Now that the keymgr tracks the maximum TTL used in a zone, we no longer
need an artifical value when calculating key rollover timings. The
max-zone-ttl value can be set to 0 (unlimited) by default.
This means that the built-in "default" and "insecure" can now be used
on zones that have TTL values higher than 1 day (and no longer fail
to load the zone).
You can still set the max-zone-ttl value to ensure that the loaded
zone does not have a too high TTL (causing the zone fail to load, and
to limit the TTL on incoming updates).
Add test cases checking that the zone's maximum TTL is increased when
a higher TTL is encountered (when reading the zone, or when accepting
an update).
Reuse template2.db.in for the dynamic-inline.kasp test cases. To do
so, the SOA serial needs to be high enough to be accepted.
Update the kasp and keymgr2kasp system test to use TTLsig in the key
timing calculations, deriving it from the expected MAX_TTL.
Since the TTL used in most zones is much lower than kasp's
max-zone-ttl, most expected key timing metadata needs to be adjusted
as well.
Add code that can set the TTL to be used when doing key rollovers. We
should keep track of the maximum TTL that was used, with a heap. If
we load a zone with a lower maximum TTL, set an expire time on the
higher values.
The server was previously tolerant of out-of-date or otherwise bad
DNS SERVER COOKIES that where well formed unless require-cookie was
set. BADCOOKIE is now return for these conditions.
When a zone database update callback is called, the 'catzs' object,
extracted from the callback argument, might be already shutting down,
in which case the 'catzs->zones' can be NULL and cause an assertion
failure when calling isc_ht_find().
Add an early return from the callback if 'catzs->shuttingdown' is true.
Also check the validity of 'catzs->zones' after locking 'catzs' in
case there is a race with dns_catz_shutdown_catzs() running in another
thread.
Add this test scenario for a bug fixed a while ago. When a third key is
introduced while the previous rollover hasn't finished yet, the keymgr
could decide to remove the first two keys, because it was not checking
for an indirect dependency on the keys.
In other words, the previous bug behavior was that the first two keys
were removed from the zone too soon.
This test case checks that all three keys stay in the zone, and no keys
are removed premature after another new key has been introduced.
In the kasp script, if one expected key is not found, continue checking
the other key ids, even if there is no match for the first one. This
provides a bit more information which keys mismatch and makes for
easier debugging test failures.
in the past there was overlap between the fields used
as resolver fetch options and ADB addrinfo flags. this has
mostly been eliminated; now we can clean up the rest of
it and remove some confusing comments.
Pass 5 second timeout to the rndc status command(s) to avoid hitting the
hard 10 second timeout from subprocess.call, which would result in an
unwanted exception that would only mask the real issue: if the rndc
status times out in this test, it is likely due to the server not
stopping as it should.
The shutdown test attempts to shut down the server using two different
methods - rndc and sigterm. Use pytest.mark.parametrize to run these as
separate test cases for easier identification of failures.
fctx counters could be accessed without locking when
"rndc fetchlimit" is called; while this is probably harmless
in production, it triggered TSAN reports in system tests.
make the code flow clearer by enumerating the result codes that
are treated as success conditions for an intermediate minimized
query (ISC_R_SUCCESS, DNS_R_DELEGATION, DNS_R_NXRRSET, etc), rather
than just folding them all into the 'default' branch of a switch
statement.
Surround the variables which are checked whether they're executable in
double quotes. Without them, empty paths won't be properly interpreted
as not executable.
Since delv can occasionally hang in system tests when running with TSAN
(see GL#4119), disable these tests as a workaround. Otherwise, the hung
delv process will just waste CI resources and prevent any meaningful
output from the rest of the test suite.
tsig-keygen is now used to generate key files for TSIG. These have
a different format to those that were generated by dnssec-keygen.
Test that dig can still read these files.
tsig-keygen generates key files that are different to those that
where generated by dnssec-keygen. Check that nsupdate can still
read those old format files.