Commit Graph

41965 Commits

Author SHA1 Message Date
Ondřej Surý
9b346bc6f1 Add OpenSSL includes as needed
The isc/crypto.h now directly includes the OpenSSL headers (evp.h) and
any application that includes that header also needs to have
OPENSSL_CFLAGS in the Makefile.am.  Adjust the required automake files
as needed.

(cherry picked from commit 88103e72d5)
2024-11-15 14:03:44 +00:00
Petr Špaček
74028e3923 [9.20] chg: doc: Move Known Issues to BIND9 wiki
Merge branch 'nicki/move-known-issues-to-wiki-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9730
2024-11-15 13:02:23 +00:00
Nicki Křížek
81b641d59c Move Known Issues to BIND9 wiki
Keeping the Known Issues as part of the rendered docs has the issue that
the list can't be updated on the official docs website until the next
release. This is unpractical is a high-priority issue is discovered
shortly after a release. Keep the Known Issues in wiki and simply link
to the list from the rendered docs. The wiki article can be updated at
any time as needed.
2024-11-15 13:00:31 +00:00
Ondřej Surý
668ea24467 [9.20] fix: usr: Fix race condition when canceling ADB find
When canceling the ADB find, the lock on the find gets released for
a brief period of time to be locked again inside adbname lock.  During
the brief period that the ADB find is unlocked, it can get canceled by
other means removing it from the adbname list which in turn causes
assertion failure due to a double removal from the adbname list.
This has been fixed.

Closes #5024

Backport of MR !9722

Merge branch 'backport-5024-fix-crash-in-dns_adb_cancelfind-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9744
2024-11-13 08:52:08 +00:00
Ondřej Surý
d6f2dd79f6 Revalidate the adbname when canceling the ADB find
When canceling the ADB find, the lock on the find gets released for
a brief period of time to be locked again inside adbname lock.  During
the brief period that the ADB find is unlocked, it can get canceled by
other means removing it from the adbname list which in turn causes
assertion failure due to a double removal from the adbname list.

Recheck if the find->adbname is still valid after acquiring the lock
again and if not just skip the double removal.  Additionally, attach to
the adbname as in the worst case, the adbname might also cease to exist
if the scheduler would block this particular thread for a longer period
of time invalidating the lock we are going to acquire and release.

(cherry picked from commit 128e50e1ff)
2024-11-13 07:51:19 +00:00
Nicki Křížek
9487ab6ae5 [9.20] fix: test: minor fixes for extra_artifacts detection
Some omissions of !9426 discovered during the backports

Backport of MR !9739

Merge branch 'backport-nicki/extra-artifacts-fixups-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9741
2024-11-12 13:29:51 +00:00
Nicki Křížek
9ba60be870 Fix clean.sh removal omissions
- Ensure keyfromlabel token is cleaned up
- Remove forgotten clean.sh file
- Add missing enginepkcs11 test artifact

(cherry picked from commit 7dde34afac)
2024-11-12 11:21:15 +01:00
Nicki Křížek
0b9d3fbfea Ensure pytest runner get proper outcome from flaky reruns
When a test is re-run by the flaky plugin, the TestReport outcomes
collected in the pytest_runtest_makereport() hook should be overriden.
Each of the setup/call/teardown phases is reported again and since we
care about the overall outcome, their respective results should be
overriden so that only the outcome from the final test (re)run gets
reported.

Prior to this change, it lead to a situation where an extra_artifact
generated during the test might be ignored. This was caused because the
check was skipped, since the test was incorrectly considered as "failed"
in the case where the test would fail on the first run, but pass on a
subsequent flaky rerun.

(cherry picked from commit b66fb31dcb)
2024-11-12 10:20:27 +00:00
Nicki Křížek
e5fa109599 [9.20] chg: dev: Use lists of expected artifacts in system tests
``clean.sh`` scripts have been replaced by lists of expected artifacts for each system test module. The list is defined using the custom ``pytest.mark.extra_artifacts`` mark, which can use both filenames and globs.

Closes #4261

Backport of MR !9426

Merge branch 'backport-4261-add-pytest-fixture-checking-test-artifacts-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9734
2024-11-08 15:24:07 +00:00
Nicki Křížek
0ed39d76dc Remove invocations and mentions of clean.sh
(cherry picked from commit f2cb2e5723)
2024-11-08 15:39:50 +01:00
Nicki Křížek
c3a0af96ad Replace clean.sh files with extra_artifacts mark
The artifact lists in clean.sh and extra_artifacts might be slightly
different. The list was updated for each test to reflect the current
state.

(cherry picked from commit 7c259fe254)
2024-11-08 15:39:50 +01:00
Michał Kępień
95d3bbd5dc Add pytest fixture for checking test artifacts
Prior to introducing the pytest runner, clean.sh files were used as a
list of files that the test is expected to leave around as artifacts and
check that no extra files were created.

With the pytest runner, those scripts are no longer used, but the
ability to detect extraneous files is still useful. Add a new
"extra_artifacts" mark which can be used for the same purpose.

(cherry picked from commit 3a9f4edddc)
2024-11-08 15:39:50 +01:00
Mark Andrews
ee91ba9dd3 [9.20] rem: nil: Remove named_g_sessionkey and named_g_sessionkeyname
Remove named_g_sessionkey and named_g_sessionkeyname as they are declared and cleaned up but otherwise are unused.

Closes #5023

Backport of MR !9720

Merge branch 'backport-5023-remove-named_g_sessionkey-as-it-is-unused-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9725
2024-11-07 05:15:00 +00:00
Mark Andrews
e2746e86d9 Remove named_g_sessionkey and named_g_sessionkeyname
They are only declared and cleaned up but otherwise unused.

(cherry picked from commit f70ff727ec)
2024-11-07 02:18:48 +00:00
Mark Andrews
6cd001a68b [9.20] chg: usr: Print expire option in transfer summary.
The zone transfer summary will now print the expire option value in the zone transfer summary.

Closes #5013

Backport of MR !9694

Merge branch 'backport-5013-print-expire-option-in-transfer-summary-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9714
2024-11-05 02:06:11 +00:00
Mark Andrews
57e84efd67 Update zone transfer summary
Print the expire option in the zone transfer summary. This is
currently emitted in a DEBUG(1) message.

(cherry picked from commit 5253c75b7a)
2024-11-04 18:30:10 +00:00
Mark Andrews
834c04fc77 [9.20] chg: usr: dnssec-ksr now supports KSK rollovers
The tool 'dnssec-ksr' now allows for KSK generation, as well as planned KSK rollovers. When signing a bundle from a Key Signing Request (KSR), only the key that is active in that time frame is being used for signing. Also, the CDS and CDNSKEY records are now added and removed at the correct time.

Closes #4697 

Closes #4705

Backport of MR !9452

Merge branch 'backport-4705-dnssec-ksr-only-sign-with-active-ksks-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9711
2024-11-04 02:16:52 +00:00
Matthijs Mekking
9a92cb4fbb Fix dnssec-ksr to support KSK rollovers
dnssec-ksr can now sign KSR files with multiple KSKs. A planned KSK
rollover is supported, meaning the KSR will first be signed with
one KSK and later with another. The timing metadata for CDS and
CDNSKEY records are also taken into account, so these records are
only published when the time is between "SyncPublish" and "SyncDelete".

(cherry picked from commit d7f2a2f437)
2024-11-04 01:10:34 +00:00
Matthijs Mekking
1fcc346729 Add KSK roll test case
Add a test case for Offline KSK where during the lifespan of the Signed
Key Response a KSK rollover happens. Ensure that the correct DNSKEY,
CDNSKEY, and CDS records are published at the right times.

(cherry picked from commit 8cf5f972f4)
2024-11-04 01:10:34 +00:00
Matthijs Mekking
2e5a2f4e81 Allow empty CDNSKEY/CDS RRset in ksr system test
When the zone is initially signed, the CDNSKEY/CDS RRset is not
immediately published. The DNSKEY and signatures must propagate first.
Adjust the test to allow for this case.

(cherry picked from commit 708927e03d)
2024-11-04 01:10:34 +00:00
Matthijs Mekking
a92fb659d3 dnssec-ksr keygen -o to create KSKs
Add an option to dnssec-ksr keygen, -o, to create KSKs instead of ZSKs.
This way, we can create a set of KSKS for a given period too.

For KSKs we also need to set timing metadata, including "SyncPublish"
and "SyncDelete". This functionality already exists in keymgr.c so
let's make the function accessible.

Replace dnssec-keygen calls with dnssec-ksr keygen for KSK in the
ksr system test and check keys for created KSKs as well. This requires
a slight modification of the check_keys function to take into account
KSK timings and metadata.

(cherry picked from commit 680aedb595)
2024-11-04 01:10:34 +00:00
Matthijs Mekking
1adcb2945e Add -f option to dnssec-ksr documentation
This was previously left out by error.

(cherry picked from commit 01169b7ffc)
2024-11-04 01:10:34 +00:00
Mark Andrews
2d4d8382c8 [9.20] fix: nil: TLS notify checks fail on OL 8 FIPS
Add missing checks for `$FEATURETEST --have-fips-dh` in notify system test to match those in setup.sh.

Closes #5015

Backport of MR !9707

Merge branch 'backport-5015-tls-notify-checks-fail-on-ol-8-fips-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9712
2024-11-02 06:36:41 +00:00
Mark Andrews
f793b28de4 Add missing $FEATURETEST --have-fips-dh
Notify over TLS only works if FIPS DH is supported.  Skip the system
tests parts that depend on it.

(cherry picked from commit 4f7e3e29a7)
2024-11-02 06:02:51 +00:00
Matthijs Mekking
ba2e8fe5f9 [9.20] chg: test: Match algorithms when checking signatures
In the ksr system test, the 'test_ksr_twotone' case may fail if there are two keys with the same keytag (but different algorithms), because one key is expected to be signing and the other is not.

Switch to regular expression matching and include the algorithm in the search string.

Closes #5017

Backport of MR !9701

Merge branch 'backport-5017-unexpected-match-ksr-twotone-again-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9710
2024-11-01 14:51:01 +00:00
Matthijs Mekking
9621369524 Match algorithms when checking signatures
In the ksr system test, the test_ksr_twotone case may fail if there
are two keys with the same keytag (but different algorithms), because
one key is expected to be signing and the other is not.

Switch to regular expression matching and include the algorithm in the
search string.

(cherry picked from commit 795fcc9f80)
2024-11-01 14:16:38 +00:00
Michal Nowak
b02f039d3a [9.20] chg: test: Rewrite rsabigexponent system test to pytest
Backport of MR !9157

Merge branch 'backport-mnowak/pytest_rewrite_rsabigexponent-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9705
2024-10-31 18:57:28 +00:00
Michal Nowak
ba1d4cc4db Rewrite rsabigexponent system test to pytest
(cherry picked from commit cacff68e78)
2024-10-31 18:15:14 +00:00
Michal Nowak
4f4a39e910 [9.20] fix: doc: Remove the CHANGES file
With the introduction of the generated changelog, the CHANGES file
became a symlink to doc/arm/changelog.rst. After the changes made in
!9549, the changelog file transitioned from being a wholly generated
file to one that includes versioned changelog files, which are
themselves generated. However, while implementing !9549, we overlooked
that the CHANGES file is copied to a release directory on an FTP server
and contains just "include" directives, not the changelog itself.
Therefore, in the same fashion as the "RELEASE-NOTES*.html" file, create
a "CHANGELOG*.html" file that redirects to the Changelog appendix of the
ARM.

Closes #5000

Backport of MR !9690

Merge branch 'backport-5000-provide-correct-changelog-on-ftp-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9703
2024-10-31 18:11:43 +00:00
Michal Nowak
daab2defe6 Fix changelog history header
(cherry picked from commit 9750f22e3a)
2024-10-31 16:46:58 +00:00
Michal Nowak
3ed3ace466 Remove the CHANGES file
With the introduction of the generated changelog, the CHANGES file
became a symlink to doc/arm/changelog.rst. After the changes made in
!9549, the changelog file transitioned from being a wholly generated
file to one that includes versioned changelog files, which are
themselves generated. However, while implementing !9549, we overlooked
that the CHANGES file is copied to a release directory on an FTP server
and contains just "include" directives, not the changelog itself.
Therefore, in the same fashion as the "RELEASE-NOTES*.html" file, create
a "CHANGELOG*.html" file that redirects to the Changelog appendix of the
ARM.

(cherry picked from commit e40bd273e4)
2024-10-31 16:46:57 +00:00
Nicki Křížek
4a9380835f [9.20] new: dev: Support jinja2 templates in pytest runner
Configuration files in system tests which require some variables (e.g.
port numbers) filled in during test setup, can now use jinja2 templates
when `jinja2` python package is available.

Any `*.j2` file found within the system test directory will be
automatically rendered with the environment variables into a file
without the `.j2` extension by the pytest runner. E.g.
`ns1/named.conf.j2` will become `ns1/named.conf` during test setup. To
avoid automatic rendering, use `.j2.manual` extension and render the
files manually at test time.

New `templates` pytest fixture has been added. Its `render()` function
can be used to render a template with custom test variables. This can be
useful to fill in different config options during the test. With
advanced jinja2 template syntax, it can also be used to include/omit
entire sections of the config file rather than using `named1.conf.in`,
`named2.conf.in` etc.

Closes #4938

Backport of MR !9587

Merge branch 'backport-4938-use-jinja2-templates-in-system-tests-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9699
2024-10-31 12:13:09 +00:00
Nicki Křížek
668544ec74 Support jinja2 templates in pytest runner
Configuration files in system tests which require some variables (e.g.
port numbers) filled in during test setup, can now use jinja2 templates
when `jinja2` python package is available.

Any `*.j2` file found within the system test directory will be
automatically rendered with the environment variables into a file
without the `.j2` extension by the pytest runner. E.g.
`ns1/named.conf.j2` will become `ns1/named.conf` during test setup. To
avoid automatic rendering, use `.j2.manual` extension and render the
files manually at test time.

New `templates` pytest fixture has been added. Its `render()` function
can be used to render a template with custom test variables. This can be
useful to fill in different config options during the test. With
advanced jinja2 template syntax, it can also be used to include/omit
entire sections of the config file rather than using `named1.conf.in`,
`named2.conf.in` etc.

(cherry picked from commit 60e118c4fb)
2024-10-31 09:40:46 +00:00
Matthijs Mekking
efc790c715 chg: doc: Make inline-signing default value change more clear in documentation
Emphasize more that the `inline-signing` default value has changed in 9.20.0.

Merge branch 'matthijs-improve-release-notes-wrt-inline-signing-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9647
2024-10-30 16:11:01 +00:00
Matthijs Mekking
77d54c03dd Make inline-signing default value change more clear
Emphasize more that the inline-signing default value has changed in
9.20.0.
2024-10-30 15:57:36 +01:00
Nicki Křížek
b4c79bdcdf [9.20] chg: ci: Make changelog audience mandatory
Backport of MR !9628

Merge branch 'backport-nicki/harazd-enforce-mr-title-audience-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9696
2024-10-29 16:12:35 +00:00
Nicki Křížek
babdac49c8 Make changelog audience mandatory
Use a stricter hazard check which ensures the audience tag is present in
the MR title and is one of the known values. This prevents siuations
where incorrect audience is accidentally used, resulting in a missing
changelog entry or a release note.

(cherry picked from commit cdb93bcbd4)
2024-10-29 16:03:31 +00:00
Matthijs Mekking
7995ebf009 [9.20] fix: test: Fix CID 510858: Null ptr derefs in check_keys
Coverity Scan reported a new issue for the ksr system test. There is allegedly a null pointer dereference (FORWARD_NULL) in check_keys().

This popped up because previously we set 'retired' to 0 in case of unlimited lifetime, but we changed it to None.

It is actually a false positive, because if lifetime is unlimited there will be only one key in 'keys'.

However, the code would be better if we always initialized 'active' and if it is not the first key and retired is set, set the successor key's active time to the retire time of the predecessor key.

Closes #5004

Backport of MR !9687

Merge branch 'backport-5004-cid-510858-ksr-check-keys-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9693
2024-10-25 14:08:04 +00:00
Matthijs Mekking
5c724d4c25 Fix CID 510858: Null ptr derefs in check_keys
Coverity Scan reported a new issue for the ksr system test. There
is allegedly a null pointer dereference (FORWARD_NULL) in check_keys().

This popped up because previously we set 'retired' to 0 in case of
unlimited lifetime, but we changed it to None.

It is actually a false positive, because if lifetime is unlimited
there will be only one key in 'keys'.

However, the code would be better if we always initialized 'active'
and if it is not the first key and retired is set, set the successor
key's active time to the retire time of the predecessor key.

(cherry picked from commit e777efb576)
2024-10-25 11:22:26 +00:00
Matthijs Mekking
c905bf1c71 [9.20] fix: test: Fix intermittent ksr test failure
A test may fail if the key id is shorter than 5 digits. Add a leading space to the expected strings which start with the key tag to avoid the issue.

Closes #5002

Backport of MR !9688

Merge branch 'backport-5002-unexpected-match-ksr-twotwone-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9692
2024-10-25 09:25:27 +00:00
Matthijs Mekking
8a598cb3bf Fix intermittent ksr test failure
The test_ksr_twotwone may fail if the key id is shorter than 5 digits.
Add a leading space to the expected strings which start with the key
tag to avoid the issue.

(cherry picked from commit d5f32f6990)
2024-10-25 07:47:01 +00:00
Nicki Křížek
401964d188 [9.20] fix: test: Make system tests compatible with pytest 8.0.0+
Make system tests symlinks and logged test names consistent across pytest versions.

Backport of MR !9071

Merge branch 'backport-nicki/pytest-v8-compat-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9685
2024-10-24 12:28:25 +00:00
Nicki Křížek
93356d6b3a Add legacy.run.sh to .gitignore
While this file is no longer created / used in the main branch, it may
linger around when switching from maintenance branches.

(cherry picked from commit 6262d002bf)
2024-10-24 11:55:18 +00:00
Nicki Křížek
04200e4025 Make system tests compatible with pytest 8.0.0+
The pytest collection mechanism has been overhauled in pytest 8.0.0,
resulting in a different node tree when collecting the tests. Ensure the
paths / names we're using that are derived from the node tree are
consistent across different pytest versions.

Particularly, this has affected the convenience symlink name (which is
supposed to be in the form of e.g. dns64_sh_dns64 for the dns64 module
and tests_sh_dns64.py module) and the test name that's logged at the
start of the test, which is supposed to include the system test
directory relative to the root system test directory as well as the
module name (e.g. dns64/tests_sh_dns64.py).

Related https://github.com/pytest-dev/pytest/issues/7777

(cherry picked from commit 7118cbed98)
2024-10-24 11:55:18 +00:00
Mark Andrews
c1b82c1fb8 [9.20] fix: usr: Use TLS for notifies if configured to do so
Notifies configured to use TLS will now be sent over TLS, instead of plaintext UDP or TCP.
Also, failing to load the TLS configuration for notify now also results in an error.

Closes #4821

Backport of MR !9407

Merge branch 'backport-4821-notify-over-tls-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9684
2024-10-24 06:01:40 +00:00
Timo Eisenmann
a9faeb86aa Use correct certificates for TLS notify tests
Use tls-forward-secrecy instead of tls-expired for tls-x2 and regenerate
the expired certificate for tls-x6 to reflect the swap of ns2 and ns3.

(cherry picked from commit bbdc6b26aa)
2024-10-24 03:11:50 +00:00
Mark Andrews
08f12c70e6 swap ns2 and ns3 rolls in tls notify tests
Still need to regenerate the expired certificate as it has
the wrong IP address

(cherry picked from commit 87e287c984)
2024-10-24 03:11:50 +00:00
Timo Eisenmann
1b59467e82 Add system tests for notify over TLS
We use ns2 as the primary, and ns3 as the secondary server.

(cherry picked from commit e00beca8c5)
2024-10-24 03:11:50 +00:00
Timo Eisenmann
7a5b3c39fc Use TLS for notifies if configured to do so
(cherry picked from commit e9d54d798f)
2024-10-24 03:11:50 +00:00
Mark Andrews
09fb8e354a [9.20] fix: dev: Transport needs to be a selector when looking for an existing dispatch
This allows for dispatch to use existing TCP/HTTPS/TLS etc. streams without accidentally using an unexpected transport.

Closes #4989

Backport of MR !9633

Merge branch 'backport-4989-fix-transport-use-with-dispatch-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9682
2024-10-24 01:57:28 +00:00