Commit Graph

6347 Commits

Author SHA1 Message Date
Ondřej Surý
8229d9cdfa Print the expiration time of the stale records (not ancient)
In #1870, the expiration time of ANCIENT records were printed, but
actually the ancient records are very short lived, and the information
carries a little value.

Instead of printing the expiration of ANCIENT records, print the
expiration time of STALE records.

(cherry picked from commit 355fc48472)
2025-02-04 18:07:59 +01:00
Michal Nowak
fb7d78a258 Rewrite stub system test to pytest
(cherry picked from commit 1069eb1969)
2025-02-04 13:24:54 +00:00
Michal Nowak
1047797100 Add isctest.check.notauth()
(cherry picked from commit b19fb37080)
2025-02-04 13:24:54 +00:00
Nicki Křížek
b5ecd7416c Allow to use an arbitrary numeric identifier for NamedInstance
In some cases, the numeric identifier doesn't correspond to the
directory name (i.e. `resolver` server in `shutdown` test, which is
supposed to be 10.53.0.3). These are typically servers that shouldn't be
auto-started by the runner, thus avoiding the typical `*ns<X>` name.

Support these server by allowing a fallback initialization with custom
numeric identifier in case it can't be parsed from the directory name.

(cherry picked from commit a24f71bae4)
2025-02-04 13:24:54 +00:00
Nicki Křížek
0e412834e9 Add start/stop wrappers to control NamedInstance
The start()/stop() functions can be used in the pytests in the same way
as start_server and stop_server functions were used in shell tests. Note
that the servers obtained through the servers fixture are still started
and stopped by the test runner at the start and end of the test. This
makes these functions mostly useful for restarting the server(s)
mid-test.

(cherry picked from commit 37699ad84b)
2025-02-04 13:24:54 +00:00
Nicki Křížek
184160ac36 Move shell and perl util functions to isctest.run
Previously, these functions have been provided as fixtures. This was
limiting re-use, because it wasn't possible to call these outside of
tests / other fixtures without passing these utility functions around.
Move them into isctest.run package instead.

(cherry picked from commit b6d645410c)
2025-02-04 13:24:54 +00:00
Mark Andrews
2a8bf4f6bb Fix gratuitious DNS protocol errors in the ANS servers
The ANS servers were not to written to handle NS queries at the
QNAME resulting in gratuitious protocol errors that will break tests
when NS requests are made for the QNAME.

(cherry picked from commit 0680eb6f64)
2025-02-04 02:37:34 +00:00
Ondřej Surý
b32512a232 In cache, set rdataset TTL to 0 when the header is not active
When the header has been marked as ANCIENT, but the ttl hasn't been
reset (this happens in couple of places), the rdataset TTL would be
set to the header timestamp instead to a reasonable TTL value.

Since this header has been already expired (ANCIENT is set), set the
rdataset TTL to 0 and don't reuse this field to print the expiration
time when dumping the cache.  Instead of printing the time, we now
just print 'expired (awaiting cleanup'.

(cherry picked from commit 1bbb57f81b)
2025-02-03 15:53:34 +01:00
Evan Hunt
1e818d368f fix the cache findzonecut implementation
the search for the deepest known zone cut in the cache could
improperly reject a node containing stale data, even if the
NS rdataset wasn't the data that was stale.

this change also improves the efficiency of the search by
stopping it when both NS and RRSIG(NS) have been found.

(cherry picked from commit 1f095b902c)
2025-02-02 20:01:52 +01:00
Colin Vidal
588924bbb5 update serve-stale test to support EDE 22
When EDE 3 (stale answer) was added the serve-stale tests were checking
for those exclusively, i.e. grepping for no "EDE" in the dig output when
no stale answer was expected.

However, some stale tests disable stale answers and make the
authoritative server unresponsive, effectively triggering a timed out
request thus an EDE 22. Update those tests so they still tests the
absence of EDE 3 error, but also the presence of EDE 22.

(cherry picked from commit 27f3b8950a)
2025-01-30 14:43:25 +00:00
Colin Vidal
edd6f0eb35 add new EDE 22 system tests
This re-do a previously existing EDE 22 system test as well as add
another one making sure the timed out flow detection works also on UDP
when the resolver is contacting the authoritative server. (the existing
test was using TCP to contact the authoritative servers).

(cherry picked from commit 7cb8a028fe)
2025-01-30 14:43:25 +00:00
Colin Vidal
b03cedc754 fix DNSSEC EDE system tests on FIPS platform
Changes !9948 introducing the support of extended DNS error code 1 and 2
uses SHA-1 digest for some tests which break FIPS platform. The digest
itself was irrelevant, another digest is used.

(cherry picked from commit d82262d293)
2025-01-30 13:32:38 +00:00
Andoni Duarte Pintado
2d0323e006 Merge tag 'v9.20.5' into bind-9.20 2025-01-29 17:21:44 +01:00
Colin Vidal
b61e1a5bcf add DNSSEC EDE test for unsupported digest and alg
A DNSSEC validation can fail in the case where multiple DNSKEY are
available for a zone and none of them are supported, but for different
reasons: one has a DS record in the parent zone using an unsupported
digest while the other one uses an unsupported encryption algorithm.

Add a specific test case covering this flow and making sure that two
extended DNS error are provided: code 1 and 2, each of them highlighting
unsupported algorithm and digest.

(cherry picked from commit 244923b9dc)
2025-01-24 14:27:17 +01:00
Colin Vidal
e133411451 tests for support for EDE 1 & 2
(cherry picked from commit 8b50d63fe1)
2025-01-24 14:27:17 +01:00
Michal Nowak
d2c8694930 Rename have_* marks to with_*
Marks starting with "with" or "without" make more sense linguistically
than those starting with "have" or "have_not".

(cherry picked from commit df7e9f4ac3)
2025-01-24 08:56:36 +00:00
Nicki Křížek
e7a469133c Test cipher-suites after zone transfers complete
Ensure the zone transfers have completed (successfully or not) before
running the test cases, because they assume zone transfers have been
done.

(cherry picked from commit 23fb615963)
2025-01-24 08:56:36 +00:00
Nicki Křížek
2eb5ce24fb Make servers fixture in pytest module-wide
The servers are setup and torn down once per each test module. All the
logs and server state persists between individual tests within the same
module. The servers fixture representing these servers should be
module-wide as well.

(cherry picked from commit a72ff9fd57)
2025-01-24 08:56:36 +00:00
Michal Nowak
f3f7667fc7 Rewrite cipher-suites system test to pytest
The minimal required dnspython version is 2.5.0 because of the need for
the "verify" argument in dns.query.tls().

(cherry picked from commit 100b759863)
2025-01-24 08:56:36 +00:00
Michal Nowak
9f356962ec Add isctest.query.tls() function
When explicitly set to True, the "verify" argument lets dnspython verify
certificates used for the connection. As most certificates in the system
test will inevitably be self-signed, the "verify" argument defaults to
False.

The "verify" argument is present in dnspython since the version 2.5.0.

(cherry picked from commit df8c419058)
2025-01-24 08:56:36 +00:00
Michal Nowak
1a4fb0550b Add "without_fips" mark
The "without_fips" mark disables test function when BIND 9 was built
with the FIPS mode enabled as not everything works in FIPS-enabled
builds.

(cherry picked from commit feecbd8e77)
2025-01-24 08:56:36 +00:00
Matthijs Mekking
9d6302b32c dnssec-signzone retain signature if key is offline
Track inside the dns_dnsseckey structure whether we have seen the
private key, or if this key only has a public key file.

If the key only has a public key file, or a DNSKEY reference in the
zone, mark the key 'pubkey'. In dnssec-signzone, if the key only
has a public key available, consider the key to be offline. Any
signatures that should be refreshed for which the key is not available,
retain the signature.

So in the code, 'expired' becomes 'refresh', and the new 'expired'
is only used to determine whether we need to keep the signature if
the corresponding key is not available (retaining the signature if
it is not expired).

In the 'keysthatsigned' function, we can remove:
  -	key->force_publish = false;
  -	key->force_sign = false;

because they are redundant ('dns_dnsseckey_create' already sets these
values to false).

(cherry picked from commit 5e3aef364f)
2025-01-23 14:04:03 +00:00
Matthijs Mekking
cf73c9b1a9 Test dnssec-signzone with private key file missing
Add a test case for the scenario below.

There is a case when signing a zone with dnssec-signzone where the
private key file is moved outside the key directory (for offline
ksk purposes), and then the zone is resigned. The signature of the
DNSKEY needs refreshing, but is not expired.

Rather than removing the signature without having a valid replacement,
leave the signature in the zone (despite it needs to be refreshed).

(cherry picked from commit 0a91321d78)
2025-01-23 14:04:03 +00:00
Mark Andrews
2225f96251 Check delv +yaml negative response output
(cherry picked from commit 9c04640def)
2025-01-22 23:58:49 +00:00
Ondřej Surý
1b531c17a5 Limit the additional processing for large RDATA sets
When answering queries, don't add data to the additional section if
the answer has more than 13 names in the RDATA.  This limits the
number of lookups into the database(s) during a single client query,
reducing query processing load.

Also, don't append any additional data to type=ANY queries. The
answer to ANY is already big enough.

(cherry picked from commit a1982cf1bb)
2025-01-15 13:57:27 +01:00
Ondřej Surý
e7d4e27337 Isolate using the -T noaa flag only for part of the resolver test
Instead of running the whole resolver/ns4 server with -T noaa flag,
use it only for the part where it is actually needed.  The -T noaa
could interfere with other parts of the test because the answers don't
have the authoritative-answer bit set, and we could have false
positives (or false negatives) in the test because the authoritative
server doesn't follow the DNS protocol for all the tests in the resolver
system test.

(cherry picked from commit e51d4d3b88)
2025-01-15 13:57:16 +01:00
Matthijs Mekking
8c9d31edaf Revert "Test that the correct NSEC3 closest encloser is returned"
This reverts commit fd2f1bdf02.
2025-01-13 11:42:26 +01:00
Mark Andrews
40af61428e Adjust number of zones to those in FIPS mode
(cherry picked from commit 17804f5154)
2025-01-02 15:35:39 +00:00
Artem Boldariev
4f8ade0e1e TLS SNI - add low level support for SNI to the networking code
This commit adds support for setting SNI hostnames in outgoing
connections over TLS.

Most of the changes are related to either adapting the code to accept
and extra argument in *connect() functions and a couple of changes to
the TLS Stream to actually make use of the new SNI hostname
information.

(cherry picked from commit 6691a1530d)
2024-12-26 18:31:03 +02:00
Matthijs Mekking
aa744b5dd9 Add primaries, parental-agents as synonyms
Add back the top blocks 'parental-agents', 'primaries', and 'masters'
to the configuration. Do not document them as so many names for the
same clause is confusing.

This has a slight negative side effect that a top block 'primaries'
can be referred to with a zone statement 'parental-agents' for example,
but that shouldn't be a big issue.

(cherry picked from commit 1b2eadb197)
2024-12-13 11:23:03 +01:00
Matthijs Mekking
4555a31934 Unify parental-agents, primaries to remote-servers
Having zone statements that are also top blocks is confusing, and if
we want to add more in the future (which I suspect will be for
generalized notifications, multi-signer), we need to duplicate a lot
of code.

Remove top blocks 'parental-agents' and 'primaries' and just have one
top block 'remote-servers' that you can refer to with zone statements.

(cherry picked from commit b121f02eac)
2024-12-13 10:39:25 +01:00
Mark Andrews
e8ef8eddb8 Fix startup notify rate test
The terminating conditions for the startup notify test would
occasionally get ~20 records or get +10 seconds of records due to
a bad terminating condition.  Additionally 20 samples lead to test
failures.  Fix the terminating condition to use the correct conditional
(-eq -> -ge) and increase the minimum number of log entries to
average over to 40.

(cherry picked from commit 46388d07a2)
2024-12-13 00:07:52 +00:00
Michal Nowak
1bff2cd49c Wait for "all zones loaded" after rndc reload in "database" test
After the rndc reload command finished, we might have queried the
database zone sooner than it was reloaded because rndc reloads zones
asynchronously if no specific zone was provided. We should wait for "all
zones loaded" in the ns1 log to be sure.

(cherry picked from commit 0bdd03db66)
2024-12-12 12:09:30 +00:00
Michal Nowak
945dbad5ed Add rr-related common test artifacts
(cherry picked from commit c607237b77)
2024-12-11 00:38:56 +00:00
Mark Andrews
4bc7d505e8 Use a different burst name to identify test queries
This allows easier identification of which burst is which in
named.run.

(cherry picked from commit e02d66b279)
2024-12-10 21:55:31 +00:00
Colin Vidal
32f5b69703 Add none parameter to query-source and query-source-v6 to disable IPv4 or IPv6 upstream queries
Add a none parameter to named configuration option `query-source` (respectively `query-source-v6`) which forbid usage of IPv4 (respectively IPv6) addresses when named is doing an upstream query.

Closes #4981 Turning-off upstream IPv6 queries while still listening to downstream queries on IPv6.

Merge branch 'colin/querysource-none' into 'main'

See merge request isc-projects/bind9!9727

Backport of MR !9727

Some changes had to be done to the existing 9.20.x code in order to
make this backport compatible:

- first, the 9.20.x branches support the `port` parameter in
  query-source[-v6], where 9.21.x does not. The original changes
  depend on things that can't be backported because that would break
  `port` support.

- second, the changes remove the optional `address` parameter from the
  canonical form. So `query-source address <ip>` is now printed as
  `query-source <ip>`. This means that `named-checkconf -p` will now
  generate different output if users have `query-source address <ip>` or
  `query-source address <ip> port <port>`; it will now generate
  `query-source <ip>` or `query-source <ip> port <port>`. This is a
  non-breaking change, because the parser has been updated to support
  this form as well.
2024-12-10 11:58:20 +01:00
Mark Andrews
6177eb8c5b Fix static stub subtest description
(cherry picked from commit f173a01454)
2024-12-10 03:16:33 +00:00
Artem Boldariev
17dd30ec52 Use FIPS compatible DH-param files
When the tests were added, the files were generated without FIPS
compatibility in mind. That made the tests fail on recent OpenSSL
versions in FIPS mode.

So, the files were regenerated on a FIPS compliant system using the
following stanza:

$ openssl dhparam -out <file> 3072

Apparently, the old files are not valid for FIPS starting with OpneSSL
3.1.X release series as "FIPS 140-3 compliance changes" are mentioned
in the changelog:

https://openssl-library.org/news/openssl-3.1-notes/
(cherry picked from commit 384c92880e)
2024-12-09 12:00:49 +00:00
Evan Hunt
f7d67710e2 preserve cache across reload when using attach-cache
when the attach-cache option is used in the options block
with an arbitrary name, it causes all views to use the same
cache. however, previously, this could cause the cache to be
deleted and a new cache created every time the server was
reconfigured. this did *not* occur when attach-cache was
used at the view level to refer back to another view's cache.

in this commit we correct the problem by checking for
pre-existing caches during reconfiguration, and moving
them from the old server cache list to the new cache list
before cleaning up and freeing the old cache list.

(cherry picked from commit f3af8a7dc3)
2024-12-06 18:19:54 -08:00
Matthijs Mekking
cc004b2b8f Add test case for nsupdate hangs on large update
This test case hangs, despite the update being performed on the
name server.

(cherry picked from commit 3adabb4f89)
2024-12-06 08:31:19 +00:00
Michal Nowak
dffcf1226c Use os.getenv() instead of os.environ
If ECDSAP256SHA256_SUPPORTED or ECDSAP384SHA384_SUPPORTED variables were
not present in the environment, os.environ would raise KeyError that is
not being handled in the decorator. Use os.getenv() instead.

(cherry picked from commit 1a5683b638)
2024-12-06 07:06:31 +00:00
Michal Nowak
85176a62ca Fix skipif decorators' conditions
The ECDSA256 and ECDSA384 check conditions were switched.

(cherry picked from commit 2a7b8d9795)
2024-12-06 07:06:31 +00:00
Matthijs Mekking
1d7ddb5ec4 Add a CAMP test case
This adds a new test directory specifically for CAMP attacks. This first
test in this test directory follows multiple CNAME chains, restarting
the max-recursion-queries counter, but should bail when the global
maximum quota max-query-count is reached.

(cherry picked from commit 73eafaba14)
2024-12-06 06:20:33 +00:00
Matthijs Mekking
c233bb9de0 Implement 'max-query-count'
Add another option to configure how many outgoing queries per
client request is allowed. The existing 'max-recursion-queries' is
per restart, this one is a global limit.

(cherry picked from commit bbc16cc8e6)
2024-12-06 06:20:33 +00:00
Petr Menšík
5a1c39b1b7 Finalize removal of memory debug flags size and mctx
Commit 4b3d0c6600 has removed them, but
did not remove few traces in documentation and help. Remove them from
remaining places.

(cherry picked from commit 65b9eeb39a)
2024-12-06 03:13:14 +00:00
Mark Andrews
3eea26ba37 Check dnssec-signzone behaviour with revoked keys
Only DNSKEY records should be signed with a revoked key.

(cherry picked from commit 30ef6dde05)
2024-12-06 01:00:08 +00:00
Michal Nowak
e8d6be9c38 Add ns2/managed1.conf to mkeys extra_artifacts
The ns2/managed1.conf file is created by the setup.sh script. Then, in
the tests.sh script it is moved to ns2/managed.conf. The latter file
name is in mkeys extra_artifacts, but the former one is not. This is a
problem when pytest is started with the --setup-only option as it only
runs the setup.sh script (e.g., in the cross-version-config-tests CI
job) and thus failing the "Unexpected files found" assertion.

(cherry picked from commit e7d973bd00)
2024-12-05 10:08:34 +00:00
Colin Vidal
c586d9a658 Add EDE 22 No reachable authority code
Add support for Extended DNS Errors (EDE) error 22: No reachable
authority. This occurs when after a timeout delay when the resolver is
trying to query an authority server.

(cherry picked from commit d13e94b930)

Commit amended in order to fix usage of isc_log_write (adding dns_lctx
parameter)
2024-12-05 10:30:28 +01:00
Michal Nowak
211a0eafa9 Rewrite ecdsa system test to pytest
(cherry picked from commit 292e919156)
2024-12-05 07:46:17 +00:00
Ondřej Surý
6c3f1f09b2 Improve the badcache cleaning by adding LRU and using RCU
Instead of cleaning the dns_badcache opportunistically, add per-loop
LRU, so each thread-loop can clean the expired entries.  This also
allows removal of the atomic operations as the badcache entries are now
immutable, instead of updating the badcache entry in place, the old
entry is now deleted from the hashtable and the LRU list, and the new
entry is inserted in the LRU.

(cherry picked from commit 2cb5a6210f)
2024-11-27 17:07:03 +00:00