Commit Graph

8512 Commits

Author SHA1 Message Date
Michał Kępień
5cc841fa53 Reset dig exit code after a TCP connection is established
The "exitcode" variable is set to 9 if a TCP connection fails, but is
not reset to 0 if a subsequent TCP connection succeeds.  This causes dig
to return a non-zero exit code if it succeeds in getting a TCP response
after a retry.  Fix by resetting "exitcode" to 0 if connect_done()
receives an event with the "result" field set to ISC_R_SUCCESS.

(cherry picked from commit deb3b85cb2)
2018-08-27 14:30:06 +10:00
Ondřej Surý
791663dd60 Whitespace fixes
(cherry picked from commit 31b5360943)
2018-08-24 08:34:44 -04:00
Michał Kępień
e0b9bb1d2c Log a message when "ixfr-from-differences" is set for an inline-signed zone
For inline-signed zones, the value of "ixfr-from-differences" is
hardcoded to:

  - "yes" for the raw version of the zone,
  - "no" for the signed version of the zone.

In other words, any user-provided "ixfr-from-differences" setting is
effectively ignored for an inline-signed zone.  Ensure the user is aware
of that by adding a note to the ARM and logging a message when an
"ixfr-from-differences" option is found at the zone level.

(cherry picked from commit 087157d14f)
2018-08-24 10:21:27 +02:00
Michał Kępień
c12388f5e8 Do not call bin/tools/genrandom unconditionally in system tests
$RANDFILE, i.e. bin/tests/system/random.data, should only be written to
if a system test requires support for cryptography and that file does
not already exist.  Otherwise, when multiple system tests are run in
parallel, that file might get truncated due to bin/tools/genrandom.c
using fopen() with mode "w" when writing the destination file.  With
unfortunate timing, this may cause system tests employing BIND tools
which need entropy (e.g. dnssec-keygen) to fail.

Make sure bin/tests/system/metadata/tests.sh no longer calls
bin/tools/genrandom since $RANDFILE is guaranteed to already be created
by the time bin/tools/genrandom is currently called because
bin/tests/system/metadata/prereq.sh uses bin/tests/system/testcrypto.sh.

Make sure bin/tests/system/sfcache/prereq.sh only writes to $RANDFILE if
it does not already exist.
2018-08-24 09:57:15 +02:00
Michał Kępień
56da51da7b Prevent a race in the "inline" system test
A short time window exists between logging the addition of an NSEC3PARAM
record to a zone and committing it to the current version of the zone
database.  If a query arrives during such a time window, an unsigned
response will be returned.  One of the checks in the "inline" system
test requires NSEC3 records to be present in an answer - that check
would fail in the case described above.  Use rndc instead of log
watching for checking whether zone signing and NSEC3 chain modifications
are complete in order to prevent intermittent "inline" system test
failures.

(cherry picked from commit e36c869e85)
2018-08-24 09:38:22 +02:00
Mark Andrews
68138381b4 when filter-aaaa and dns64 are both configured a assertion failure could occur
(cherry picked from commit 1056376d10)
2018-08-24 09:47:17 +10:00
Michał Kępień
7680c7d1cf Fix reloading inline-signed zones
While "rndc reload" causes dns_zone_asyncload() to be called for the
signed version of an inline-signed zone, the subsequent zone_load() call
causes the raw version to be reloaded from storage.  This means that
DNS_ZONEFLG_LOADPENDING gets set for the signed version of the zone by
dns_zone_asyncload() before the reload is attempted, but zone_postload()
is only called for the raw version and thus DNS_ZONEFLG_LOADPENDING is
cleared for the raw version, but not for the signed version.  This in
turn prevents zone maintenance from happening for the signed version of
the zone.

Until commit 7c64547d95, this problem
remained dormant because DNS_ZONEFLG_LOADPENDING was previously
immediately, unconditionally cleared after zone loading was started
(whereas it should only be cleared when zone loading is finished or an
error occurs).  This behavior caused other issues [1] and thus had to be
changed.

Fix reloading inline-signed zones by clearing DNS_ZONEFLG_LOADPENDING
for the signed version of the zone once the raw version reload
completes.  Take care not to clear it prematurely during initial zone
load.  Also make sure that DNS_ZONEFLG_LOADPENDING gets cleared when
zone_postload() encounters an error or returns early, to prevent other
scenarios from resulting in the same problem.  Add comments aiming to
help explain code flow.

[1] see RT #47076

(cherry picked from commit 5431583971)
2018-08-22 11:45:24 +02:00
Michał Kępień
8d468a4f60 Set DNS_JOURNALOPT_RESIGN when loading the secure journal for an inline-signed zone
When an inline-signed zone is loaded, the master file for its signed
version is loaded and then a rollforward of the journal for the signed
version of the zone is performed.  If DNS_JOURNALOPT_RESIGN is not set
during the latter phase, signatures loaded from the journal for the
signed version of the zone will not be scheduled for refresh.  Fix the
conditional expression determining which flags should be used for the
dns_journal_rollforward() call so that DNS_JOURNALOPT_RESIGN is set when
zone_postload() is called for the signed version of an inline-signed
zone.

Extend bin/tests/system/stop.pl so that it can use "rndc halt" instead
of "rndc stop" as the former allows master file flushing upon shutdown
to be suppressed.

(cherry picked from commit 8db550c42f)
2018-08-22 10:51:42 +02:00
Michał Kępień
367b973835 Do not treat a referral with a non-empty ANSWER section as an error
As part of resquery_response() refactoring [1], a goto statement was
replaced [2] with a call to a new function - originally called
rctx_delegation(), now folded into rctx_answer_none() - extracted from
existing code.  However, one call site of that refactored function does
not reset the "result" variable, causing a referral with a non-empty
ANSWER section to be inadvertently treated as an error, which prevents
resolution of names reliant on servers sending such responses.  Fix by
resetting the "result" variable to ISC_R_SUCCESS when a response
containing a non-empty ANSWER section can be treated as a delegation.

[1] see RT #45362

[2] see commit e1380a16741a3b4a57e54d7a9ce09dd12691522f

(cherry picked from commit 24b9ec555a)
2018-08-22 10:16:08 +02:00
Michał Kępień
a0dbee8418 Make the "inline" system test more lightweight
Each zone used in the "inline" system test contains a few dozen records.
Over a dozen of these zones are used in the test.  Most records present
in these zones are not subsequently used in the test itself, but all of
them need to be signed by the named instances launched by the test,
which puts quite a bit of strain on lower-end machines, leading to
intermittent failures of the "inline" system test.  Remove all redundant
records from the zones used in the "inline" system test in order to
stabilize it.

(cherry picked from commit 24dd865b97)
2018-08-14 10:16:30 +02:00
Michał Kępień
cb5f86d99e Queue "rndc signing -nsec3param ..." requests if needed
If "rndc signing -nsec3param ..." is ran for a zone which has not yet
been loaded or transferred (i.e. its "db" field is NULL), it will be
silently ignored by named despite rndc logging an "nsec3param request
queued" message, which is misleading.  Prevent this by keeping a
per-zone queue of NSEC3PARAM change requests which arrive before a zone
is loaded or transferred and processing that queue once the raw version
of an inline-signed zone becomes available.

(cherry picked from commit cb40c5229a)
2018-08-14 09:26:38 +02:00
Ondřej Surý
d87c1a120d Fix missing config.h in win32/socket.c and replace config.h with <config.h> 2018-08-11 04:45:37 -04:00
Ondřej Surý
884929400c Replace custom isc_boolean_t with C standard bool type
(cherry picked from commit 994e656977)
2018-08-10 11:17:51 +02:00
Ondřej Surý
d61e6a3111 Replace custom isc_u?intNN_t types with C99 u?intNN_t types
(cherry picked from commit cb6a185c69)
2018-08-09 18:30:20 +02:00
Ondřej Surý
c863a076ae Replace ISC_PRINT_QUADFORMAT with inttypes.h format constants
(cherry picked from commit 64fe6bbaf2)
2018-08-09 18:30:20 +02:00
Evan Hunt
d97001a37c caclulate nlabels and set *chainingp correctly 2018-08-08 14:24:15 -07:00
Evan Hunt
7c50ab65fc test case
(cherry picked from commit 73486c13f743407a50d5bbadde90c949a696506f)
2018-08-08 14:23:26 -07:00
Ondřej Surý
ad09426b99 Modify the rrsetorder test to cope with the rrset order randomization (only four orders are now possible)
(cherry picked from commit afddc2781e)
2018-08-06 13:03:28 +02:00
Ondřej Surý
e552ea1275 Revert "Use make automatic variables to install updated manuals"
This reverts commit 85deed805b.
2018-08-06 12:51:07 +02:00
Mark Andrews
092b739535 only check the bit map
(cherry picked from commit a94db46631)
2018-08-03 08:50:56 +10:00
Mark Andrews
3f12f4d4ec turn off ixfr-from-differences on signed instance of in-line zone
(cherry picked from commit cfccd8d246)
2018-08-02 14:27:21 +10:00
Mark Andrews
252aa79fe4 rename zone to mayberaw
(cherry picked from commit 3ea9861e7a)
2018-08-02 14:27:20 +10:00
Mark Andrews
eb506cf14e use guard values for testing unixtime serial
(cherry picked from commit abe41ba011)
2018-08-02 11:29:04 +10:00
Mark Andrews
8e12e6f7ce save SOA values
(cherry picked from commit 6b30bc73c0)
2018-08-02 11:29:04 +10:00
Mark Andrews
3d40bc4e1a test mdig '+ednsopt=:' handling
(cherry picked from commit 2e688488f7)
2018-08-02 09:42:13 +10:00
Mark Andrews
3f7a651d3a fix handling of '+ednsopt=:'; support 100 ednsopts per query rather than 100 total
(cherry picked from commit d2943440a0)
2018-08-02 09:42:09 +10:00
Petr Menšík
85deed805b Use make automatic variables to install updated manuals
Make will choose modified manual from build directory or original from source
directory automagically. Take advantage of install tool feature.
Install all files in single command instead of iterating on each of them.

(cherry picked from commit 88f913ac81)
2018-08-01 16:22:01 +10:00
Mark Andrews
ab5c03c507 named_server_servestale could leave the server in exclusive mode if a error occurs.
(cherry picked from commit c8b07932e4)
2018-07-26 22:58:03 -07:00
Michał Kępień
f4b403e8b2 Fix handling of TAT sending failures
dns_view_zonecut() may associate the dns_rdataset_t structure passed to
it even if it returns a result different then ISC_R_SUCCESS.  Not
handling this properly may cause a reference leak.  Fix by ensuring
'nameservers' is cleaned up in all relevant failure modes.

(cherry picked from commit 8666f8d28f)
2018-07-19 18:04:01 +02:00
Michał Kępień
f8ff854888 Do not replace lo0 address on Solaris
lo0 and lo0:0 are the same interface on Solaris.  Make sure
bin/tests/system/ifconfig.sh does not touch lo0:0 in order to prevent it
from changing the address of the loopback interface on Solaris.

(cherry picked from commit 618921902a)
2018-07-17 08:19:58 +02:00
Michał Kępień
e56a528c70 Do not spam console if "git status --ignored" fails during tests
The "git status" command in Git versions before 1.7.2 does not support
the "--ignored" option.  Prevent spamming the console when running
system tests from a Git repository on a host with an ancient Git version
installed.

(cherry picked from commit 2be97feb46)
2018-07-13 12:14:46 +02:00
Michał Kępień
106b56d7c9 Remove IDN subtest from the "digdelv" system test
The output of certain "dig +idnout" invocations may be locale-dependent.
Remove the "dig +idnout" subtest from the "digdelv" system test as IDN
support is already thoroughly tested by the "idna" system test.

(cherry picked from commit fd30a03f2b)
2018-07-13 12:14:46 +02:00
Michał Kępień
7fe0f00a3b Improve error handling in idn_ace_to_locale()
While idn2_to_unicode_8zlz() takes a 'flags' argument, it is ignored and
thus cannot be used to perform IDN checks on the output string.

The bug in libidn2 versions before 2.0.5 was not that a call to
idn2_to_unicode_8zlz() with certain flags set did not cause IDN checks
to be performed.  The bug was that idn2_to_unicode_8zlz() did not check
whether a conversion can be performed between UTF-8 and the current
locale's character encoding.  In other words, with libidn2 version
2.0.5+, if the current locale's character encoding is ASCII, then
idn2_to_unicode_8zlz() will fail when it is passed any Punycode string
which decodes to a non-ASCII string, even if it is a valid IDNA2008
name.

Rework idn_ace_to_locale() so that invalid IDNA2008 names are properly
and consistently detected for all libidn2 versions and locales.

Update the "idna" system test accordingly.  Add checks for processing a
server response containing Punycode which decodes to an invalid IDNA2008
name.  Fix invalid subtest description.

(cherry picked from commit b896fc4972)
2018-07-13 12:14:14 +02:00
Michał Kępień
4c7eea4437 Include conf.sh from all prereq.sh scripts
Every prereq.sh script must include bin/tests/system/conf.sh, otherwise
if some prerequisite is not met, errors about echo_i not being found
will be printed instead of actual error messages.

(cherry picked from commit cc0e8cda71)
2018-07-13 08:23:15 +02:00
Mark Andrews
9f126bac32 add test for bad dig option '+ednsopt=:' being handled gracefully
(cherry picked from commit ad86878d61)
2018-07-11 11:58:52 -07:00
Bill Parker
62d047658a check code is non NULL
(cherry picked from commit 408bcf9c07)
2018-07-11 11:58:49 -07:00
Mukund Sivaraman
d54a38d733 Add system tests for "tcp-self" update-policy
(cherry picked from commit a7e6a584ea)
2018-07-11 11:05:37 -07:00
Michał Kępień
873c091408 Send upstream TAT queries for locally served zones
Trying to resolve a trust anchor telemetry query for a locally served
zone does not cause upstream queries to be sent as the response is
determined just by consulting local data.  Work around this issue by
calling dns_view_findzonecut() first in order to determine the NS RRset
for a given domain name and then passing the zone cut found to
dns_resolver_createfetch().

Note that this change only applies to TAT queries generated by the
resolver itself, not to ones received from downstream resolvers.

(cherry picked from commit a7657dc150)
2018-07-11 08:59:29 +02:00
Michał Kępień
2e7dd0d61f Extract TAT QNAME preparation to a separate function
Extract the part of dotat() reponsible for preparing the QNAME for a TAT
query to a separate function in order to limit the number of local
variables used by each function and improve code readability.

Rename 'name' to 'origin' to better convey the purpose of that variable.
Also mark it with the const qualifier.

(cherry picked from commit 127810e512)
2018-07-11 08:59:29 +02:00
Ondřej Surý
bbd82796bd Add .gitignore for PKCS#11 test files
(cherry picked from commit 96907d636d)
2018-07-11 08:11:21 +02:00
Bill Parker
05669a987a check param_template[i].pValue is non NULL
(cherry picked from commit 8ac0152651)
2018-07-10 14:38:23 -07:00
Michał Kępień
77929046ec Do not use Net::DNS::Nameserver in the "serve-stale" system test
Net::DNS versions older than 0.67 respond to queries sent to a
Net::DNS::Nameserver even if its ReplyHandler returns undef.  This makes
the "serve-stale" system test fail as it takes advantage of the newer
behavior.  Since the latest Net::DNS version available with stock
RHEL/CentOS 6 packages is 0.65 and we officially support that operating
system, bin/tests/system/serve-stale/ans2/ans.pl should behave
consistently for various Net::DNS versions.  Ensure that by reworking it
so that it does not use Net::DNS::Nameserver.

(cherry picked from commit c4209418a5)
2018-07-10 15:15:18 +02:00
Michał Kępień
655dccf4ea Fix a Net::DNS version quirk in the "resolver" system test
Net::DNS versions older than 0.68 insert a ./ANY RR into the QUESTION
section if the latter is empty.  Since the latest Net::DNS version
available with stock RHEL/CentOS 6 packages is 0.65 and we officially
support that operating system, bin/tests/system/resolver/ans8/ans.pl
should behave consistently for various Net::DNS versions.  Ensure that
by making handleUDP() return the query ID and flags generated by
Net::DNS with 8 zero bytes appended.

(cherry picked from commit 6c3c6aea37)
2018-07-10 15:07:38 +02:00
Witold Kręcicki
e263fe91c0 Don't synthesize NXDOMAIN from NSEC for records under a DNAME
(cherry picked from commit 7f60bb39df)
2018-07-10 09:50:30 +02:00
Mark Andrews
22327b4cdf free rbuf
(cherry picked from commit ecb2f20324)
2018-07-10 14:37:52 +10:00
Tinderbox User
bbf35634c0 prep 9.12.2rc2 2018-06-28 04:42:37 +00:00
Mukund Sivaraman
ed29b84e16 return FORMERR when question section is empty if COOKIE is not present
(cherry picked from commit 06d3106002)
2018-06-26 14:36:34 -07:00
Mark Andrews
7f31e67c16 CHANGES, copyright
(cherry picked from commit f7d346357e)
2018-06-26 09:04:48 -07:00
Mark Andrews
665f9093d2 construct a symtab of valid in-view targets then check that the target exists
(cherry picked from commit e01a4bcb20)
2018-06-26 09:03:47 -07:00
Michał Kępień
8c66f32e53 Only request permitted capabilities in non-libcap builds
While libcap-enabled builds check whether any capability named requests
is within the permitted capability set, non-libcap builds just try
requesting them, which potentially causes a misleading error message to
be output ("Operation not permitted: please ensure that the capset
kernel module is loaded").  Ensure non-libcap builds also check whether
any requested capability is within the permitted capability set.
2018-06-26 13:18:00 +02:00