Commit Graph

11499 Commits

Author SHA1 Message Date
Matthijs Mekking
d7cc0a9f7b Remove remaining auto-dnssec bits
Remove the remaining bits related to 'auto-dnssec'.
2023-07-20 11:04:24 +02:00
Matthijs Mekking
a4b6ff32e9 Update zonechecks system test
Change test configuration to make use of 'dnssec-policy' instead of
'auto-dnssec'.
2023-07-20 11:04:23 +02:00
Matthijs Mekking
4690e95d29 Update views system test
Change test configuration to make use of 'dnssec-policy' instead of
'auto-dnssec'.

Because we now use 'dnssec-policy', there is no need to create an
explicit key in the final test that adds multiple inline zones
followed by a reconfig.
2023-07-20 11:04:23 +02:00
Matthijs Mekking
62368c6a6f Update unknown system test
Change test configuration to make use of 'dnssec-policy' instead of
'auto-dnssec'.

There is no need to sign the zone in advance.
2023-07-20 11:04:23 +02:00
Matthijs Mekking
49358928b3 Update statschannel system test
Change test configuration to make use of 'dnssec-policy' instead of
'auto-dnssec'.

Because we now add a DNSKEY with dynamic update, the sign statistics
change. When adding signatures triggered by dynamic update, the
dnssec-refresh stats are not incremented (this is only incremented
when signing is triggered by resign in lib/dns/zone.c).
2023-07-20 11:04:23 +02:00
Matthijs Mekking
660d089dca Update nsupdate system test
Remove from the nsupdate system test two test cases that are no longer
supported: We no longer support adding signing keys via dynamic update.
2023-07-20 11:04:23 +02:00
Matthijs Mekking
c8f61c4ac5 Alter mkeys system test
The mkeys system test configured 'auto-dnssec' on the root zone to do
smart signing and simulate root key changes that should be picked up
by the automated trust anchor management of BIND.

This does not require 'auto-dnssec' or 'dnssec-policy', so change the
tests to use manual smart signing with 'dnssec-signzone'.
2023-07-20 11:04:23 +02:00
Matthijs Mekking
730b7ac70f Update masterformat system test
Change test configuration to make use of 'dnssec-policy' instead of
'auto-dnssec'.
2023-07-20 11:04:23 +02:00
Matthijs Mekking
906dd57b68 Remove keymgr2kasp system test
The keymgr2kasp system test tests migration from auto-dnssec to
dnssec-policy. With auto-dnssec removed, we can also remove the
migration system test.
2023-07-20 11:04:23 +02:00
Matthijs Mekking
ee3ae4d7d5 Remove dupsigs system test
This test uses key timing metadata to do rollovers, this is no longer
applicable with 'dnssec-policy'. Note that with 'dnssec-policy' key
timing metadata is still written, but it is not used for determining
what and when to do key rollovers.
2023-07-20 11:04:23 +02:00
Matthijs Mekking
9ee33d99b3 Allow rndc signing commands with dnssec-policy
Some 'rndc signing' commands can still be used in conjunction with
'dnssec-policy' because it shows the progress of signing and
private type records can be cleaned up. Allow these commands to be
executed.

However, setting NSEC3 parameters is incompatible with dnssec-policy.
2023-07-20 11:04:23 +02:00
Matthijs Mekking
f4eb3ba459 Change inline system test
The inline system test tests 'auto-dnssec' in conjunction with
'inline-signing'. Change the tests to make use of 'dnssec-policy'.

Remove some tests that no longer make sense:
- The 'retransfer3.' zone tests changing the parameters with
  'rndc signing -nsec3param'. This command is going away and NSEC3
  parameters now need to be configured with nsec3param within
  'dnssec-policy'.
- The 'inactivezsk.' and 'inactiveksk.' zones test whether the ZSK takes
  over signing if the KSK is inactive, or vice versa. This fallback
  mode no longer makes sense when using a DNSSEC policy.

Some tests need to be adapted more than just changing 'auto-dnssec'
to 'dnssec-policy':
- The 'delayedkeys.' zone first needs to be configured as insecure,
  then we can change it to start signing. Previously, having no existing
  keys meant that you could not sign the zone; with 'dnssec-policy'
  new keys will be created.
- The 'updated.' zone needs to have key states in a specific state
  so that the minimal journal check still works (otherwise CDS/
  CDNSKEY and related records will be in the journal too).
- External keys are now added to the unsigned zone and no longer
  are maintained with key files. Adjust the 'externalkey.' zone
  accordingly.
- The 'nsec3-loop.' zone requires three signing keys. Since
  'dnssec-policy' will ignore duplicates in the 'keys' section,
  create RSASHA256 keys with different role and/or key length.

Finally, the 'externalkey.' zone checks for an expected number of
DNSKEY and RRSIG records in the response. This used to be 3 DNSKEY
and 2 RRSIG records. Due to logic behavior changes (key timing
metadata is no longer authoritative), these expected values are
changed to 4 DNSKEY records (two signing keys and two external keys
per algorithm) and 1 RRSIG record (one active KSK per signing
algorithm).
2023-07-20 11:04:23 +02:00
Matthijs Mekking
d3bf732697 Update dnssec system test
The dnssec system test has some tests that use auto-dnssec. Update
these tests to make use of dnssec-policy.

Remove any 'rndc signing -nsec3param' commands because with
dnssec-policy you set the NSEC3 parameters in the configuration.

Remove now duplicate tests that checked if CDS and CDNSKEY RRsets
are signed with KSK only (the dnssec-dnskey-kskonly option worked
in combination with auto-dnssec).

Also remove the publish-inactive.example test case because such
use cases are no longer supported (only with manual signing).

The auto-nsec and auto-nsec3 zones need to use an alternative
algorithm because duplicate lines in dnssec-policy/keys are ignored.
2023-07-20 11:04:23 +02:00
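An added configuration example, not taken from the BIND repository or its system tests, illustrating the switch the inline and dnssec test commits above describe: the 'auto-dnssec' zone form that this series removes, next to the 'dnssec-policy' form that replaces it, with NSEC3 parameters set in the policy instead of via 'rndc signing -nsec3param', and three 'keys' lines kept distinct so that none is silently dropped as a duplicate. Zone names, the policy name and file paths are hypothetical.

```conf
# Added example (not from the BIND source tree). Zone and policy names
# and file paths are placeholders.

# Old form, removed by this series: named looks for key files in
# key-directory and decides what to publish and sign from the keys'
# timing metadata.
zone "legacy.example" {
	type primary;
	file "legacy.example.db";
	key-directory "keys";
	inline-signing yes;
	auto-dnssec maintain;
};

# Replacement: the policy states which keys exist and how NSEC3 is
# configured; named generates and rolls the keys itself. The three
# 'keys' lines below differ in role or key length on purpose: a line
# identical to an earlier one would be ignored as a duplicate.
dnssec-policy "three-keys" {
	keys {
		ksk lifetime unlimited algorithm rsasha256 2048;
		zsk lifetime P90D algorithm rsasha256 2048;
		zsk lifetime P90D algorithm rsasha256 3072;
	};
	# Formerly set at runtime with 'rndc signing -nsec3param'.
	nsec3param iterations 0 optout no salt-length 0;
};

zone "policy.example" {
	type primary;
	file "policy.example.db";
	key-directory "keys";
	inline-signing yes;
	dnssec-policy "three-keys";
};
```

Per the 'Allow rndc signing commands with dnssec-policy' commit above, 'rndc signing -list' and the private-type cleanup commands still work for a zone using a policy, so signing progress can still be inspected; only the NSEC3 parameter command is incompatible. Check a rewritten configuration with 'named-checkconf' before reloading, since a stray 'auto-dnssec' line is now a configuration error rather than a deprecation warning.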
Matthijs Mekking
9f75f472f6 Alter autosign system test
The autosign system test mainly tests the auto-dnssec configuration
option. Since this option is going to be removed, update the system
test so that it uses dnssec-policy.

We could remove the complete system test, but keeping an altered
version of the system test may still be useful to detect unexpected
behavior after code changes.

Change the ns1 (test root server) to use manual signing. This zone
has some weird corner cases that do not fit the dnssec-policy model
very well.

The ns2 bar zone also needs to use manual signing, because it revokes
its key, and RFC 5011 key revocation is not supported with
dnssec-policy.

There are also a couple of weird corner test cases that can be removed:
- Inactive KSK or ZSK. With dnssec-policy there is no such thing as
  ZSK taking over the role of a KSK when the KSK is deleted, or vice
  versa.
- The CDS and CDNSKEY DELETE records are now automated with
  dnssec-policy and so the tests for persistence are no longer required.

In tests.sh, bump the expected number of root DNSKEY records to 11,
because with manual signing the activation before publication is
actually honored.

Also remove any 'rndc signing -nsec3param' commands because with
dnssec-policy you set the NSEC3 parameters in the configuration.

Remove any check interval tests, these "next key event" times are
now calculated and tested in the kasp system test.
2023-07-20 11:04:23 +02:00
Matthijs Mekking
33db82cf20 Remove auto-dnssec checkconf tests
Any checkconf tests related to auto-dnssec can be removed, as this
option will be removed too.
2023-07-20 11:04:23 +02:00
Aram Sargsyan
aa7538fd38 Fix a bug in a utility script for the statschannel system test
Because of a typo, the fetch.pl script tries to extract the server
address from the input parameter 'a' instead of 's'. Fix the typo.
2023-07-19 13:23:40 +00:00
Tom Krizek
5b5d5f9f22 Merge tag 'v9.19.15' 2023-07-19 14:16:32 +02:00
Michal Nowak
ad3efede4d Remove remnants of Windows support in system test
The "uname -o" command is harmful on OpenBSD because this platform does
not know about the "-o" option. It is a permanent failure since system
tests are started with "set -e".
2023-07-18 16:39:21 +02:00
Matthijs Mekking
2152d06c8e Don't add signing records for dyn update DNSKEY
We removed DNSSEC management via dynamic update (see issue #3686),
this means we also should no longer add signing records (of private
type) for DNSKEY records added via dynamic update.
2023-07-18 15:38:53 +02:00
Mark Andrews
3f7723cdff Use absolute path to locate run.gdb 2023-07-18 00:01:46 +00:00
Tom Krizek
cf3e9f8399 Handle curl without HTTP/2 support in doth test 2023-07-17 16:46:06 +02:00
Evan Hunt
4db150437e clean up unused dns_db methods
to reduce the amount of common code that will need to be shared
between the separated cache and zone database implementations,
clean up unused portions of dns_db.

the methods dns_db_dump(), dns_db_isdnssec(), dns_db_printnode(),
dns_db_resigned(), dns_db_expirenode() and dns_db_overmem() were
either never called or were only implemented as nonoperational stub
functions: they have now been removed.

dns_db_nodefullname() was only used in one place, which turned out
to be unnecessary, so it has also been removed.

dns_db_ispersistent() and dns_db_transfernode() are used, but only
the default implementation in db.c was ever actually called. since
they were never overridden by database methods, there's no need to
retain methods for them.

in rbtdb.c, beginload() and endload() methods are no longer defined for
the cache database, because that was never used (except in a few unit
tests which can easily be modified to use the zone implementation
instead).  issecure() is also no longer defined for the cache database,
as the cache is always insecure and the default implementation of
dns_db_issecure() returns false.

for similar reasons, hashsize() is no longer defined for zone databases.

implementation functions that are shared between zone and cache are now
prepended with 'dns__rbtdb_' so they can become nonstatic.

serve_stale_ttl is now a common member of dns_db.
2023-07-17 14:50:25 +02:00
Tony Finch
856a6e4afb Give the rdataset->privateN fields more helpful names
BIND's rdataset structure is a view of some DNS records. It is
polymorphic, so the details of how the records are stored can vary.
For instance, the records can be held in an rdatalist, or in an
rdataslab in the rbtdb.

The dns_rdataset structure previously had a number of fields called
`private1` up to `private7`, which were used by the various rdataset
implementations. It was not at all clear what these fields were for,
without reading the code and working it out from context.

This change makes the rdataset inheritance hierarchy more clear. The
polymorphic part of a `struct dns_rdataset` is now a union of structs,
each of which is named for the class of implementation using it. The
fields of these structs replace the old `privateN` fields. (Note: the
term "inheritance hierarchy" refers to the fact that the builtin and
SDLZ implementations are based on and inherit from the rdatalist
implementation, which in turn inherits from the generic rdataset.)

Most of this change is mechanical, but there are a few extras.

In keynode.c there were a number of REQUIRE()ments that were not
necessary: they had already been checked by the rdataset method
dispatch code. On the other hand, in ncache.c there was a public
function which needed to REQUIRE() that an rdataset was valid.

I have removed lots of "reset iterator state" comments, because it
should now be clear from `target->iter = NULL` where before
`target->private5 = NULL` could have been doing anything.

Initialization is a bit neater in a few places, using C structure
literals where appropriate.

The pointer arithmetic for translating between an rdataslab header and
its raw contents is now fractionally safer.
2023-07-17 14:50:25 +02:00
Tom Krizek
87e95b2348 Remove tkey test remnants
The tkey test was removed in bd4576b3ce
and the prereq.sh bit was accidentally added in
175d0c6d85.
2023-07-17 10:40:07 +02:00
Tom Krizek
e5f2addcaa Check return codes from commands in inline test
To improve the compatibility of the inline test with the `set -e`
option, ensure all commands which are expected to pass are explicitly
checked for return code and non-zero return codes are handled.
2023-07-14 17:10:58 +02:00
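An added example, not from the BIND test suite, of the check-and-record pattern this commit and the ones below apply: under 'set -e' every command expected to pass is checked explicitly and its failure recorded, and every command expected to fail is wrapped so that its non-zero exit does not abort the script. The function names are my own.

```sh
#!/bin/sh
# Added example (not BIND's code): running checks under 'set -e' without
# letting the first unexpected exit status terminate the whole run.
set -e

status=0

# A command that must succeed. The '|| ret=1' list keeps set -e from
# exiting the script; the failure is counted in $status instead.
expect_success() {
	ret=0
	"$@" > /dev/null 2>&1 || ret=1
	[ "$ret" -eq 0 ] || echo "expected success, got failure: $*" >&2
	status=$((status + ret))
	return 0
}

# A command that must fail (a query that should be REFUSED, a bad
# config that named-checkconf must reject). Written bare, its non-zero
# exit would kill a 'set -e' script even though failing is the point,
# so it is evaluated as an 'if' condition, which set -e ignores.
expect_failure() {
	ret=0
	if "$@" > /dev/null 2>&1; then ret=1; fi
	[ "$ret" -eq 0 ] || echo "expected failure, got success: $*" >&2
	status=$((status + ret))
	return 0
}

# The accumulated result, as the tail of a system test script reports it.
final_status() {
	echo "$status"
}

# Stand-alone demonstration: both expectations hold, so status stays 0.
expect_success true
expect_failure false
echo "status: $(final_status)"
```

Pipelines need the same care: with 'set -e' alone, only the exit status of the last command in a pipeline is checked, so a failing 'grep' feeding into 'wc' goes unnoticed unless the grep result is tested separately.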
Tom Krizek
05baf7206b Use $(...) notation for subshells in system tests
The changes were mostly done with sed:

find . -name '*.sh' | xargs sed -i 's/`\([^`]*\)`/$(\1)/g'

There have been a few manual changes where the regex wasn't sufficient
(e.g. backslashes inside the `...`) or wrong (`...` referring to docs or
in comments).
2023-07-14 15:49:18 +02:00
Tom Krizek
d203681a75 Handle non-zero return codes in rootkeysentinel tests 2023-07-14 15:49:18 +02:00
Tom Krizek
2b8e5e1155 Handle non-zero return codes in resolver test 2023-07-14 15:49:17 +02:00
Tom Krizek
cde02fdb6a Handle non-zero return codes in statschannel test 2023-07-14 15:49:17 +02:00
Tom Krizek
4a87b44196 Handle non-zero return codes in checkconf test 2023-07-14 15:49:17 +02:00
Tom Krizek
9d383dce40 Handle non-zero return codes in dnstap test 2023-07-14 15:49:17 +02:00
Tom Krizek
ede8ea889b Handle non-zero return codes in kasp test 2023-07-14 15:49:17 +02:00
Tom Krizek
4e8802a22d Handle non-zero return codes in serve-stale test 2023-07-14 15:49:17 +02:00
Tom Krizek
fae6808b9c Handle non-zero return codes in doth test 2023-07-14 15:49:17 +02:00
Tom Krizek
1e64749ed3 Handle non-zero return codes in acl test 2023-07-14 15:49:17 +02:00
Tom Krizek
3a36ff506d Handle non-zero return codes in statistics test 2023-07-14 15:49:16 +02:00
Tom Krizek
9fdf537f52 Handle non-zero return codes in rrsetorder test 2023-07-14 15:49:16 +02:00
Tom Krizek
45fc4cc465 Handle non-zero return codes in redirect test 2023-07-14 15:49:16 +02:00
Tom Krizek
c50a9e158d Handle non-zero return codes in rndc test 2023-07-14 15:49:16 +02:00
Tom Krizek
36d74bd2e3 Handle non-zero return codes in inline test 2023-07-14 15:49:16 +02:00
Tom Krizek
f3310e1731 Handle non-zero return codes in unknown test 2023-07-14 15:49:16 +02:00
Tom Krizek
86765ad1d3 Handle non-zero return codes in nsupdate test 2023-07-14 15:49:16 +02:00
Tom Krizek
e5933f65d6 Handle non-zero return codes in zonechecks test 2023-07-14 15:49:16 +02:00
Tom Krizek
e8c61f8da4 Handle non-zero return codes in wildcard test 2023-07-14 15:49:16 +02:00
Tom Krizek
69e8876966 Handle non-zero return codes in zero test 2023-07-14 15:49:15 +02:00
Tom Krizek
3ce200ead8 Handle non-zero return codes in legacy test 2023-07-14 15:49:15 +02:00
Tom Krizek
2823d0b469 Handle non-zero return codes in forward test 2023-07-14 15:49:15 +02:00
Tom Krizek
855f5b143a Handle non-zero return codes in upforwd test 2023-07-14 15:49:15 +02:00
Tom Krizek
146cb978c5 Handle non-zero return codes in addzone test 2023-07-14 15:49:15 +02:00
Tom Krizek
247b608f62 Handle non-zero return codes in rpzrecurse test 2023-07-14 15:49:15 +02:00