forwarder should no longer be consulted
at each delegation point subsequently reached within a given fetch
context.

Add a new badnstype_t enum value, badns_forwarder, and use it to mark a
forwarder as bad when it times out in a "forward first;" configuration.
Since the bad server list is not cleaned when a fetch context follows a
delegation, this prevents a forwarder from being queried again after
falling back to full recursive resolution.  Yet, as each fetch context
maintains its own list of bad servers, this change does not cause a
forwarder timeout to prevent that forwarder from being used by other
fetch contexts.

(cherry picked from commit 33350626f9)
2019-01-08 08:31:16 +01:00