Commit Graph

8632 Commits

Author SHA1 Message Date
Evan Hunt
bd9ffedbcf set and use SYSTEMTESTTOP consistently 2019-01-25 11:24:09 -08:00
Evan Hunt
2189f00e63 complete the set of tools available in windows tests
- dnssec-cds wasn't being built for windows
- nsec3hash was available, but the NSEC3HASH variable wasn't
  set in conf.sh.win32
2019-01-25 11:24:09 -08:00
Evan Hunt
3cf4ecf177 more reliable method for killing "ans" servers on windows
as perl and python are both native to cygwin, we don't want to use
the "kill -f" option to terminate them.
2019-01-25 10:43:10 -08:00
Evan Hunt
b5f8d60565 update ifconfig.bat with current test interfaces
the addresses set up in ifconfig.bat were out of sync with the
ones in ifconfig.sh
2019-01-25 10:43:10 -08:00
Evan Hunt
47ef534511 update conf.sh.win32 test list
- the test lists in conf.sh.in and conf.sh.win32 were out of sync
2019-01-25 10:43:10 -08:00
Evan Hunt
4f06d65e38 improve handling of trailing dots in dnssec-keymgr and dnssec-coverage
- mishandling of trailing dots caused bad behavior with the
  root zone or names like "example.com."
- fixing this exposed an error in dnssec-coverage caused the
  wrong return value if there were KSK errors but no ZSK errors
- incidentally silenced the dnssec-keygen output in the coverage
  system test

(cherry picked from commit 1ccf4e6c16)
2019-01-24 13:51:53 -08:00
Mark Andrews
15b4240764 introducing keymgr need to preserve functionality
(cherry picked from commit 083b730ec7)
2019-01-22 10:22:10 -08:00
Witold Kręcicki
f8963ad70e If possible don't use forwarders when priming the resolver.
If we try to fetch a record from cache and need to look into
hints database we assume that the resolver is not primed and
start dns_resolver_prime(). Priming query is supposed to return
NSes for "." in ANSWER section and glue records for them in
ADDITIONAL section, so that we can fill that info in 'regular'
cache and not use hints db anymore.
However, if we're using a forwarder the priming query goes through
it, and if it's configured to return minimal answers we won't get
the addresses of root servers in ADDITIONAL section. Since the
only records for root servers we have are in hints database we'll
try to prime the resolver with every single query.

This patch adds a DNS_FETCHOPT_NOFORWARD flag which avoids using
forwarders if possible (that is if we have forward-first policy).
Using this flag on priming fetch fixes the problem as we get the
proper glue. With forward-only policy the problem is non-existent,
as we'll never ask for root server addresses because we'll never
have a need to query them.

Also added a test to confirm priming queries are not forwarded.

(cherry picked from commit b49310ac06)
2019-01-16 16:32:43 -08:00
Mark Andrews
22b77f45b7 add multi-view server and tests
(cherry picked from commit 7122b5786d)
2019-01-14 16:59:02 -08:00
Tony Finch
bc984ace12 Fix a few cosmetic issues with rndc managed-keys
The handling of class and view arguments was broken, because the code
didn't realise that next_token() would overwrite the class name when
it parsed the view name. The code was trying to implement a syntax
like `refresh [[class] view]`, but it was documented to have a syntax
like `refresh [class [view]]`. The latter is consistent with other rndc
commands, so that is how I have fixed it.

Before:

$ rndc managed-keys refresh in rec
rndc: 'managed-keys' failed: unknown class/type
unknown class 'rec'

After:

$ rndc managed-keys refresh in rec
refreshing managed keys for 'rec'

There were missing newlines in the output from `rndc managed-keys
refresh` and `rndc managed-keys destroy`.

Before:

$ rndc managed-keys refresh
refreshing managed keys for 'rec'refreshing managed keys for 'auth'

After:

$ rndc managed-keys refresh
refreshing managed keys for 'rec'
refreshing managed keys for 'auth'

(cherry picked from commit 6a3b851f72)
2019-01-14 16:16:29 -08:00
Evan Hunt
b241dc58ec b/t/s/dnssec/tests.sh: Cleanup showprivate() function 2019-01-14 12:30:49 -08:00
Evan Hunt
0b4dca553d fix testing errors
- the checkprivate function in the dnssec test set ret=0, erasing
  results from previous tests and making the test appear to have passed
  when it shouldn't have
- checkprivate needed a delay loop to ensure there was time for all
  private signing records to be updated before the test

(cherry picked from commit 82e83d5dc7)
2019-01-13 18:22:44 -08:00
Tony Finch
1ba69a02ff cleanup: alphabetize rndc command dispatch
(cherry picked from commit 66be4108bf)
2019-01-14 12:28:26 +11:00
Mark Andrews
0b8d530c84 Ensure base64/base32/hex fields in DNS records that should be non-empty are.
(cherry picked from commit 5e8b772ad1)
2019-01-09 18:53:29 +11:00
Mark Andrews
675d75e0bc wait longer for dump to complete
(cherry picked from commit 8a8d378def)
2019-01-08 20:17:06 -08:00
Michał Kępień
f63a1fca3e Fix cleanup upon an error before TCP socket creation
When a query times out after a socket is created and associated with a
given dig_query_t structure, calling isc_socket_cancel() causes
connect_done() to be run, which in turn takes care of all necessary
cleanups.  However, certain errors (e.g. get_address() returning
ISC_R_FAMILYNOSUPPORT) may prevent a TCP socket from being created in
the first place.  Since force_timeout() may be used in code handling
such errors, connect_timeout() needs to properly clean up a TCP query
which is not associated with any socket.  Call clear_query() from
connect_timeout() after attempting to send a TCP query to the next
available server if the timed out query does not have a socket
associated with it, in order to prevent dig from hanging indefinitely
due to the dig_query_t structure not being detached from its parent
dig_lookup_t structure.

(cherry picked from commit 13975b32c6)
2019-01-08 11:22:57 +01:00
Michał Kępień
c05c1f1b65 Refactor code sending a query to the next server upon a timeout
When a query times out and another server is available for querying
within the same lookup, the timeout handler - connect_timeout() - is
responsible for sending the query to the next server.  Extract the
relevant part of connect_timeout() to a separate function in order to
improve code readability.

(cherry picked from commit c108fc5c6e)
2019-01-08 11:22:57 +01:00
Michał Kępień
1d0319fd0c Remove dead code handling address family mismatches for TCP sockets
Before commit c2ec022f57, using the "-b"
command line switch for dig did not disable use of the other address
family than the one to which the address supplied to that option
belonged to.  Thus, bind9_getaddresses() could e.g. prepare an
isc_sockaddr_t structure for an IPv6 address when an IPv4 address has
been passed to the "-b" command line option.  To avoid attempting the
impossible (e.g. querying an IPv6 address from a socket bound to an IPv4
address), a certain code block in send_tcp_connect() checked whether the
address family of the server to be queried was the same as the address
family of the socket set up for sending that query; if there was a
mismatch, that particular server address was skipped.

Commit c2ec022f57 made
bind9_getaddresses() fail upon an address family mismatch between the
address the hostname passed to it resolved to and the address supplied
to the "-b" command line option.  Such failures were fatal to dig back
then.

Commit 7f65860391 made
bind9_getaddresses() failures non-fatal, but also ensured that a
get_address() failure in send_tcp_connect() still causes the given query
address to be skipped (and also made such failures trigger an early
return from send_tcp_connect()).

Summing up, the code block handling address family mismatches in
send_tcp_connect() has been redundant since commit
c2ec022f57.  Remove it.

(cherry picked from commit ef1da8731b)
2019-01-08 11:22:57 +01:00
Michał Kępień
82103796af Track forwarder timeouts in fetch contexts
Since following a delegation resets most fetch context state, address
marks (FCTX_ADDRINFO_MARK) set inside lib/dns/resolver.c are not
preserved when a delegation is followed.  This is fine for full
recursive resolution but when named is configured with "forward first;"
and one of the specified forwarders times out, triggering a fallback to
full recursive resolution, that forwarder should no longer be consulted
at each delegation point subsequently reached within a given fetch
context.

Add a new badnstype_t enum value, badns_forwarder, and use it to mark a
forwarder as bad when it times out in a "forward first;" configuration.
Since the bad server list is not cleaned when a fetch context follows a
delegation, this prevents a forwarder from being queried again after
falling back to full recursive resolution.  Yet, as each fetch context
maintains its own list of bad servers, this change does not cause a
forwarder timeout to prevent that forwarder from being used by other
fetch contexts.

(cherry picked from commit 33350626f9)
2019-01-08 08:31:16 +01:00
Mark Andrews
3ea05e59ce indenting
(cherry picked from commit c69ad95238)
2019-01-02 11:51:19 +11:00
Mark Andrews
ee0c468141 update copyrights 2019-01-02 10:25:47 +11:00
Matthijs Mekking
8a67d9d64a Remove dig_with_opts 2018-12-20 15:49:06 +01:00
Matthijs Mekking
25c0e3dde9 Replace DSA with Reserved algorithm
(cherry picked from commit 17cdde1e56)
2018-12-20 15:49:06 +01:00
Matthijs Mekking
82806d855c Add dnssec-signzone tests with unsupported alg
dnssec-signzone should sign a zonefile that contains a DNSKEY record
with an unsupported algorithm.

(cherry picked from commit 6d976b37c1)
2018-12-20 15:49:06 +01:00
Ondřej Surý
39644e4d34 Properly detect msys/msys2 environment in the stop.pl script.
(cherry picked from commit 808dac0760)
2018-12-19 21:31:16 +01:00
Ondřej Surý
e055809c6f gcc defines __SANITIZE_ADDRESS__ and not __ADDRESS_SANITIZER__, use the correct #define
(cherry picked from commit 8903d68d69)
2018-12-19 12:44:51 +01:00
Ondřej Surý
aeb6b97dad Disable RTLD_DEEPBIND when compiled under AddressSanitizer
(cherry picked from commit cad6b39cab)
2018-12-19 10:49:56 +01:00
Ondřej Surý
2e81ab696a Revert "Merge branch '782-cygwin-grep-CRLF-issue-v9_12' into 'v9_12'"
This reverts commit f35df99f1d, reversing
changes made to ccc3be8156.
2018-12-17 12:41:14 +01:00
Mark Andrews
0c19967532 pass the correct object to cfg_obj_log
(cherry picked from commit 53a33f7365)
2018-12-16 19:21:47 -05:00
Curtis Blackburn
9599679d31 minor fixes to dns64 and rndc CRLF fix. rpzrecurse failure
will be addressed in a separate issue

(cherry picked from commit 2ec746dafe)
2018-12-14 19:00:15 -08:00
Curtis Blackburn
bb731398e0 more CRLF fixes (dns64, rndc, rpzrecurse)
(cherry picked from commit 9fc68285ef)
2018-12-14 19:00:15 -08:00
Curtis Blackburn
66fdedfd7b missed one in the digdelv test
(cherry picked from commit bdbf6ede3a)
2018-12-14 19:00:13 -08:00
Curtis Blackburn
06cae98368 digdelv test fixed for CRLF issue
(cherry picked from commit ba1b9ca4d4)
2018-12-14 18:59:32 -08:00
Curtis Blackburn
e0ab5603f7 windows CRLF issues fixed in builtin test
(cherry picked from commit 18e8835044)
2018-12-14 18:50:47 -08:00
Ondřej Surý
a69f38e478 Fix ECC algorithms unused constants in PKCS#11 build 2018-12-14 09:00:12 +01:00
Mark Andrews
1f404e35b6 check that DNSKEY and other occluded data are excluded from the delegating bitmap
(cherry picked from commit 7e4b82103b)
2018-12-14 14:27:50 +11:00
Mark Andrews
58f8ec2b36 check that the time between notify messages is not too small
(cherry picked from commit 47a4e0eeaa)
2018-12-12 10:23:16 +11:00
Mark Andrews
c955498688 allow a small about of time for the syncptr event to be processed
(cherry picked from commit 3bca52ca07)
2018-12-10 09:07:04 -08:00
Michał Kępień
4c23d84285 Check that DNAME is not treated as a delegation when signing
(cherry picked from commit adbca54079)
2018-12-10 17:49:38 +11:00
Mark Andrews
acc8b89720 verify that auto-dnssec maintain generates and signs NSEC3 records with DNAME at the apex
(cherry picked from commit 6b470bbf42)
2018-12-10 17:49:38 +11:00
Mark Andrews
da5d139973 verify that dnssec-signzone generates NSEC3 records with DNAME at the apex
(cherry picked from commit 06e218c421)
2018-12-10 17:12:09 +11:00
Mark Andrews
2a6a3aa0e7 Properly detect bottom of zone when sign_a_node() is not called
(cherry picked from commit 9eec02a81f)
2018-12-07 11:48:03 +11:00
Andreas Hasenack
54242e8e1f add -U to preparse and usage
(cherry picked from commit 665618698e)
2018-12-07 08:39:32 +11:00
Mark Andrews
5338d9d4b7 add more error logging; add event processing logging
(cherry picked from commit 6a5c8ec2ea)
2018-12-06 11:32:09 +11:00
Ondřej Surý
39b02e8538 Change the default algorithm to RSASHA256 and the alternative algorithm to RSASHA1 as those are always supported 2018-12-05 21:55:31 +01:00
Ondřej Surý
f99c69b435 Add DNSKEY and CDNSKEY with unknown algorithm number (PRIVATEDNS) and \0 as content
(cherry picked from commit 00cc0b236a)
2018-12-05 21:14:06 +01:00
Ondřej Surý
b86789ef27 Refactor masterformat to be shellcheck clean and don't use RSAMD5 algorithm in the tests
(cherry picked from commit b13c7ca402)
2018-12-05 21:14:05 +01:00
Ondřej Surý
c996dcfee1 Make the start.pl and stop.pl more Cygwin friendly
(cherry picked from commit 835bad2c5c)
2018-12-04 15:30:41 +01:00
Ondřej Surý
b7c79f6c0f Replace realpath with cd&pwd shell magic 2018-12-03 20:42:01 +01:00
Ondřej Surý
73e26ec1d6 Make calls to the stop.pl always use the test name instead of '.'
(cherry picked from commit e227815af5)
2018-12-03 17:11:15 +01:00