While libcap-enabled builds check whether any capability named requests
is within the permitted capability set, non-libcap builds just try
requesting them, which potentially causes a misleading error message to
be output ("Operation not permitted: please ensure that the capset
kernel module is loaded"). Ensure non-libcap builds also check whether
any requested capability is within the permitted capability set.
With "dnssec-validation" now defaulting to "auto", it needs to be
explicitly set to "yes" (the previous default value) for all validating
resolvers used in system tests. Ensure that requirement is satisfied by
the resolvers used in the "rpz" system test.
(cherry picked from commit ff6b717955)
Change 4897 modified the way the $DNSRPS_TEST_MODE variable is used in
bin/tests/system/rpz/tests.sh without updating all references to it,
which i.a. causes the $native and $dnsrps variables to not be set in the
default testing mode, effectively preventing failed checks from being
propagated to the final result of the test. Use $mode instead of
$DNSRPS_TEST_MODE where appropriate to fix error handling in the "rpz"
system test.
(cherry picked from commit 730c6651a0)
4971. [bug] dnssec-signzone and dnssec-verify did not treat records
below a DNAME as out-of-zone data. [GL #298]
(cherry picked from commit f467ba8e1f)
DNAME records indicate bottom of zone and thus no records below a DNAME
should be DNSSEC-signed or included in NSEC(3) chains. Add a helper
function, has_dname(), for detecting DNAME records at a given node.
Prevent signing DNAME-obscured records. Check that DNAME-obscured
records are not signed.
(cherry picked from commit 75c0d85fc4)
The keyfile and key ID for the original managed key do not change
throughout the mkeys system test. Keep them in helper variables to
prevent calling "cat" multiple times and improve code readability.
(cherry picked from commit 68f056b2a0)
Reduce code duplication by replacing a code snippet repeated throughout
system tests using "trusted-keys" and/or "managed-keys" configuration
sections with calls to keyfile_to_{managed,trusted}_keys() helper
functions.
(cherry picked from commit 120af964ce)
Add a set of helper functions for system test scripts which enable
converting key data from a set of keyfiles to either a "trusted-keys"
section or a "managed-keys" section suitable for including in a
resolver's configuration file.
(cherry picked from commit 2392b8bc7d)
In order to decrease code duplication, express the logic contained in
all zone logging functions using dns_zone_logv() calls.
(cherry picked from commit 5c03cd339e)
Add a new libdns function, dns_zone_logv(), which takes a single va_list
argument rather than a variable number of arguments and can be used as a
base for implementing more specific zone logging functions.
(cherry picked from commit bb2dfb3f49)
