Commit Graph

5034 Commits

Author SHA1 Message Date
Petr Špaček
b57241ddbb Allow system tests to run under root user when inside CI
https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
says variable CI_SERVER="yes" is available in all versions of Gitlab.

(cherry picked from commit ddf46056ca)

Adapted to v9_16's version of run.sh.
2022-10-18 15:18:13 +02:00
Michal Nowak
4be4deb740 Replace fgrep and egrep with grep -F/-E
GNU Grep 3.8 reports the following warnings:

    egrep: warning: egrep is obsolescent; using grep -E
    fgrep: warning: fgrep is obsolescent; using grep -F

(cherry picked from commit 212c4de043)
2022-10-17 09:12:02 +02:00
Michal Nowak
52b86104ca Remove stray backslashes
GNU Grep 3.8 reports several instances of stray backslashes in matching
patterns:

    grep: warning: stray \ before /
    grep: warning: stray \ before :

(cherry picked from commit 65e91ef5e6)
2022-10-17 09:11:20 +02:00
Tom Krizek
2637043f01 Remove system test delzone
There are multiple reasons to remove this test as obsolete:

- The test may not possibly work for over 2.5 years, since
  98b3b93791 removed the rndc.py python
  tool on which this test relies.
- It isn't part of the test suite either in CI or locally unless it is
  explicitly enabled. As a result, there are many issues which prevent
  the test from being executed caused by various refactoring efforts
  accumulated over time.
- Even if the test could be executed, it has no clear failure condition.
  If the python script(s) fail, the test still passes.

(cherry picked from commit 05180154d9)
2022-10-14 16:48:38 +02:00
Michał Kępień
e535dc2b59 Fix startup detection after restart in start.pl
The bin/tests/system/start.pl script waits until a "running" message is
logged by a given name server instance before attempting to send a
version.bind/CH/TXT query to it.  The idea behind this was to make the
script wait until named loads all the zones it is configured to serve
before telling the system test framework that a given server is ready to
use; this prevents the need to add boilerplate code that waits for a
specific zone to be loaded to each test expecting that.

The problem is that when it looks for "running" messages, the
bin/tests/system/start.pl script assumes that the existence of any such
message in the named.run file indicates that a given named instance has
already finished loading all zones.  Meanwhile, some system tests
restart all the named instances they use throughout their lifetime (some
even do that a few times), for example to run Python-based tests.  The
bin/tests/system/start.pl script handles such a scenario incorrectly: as
soon as it finds any "running" message in the named.run file it inspects
and it gets a response to a version.bind/CH/TXT query, it tells the
system test framework that a given server is ready to use, which might
not be true - it is possible that only the "version.bind" zone is loaded
at that point and the "running" message found was logged by a
previously-shutdown named instance. This triggers intermittent failures
for Python-based tests.

Fix by improving the logic that the bin/tests/system/start.pl script
uses to detect server startup: check how many "running" lines are
present in a given named.run file before attempting to start a named
instance and only proceed with version.bind/CH/TXT queries when the
number of "running" lines found in that named.run file increases after
the server is started.

(cherry picked from commit 18e20f95f6)
2022-10-11 11:59:02 +02:00
Michał Kępień
c11f286d34 Do not truncate ns2 logs in the "rrsetorder" test
In the "rrsetorder" system test, the ns2 named instance is restarted
without passing the --restart option to bin/tests/system/start.pl.  This
causes the log file for that named instance to be needlessly truncated.
Prevent this from happening by restarting the affected named instance
in the same way as all the other named instances used in system tests.

(cherry picked from commit 9146b956ae)
2022-10-11 11:59:02 +02:00
Petr Špaček
d63bc6af08 Clarify error message about missing inline-signing & dnssec-policy
(cherry picked from commit 058c1744ba)
2022-10-06 10:31:15 +02:00
Mark Andrews
03d363d0ee Add sleeps to ixfr system test
ensure that at least a second has passed since a zone was last loaded
to prevent it accidentally being skipped as up to date.

(cherry picked from commit 491a8cfe96)
2022-10-06 08:36:38 +11:00
Michal Nowak
9f27c3f95e Drop flake8 ignore lists
flake8 is not used in BIND 9 CI and inline ignore lists are not needed
anymore.

(cherry picked from commit f5d9fa6ea4)
2022-10-05 18:33:34 +02:00
Mark Andrews
e396d5d72d Add support for 'dohpath' to SVCB (and HTTPS)
dohpath is specfied in draft-ietf-add-svcb-dns and has a value
of 7.  It must be a relative path (start with a /), be encoded
as UTF8 and contain the variable dns ({?dns}).

(cherry picked from commit 6d561d3886)
2022-10-04 15:33:49 +11:00
Mark Andrews
47e8a98240 keymgr: use DEFAULT_ALGORITHM instead of {nsec3}rsasha1 2022-10-03 13:28:26 +02:00
Michal Nowak
f822943473 coverage: use $DEFAULT_ALGORITHM 2022-10-03 13:28:25 +02:00
Mark Andrews
21cd56b42b Fix mkeys to work with DEFAULT_ALGORITHM properly
Stop using a RSASHA1 fixed key in ns3's named.conf as the
trusted key and instead compute a broken digest from the
real digest to use in trusted-keys.

(cherry picked from commit be4cbe2b80)
2022-10-03 13:28:25 +02:00
Mark Andrews
42727aab9a kasp: stop using RSASHA1 unless necessary for the test
Moves tests from being RSASHA1 based to RSASHA256 based where possible
and split out the remaining RSASHA1 based tests so that they are not
run on OS's that don't support RSASHA1.

(cherry picked from commit db028684e5)
2022-10-03 13:28:25 +02:00
Mark Andrews
4daa3d6dae keymgr2kasp: use FIPS compliant algorithms and key sizes
migrate-nomatch-alglen: switched to RSASHA256 instead of RSASHA1
and the key size now changes from 2048 bits to 3072 bits instead
of 1024 bits to 2048 bits.

migrate-nomatch-algnum: switched to RSASHA256 instead of RSASHA1
as initial algorithm and adjusted mininum key size to 2048 bits.

rsasha256: adjusted minimum key size to 2048 bits.

(cherry picked from commit 048b015166)
2022-10-03 13:28:25 +02:00
Mark Andrews
3d642f46f2 dnssec/signer/general: Replace RSASHA1 keys with RSASHA512 keys
RSASHA1 is verify only in FIPS mode. Use RSASHA256 instead.

(cherry picked from commit 9c6de6d12d)
2022-10-03 13:28:25 +02:00
Mark Andrews
77e0878444 autosign: use FIPS compatible algorithms and key sizes
The nsec-only.example zone was not converted as we use it to
test nsec-only DNSSEC algorithms to nsec3 conversion failure.
The subtest is skipped in fips mode.

Update "checking revoked key with duplicate key ID" test
to use FIPS compatible algorithm.

(cherry picked from commit 99ad09975e)
2022-10-03 13:28:25 +02:00
Mark Andrews
e6d1117891 rsabigexponent: convert the test from RSASHA1 to RSASHA256
RSASHA1 is not supported on some platforms.

(cherry picked from commit 8c3c011860)
2022-10-03 13:28:25 +02:00
Mark Andrews
fe4d8ca7c7 mkeys: use $() instead of back quotes
(cherry picked from commit 0e45a2b02c)
2022-10-03 13:19:35 +02:00
Mark Andrews
4950ab72e8 Upgrade uses of hmac-sha1 to DEFAULT_HMAC
where the test is not hmac-sha1 specific

(cherry picked from commit c533e8bc5b)
2022-10-03 13:19:35 +02:00
Mark Andrews
e8545ad255 zonechecks: use $DEFAULT_ALGORITHM
(cherry picked from commit 459e6980e5)
2022-10-03 13:19:35 +02:00
Mark Andrews
864a2b127a wildcard: use $DEFAULT_ALGORITHM
(cherry picked from commit 3f65c9cf85)
2022-10-03 13:19:34 +02:00
Mark Andrews
76a154d8b1 views: use $DEFAULT_ALGORITHM
(cherry picked from commit 86b29606c3)
2022-10-03 13:19:34 +02:00
Mark Andrews
16c6557aa2 verify: use $DEFAULT_ALGORITHM
(cherry picked from commit 93f7c7cdcd)
2022-10-03 13:19:34 +02:00
Mark Andrews
150ace9801 upforwd: use $DEFAULT_ALGORITHM
(cherry picked from commit 5585909904)
2022-10-03 13:19:34 +02:00
Mark Andrews
516694cd8c unknown: use $DEFAULT_ALGORITHM
(cherry picked from commit 9970d4317d)
2022-10-03 13:19:34 +02:00
Mark Andrews
b8645af516 synthfromdnssec: use $DEFAULT_ALGORITHM
(cherry picked from commit 73fd49f8bb)
2022-10-03 13:19:34 +02:00
Mark Andrews
a2d8660485 staticstub: use $DEFAULT_ALGORITHM
(cherry picked from commit 32337b9dbf)
2022-10-03 13:19:34 +02:00
Mark Andrews
204811ae41 smartsign: use $DEFAULT_ALGORITHM
(cherry picked from commit 941b95edb0)
2022-10-03 13:19:34 +02:00
Mark Andrews
49d8978cb4 rpz: use $DEFAULT_ALGORITHM
(cherry picked from commit 1861c3e503)
2022-10-03 13:19:34 +02:00
Mark Andrews
b26a89df34 rootkeysentinel: use $DEFAULT_ALGORITHM
(cherry picked from commit b0e1d9b1b3)
2022-10-03 13:19:34 +02:00
Mark Andrews
e78c158ba6 resolver: use $DEFAULT_ALGORITHM
(cherry picked from commit 05ef8c81dd)
2022-10-03 13:19:34 +02:00
Mark Andrews
52ce408f0d redirect: use $DEFAULT_ALGORITHM
(cherry picked from commit e0e03602ba)
2022-10-03 13:19:33 +02:00
Mark Andrews
ce8cef8a4b pending: use $DEFAULT_ALGORITHM
(cherry picked from commit 6fd50b9fda)
2022-10-03 13:19:33 +02:00
Mark Andrews
1b94de8d1f nsupdate: use $DEFAULT_ALGORITHM
(cherry picked from commit c2d18567fc)
2022-10-03 13:19:33 +02:00
Mark Andrews
fd8bd94212 mkeys: use $DEFAULT_ALGORITHM
(cherry picked from commit 78fa082999)
2022-10-03 13:19:33 +02:00
Mark Andrews
61cfb9a68e mirror: use $DEFAULT_ALGORITHM
(cherry picked from commit ff95bafa39)
2022-10-03 13:19:33 +02:00
Mark Andrews
17a26bced4 metadata: use $DEFAULT_ALGORITHM
(cherry picked from commit 3f1dc83bfb)
2022-10-03 13:19:33 +02:00
Mark Andrews
6843c764c6 inline: use $DEFAULT_ALGORITHM
(cherry picked from commit e3acddefd1)
2022-10-03 13:19:33 +02:00
Mark Andrews
45c21fd5af dsdigest: use $DEFAULT_ALGORITHM
(cherry picked from commit 49de14cb9e)
2022-10-03 13:19:33 +02:00
Mark Andrews
4ba58611c7 dnssec: use $DEFAULT_ALGORITHM
(cherry picked from commit d0b0139c90)
2022-10-03 13:19:33 +02:00
Mark Andrews
53625cc639 dns64: use $DEFAULT_ALGORITHM
(cherry picked from commit 5cbf1e1598)
2022-10-03 13:19:33 +02:00
Mark Andrews
7cf9e28924 chain: use $DEFAULT_ALGORITHM
(cherry picked from commit 3419178bd2)
2022-10-03 13:19:33 +02:00
Mark Andrews
5f146c76bd cds: use $DEFAULT_ALGORITHM
(cherry picked from commit 6cf0b73ede)
2022-10-03 13:19:33 +02:00
Mark Andrews
1bd3c49454 autosign: use $DEFAULT_ALGORITHM
(cherry picked from commit bb810b0ac9)
2022-10-03 13:19:32 +02:00
Mark Andrews
7f2b46f4e5 Suffix may be used before it is assigned a value
CID 350722 (#5 of 7): Bad use of null-like value (FORWARD_NULL)
        12. invalid_operation: Invalid operation on null-like value suffix.
    145        r.authority.append(
    146            dns.rrset.from_text(
    147                "icky.ptang.zoop.boing." + suffix,
    148                1,
    149                IN,
    150                NS,
    151                "a.bit.longer.ns.name." + suffix,
    152            )
    153        )

(cherry picked from commit 432064f63c)
2022-09-28 11:19:50 +10:00
Mark Andrews
4fc1975709 Check that changing the TSIG key is successful
Switch the primary to require 'next_key' for zone transfers then
update the catalog zone to say to use 'next_key'.  Next update the
zones contents then check that those changes are seen on the
secondary.

(cherry picked from commit 176e172210)
2022-09-27 23:58:22 +10:00
Mark Andrews
ff883fd75f Suppress manykeys test on duplicate key ids
If there are duplicate key ids across multiple algorithms expected
output is no met.  We have fixed this in on main but decided to not
back port the fix as it will change the statistics channel output.

This change detects when there are duplicate key id across algorithms
as skips the sub test.

(cherry picked from commit ea1d3476a8)
2022-09-16 09:49:41 +10:00
Michal Nowak
9b41b63607 Bump socket.create_connection() timeout to 10 seconds
The tcp Pytest on OpenBSD fairly reliably fails when receive_tcp()
on a socket is attempted:

    >           (response, rtime) = dns.query.receive_tcp(sock, timeout())

    tests-tcp.py:50:
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    /usr/local/lib/python3.9/site-packages/dns/query.py:659: in receive_tcp
        ldata = _net_read(sock, 2, expiration)
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

    sock = <socket.socket [closed] fd=-1, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6>
    count = 2, expiration = 1662719959.8106785

        def _net_read(sock, count, expiration):
            """Read the specified number of bytes from sock.  Keep trying until we
            either get the desired amount, or we hit EOF.
            A Timeout exception will be raised if the operation is not completed
            by the expiration time.
            """
            s = b''
            while count > 0:
                try:
    >               n = sock.recv(count)
    E               socket.timeout: timed out

This is because the socket is already closed.

Bump the socket connection timeout to 10 seconds.

(cherry picked from commit 658cae9fad)
2022-09-15 12:36:14 +02:00
Aram Sargsyan
3ad0f165ab Fix RRL responses-per-second bypass using wildcard names
It is possible to bypass Response Rate Limiting (RRL)
`responses-per-second` limitation using specially crafted wildcard
names, because the current implementation, when encountering a found
DNS name generated from a wildcard record, just strips the leftmost
label of the name before making a key for the bucket.

While that technique helps with limiting random requests like
<random>.example.com (because all those requests will be accounted
as belonging to a bucket constructed from "example.com" name), it does
not help with random names like subdomain.<random>.example.com.

The best solution would have been to strip not just the leftmost
label, but as many labels as necessary until reaching the suffix part
of the wildcard record from which the found name is generated, however,
we do not have that information readily available in the context of RRL
processing code.

Fix the issue by interpreting all valid wildcard domain names as
the zone's origin name concatenated to the "*" name, so they all will
be put into the same bucket.

(cherry picked from commit baa9698c9d)
2022-09-08 09:41:15 +02:00