Use tls-forward-secrecy instead of tls-expired for tls-x2 and regenerate
the expired certificate for tls-x6 to reflect the swap of ns2 and ns3.
(cherry picked from commit bbdc6b26aa)
This allows for dispatch to use existing TCP/HTTPS/TLS etc. streams without accidentally using an unexpected transport.
Closes#4989
Backport of MR !9633
Merge branch 'backport-4989-fix-transport-use-with-dispatch-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9682
Dispatch needs to know the transport that is being used over the
TCP connection to correctly allow for it to be reused. Add a
transport parameter to dns_dispatch_createtcp and dns_dispatch_gettcp
and use it when selecting a TCP socket for reuse.
(cherry picked from commit baab8a5d75)
When working with key timestamps, ensure we correctly set the UTC
timezone in order for the tests to work consistently regardless of the
local time setting.
Closes#4999
Backport of MR !9673
Merge branch 'backport-4999-pytest-kasp-use-utc-timezone-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9679
Use a different timezone via the TZ variable in at least one of the
system test jobs in order to detect possible issues with timezone
handling in python.
(cherry picked from commit 46810be809)
When working with key timestamps, ensure we correctly set the UTC
timezone in order for the tests to work consistently regardless of the
local time setting.
(cherry picked from commit f840deba33)
Backport of MR !9626
Merge branch 'backport-nicki/pylint-disable-too-few-too-many-checks-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9656
Enforcing pylint standards and default for our test code seems
counter-productive. Since most of the newly added code are tests or is
test-related, encountering these checks rarely make us refactor the code
in other ways and we just disable these checks individually. Code that
is too complex or convoluted will be pointed out in reviews anyways.
(cherry picked from commit 7639c58c48)
It is possible that the zone is not yet fully signed because it is
signed in batches. Retry the AXFR and verify command a couple of times.
(cherry picked from commit b8b3df0676)
If a function is expected to assert / raise on failure (rather than
return boolean), its name should start with "check_".
(cherry picked from commit 67957d1f54)
Move all test cases from tests.sh to tests_ksr.py. The only test that
is not moved is the check that key id's match expected keys. The
shell-based system test checks two earlier set environment variables
against each other that has become redundant in the pytest variant,
because we now check the signed key response against a list of keys
and for each key we take into account the timing metadata. So we
already ensure that each published key is in the correct key bundle.
(cherry picked from commit a15bf6704b)
Write initial pytest kasp library. This contains everything that is
required for testing Offline KSK functionality with pytest.
This includes:
- addtime: adding a value to a timing metadata
- get_timing_metdata: retrieve timing metadata from keyfile
- get_metadata/get_keystate: retrieve metadata from statefile
- get_keytag: retrieve keytag from base keyfile string
- get_keyrole: get key role from statefile
- dnskey_equals: compare DNSKEY record from file against a string
- cds_equals: compare CDS derived from file against a string
- zone_is_signed: wait until a zone is completely signed
- dnssec_verify: verify a DNSSEC signed zone with dnssec-verify
- check_dnssecstatus: check rndc dnssec -status output
- check_signatures: check that signatures for a given RRset are correct
- check_dnskeys: check that the published DNSKEY RRset is correct
- check_cds: check that the published CDS RRset is correct
- check_apex: check SOA, DNSKEY, CDNSKEY, and CDS RRset
- check_subdomain: check an RRset below the apex
(cherry picked from commit a3829990fd)
When DSCP support was removed, parsing of hostnames in rndc.conf was accidentally broken, resulting in an assertion failure. This has been fixed.
Closes#4991
Backport of MR !9669
Merge branch 'backport-4991-rndc-fix-parsing-hostnames-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9676
When DSCP was removed the parsing of hostnames was accidentally
broken resulting in an assertion failure. Call cfg_parse_tuple
rather than using custom code in parse_sockaddrnameport.
(cherry picked from commit 6c095f89f5)
See isc-projects/bind9#4996
Backport of MR !9662
Merge branch 'backport-mnowak/mark-upforwd-xfail-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9672
With Sphinx 8.1.0, footnotes can't stand on their own and have to be
referenced from somewhere, otherwise build fails, e.g.:
doc/dnssec-guide/signing.rst:1470: WARNING: Footnote [#] is not referenced. [ref.footnote]
Backport of MR !9663
Merge branch 'backport-mnowak/fix-dnssec-guide-footnote-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9670
With Sphinx 8.1.0, footnotes can't stand on their own and have to be
referenced from somewhere, otherwise build fails, e.g.:
doc/dnssec-guide/signing.rst:1470: WARNING: Footnote [#] is not referenced. [ref.footnote]
(cherry picked from commit bdf8859e2d)
Options of the form `[+-]option=<value>` failed to display the value on the printed command line. This has been fixed.
Closes#4993
Backport of MR !9653
Merge branch 'backport-4993-dig-restore-command-line-values-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9666
BIND 9.20.0 broke `recursive-clients 0;`. This has now been fixed.
Closes#4987
Backport of MR !9621
Merge branch 'backport-4987-fix-recursive-clients-0-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9654
HTTP URI of doc/arm/requirements.txt on the "main" branch is the source
of PyPI packages in CI base image. To make it consistent in all
maintained CI branches on RTD, use the HTTP URI as well.
This change is non-material on the "main" branch, but ensures the right
packages on stable branches where for RTD we currently leverage outdated
packages because we failed to update doc/arm/requirements.txt there.
Backport of MR !9630
Merge branch 'backport-mnowak/rtd-always-resource-requirements-txt-from-main-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9660
HTTP URI of doc/arm/requirements.txt on the "main" branch is the source
of PyPI packages in CI base image. To make it consistent in all
maintained CI branches on RTD, use the HTTP URI as well.
This change is non-material on the "main" branch, but ensures the right
packages on stable branches where for RTD we currently leverage outdated
packages because we failed to update doc/arm/requirements.txt there.
(cherry picked from commit 8fb6115492)
With Sphinx 8.1.0, footnotes can't stand on their own and have
referenced from somewhere:
/builds/isc-projects/bind9/doc/arm/general.rst:439: WARNING: Footnote [#] is not referenced. [ref.footnote]
/builds/isc-projects/bind9/doc/arm/general.rst:441: WARNING: Footnote [#] is not referenced. [ref.footnote]
/builds/isc-projects/bind9/doc/arm/general.rst:445: WARNING: Footnote [#] is not referenced. [ref.footnote]
/builds/isc-projects/bind9/doc/arm/general.rst:457: WARNING: Footnote [#] is not referenced. [ref.footnote]
(cherry picked from commit 54410e034f)