Commit Graph

12185 Commits

Author SHA1 Message Date
Mark Andrews
db19675ee9 Do not sign non DNSKEY RRset with revoked keys
It does not make sense to sign RRsets other than DNSKEY with revoked
keys.

(cherry picked from commit 23775c6006)
2024-12-06 01:00:08 +00:00
Michal Nowak
e8d6be9c38 Add ns2/managed1.conf to mkeys extra_artifacts
The ns2/managed1.conf file is created by the setup.sh script. Then, in
the tests.sh script it is moved to ns2/managed.conf. The latter file
name is in mkeys extra_artifacts, but the former one is not. This is a
problem when pytest is started with the --setup-only option as it only
runs the setup.sh script (e.g., in the cross-version-config-tests CI
job) and thus failing the "Unexpected files found" assertion.

(cherry picked from commit e7d973bd00)
2024-12-05 10:08:34 +00:00
Colin Vidal
c586d9a658 Add EDE 22 No reachable authority code
Add support for Extended DNS Errors (EDE) error 22: No reachable
authority. This occurs when after a timeout delay when the resolver is
trying to query an authority server.

(cherry picked from commit d13e94b930)

Commit amended in order to fix usage of isc_log_write (adding dns_lctx
parameter)
2024-12-05 10:30:28 +01:00
Michal Nowak
211a0eafa9 Rewrite ecdsa system test to pytest
(cherry picked from commit 292e919156)
2024-12-05 07:46:17 +00:00
Ondřej Surý
de7312ae5f Remove dns_badcache usage in the resolver (lame-ttl)
The lame-ttl processing was overriden to be disabled in the config,
but the code related to the lame-ttl was still kept in the resolver
code.  More importantly, the DNS_RESOLVER_BADCACHETTL() macro would
cause the entries in the resolver badcache to be always cached for at
least 30 seconds even if the lame-ttl would be set to 0.

Remove the dns_badcache code from the dns_resolver unit, so we save some
processing time and memory in the resolver code.

(cherry picked from commit b61739836d)
2024-11-27 17:07:03 +00:00
Ondřej Surý
6c3f1f09b2 Improve the badcache cleaning by adding LRU and using RCU
Instead of cleaning the dns_badcache opportunistically, add per-loop
LRU, so each thread-loop can clean the expired entries.  This also
allows removal of the atomic operations as the badcache entries are now
immutable, instead of updating the badcache entry in place, the old
entry is now deleted from the hashtable and the LRU list, and the new
entry is inserted in the LRU.

(cherry picked from commit 2cb5a6210f)
2024-11-27 17:07:03 +00:00
Aram Sargsyan
bebdabc06c Fix the nslookup system test
The nslookup system test checks the count of resolved addresses in
the CNAME tests using a 'grep' match on the hostname, and ignoring
lines containing the 'canonical name' string. In order to protect
the check from intermittent failures like the 'address in use' warning
message, which then automatically resolves after a retry, edit the
'grep' matching string to also ignore the comments (as the mentioned
warning message is a comment which contains the hostname).

(cherry picked from commit 345b0f9e5c)
2024-11-27 13:35:25 +00:00
Aram Sargsyan
61d49b0731 Test trying of the next primary server
Add test cases which check that when a XoT primary server is
unreachable or is already marked as unreachble then the next
primary server in the list is used.

(cherry picked from commit 12225d125b)
2024-11-27 11:49:02 +00:00
Aram Sargsyan
375bd8ec75 xfrin: refactor and fix the ISC_R_CANCELED case handling
Previously a ISC_R_CANCELED result code switch-case has been added to
the zone.c:zone_xfrdone() function, which did two things:

1. Schedule a new zone transfer if there's a scheduled force reload of
   the zone.

2. Reset the primaries list.

This proved to be not a well-thought change and causes problems,
because the ISC_R_CANCELED code is used not only when the whole transfer
is canceled, but also when, for example, a particular primary server is
unreachable, and named still needs to continue the transfer process by
trying the next server, which it now no longer does in some cases. To
solve this issue, three changes are made:

1. Make sure dns_zone_refresh() runs on the zone's loop, so that the
   sequential calls of dns_zone_stopxfr() and dns_zone_forcexfr()
   functions (like done in 'rndc retransfer -force') run in intended
   order and don't race with each other.

2. Since starting the new transfer is now guaranteed to run after the
   previous transfer is shut down (see the previous change), remove the
   special handling of the ISC_R_CANCELED case, and let the default
   handler to handle it like before. This will bring back the ability to
   try the next primary if the current one was interrupted with a
   ISC_R_CANCELED result code.

3. Change the xfrin.c:xfrin_shutdown() function to pass the
   ISC_R_SHUTTINGDOWN result code instead of ISC_R_CANCELED, as it makes
   more sense.

(cherry picked from commit 3262ebd0f3)
2024-11-27 11:49:01 +00:00
JINMEI Tatuya
c862555b66 update system tests to confirm new log messages
(cherry picked from commit 000720fe14)
2024-11-27 11:17:34 +11:00
Michal Nowak
58316503b6 Rewrite emptyzones system test to pytest
(cherry picked from commit 3ace62472c)
2024-11-26 17:03:30 +00:00
Michal Nowak
a506a04c98 Add isctest.check.refused()
(cherry picked from commit 7bedd1c296)
2024-11-26 17:03:30 +00:00
Michal Nowak
5d28efecfc Rewrite database system test to pytest
(cherry picked from commit 8005ad0dcd)
2024-11-26 12:12:26 +00:00
Michal Nowak
3cb61b1252 Revert "xfail upforwd system test if DNSTAP is enabled"
This reverts commit 0579e0a429.

(cherry picked from commit e7e73da39a)
2024-11-26 10:50:15 +00:00
Nicki Křížek
d7cb6263a3 Ignore test artifacts in .libs
Some tests may leave artifacts in the .libs directory. Ignore this
directory when detecting expected artifacts.

(cherry picked from commit cf606a9ead)
2024-11-26 09:06:06 +00:00
Alessio Podda
0472494417 Incrementally apply AXFR transfer
Reintroduce logic to apply diffs when the number of pending tuples is
above 128. The previous strategy of accumulating all the tuples and
pushing them at the end leads to excessive memory consumption during
transfer.

This effectively reverts half of e3892805d6

(cherry picked from commit 99b4f01b33)
2024-11-26 07:17:06 +00:00
Nicki Křížek
80967a2c66 Allow re-run of mkeys system test
On some slow systems, the test might intermittently fail due to inherent
timing issues. In our CI, this most often happens in the
system:gcc:8fips:amd64 jobs.

(cherry picked from commit a299650a6f)
2024-11-25 14:35:54 +00:00
Ondřej Surý
c22176c0f9 Remove redundant semicolons after the closing braces of functions
(cherry picked from commit 1a19ce39db)
2024-11-19 14:26:56 +01:00
Ondřej Surý
58a15d38c2 Remove redundant parentheses from the return statement
(cherry picked from commit 0258850f20)
2024-11-19 14:26:52 +01:00
Ondřej Surý
9b346bc6f1 Add OpenSSL includes as needed
The isc/crypto.h now directly includes the OpenSSL headers (evp.h) and
any application that includes that header also needs to have
OPENSSL_CFLAGS in the Makefile.am.  Adjust the required automake files
as needed.

(cherry picked from commit 88103e72d5)
2024-11-15 14:03:44 +00:00
Nicki Křížek
9ba60be870 Fix clean.sh removal omissions
- Ensure keyfromlabel token is cleaned up
- Remove forgotten clean.sh file
- Add missing enginepkcs11 test artifact

(cherry picked from commit 7dde34afac)
2024-11-12 11:21:15 +01:00
Nicki Křížek
0b9d3fbfea Ensure pytest runner get proper outcome from flaky reruns
When a test is re-run by the flaky plugin, the TestReport outcomes
collected in the pytest_runtest_makereport() hook should be overriden.
Each of the setup/call/teardown phases is reported again and since we
care about the overall outcome, their respective results should be
overriden so that only the outcome from the final test (re)run gets
reported.

Prior to this change, it lead to a situation where an extra_artifact
generated during the test might be ignored. This was caused because the
check was skipped, since the test was incorrectly considered as "failed"
in the case where the test would fail on the first run, but pass on a
subsequent flaky rerun.

(cherry picked from commit b66fb31dcb)
2024-11-12 10:20:27 +00:00
Nicki Křížek
0ed39d76dc Remove invocations and mentions of clean.sh
(cherry picked from commit f2cb2e5723)
2024-11-08 15:39:50 +01:00
Nicki Křížek
c3a0af96ad Replace clean.sh files with extra_artifacts mark
The artifact lists in clean.sh and extra_artifacts might be slightly
different. The list was updated for each test to reflect the current
state.

(cherry picked from commit 7c259fe254)
2024-11-08 15:39:50 +01:00
Michał Kępień
95d3bbd5dc Add pytest fixture for checking test artifacts
Prior to introducing the pytest runner, clean.sh files were used as a
list of files that the test is expected to leave around as artifacts and
check that no extra files were created.

With the pytest runner, those scripts are no longer used, but the
ability to detect extraneous files is still useful. Add a new
"extra_artifacts" mark which can be used for the same purpose.

(cherry picked from commit 3a9f4edddc)
2024-11-08 15:39:50 +01:00
Mark Andrews
e2746e86d9 Remove named_g_sessionkey and named_g_sessionkeyname
They are only declared and cleaned up but otherwise unused.

(cherry picked from commit f70ff727ec)
2024-11-07 02:18:48 +00:00
Matthijs Mekking
9a92cb4fbb Fix dnssec-ksr to support KSK rollovers
dnssec-ksr can now sign KSR files with multiple KSKs. A planned KSK
rollover is supported, meaning the KSR will first be signed with
one KSK and later with another. The timing metadata for CDS and
CDNSKEY records are also taken into account, so these records are
only published when the time is between "SyncPublish" and "SyncDelete".

(cherry picked from commit d7f2a2f437)
2024-11-04 01:10:34 +00:00
Matthijs Mekking
1fcc346729 Add KSK roll test case
Add a test case for Offline KSK where during the lifespan of the Signed
Key Response a KSK rollover happens. Ensure that the correct DNSKEY,
CDNSKEY, and CDS records are published at the right times.

(cherry picked from commit 8cf5f972f4)
2024-11-04 01:10:34 +00:00
Matthijs Mekking
2e5a2f4e81 Allow empty CDNSKEY/CDS RRset in ksr system test
When the zone is initially signed, the CDNSKEY/CDS RRset is not
immediately published. The DNSKEY and signatures must propagate first.
Adjust the test to allow for this case.

(cherry picked from commit 708927e03d)
2024-11-04 01:10:34 +00:00
Matthijs Mekking
a92fb659d3 dnssec-ksr keygen -o to create KSKs
Add an option to dnssec-ksr keygen, -o, to create KSKs instead of ZSKs.
This way, we can create a set of KSKS for a given period too.

For KSKs we also need to set timing metadata, including "SyncPublish"
and "SyncDelete". This functionality already exists in keymgr.c so
let's make the function accessible.

Replace dnssec-keygen calls with dnssec-ksr keygen for KSK in the
ksr system test and check keys for created KSKs as well. This requires
a slight modification of the check_keys function to take into account
KSK timings and metadata.

(cherry picked from commit 680aedb595)
2024-11-04 01:10:34 +00:00
Matthijs Mekking
1adcb2945e Add -f option to dnssec-ksr documentation
This was previously left out by error.

(cherry picked from commit 01169b7ffc)
2024-11-04 01:10:34 +00:00
Mark Andrews
f793b28de4 Add missing $FEATURETEST --have-fips-dh
Notify over TLS only works if FIPS DH is supported.  Skip the system
tests parts that depend on it.

(cherry picked from commit 4f7e3e29a7)
2024-11-02 06:02:51 +00:00
Matthijs Mekking
9621369524 Match algorithms when checking signatures
In the ksr system test, the test_ksr_twotone case may fail if there
are two keys with the same keytag (but different algorithms), because
one key is expected to be signing and the other is not.

Switch to regular expression matching and include the algorithm in the
search string.

(cherry picked from commit 795fcc9f80)
2024-11-01 14:16:38 +00:00
Michal Nowak
ba1d4cc4db Rewrite rsabigexponent system test to pytest
(cherry picked from commit cacff68e78)
2024-10-31 18:15:14 +00:00
Nicki Křížek
668544ec74 Support jinja2 templates in pytest runner
Configuration files in system tests which require some variables (e.g.
port numbers) filled in during test setup, can now use jinja2 templates
when `jinja2` python package is available.

Any `*.j2` file found within the system test directory will be
automatically rendered with the environment variables into a file
without the `.j2` extension by the pytest runner. E.g.
`ns1/named.conf.j2` will become `ns1/named.conf` during test setup. To
avoid automatic rendering, use `.j2.manual` extension and render the
files manually at test time.

New `templates` pytest fixture has been added. Its `render()` function
can be used to render a template with custom test variables. This can be
useful to fill in different config options during the test. With
advanced jinja2 template syntax, it can also be used to include/omit
entire sections of the config file rather than using `named1.conf.in`,
`named2.conf.in` etc.

(cherry picked from commit 60e118c4fb)
2024-10-31 09:40:46 +00:00
Matthijs Mekking
5c724d4c25 Fix CID 510858: Null ptr derefs in check_keys
Coverity Scan reported a new issue for the ksr system test. There
is allegedly a null pointer dereference (FORWARD_NULL) in check_keys().

This popped up because previously we set 'retired' to 0 in case of
unlimited lifetime, but we changed it to None.

It is actually a false positive, because if lifetime is unlimited
there will be only one key in 'keys'.

However, the code would be better if we always initialized 'active'
and if it is not the first key and retired is set, set the successor
key's active time to the retire time of the predecessor key.

(cherry picked from commit e777efb576)
2024-10-25 11:22:26 +00:00
Matthijs Mekking
8a598cb3bf Fix intermittent ksr test failure
The test_ksr_twotwone may fail if the key id is shorter than 5 digits.
Add a leading space to the expected strings which start with the key
tag to avoid the issue.

(cherry picked from commit d5f32f6990)
2024-10-25 07:47:01 +00:00
Nicki Křížek
93356d6b3a Add legacy.run.sh to .gitignore
While this file is no longer created / used in the main branch, it may
linger around when switching from maintenance branches.

(cherry picked from commit 6262d002bf)
2024-10-24 11:55:18 +00:00
Nicki Křížek
04200e4025 Make system tests compatible with pytest 8.0.0+
The pytest collection mechanism has been overhauled in pytest 8.0.0,
resulting in a different node tree when collecting the tests. Ensure the
paths / names we're using that are derived from the node tree are
consistent across different pytest versions.

Particularly, this has affected the convenience symlink name (which is
supposed to be in the form of e.g. dns64_sh_dns64 for the dns64 module
and tests_sh_dns64.py module) and the test name that's logged at the
start of the test, which is supposed to include the system test
directory relative to the root system test directory as well as the
module name (e.g. dns64/tests_sh_dns64.py).

Related https://github.com/pytest-dev/pytest/issues/7777

(cherry picked from commit 7118cbed98)
2024-10-24 11:55:18 +00:00
Timo Eisenmann
a9faeb86aa Use correct certificates for TLS notify tests
Use tls-forward-secrecy instead of tls-expired for tls-x2 and regenerate
the expired certificate for tls-x6 to reflect the swap of ns2 and ns3.

(cherry picked from commit bbdc6b26aa)
2024-10-24 03:11:50 +00:00
Mark Andrews
08f12c70e6 swap ns2 and ns3 rolls in tls notify tests
Still need to regenerate the expired certificate as it has
the wrong IP address

(cherry picked from commit 87e287c984)
2024-10-24 03:11:50 +00:00
Timo Eisenmann
1b59467e82 Add system tests for notify over TLS
We use ns2 as the primary, and ns3 as the secondary server.

(cherry picked from commit e00beca8c5)
2024-10-24 03:11:50 +00:00
Nicki Křížek
2cdb8c90d1 Use UTC timezone when handling keys in kasp test library
When working with key timestamps, ensure we correctly set the UTC
timezone in order for the tests to work consistently regardless of the
local time setting.

(cherry picked from commit f840deba33)
2024-10-22 10:51:53 +02:00
Nicki Křížek
fb9a87e8c5 Disable too-many/too-few pylint checks
Enforcing pylint standards and default for our test code seems
counter-productive. Since most of the newly added code are tests or is
test-related, encountering these checks rarely make us refactor the code
in other ways and we just disable these checks individually. Code that
is too complex or convoluted will be pointed out in reviews anyways.

(cherry picked from commit 7639c58c48)
2024-10-22 09:14:06 +02:00
Matthijs Mekking
b46ddad5df Retry dnssec-verify in kasp test code
It is possible that the zone is not yet fully signed because it is
signed in batches. Retry the AXFR and verify command a couple of times.

(cherry picked from commit b8b3df0676)
2024-10-22 06:24:42 +00:00
Nicki Křížek
f1fc2e1db4 Address pylint issues
(cherry picked from commit 3c6124a093)
2024-10-22 06:24:42 +00:00
Nicki Křížek
fafb75ff8e Use difflib rather than diff cmd
(cherry picked from commit b7207fa3e7)
2024-10-22 06:24:42 +00:00
Nicki Křížek
36ab7489f7 Move algorithm defaults to check_keys()
(cherry picked from commit c9ecd2a618)
2024-10-22 06:24:42 +00:00
Nicki Křížek
ba2fe0a830 Use f-strings
(cherry picked from commit 55ec9f94bc)
2024-10-22 06:24:42 +00:00
Nicki Křížek
3cffc34551 Simplify command invocation
(cherry picked from commit 732a959d9a)
2024-10-22 06:24:42 +00:00