Commit Graph

12121 Commits

Author SHA1 Message Date
Michal Nowak
369bbd9dad Remove unused sbytes, stime, n, response, and rtime variables
(cherry picked from commit 4857da271d)
2024-10-15 18:49:29 +00:00
Michal Nowak
b5118a7e70 Rewrite tools system test to pytest
(cherry picked from commit 3f8e59330d)
2024-10-15 17:28:37 +00:00
Nicki Křížek
1dbeee61f8 Support dnspython 2.7.0
CookieOption with new .server/.client attributes (rather than .data) was
added to dnspython. Adjust the code to use the new attributes if
available and fall back to the old code for dnspython<2.7.0
compatibility.

(cherry picked from commit 0d90b13646)
2024-10-15 10:29:57 +00:00
Mark Andrews
fd2f1bdf02 Test that the correct NSEC3 closest encloser is returned
(cherry picked from commit b457f64d4a)
2024-10-14 23:55:09 +00:00
Matthijs Mekking
25f39228e0 Test removing DNSKEYs from other providers
In a multi-signer setup, removing DNSKEY records from the zone should
not be treated as a key that previously exists in the keyring, thus
blocking the keymgr. Add a test case to make sure.

(cherry picked from commit 5f552293d7)
2024-10-14 10:03:59 +02:00
Matthijs Mekking
80d5b3877a Add additional test case with purged key
Test that if a key to be purged is in the keyring, it does not
prevent the keymgr from running. Normally a key that is in the keyring
should be available again on the next run, but that is not true for
a key that can be purged.

In addition, fix some wait_for_log calls, by adding the missing
'|| ret=1' parts.

(cherry picked from commit a2317425bc)
2024-10-14 10:03:19 +02:00
Matthijs Mekking
24e8e4294a Fix some system test cases
Some test cases were working but for the wrong reasons. These started
to fail when I implemented the first approach for #4763, where the
existence of a DNSKEY together with an empty keyring is suspicious and
would prevent the keymgr from running.

These are:

1. kasp: The multisigner-model2.kasp zone has ZSKs from other providers
   in the zone, but not yet its own keys. Pregenerate signing keys and
   add them to the unsigned zone as well.

2. kasp: The dynamic-signed-inline-signing.kasp zone has a key generated
   and added in the raw version of the zone. But the key file is stored
   outside the key-directory for the given zone. Add '-K keys' to the
   dnssec-keygen command.

(cherry picked from commit d1e263ef13)
2024-10-14 10:03:12 +02:00
Matthijs Mekking
2494275a8e Verify new key files before running keymgr
Prior to running the keymgr, first make sure that existing keys
are present in the new keylist. If not, treat this as an operational
error where the keys are made offline (temporarily), possibly unwanted.

(cherry picked from commit 5fdad05a8a)
2024-10-14 10:03:00 +02:00
Matthijs Mekking
04ae34cff6 Add test for missing key files, don't roll
In this specific case the key files are temporary unavailable, for
example because of an operator error, or a mount failure). In such
cases, BIND should not try to roll over these keys.

(cherry picked from commit a3afbd9d6f)
2024-10-14 07:19:37 +00:00
Artem Boldariev
3585a004b9 dig: always set the default port when doing a UDP query
This commit ensures that the port is set before attempting a UDP
query. Before that a situation could appear when previous query have
completed over a different transport (that uses a dedicated port) and
then a UDP query will be attempted over the port of the previous
transport.

(cherry picked from commit e390ed4421)
2024-10-10 22:13:55 +03:00
Matthijs Mekking
d768dd1f5d Revert "fix: chg: Improve performance when looking for the closest encloser when returning NSEC3 proofs"
This reverts merge request !9436

(cherry picked from commit 0396bf98ee)
2024-10-10 09:29:52 +00:00
Aram Sargsyan
ca966c396a Don't ignore the local port number in dns_dispatch_add() for TCP
The dns_dispatch_add() function registers the 'resp' entry in
'disp->mgr->qids' hash table with 'resp->port' being 0, but in
tcp_recv_success(), when looking up an entry in the hash table
after a successfully received data the port is used, so if the
local port was set (i.e. it was not 0) it fails to find the
entry and results in an unexpected error.

Set the 'resp->port' to the given local port value extracted from
'disp->local'.

(cherry picked from commit d49a8f518a)
2024-10-02 09:53:45 +00:00
Michal Nowak
8252f8cbc4 Replace dns.query module with isctest.query
(cherry picked from commit dfec69b4a2)
2024-10-01 12:06:40 +00:00
Michal Nowak
b5bdc3ff30 Add isctest.check.notimp()
(cherry picked from commit a2d2d9c0d3)
2024-10-01 12:06:40 +00:00
Michal Nowak
8f5fcf6441 Report expected and last returned rcode on query timeout
Sometimes it's useful to see what was the server returning that did not
match the expected rcode.

(cherry picked from commit 4cb52f072e)
2024-10-01 12:06:40 +00:00
Mark Andrews
39afab41f0 Check responselog behaviour
Extends the resolver system test to to check whether responses are
logged to the query log in addition to the queries.

(cherry picked from commit 61415432ec)
2024-09-30 00:10:47 +00:00
Evan Hunt
b9f4a1b029 Reduce code duplication
combined named_server_togglequerylog() and
named_server_toggleresponselog() into named_server_setortoggle().

(cherry picked from commit c4b7dce376)
2024-09-30 00:10:47 +00:00
Mark Andrews
3968813724 Log the rcode returned to for a query
Log to the querylog the rcode of a previous query using
the identifier 'response:' to diffenciate queries from
responses.

(cherry picked from commit 5fad79c92f)
2024-09-30 00:10:47 +00:00
Mark Andrews
00287db8ed Add examples of WALLET records
(cherry picked from commit 9b358e6e8b)
2024-09-25 12:07:52 +00:00
Mark Andrews
c6045acc41 Add the new record type WALLET (262)
This provides a mapping from a domain name to a cryptographic
currency wallet and is a clone of TXT.

(cherry picked from commit b919b9b4f3)
2024-09-25 12:07:52 +00:00
Aram Sargsyan
cc038054e1 Test 'rndc dumpdb' with an unwritable dump-file
Check that with a preexisting dump file without a write permission
no actual dump happens, and rndc returns an error result.

Also add a couple of missing entries in the cleaning script.

(cherry picked from commit 63bddd7192)
2024-09-25 09:11:49 +00:00
Aram Sargsyan
782a570052 Do not ignore named_server_dumpdb() result code
The named_server_dumpdb() function, which is called when a 'rndc dumpdb'
command is issued, returns a 'isc_result_t' result code and it has been
always ignored since its introduction in
eb8713ed94, where it was still called
ns_server_dumpdb(). The orignal reasoning is not preserved, but it could
have been also a simple copy-paste mistake, as there are commands, which
return 'void' and require manually setting 'result = ISC_R_SUCCESS;', as
it was done here. Anyway, named will now return the actual result, and
'rndc' will report an error, when the 'dumpdb' command fails.

(cherry picked from commit 8b866ba8a0)
2024-09-25 09:11:49 +00:00
Mark Andrews
2952f8339d Check read value in upforwd/ans4
The ans4 server wasn't shutting down cleanly sometimes.  Check that
read returns the expected value for the message length or exit read
loop.

(cherry picked from commit 21baad0a8f)
2024-09-24 07:29:29 +00:00
Michal Nowak
e7dd232320 Print correct udp/tcp function name in generic_query()
(cherry picked from commit 1c637e96d1)
2024-09-23 15:40:40 +00:00
Michal Nowak
69b116b788 Downgrade "timeout" and "attempts" arguments in shutdown
The shutdown system test sends queries when named is shutting down, not
in an attempt to get answers but to destabilize the server into a crash.
With isctest.query.udp() defaulting to try up to ten times with a
ten-second timeout to get a response we don't care about from a likely
terminated server, we make the test run much longer than needed because
of retries and long timeouts.

(cherry picked from commit 463ab2f3f5)
2024-09-23 15:40:39 +00:00
Aram Sargsyan
80dad234ba Add a statistics channel check in the forward system test
Check that the fix in the previous commit works and that the
'ServerQuota' counter in the statistics channel is still unset
after a SERVFAIL result in a 'forward only' zone.

(cherry picked from commit 81b3c5d908)
2024-09-16 09:31:38 +00:00
Mark Andrews
b33727a202 Remove 'statslock' from dnssec-signzone
Silence Coverity CID 468757 and 468767 (DATA RACE read not locked)
by converting dnssec-signzone to use atomics for statistics counters
rather than using a lock.  This should be marginally faster than
using the lock as well when statistics are requested.

(cherry picked from commit 473cbd4e87)
2024-09-16 02:52:38 +00:00
Michal Nowak
944fc02f83 Extract dns.rcode compatibility code to isctest.compat
(cherry picked from commit 8b55d0709d)
2024-09-12 11:17:52 +00:00
Michal Nowak
c8c8b36e44 Turn off deadline for wildcard tests
Tests that query BIND need much longer deadline to account for retries,
the default 200ms won't work.

(cherry picked from commit d2e0043ec3)
2024-09-12 11:17:52 +00:00
Michal Nowak
937d7f30eb Extract "custom" named instances support to isctest.run module
(cherry picked from commit 2cec1de43b)
2024-09-12 11:17:52 +00:00
Michal Nowak
531567b0a1 Rework query functions to retry by default
(cherry picked from commit 5929ba0f54)
2024-09-12 11:17:52 +00:00
Michal Nowak
555f42754e Replace dns.resolver module in system tests
(cherry picked from commit bfe338b965)
2024-09-12 11:17:52 +00:00
Mark Andrews
c52a9a5731 Only configure statistics-channels if supported
(cherry picked from commit d0c8c6d7ef)
2024-09-12 03:27:38 +00:00
Mark Andrews
b3c0eb9bac Don't create the HTTP server if libxml and libjson-c are unavailable
(cherry picked from commit 31650d9440)
2024-09-12 03:27:38 +00:00
Mark Andrews
592ca7dc19 Don't return the style sheet unless libxml2 is supported
If not statistics are available we don't want the style sheet
returned.

(cherry picked from commit ed81b3ae93)
2024-09-12 03:27:38 +00:00
Mark Andrews
bacc945989 Properly detect when libxml2 or json-c is not available
(cherry picked from commit 7de939609b)
2024-09-11 23:06:55 +00:00
JINMEI Tatuya
33dd3fbca2 allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS
This change allows fallback from an IXFR failure to AXFR when the
reason is DNS_R_TOOMANYRECORDS. This is because this error condition
could be temporary only in an intermediate version of IXFR
transactions and it's possible that the latest version of the zone
doesn't have that condition. In such a case, the secondary would never
be able to update the zone (even if it could) without this fallback.

This fallback behavior is particularly useful with the recently
introduced max-records-per-type and max-types-per-name options:
the primary may not have these limitations and may temporarily
introduce "too many" records, breaking IXFR. If the primary side
subsequently deletes these records, this fallback will help recover
the zone transfer failure automatically; without it, the secondary
side would first need to increase the limit, which requires more
operational overhead and has its own adverse effect.

This change also fixes a minor glitch that DNS_R_TOOMANYRECORDS wasn't
logged in xfrin_fail.

(cherry picked from commit 7289090683)
2024-09-10 12:39:36 +00:00
Ondřej Surý
5255843f9b Follow the number of CPU set by taskset/cpuset
Administrators may wish to constrain the set of cores that BIND 9 runs
on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on
other O/S), for example to achieve higher (or more stable) performance
by more closely associating threads with individual NIC rx queues. If
the admin has used taskset, it follows that BIND ought to
automatically use the given number of CPUs rather than the system wide
count.

Co-Authored-By: Ray Bellis <ray@isc.org>
(cherry picked from commit 5a2df8caf5)
2024-09-03 13:52:10 +00:00
Mark Andrews
b30bff7dee Return partial match when requested
Return partial match from dns_db_find/dns_db_find when requested
to short circuit the closest encloser discover process.  Most of the
time this will be the actual closest encloser but may not be when
there yet to be committed / cleaned up versions of the zone with
names below the actual closest encloser.

(cherry picked from commit d42ea08f16)
2024-08-29 21:40:16 +00:00
Evan Hunt
93729a294a Delay release of root privileges until after configuring controls
On systems where root access is needed to configure privileged
ports, we don't want to fully relinquish root privileges until
after the control channel (which typically runs on port 953) has
been established.

named_os_changeuser() now takes a boolean argument 'permanent'.
This allows us to switch the effective userid temporarily with
named_os_changeuser(false) and restore it with named_os_restoreuser(),
before permanently dropping privileges with named_os_changeuser(true).

(cherry picked from commit d57fa148af)
2024-08-29 18:11:58 +00:00
Michal Nowak
f3b54c6688 Bump max-recursion-queries to 100 in resolver system test
With max-recursion-queries set to 50 the resolver system test was
unstable in the "checking query resolution for a domain with a valid
glueless delegation chain" check as ns1 replied with SERVFAIL.

(cherry picked from commit 8e0244d300)
2024-08-29 14:41:48 +00:00
Mark Andrews
20632b9f44 Add bad dnssec-policy range variants test examples
(cherry picked from commit bb653d37e0)
2024-08-23 08:05:16 +10:00
Mark Andrews
fab6d0e021 Add a multi-signer where the key tag range changes
(cherry picked from commit 62469afe71)
2024-08-23 08:05:16 +10:00
Mark Andrews
3ec77a2f92 Use key tag ranges when generating multisigner keys
(cherry picked from commit 266530d473)
2024-08-23 08:05:16 +10:00
Mark Andrews
6e51d5b04b Check that dnssec-keygen honours key tag ranges
(cherry picked from commit d165466125)
2024-08-23 08:05:16 +10:00
Mark Andrews
4c980c2a51 Add good dnssec-policy tag-range variants test examples
(cherry picked from commit e7decd7a65)
2024-08-23 08:05:16 +10:00
Mark Andrews
e3dedfb981 Add optional range directive to keys in dnssec-policy
(cherry picked from commit c5bc0a1805)
2024-08-23 08:05:16 +10:00
Mark Andrews
57c7c5452a Document -M tag_min:tag_max
A new argument has been added to dnssec-keygen and dnssec-keyfromlabel
to restrict the tag value of key generated / imported to a particular
range.  This is intended to be used by multi-signers.

Co-authored-by: Suzanne Goldlust <sgoldlust@isc.org>
(cherry picked from commit 0c347fb321)
2024-08-23 07:44:11 +10:00
Mark Andrews
79f9a10eb6 Add restrict key tag range support
to dnssec-keygen and dnssec-keyfromlabel.

(cherry picked from commit 329e5eee9b)
2024-08-23 07:42:21 +10:00
Matthijs Mekking
b7bc6abdfe Adjust kasp system test to get keys which signed
If there is a keytag conflict between keys with different algorithms,
we need to supply what key algorithm is used so we can get the right
public key.

For clarity, print the algorithm on the found keys after 'check_keys'.

(cherry picked from commit 7bb6d82505)
2024-08-22 12:58:00 +00:00