Commit Graph

3840 Commits

Author SHA1 Message Date
Evan Hunt
7de12aaa34 add a search for GeoIP2 libraries in configure
- "--with-geoip" is used to enable the legacy GeoIP library.
- "--with-geoip2" is used to enable the new GeoIP2 library
  (libmaxminddb), and is on by default if the library is found.
- using both "--with-geoip" and "--with-geoip2" at the same time
  is an error.
- an attempt is made to determine the default GeoIP2 database path at
  compile time if pkg-config is able to report the module prefix. if
  this fails, it will be necessary to set the path in named.conf with
  geoip-directory
- Makefiles have been updated, and a stub lib/dns/geoip2.c has been
  added for the eventual GeoIP2 search implementation.

(cherry picked from commit fea6b5bf10)
(cherry picked from commit 6a7e805796)
2019-07-02 12:28:14 -07:00
Michał Kępień
621f8aa90a Add and use keyfile_to_key_id() helper function
When trying to extract the key ID from a key file name, some test code
incorrectly attempts to strip all leading zeros.  This breaks tests when
keys with ID 0 are generated.  Add a new helper shell function,
keyfile_to_key_id(), which properly handles keys with ID 0 and use it in
test code whenever a key ID needs to be extracted from a key file name.

(cherry picked from commit 7d6eaad1bd)
2019-06-28 14:09:36 +02:00
Michał Kępień
511f3c3601 dnstap-read: clear buffer before expanding it
When printing a packet, dnstap-read checks whether its text form takes
up more than the 2048 bytes allocated for the output buffer by default.
If that is the case, the output buffer is automatically expanded, but
the truncated output is left in the buffer, resulting in malformed data
being printed.  Clear the output buffer before expanding it to prevent
this issue from occurring.

(cherry picked from commit 3549abe81d)
2019-06-28 12:45:44 +02:00
Mark Andrews
53543c1ecc check xsl vs xml
(cherry picked from commit d5c795942f)
2019-06-27 13:40:52 +10:00
Evan Hunt
f608f9335d x 2019-06-26 09:38:59 -07:00
Evan Hunt
2fd9e88405 add system test to confirm glue is returned in priming queries
(cherry picked from commit 9a1f0ea873)
2019-06-26 09:27:26 -07:00
Evan Hunt
59dc713fc3 add a test that reloading errors are not ignored
(cherry picked from commit e48b3f1a00)
2019-06-26 08:56:14 -07:00
Michał Kępień
d48ba3ce12 Prevent "idna" test failures with libidn2 2.2.0+
libidn2 2.2.0+ parses Punycode more strictly than older versions and
thus "dig +idnin +noidnout xn--19g" fails with libidn2 2.2.0+ but
succeeds with older versions.

We could preserve the old behavior by using the IDN2_NO_ALABEL_ROUNDTRIP
flag available in libidn2 2.2.0+, but:

  - this change in behavior is considered a libidn2 bug fix [1],
  - we want to make sure dig behaves as expected, not libidn2,
  - implementing that would require additional configure.ac cruft.

Removing the problematic check appears to be the simplest solution as it
does not prevent the relevant block of checks in the "idna" system test
from achieving its purpose, i.e. ensuring dig properly handles invalid
U-labels.

[1] see upstream commit 241e8f486134793cb0f4a5b0e5817a97883401f5

(cherry picked from commit 60ce0ed411)
2019-06-26 14:41:10 +02:00
Mark Andrews
8802a3a901 wait for zones to load
(cherry picked from commit b62e6418b5)
2019-06-24 14:19:05 +10:00
Michał Kępień
29e31a6858 Always fail a system test if crashes are detected
In certain situations (e.g. a named instance crashing upon shutdown in a
system test which involves shutting down a server and restarting it
afterwards), a system test may succeed despite a named crash being
triggered.  This must never be the case.  Extend run.sh to mark a test
as failed if core dumps or log lines indicating assertion failures are
detected (the latter is only an extra measure aimed at test environments
in which core dumps are not generated; note that some types of crashes,
e.g. segmentation faults, will not be detected using this method alone).

(cherry picked from commit 7706f22924)
2019-06-18 09:26:40 +02:00
Michał Kępień
6c8546edc6 Fix key ID processing
If ns1/setup.sh generates a key with ID 0, the "KEYID" token in
ns1/named.conf.in will be replaced with an empty string, causing the
following broken statement to appear in ns1/named.conf:

    tkey-dhkey "server" ;

Such a statement triggers false positives for the "tkey" system test due
to ns1 being unable to start with a broken configuration file.  Fix by
tweaking the regular expression used for removing leading zeros from the
key ID, so that it removes at most 4 leading zeros.

(cherry picked from commit 0b7b1161c2)
2019-06-17 14:16:20 +02:00
Witold Kręcicki
171db1a22d Address GCC 8.3 -O3 compilation warning
Compiling with -O3 triggers the following warning with GCC 8.3:

    driver.c: In function ‘dlz_findzonedb’:
    driver.c:198:29: warning: ‘%u’ directive output may be truncated writing between 1 and 5 bytes into a region of size between 0 and 99 [-Wformat-truncation=]
      snprintf(buffer, size, "%s#%u", addr_buf, port);
                                 ^~
    driver.c:198:25: note: directive argument in the range [0, 65535]
      snprintf(buffer, size, "%s#%u", addr_buf, port);
                             ^~~~~~~
    driver.c:198:2: note: ‘snprintf’ output between 3 and 106 bytes into a destination of size 100
      snprintf(buffer, size, "%s#%u", addr_buf, port);
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Increase the size of the relevant array to prevent this warning from
being triggered.

(cherry picked from commit 44e6bb8b93)
2019-06-11 10:19:22 +02:00
Mark Andrews
174b6be987 capture named-checkconf output
(cherry picked from commit 36dd373ab4)
2019-06-06 18:48:57 +10:00
Michał Kępień
ed45b53cb7 Backport missing "legacy" system test checks
Backport "legacy" system test checks which are present in master and
v9_14 branches, but missing in the v9_11 branch, in order to improve the
consistency of this test across all maintained branches.  Note that the
"ednsnotimp" check is expected to succeed with 9.11 whereas it is
expected to fail with 9.14 and later versions.
2019-05-31 12:43:31 +02:00
Mark Andrews
ac4d3e8496 test Ed448 against test vectors
(cherry picked from commit 20f2d9b41b)
2019-05-30 23:06:09 +10:00
Michał Kępień
9016f78a0f Optimize dig parameters to decrease test run time
Performing server setup checks using "+tries=3 +time=5" is redundant as
a single query is arguably good enough for determining whether a given
named instance was set up properly.  Only use multiple queries with a
long timeout for resolution checks in the "legacy" system test, in order
to significantly reduce its run time (on a contemporary machine, from
about 1m45s to 0m40s).

(cherry picked from commit 47b850348c)
2019-05-29 11:11:49 +02:00
Michał Kępień
2cd5954745 Make "plain" server setup checks more similar
Send a test TCP query to the "plain" server during its setup check to
improve its consistency with the setup check for the "plain + no TCP"
server.

(cherry picked from commit bb939a03ff)
2019-05-29 11:11:46 +02:00
Michał Kępień
45d2833684 Add more EDNS checks for dig output files
In the "legacy" system test, in order to make server setup checks more
consistent with each other, add further checks for either presence or
absence of the EDNS OPT pseudo-RR in the responses returned by the
tested named instances.

(cherry picked from commit 56ed1275c6)
2019-05-29 11:11:43 +02:00
Michał Kępień
c7f5ba42f8 Do not ignore dig exit codes
Make sure the "legacy" system test fails if any exit code returned by
dig does not match the expected one.

(cherry picked from commit 4dea5cb799)
2019-05-29 11:11:40 +02:00
Michał Kępień
abbe8c9649 Use helper functions for checking resolution
Extract repeated dig and grep calls into two helper shell functions,
resolution_succeeds() and resolution_fails(), in order to reduce code
duplication in the "legacy" system test, emphasize the similarity
between all the resolution checks in that test, and make the conditions
for success and failure uniform for all resolution checks in that test.

(cherry picked from commit effd16ab25)
2019-05-29 11:11:37 +02:00
Michał Kępień
35cccf0729 Use +dnssec instead of separate TXT records
When testing named instances which are configured to drop outgoing UDP
responses larger than 512 bytes, querying with DO=1 may be used instead
of querying for large TXT records as the effect achieved will be
identical: an unsigned response for a SOA query will be below 512 bytes
in size while a signed response for the same query will be over 512
bytes in size.  Doing this makes all resolution checks in the "legacy"
system test more similar.  Add checks for the TC flag being set in UDP
responses which are expected to be truncated to further make sure that
tested named instances behave as expected.

(cherry picked from commit aaf81ca6ef)
2019-05-29 11:11:31 +02:00
Michał Kępień
551f796313 Fix the name of the file to inspect
One of the checks in the "legacy" system test inspects dig.out.1.test$n
instead of dig.out.2.test$n.  Fix the file name used in that check.

(cherry picked from commit 3e7fa15ca3)
2019-05-29 11:11:25 +02:00
Michał Kępień
fdc84ea63e Ensure queries expected to time out really do
Make sure that the "legacy" system test fails if queries which are
expected to time out do not really time out.

(cherry picked from commit 6283c1cc7e)
2019-05-29 11:11:21 +02:00
Michał Kępień
5094902487 Properly test servers with TCP support disabled
Sending TCP queries to test named instances with TCP support disabled
should cause dig output to contain the phrase "connection refused", not
"connection timed out", as such instances never open the relevant
sockets.  Make sure that the "legacy" system test fails if the expected
phrase is not found in any of the relevant files containing dig output.

(cherry picked from commit 9491616e5c)
2019-05-29 11:11:03 +02:00
Evan Hunt
3b122f8d33 fix missing test counter 2019-05-18 21:14:33 -07:00
Witold Kręcicki
71d3823dab Remove UNSPEC rrtype
(cherry picked from commit a8e2ca6f7d)
2019-05-13 10:54:10 +07:00
Michał Kępień
f04f107b7e Make NTAs work with validating forwarders
If named is configured to perform DNSSEC validation and also forwards
all queries ("forward only;") to validating resolvers, negative trust
anchors do not work properly because the CD bit is not set in queries
sent to the forwarders.  As a result, instead of retrieving bogus DNSSEC
material and making validation decisions based on its configuration,
named is only receiving SERVFAIL responses to queries for bogus data.
Fix by ensuring the CD bit is always set in queries sent to forwarders
if the query name is covered by an NTA.

(cherry picked from commit 5e80488270)
2019-05-09 21:05:50 -07:00
Mark Andrews
10c53d2873 Recognise EDNS Client Tag and EDNS Server Tag
(cherry picked from commit ee7cf180b3)
2019-05-09 18:24:57 +10:00
Evan Hunt
722d0f57ed warn about the use of trusted-keys and managed-keys for the same name 2019-05-08 23:02:42 -07:00
Mark Andrews
d72f659a35 add test for 'provide-ixfr no;' ; add forensics support
(cherry picked from commit d547465af5)
2019-05-07 14:34:00 +10:00
Evan Hunt
50dfe1aa2b enable parallel system tests on windows
this moves the creation of "parallel.mk" into a separate shell script
instead of bin/tests/system/Makefile. that shell script can now be
executed by runall.sh, allowing us to make use of the cygwin "make"
command, which supports parallel execution.

(cherry picked from commit bbae24c140)
2019-05-06 18:38:34 -07:00
Evan Hunt
111c692efd RPZ test had spurious references to DNSRPS, which isn't in 9.11 2019-05-06 18:05:49 -07:00
Mark Andrews
c26a421aab check that delv -t any works
(cherry picked from commit 6999bee7ef)
2019-05-07 10:34:30 +10:00
Michał Kępień
72c7bc03c9 Simplify trailing period handling in system tests
Windows systems do not allow a trailing period in file names while Unix
systems do.  When BIND system tests are run, the $TP environment
variable is set to an empty string on Windows systems and to "." on Unix
systems.  This environment variable is then used by system test scripts
for handling this discrepancy properly.

In multiple system test scripts, a variable holding a zone name is set
to a string with a trailing period while the names of the zone's
corresponding dlvset-* and/or dsset-* files are determined using
numerous sed invocations like the following one:

    dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"

In order to improve code readability, use zone names without trailing
periods and replace sed invocations with variable substitutions.

To retain local consistency, also remove the trailing period from
certain other zone names used in system tests that are not subsequently
processed using sed.

(cherry picked from commit da2c1b74ad)
2019-04-26 20:50:55 +02:00
Matthijs Mekking
3c9a7ffac8 Wait for correct log message in dnssec/tests.sh
In 9.11 there are some log messages not existing, but the tests
rely on.  Adjust the grep call that gives confidence the rollover
step has occurred.
2019-04-24 09:41:22 +02:00
Matthijs Mekking
9c77cd8306 Harden grep key ID calls
Key IDs may accidentally match dig output that is not the key ID (for
example the RRSIG inception or expiration time, the query ID, ...).
Search for key ID + signer name should prevent that, as that is what
only should occur in the RRSIG record, and signer name always follows
the key ID.

(cherry picked from commit 83473b9758)
2019-04-24 09:41:22 +02:00
Matthijs Mekking
d8de28610d Remove sleeps
Remove sleep calls from test, rely on wait_for_log().  Make
wait_for_log() and dnssec_loadkeys_on() fail the test if the
appropriate log line is not found.

Slightly adjust the echo_i() lines to print only the key ID (not the
key name).

(cherry picked from commit 67f0635f3c)
2019-04-24 09:41:22 +02:00
Michał Kępień
4e2cc911d2 Wait more than 1 second for NSEC3 chain changes
One second may not be enough for an NSEC3 chain change triggered by an
UPDATE message to complete.  Wait up to 10 seconds when checking whether
a given NSEC3 chain change is complete in the "nsupdate" system test.

(cherry picked from commit f8746cddbc)
2019-04-23 14:59:30 +02:00
Michał Kępień
5d8147fa70 Remove redundant sleeps
In the "nsupdate" system test, do not sleep before checking results of
changes which are expected to be processed synchronously, i.e. before
nsupdate returns.

(cherry picked from commit 1c8e5ea333)
2019-04-23 14:59:29 +02:00
Michał Kępień
f78f6439b7 Update interface lists in ifconfig scripts
Make bin/tests/system/ifconfig.bat also configure addresses ending with
9 and 10, so that the script is in sync with its Unix counterpart.

Update comments listing the interfaces created by ifconfig.{bat,sh} so
that they do not include addresses whose last octet is zero (since an
address like 10.53.1.0/24 is not a valid host address and thus the
aforementioned scripts do not even attempt configuring them).

(cherry picked from commit b6c1cdfffe)
2019-04-19 11:30:32 +02:00
Michał Kępień
4f992ab35f Fix the "dnssec" system test on Windows
On Windows, the bin/tests/system/dnssec/signer/example.db.signed file
contains carriage return characters at the end of each line.  Remove
them before passing the aforementioned file to the awk script extracting
key IDs so that the latter can work properly.

(cherry picked from commit e4280ed9f5)
2019-04-19 11:30:27 +02:00
Michał Kępień
d9688b58c8 Do not wait for lock file cleanup on Windows
As signals are currently not handled by named on Windows, instances
terminated using signals are not able to perform a clean shutdown, which
involves e.g. removing the lock file.  Thus, waiting for a given
instance's lock file to be removed beforing assuming it is shut down
is pointless on Windows, so do not even attempt it.

(cherry picked from commit 761ba4514f)
2019-04-19 11:29:44 +02:00
Matthijs Mekking
93f33cdd0f Add documentation
(cherry picked from commit a67dac5d21)
2019-04-19 08:45:12 +02:00
Matthijs Mekking
d07f643557 DLV tests unsupported/disabled algorithms
This tests both the cases when the DLV trust anchor is of an
unsupported or disabled algorithm, as well as if the DLV zone
contains a key with an unsupported or disabled algorithm.

(cherry picked from commit 3b7c849a3f)
2019-04-19 08:45:12 +02:00
Matthijs Mekking
a97061c939 Ignore unsupported trust anchors
(cherry picked from commit 1d45ad8f39)

Some adaptations were made to make the code compile and tests pass.
2019-04-19 08:45:12 +02:00
Matthijs Mekking
469ef284b3 Add inline test related to unsupported algorithms
(cherry picked from commit 924fdad0e5)
2019-04-18 15:12:04 +02:00
Matthijs Mekking
8cef3952b6 System tests for tools and unsupported algorithms
(cherry picked from commit dfcf9bb0ed)
2019-04-18 15:12:04 +02:00
Matthijs Mekking
ce3d35d950 Fix dnssec test
The following changes were needed:

* Remove dnskey-sig-validity option (added in 9.12)
* Replace rndccmd, dig_with_opts with export variables
* Remove tests for CDNSKEY and CDS (in 9.11 always signed with ZSK)
2019-04-12 15:57:31 +02:00
Matthijs Mekking
c5e1bfc6f9 Fix copyrights 2019-04-12 15:57:31 +02:00
Matthijs Mekking
944c2b5a74 Add detail on echo message in autosign test
(cherry picked from commit d330986374)
(cherry picked from commit d281d9ae99985772db13fb3dce0c0e7e2fb5f5b8)
2019-04-12 15:57:15 +02:00