Commit Graph

12084 Commits

Author SHA1 Message Date
Ondřej Surý
5255843f9b Follow the number of CPU set by taskset/cpuset
Administrators may wish to constrain the set of cores that BIND 9 runs
on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on
other O/S), for example to achieve higher (or more stable) performance
by more closely associating threads with individual NIC rx queues. If
the admin has used taskset, it follows that BIND ought to
automatically use the given number of CPUs rather than the system wide
count.

Co-Authored-By: Ray Bellis <ray@isc.org>
(cherry picked from commit 5a2df8caf5)
2024-09-03 13:52:10 +00:00
Mark Andrews
b30bff7dee Return partial match when requested
Return partial match from dns_db_find/dns_db_find when requested
to short circuit the closest encloser discover process.  Most of the
time this will be the actual closest encloser but may not be when
there yet to be committed / cleaned up versions of the zone with
names below the actual closest encloser.

(cherry picked from commit d42ea08f16)
2024-08-29 21:40:16 +00:00
Evan Hunt
93729a294a Delay release of root privileges until after configuring controls
On systems where root access is needed to configure privileged
ports, we don't want to fully relinquish root privileges until
after the control channel (which typically runs on port 953) has
been established.

named_os_changeuser() now takes a boolean argument 'permanent'.
This allows us to switch the effective userid temporarily with
named_os_changeuser(false) and restore it with named_os_restoreuser(),
before permanently dropping privileges with named_os_changeuser(true).

(cherry picked from commit d57fa148af)
2024-08-29 18:11:58 +00:00
Michal Nowak
f3b54c6688 Bump max-recursion-queries to 100 in resolver system test
With max-recursion-queries set to 50 the resolver system test was
unstable in the "checking query resolution for a domain with a valid
glueless delegation chain" check as ns1 replied with SERVFAIL.

(cherry picked from commit 8e0244d300)
2024-08-29 14:41:48 +00:00
Mark Andrews
20632b9f44 Add bad dnssec-policy range variants test examples
(cherry picked from commit bb653d37e0)
2024-08-23 08:05:16 +10:00
Mark Andrews
fab6d0e021 Add a multi-signer where the key tag range changes
(cherry picked from commit 62469afe71)
2024-08-23 08:05:16 +10:00
Mark Andrews
3ec77a2f92 Use key tag ranges when generating multisigner keys
(cherry picked from commit 266530d473)
2024-08-23 08:05:16 +10:00
Mark Andrews
6e51d5b04b Check that dnssec-keygen honours key tag ranges
(cherry picked from commit d165466125)
2024-08-23 08:05:16 +10:00
Mark Andrews
4c980c2a51 Add good dnssec-policy tag-range variants test examples
(cherry picked from commit e7decd7a65)
2024-08-23 08:05:16 +10:00
Mark Andrews
e3dedfb981 Add optional range directive to keys in dnssec-policy
(cherry picked from commit c5bc0a1805)
2024-08-23 08:05:16 +10:00
Mark Andrews
57c7c5452a Document -M tag_min:tag_max
A new argument has been added to dnssec-keygen and dnssec-keyfromlabel
to restrict the tag value of key generated / imported to a particular
range.  This is intended to be used by multi-signers.

Co-authored-by: Suzanne Goldlust <sgoldlust@isc.org>
(cherry picked from commit 0c347fb321)
2024-08-23 07:44:11 +10:00
Mark Andrews
79f9a10eb6 Add restrict key tag range support
to dnssec-keygen and dnssec-keyfromlabel.

(cherry picked from commit 329e5eee9b)
2024-08-23 07:42:21 +10:00
Matthijs Mekking
b7bc6abdfe Adjust kasp system test to get keys which signed
If there is a keytag conflict between keys with different algorithms,
we need to supply what key algorithm is used so we can get the right
public key.

For clarity, print the algorithm on the found keys after 'check_keys'.

(cherry picked from commit 7bb6d82505)
2024-08-22 12:58:00 +00:00
Matthijs Mekking
f516e461fd Implement SKR import
When 'rndc skr import' is called, read the file contents and store the
data in the zone's skr structure.

(cherry picked from commit 037382c4a5)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
908bf753f9 Test rndc skr import
Test importing a Signed Key Response. Files should be loaded and once
loaded the correct bundle should be used. Alsoe test cases where the
bundle is not the first bundle in the SKR.

(cherry picked from commit afe093258c)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
0fd246ac26 Add option to kasp.sh check_keys to retain found keys
This will come in handy when we are testing offline-ksk where first
we check for ZSKs and then the KSK.

(cherry picked from commit ecd2b79106)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
07de3d8466 Implement dummy 'rndc skr -import' command
Add the code and documentation required to provide KSR import using
rndc.  This is just the command, and the feature is at this point in
time still not implemented.

(cherry picked from commit edbb219fda)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
1813b7877c Add a common setup script for ksr
The previous setup.sh has been moved to ns1/setup.sh, we need a common
setup script to invoke ns1/setup.sh.

(cherry picked from commit 748d98e387)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
ad7366853e Update ksr system test to include server
Prepare the system test for tests that require a server to import
created SKR files. This means the test script needs adjustments to
take into account the directory test files are located.

In addition, the check_keys function is renamed to ksr_check_keys
because the name clashes with check_keys from kasp.sh. It also has an
extra parameter added, offset, that can be used to check ksr files that
are created in the past or future.

(cherry picked from commit 367154c1de)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
40bd74b182 Add offline-ksk option
Add a new configuration option to enable Offline KSK key management.

Offline KSK cannot work with CSK because it splits how keys with the
KSK and ZSK role operate. Therefore, one key cannot have both roles.
Add a configuration check to ensure this.

(cherry picked from commit 0598381236)
2024-08-22 10:17:08 +00:00
Ondřej Surý
46069fe5c7 Use clang-format-19 to update formatting
This is purely result of running:

    git-clang-format-19 --binary clang-format-19 origin/main

(cherry picked from commit 7b756350f5)
2024-08-22 08:16:03 +00:00
Nicki Křížek
ac11357466 Merge tag 'v9.20.1' into bind-9.20 2024-08-21 16:32:33 +02:00
Aram Sargsyan
3fc322f07c Print the full path of the working directory in startup log messages
named now prints its initial working directory during startup and the
changed working directory when loading or reloading its configuration
file if it has a valid 'directory' option defined.

(cherry picked from commit fd8e1d161f)
2024-08-21 08:23:48 +00:00
Ondřej Surý
1a657766c3 Use seteuid()/setegid() instead of setreseuid()/setresgid()
It looks like that all supported systems now have support for
_POSIX_SAVED_IDS, so it's safe to use setegid() and setegid() because
those will not change saved used/group IDs.

(cherry picked from commit ab517fc6e4)
2024-08-20 17:36:27 +00:00
Ondřej Surý
6d59dcf167 Fix the resesuid() shim implementation for NetBSD
The shim implementation of setresuid() was wrong - there was a copy and
paste error and it was calling setresgid() instead.  This only affects
NetBSD because Linux, FreeBSD and OpenBSD have setresuid() and
setresgid() implementation available from the system library.

(cherry picked from commit 5567407a82)
2024-08-20 10:24:32 +00:00
Nicki Křížek
441209dd91 Allow rerun of unstable statschannel tests under TSAN
The test_traffic_json and test_traffic_xml occasionally fail when
running under TSAN. This happens in CI and is most likely a result of
some instability that doesn't seem to be easily reproduced.

(cherry picked from commit ec2fc7680a)
2024-08-19 14:14:47 +00:00
Ondřej Surý
f1405af84c Add missing fclose() when applying updates failed (rpz/testlib)
In rpz system tests, we could leak file if the applying the updates has
failed.  Add the missing fclose() before returning.

(cherry picked from commit 2855ec8f5f)
2024-08-19 11:51:28 +00:00
Ondřej Surý
27a7647559 Change the NS_PER_SEC (and friends) from enum to static const
New version of clang (19) has introduced a stricter checks when mixing
integer (and float types) with enums.  In this case, we used enum {}
as C17 doesn't have constexpr yet.  Change the time conversion constants
to be static const unsigned int instead of enum values.

(cherry picked from commit b03e90e0d4)
2024-08-19 09:10:04 +00:00
Ondřej Surý
2f1205443e Silence all warnings that stem from the default config
As we now setup the logging very early, parsing the default config would
always print warnings about experimental (and possibly deprecated)
options in the default config.  This would even mess with commands like
`named -V` and it is also wrong to warn users about using experimental
options in the default config, because they can't do anything about
this.  Add CFG_PCTX_NODEPRECATED and CFG_PCTX_NOEXPERIMENTAL options
that we can pass to cfg parser and silence the early warnings caused by
using experimental options in the default config.

(cherry picked from commit 86f1ec34dc)
2024-08-15 12:10:02 +00:00
Nicki Křížek
1706c571b3 Use python3 in shebang lines for util scripts
Some distributions (notably, debian bookworm) have deprecated the
`python` interpreter in favor of `python3`. Since our scripts are
python3 anyway, use the proper numbered version in shebang to make
scripts easily executable.

(cherry picked from commit 480dcdef9a)
2024-08-14 15:43:34 +00:00
Aram Sargsyan
27ec6f8561 Non empty 'catalog-zones' implies that 'allow-new-zones' is true
This condition in catalog zone processing functions is checked only
for sanity, so there is no meaning for a log message that normally
shouldn't be ever logged.

(cherry picked from commit 0b3c8ee55e6cda1f2de35aa15f6a4d82d072c309)
2024-08-13 16:57:50 +02:00
Aram Sargsyan
db1162cffe Reconfigure catz member zones during named reconfiguration
During a reconfiguration named doesn't reconfigure catalog zones
member zones. Implement the necessary code to reconfigure catz
member zones.

(cherry picked from commit fd71ed5d73ae2dc968e8782ce652fb8ef257c25e)
2024-08-13 16:57:50 +02:00
Aram Sargsyan
0cdbdeaeb2 Test that 'rndc reconfig' reconfigures catz member zones
Catalog zone member zones should be reconfigured as all the other
zones during a reconfiguration. Test it by checking whether the newly
added allow-query setting affects a member zone.

(cherry picked from commit cd04b89dba85781c194f22ce6fe358c972a14758)
2024-08-13 16:57:50 +02:00
Ondřej Surý
85d9311afe Add fetches-per-zone 40 to qmin/ns5 configuration
The simple change causes assertion failure fixed in the previous commit.

(cherry picked from commit c2c9d8f01b)
2024-08-13 16:08:12 +02:00
Evan Hunt
9c292299c0 add +restarts and +maxqueries options to delv
max-query-restarts and max-recursion-queries values can now be set
on the command line in delv for testing purposes.

(cherry picked from commit 0d010ddebe)
2024-08-07 21:12:34 +00:00
Evan Hunt
053e01b9f0 implement 'max-query-restarts'
implement, document, and test the 'max-query-restarts' option
which specifies the query restart limit - the number of times
we can follow CNAMEs before terminating resolution.

(cherry picked from commit 104f3b82fb)
2024-08-07 21:12:34 +00:00
Evan Hunt
5e1e33da6f reduce the max-recursion-queries default to 32
the number of iterative queries that can be sent to resolve a
name now defaults to 32 rather than 100.

(cherry picked from commit 7e3b425dc2)
2024-08-07 21:12:34 +00:00
Evan Hunt
74d94707cd make "max_restarts" a configurable value
MAX_RESTARTS is no longer hard-coded; ns_server_setmaxrestarts()
and dns_client_setmaxrestarts() can now be used to modify the
max-restarts value at runtime. in both cases, the default is 11.

(cherry picked from commit c5588babaf)
2024-08-07 21:12:34 +00:00
Evan Hunt
be3b660e54 reduce MAX_RESTARTS to 11
the number of steps that can be followed in a CNAME chain
before terminating the lookup has been reduced from 16 to 11.
(this is a hard-coded value, but will be made configurable later.)

(cherry picked from commit 05d78671bb)
2024-08-07 21:12:34 +00:00
Nicki Křížek
4d2239d169 Make hypothesis optional for system tests
Ensure that system tests can be executed without Python hypothesis
package.

(cherry picked from commit e6a7695600)
2024-08-07 12:10:35 +00:00
Mark Andrews
813b8e9b12 Dig now reports a missing question section
The question section should be present in the first AXFR/IXFR
response and in other QUERY responses unless no question was sent.
Issue a warning if the question section is not present.

(cherry picked from commit 327e890910)
2024-08-07 13:20:27 +02:00
Nicki Křížek
dbe059c545 Initialize all environment variables when running isctest
Ensure all the variables are initialized when running the main function
of isctest module. This enables proper environment variables during test
script development when only conf.sh is sourced, rather than the script
being executed by the pytest runner.

(cherry picked from commit d7ace928b5)
2024-08-05 17:54:11 +02:00
Tom Krizek
257730f30b Replace testcrypto.sh invocations in tests
Use the provided environment variables instead.

(cherry picked from commit fc84bf80e4)
2024-08-05 17:54:11 +02:00
Tom Krizek
87a45f4646 Rewrite testcrypto.sh into python
Run the crypto support checks when initializing the isctest package and
save those results in environment variable. This removes the need to
repeatedly check for crypto operation support, as it's not something
that would change at test runtime.

(cherry picked from commit 25cb39b7fc)
2024-08-05 17:54:10 +02:00
Tom Krizek
9f97452b5d Move test algorithm configuration to isctest
Instead of invoking get_algorithms.py script repeatedly (which may yield
different results), move the algorithm configuration to an isctest
module. This ensures the variables are consistent across the entire test
run.

(cherry picked from commit 8302db407c)
2024-08-05 17:54:09 +02:00
Ondřej Surý
3cb97454cc Fix assertion failure when checking named-checkconf version
The dst_lib_destroy() should be called only if dst_lib_init() was called
before.  In named-checkconf, that is guarded by dst_cleanup variable
that was erroneously set to true by default.  Set the dst_cleanup to
'false' by default.

(cherry picked from commit c54880e3fa)
2024-08-05 11:12:05 +00:00
Ondřej Surý
ac170e8c5b Add a system test that sends TSIG with bad time
Add a system test that sets TSIG fudge to 0, waits three seconds and
then sends signed message to the server.  This tests the path where the
time difference between the client and the server is outside of the TSIG
fudge value.

(cherry picked from commit 8def0c3b12)
2024-08-05 11:11:40 +00:00
Ondřej Surý
36265057f9 Don't open route socket if we don't need it
When automatic-interface-scan is disabled, the route socket was still
being opened.  Add new API to connect / disconnect from the route socket
only as needed.

Additionally, move the block that disables periodic interface rescans to
a place where it actually have access to the configuration values.
Previously, the values were being checked before the configuration was
loaded.

(cherry picked from commit b26079fdaf)
2024-08-05 10:17:08 +00:00
Ondřej Surý
cf77491a5d Use LC_ALL to override all system locales
The system tests were overriding the local locale by setting LANG to C.
This does not override the locale in case there are individual LC_<*>
variables like LC_CTYPE explicitly set.

Use LC_ALL=C instead which is the proper way of overriding all currently
set locales.

(cherry picked from commit 10147efc87)
2024-08-05 07:34:20 +00:00
Yedaya Katsman
e258727739 Remove newlines from dighost errors calls
Not all invocations had it, and this makes it more consistent with
dighost_warning. Also remove the conditional newline when not outputting
yaml

(cherry picked from commit 1dd76fe780)
2024-08-05 03:40:36 +00:00