Commit Graph
10375 Commits
Author SHA1 Message Date
Matthijs Mekking ee18cfe215 Add two more nsec3 system tests
Add one more case that tests reconfiguring a zone to turn off
inline-signing. It should still be a valid DNSSEC zone and the NSEC3
parameters should not change.

Add another test to ensure that you cannot update the zone with a
NSEC3 record.

(cherry picked from commit 4cd8e8e9c3)
2022-11-03 14:41:05 +01:00
Matthijs Mekking 8f6efb8446 Update kasp system test to work with .signed files
We no longer accept copying DNSSEC records from the raw zone to
the secure zone, so update the kasp system test that relies on this
accordingly.

Also add more debugging and store the dnssec-verify results in a file.

(cherry picked from commit 57ea9e08c6)
2022-11-03 14:39:38 +01:00
Matthijs Mekking 9bef41046f Test changing from dynamic to inline-signing
Add a kasp system test that reconfigures a dnssec-policy zone from
maintaining DNSSEC records directly to the zone to using inline-signing.

Add a similar test case to the nsec3 system test, testing the same
thing but now with NSEC3 in use.

(cherry picked from commit 9018fbb205)
2022-11-03 14:39:23 +01:00
Tom Krizek df436ed93b ci: disable algorithm support checking in softhsm
The algorithm support detection script doesn't seem to work when using
the SoftHSM module. For some reason, dnssec-keygen returns 'crypto
failure'. Since the tests themselves pass, this is likely to be some
bug/definiency in the test scripts that check algorithm support that get
confused by SoftHSM.

Since this issue only happens for the system:gcc:softhsm2.6 job in the
9.16 branch, use a workaround to not introduce this new feature for
this particular problematic job.
2022-11-01 19:51:52 +01:00
Tom Krizek b5946acfc9 Randomize algorithm selection for mkeys test
Use the ALGORITHM_SET option to use randomly selected default algorithm
in this test. Make sure the test works by using variables instead of
hard-coding values.

(cherry picked from commit f65f276f98)
2022-11-01 19:51:52 +01:00
Tom Krizek 8a6fc2d20e Set algorithms for system tests at runtime
Use the get_algorithms.py script to detect supported algorithms and
select random algorithms to use for the tests.

Make sure to load common.conf.sh after KEYGEN env var is exported.

(cherry picked from commit 69b608ee9f)
2022-11-01 19:51:52 +01:00
Tom Krizek 8b5a9c185a Script for random algorithm selection in system tests
Multiple algorithm sets can be defined in this script. These can be
selected via the ALGORITHM_SET environment variable. For compatibility
reasons, "stable" set contains the currently used algorithms, since our
system tests need some changes before being compatible with randomly
selected algorithms.

The script operation is similar to the get_ports.py - environment
variables are created and then printed out as `export NAME=VALUE`
commands, to be interpreted by shell. Once we support pytest runner for
system tests, this should be a fixture instead.

(cherry picked from commit 5f480c8485)
2022-11-01 19:51:52 +01:00
Tom Krizek ae86743e7b Export env variables in system tests
Certain variables have to be exported in order for the system tests to
work. It makes little sense to export the variables in one place/script
while they're defined in another place.

Since it makes no harm, export all the variables to make the behaviour
more predictable and consistent. Previously, some variables were
exported as environment variables, while others were just shell
variables which could be used once the configuration was sourced from
another script. However, they wouldn't be exposed to spawned processes.

For simplicity sake (and for the upcoming effort to run system tests
with pytest), export all variables that are used. TESTS, PARALLEL_UNIX
and SUBDIRS variables are automake-specific, aren't used anywhere else
and thus not exported.

(cherry picked from commit 37d14c69c0)
2022-11-01 19:51:52 +01:00
Tom Krizek edd923e8eb Support testcrypto.sh usage without including conf.sh
The only variable really needed for the script to work is the path to
the $KEYGEN binary. Allow setting this via an environment variable to
avoid loading conf.sh (and causing a chicken-egg problem). Also make
testcrypto.sh executable to allow its use from conf.sh.

(cherry picked from commit bb1c6bbdc7)
2022-11-01 19:51:52 +01:00
Tom Krizek a51b0ad31f Unify indentation level in testcrypto.sh
(cherry picked from commit 01b293b055)
2022-11-01 19:51:49 +01:00
Aram Sargsyan f12260c435 Test managed-keys placeholder
Add a dnssec test to make sure that named can correctly process a
managed-keys zone with a placeholder KEYDATA record.

(cherry picked from commit 8c48eabbc1)
2022-11-01 10:55:19 +00:00
Tom Krizek 29782e5613 Remove misleading comment from serve-stale test
The stale-answer-client-timeout option is not set to 0 in the config
neither is it the default value. This was probably caused by a
copy-paste error.
2022-10-24 14:39:48 +02:00
Tom Krizek 01293b86d9 Test serve stale cache with timeout 0 and CNAME
Add a couple of tests that verify the serve-stale behavior when
stale-answer-client-timeout is set to 0 and a (stale) CNAME record is
queried.

Related #3517
2022-10-24 14:39:46 +02:00
Aram Sargsyan c65c6ecee5 Getting the "prefetch" setting from the configuration cannot fail
The "prefetch" setting is in "defaultconf" so it cannot fail, use
INSIST to confirm that.

The 'trigger' and 'eligible' variables are now prefixed with
'prefetch_' and their declaration moved to an upper level, because
there is no more additional code block after this change.

(cherry picked from commit 0227565cf1)
2022-10-21 10:30:56 +00:00
Aram Sargsyan 822dd7b8b9 Add another prefetch check in the resolver system test
The test triggers a prefetch, but fails to check if it acutally
happened, which prevented it from catching a bug when the record's
TTL value matches the configured prefetch eligibility value.

Check that prefetch happened by comparing the TTL values.

(cherry picked from commit 89fa9a6592)
2022-10-21 10:30:13 +00:00
Artem Boldariev 46664bfe5d Fix named failing to start on Solaris systems with hundreds of CPUs
This commit fixes a startup issue on Solaris systems with
many (reportedly > 510) CPUs by bumping RLIMIT_NOFILE. This appears to
be a regression from 9.11.

(cherry picked from commit fff01fe7eb)
2022-10-20 15:21:53 +03:00
Michał KępieńandMichal Nowak 67319f1004 Add tests for CVE-2022-2795
Add a test ensuring that the amount of work fctx_getaddresses() performs
for any encountered delegation is limited: delegate example.net to a set
of 1,000 name servers in the redirect.com zone, the names of which all
resolve to IP addresses that nothing listens on, and query for a name in
the example.net domain, checking the number of times the findname()
function gets executed in the process; fail if that count is excessively
large.

Since the size of the referral response sent by ans3 is about 20 kB, it
cannot be sent back over UDP (EMSGSIZE) on some operating systems in
their default configuration (e.g. FreeBSD - see the
net.inet.udp.maxdgram sysctl).  To enable reliable reproduction of
CVE-2022-2795 (retry patterns vary across BIND 9 versions) and avoid
false positives at the same time (thread scheduling - and therefore the
number of fetch context restarts - vary across operating systems and
across test runs), extend bin/tests/system/resolver/ans3/ans.pl so that
it also listens on TCP and make "ns1" in the "resolver" system test
always use TCP when communicating with "ans3".

Also add a test (foo.bar.sub.tld1/TXT) that ensures the new limitations
imposed on the resolution process by the mitigation for CVE-2022-2795 do
not prevent valid, glueless delegation chains from working properly.

(cherry picked from commit 604d8f0b96)
2022-10-20 10:19:22 +02:00
Evan Hunt 2cf5fd67c0 add a test with CD=1 query for pending data
this is a regression test for [GL #3247].
2022-10-19 13:17:32 -07:00
Tom Krizek a8f286c9a5 Remove generated controls.conf file from system tests
The controls.conf file shouldn't be used directly without templating it
first. Remove this no longer used hard-coded file to avoid confusion.

(cherry picked from commit cbd0355328)
2022-10-19 16:58:56 +02:00
Tom Krizek 456baa7f4a Revive dupsigs system test
Speed up the test from 20 minutes to 2.5 minutes and make it part of the
default test suite executed in CI.
- decrease number of records to sign from 2000 to 500
- decrease the signing interval by a factor of 6
- shorten the final part of the test after last signing (since nothing
  new happens there)

Finally, clarify misleading comments about (in)sufficient time for zone
re-signing. The time used in the test is in fact sufficient for the
re-signing to happen. If it wasn't, the previous ZSK would end up being
deleted while its signatures would still be present, which is a
situation where duplicate signatures can still happen.

(cherry picked from commit cb0a2ae1dd)
2022-10-19 16:58:56 +02:00
Tom Krizek 84d6484c5a Revive the stress system test
Ensure the port numbers are dynamically filled in with copy_setports.

Clarify test fail condition.

Make the stress test part of the default test suite since it doesn't
seem to run too long or interfere with other tests any more (the
original note claiming so is more than 20 years old).

Related !6883

(cherry picked from commit 7495deea3e)
2022-10-19 16:58:56 +02:00
Tom Krizek 81a224f418 Revive dialup system test
Properly template the port number in config files with copy_setports.

The test takes two minutes on my machine which doesn't seem like a
proper justification to exclude it from the test suite, especially
considering we run these tests in parallel nowadays. The resource usage
doesn't seems significantly increased so it shouldn't interfere with
other system tests.

There also exists a precedent for longer running system tests that are
already part of the default system test suite (e.g. serve-stale takes
almost three minutes on the same machine).

(cherry picked from commit 235ae5f344)
2022-10-19 16:58:55 +02:00
Petr Špaček b57241ddbb Allow system tests to run under root user when inside CI
https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
says variable CI_SERVER="yes" is available in all versions of Gitlab.

(cherry picked from commit ddf46056ca)

Adapted to v9_16's version of run.sh.
2022-10-18 15:18:13 +02:00
Petr Špaček b7cae87b2b Document that nsupdate ignores server command in GSS-TSIG mode
This behavior is present since introduction of GSS-TSIG support,
commit 289ae548d5.

(cherry picked from commit c8a38d70f0)
2022-10-18 10:14:54 +02:00
Michal NowakandOndřej Surý 4be4deb740 Replace fgrep and egrep with grep -F/-E
GNU Grep 3.8 reports the following warnings:

    egrep: warning: egrep is obsolescent; using grep -E
    fgrep: warning: fgrep is obsolescent; using grep -F

(cherry picked from commit 212c4de043)
2022-10-17 09:12:02 +02:00
Michal NowakandOndřej Surý 52b86104ca Remove stray backslashes
GNU Grep 3.8 reports several instances of stray backslashes in matching
patterns:

    grep: warning: stray \ before /
    grep: warning: stray \ before :

(cherry picked from commit 65e91ef5e6)
2022-10-17 09:11:20 +02:00
Tom Krizek 2637043f01 Remove system test delzone
There are multiple reasons to remove this test as obsolete:

- The test may not possibly work for over 2.5 years, since
  98b3b93791 removed the rndc.py python
  tool on which this test relies.
- It isn't part of the test suite either in CI or locally unless it is
  explicitly enabled. As a result, there are many issues which prevent
  the test from being executed caused by various refactoring efforts
  accumulated over time.
- Even if the test could be executed, it has no clear failure condition.
  If the python script(s) fail, the test still passes.

(cherry picked from commit 05180154d9)
2022-10-14 16:48:38 +02:00
Michał Kępień e535dc2b59 Fix startup detection after restart in start.pl
The bin/tests/system/start.pl script waits until a "running" message is
logged by a given name server instance before attempting to send a
version.bind/CH/TXT query to it.  The idea behind this was to make the
script wait until named loads all the zones it is configured to serve
before telling the system test framework that a given server is ready to
use; this prevents the need to add boilerplate code that waits for a
specific zone to be loaded to each test expecting that.

The problem is that when it looks for "running" messages, the
bin/tests/system/start.pl script assumes that the existence of any such
message in the named.run file indicates that a given named instance has
already finished loading all zones.  Meanwhile, some system tests
restart all the named instances they use throughout their lifetime (some
even do that a few times), for example to run Python-based tests.  The
bin/tests/system/start.pl script handles such a scenario incorrectly: as
soon as it finds any "running" message in the named.run file it inspects
and it gets a response to a version.bind/CH/TXT query, it tells the
system test framework that a given server is ready to use, which might
not be true - it is possible that only the "version.bind" zone is loaded
at that point and the "running" message found was logged by a
previously-shutdown named instance. This triggers intermittent failures
for Python-based tests.

Fix by improving the logic that the bin/tests/system/start.pl script
uses to detect server startup: check how many "running" lines are
present in a given named.run file before attempting to start a named
instance and only proceed with version.bind/CH/TXT queries when the
number of "running" lines found in that named.run file increases after
the server is started.

(cherry picked from commit 18e20f95f6)
2022-10-11 11:59:02 +02:00
Michał Kępień c11f286d34 Do not truncate ns2 logs in the "rrsetorder" test
In the "rrsetorder" system test, the ns2 named instance is restarted
without passing the --restart option to bin/tests/system/start.pl.  This
causes the log file for that named instance to be needlessly truncated.
Prevent this from happening by restarting the affected named instance
in the same way as all the other named instances used in system tests.

(cherry picked from commit 9146b956ae)
2022-10-11 11:59:02 +02:00
Petr Špaček d63bc6af08 Clarify error message about missing inline-signing & dnssec-policy
(cherry picked from commit 058c1744ba)
2022-10-06 10:31:15 +02:00
Mark Andrews 03d363d0ee Add sleeps to ixfr system test
ensure that at least a second has passed since a zone was last loaded
to prevent it accidentally being skipped as up to date.

(cherry picked from commit 491a8cfe96)
2022-10-06 08:36:38 +11:00
Michal Nowak 9f27c3f95e Drop flake8 ignore lists
flake8 is not used in BIND 9 CI and inline ignore lists are not needed
anymore.

(cherry picked from commit f5d9fa6ea4)
2022-10-05 18:33:34 +02:00
Mark Andrews e396d5d72d Add support for 'dohpath' to SVCB (and HTTPS)
dohpath is specfied in draft-ietf-add-svcb-dns and has a value
of 7.  It must be a relative path (start with a /), be encoded
as UTF8 and contain the variable dns ({?dns}).

(cherry picked from commit 6d561d3886)
2022-10-04 15:33:49 +11:00
Mark AndrewsandMichal Nowak 47e8a98240 keymgr: use DEFAULT_ALGORITHM instead of {nsec3}rsasha1 2022-10-03 13:28:26 +02:00
Michal Nowak f822943473 coverage: use $DEFAULT_ALGORITHM 2022-10-03 13:28:25 +02:00
Mark AndrewsandMichal Nowak 21cd56b42b Fix mkeys to work with DEFAULT_ALGORITHM properly
Stop using a RSASHA1 fixed key in ns3's named.conf as the
trusted key and instead compute a broken digest from the
real digest to use in trusted-keys.

(cherry picked from commit be4cbe2b80)
2022-10-03 13:28:25 +02:00
Mark AndrewsandMichal Nowak 42727aab9a kasp: stop using RSASHA1 unless necessary for the test
Moves tests from being RSASHA1 based to RSASHA256 based where possible
and split out the remaining RSASHA1 based tests so that they are not
run on OS's that don't support RSASHA1.

(cherry picked from commit db028684e5)
2022-10-03 13:28:25 +02:00
Mark AndrewsandMichal Nowak 4daa3d6dae keymgr2kasp: use FIPS compliant algorithms and key sizes
migrate-nomatch-alglen: switched to RSASHA256 instead of RSASHA1
and the key size now changes from 2048 bits to 3072 bits instead
of 1024 bits to 2048 bits.

migrate-nomatch-algnum: switched to RSASHA256 instead of RSASHA1
as initial algorithm and adjusted mininum key size to 2048 bits.

rsasha256: adjusted minimum key size to 2048 bits.

(cherry picked from commit 048b015166)
2022-10-03 13:28:25 +02:00
Mark AndrewsandMichal Nowak 3d642f46f2 dnssec/signer/general: Replace RSASHA1 keys with RSASHA512 keys
RSASHA1 is verify only in FIPS mode. Use RSASHA256 instead.

(cherry picked from commit 9c6de6d12d)
2022-10-03 13:28:25 +02:00
Mark AndrewsandMichal Nowak 77e0878444 autosign: use FIPS compatible algorithms and key sizes
The nsec-only.example zone was not converted as we use it to
test nsec-only DNSSEC algorithms to nsec3 conversion failure.
The subtest is skipped in fips mode.

Update "checking revoked key with duplicate key ID" test
to use FIPS compatible algorithm.

(cherry picked from commit 99ad09975e)
2022-10-03 13:28:25 +02:00
Mark AndrewsandMichal Nowak e6d1117891 rsabigexponent: convert the test from RSASHA1 to RSASHA256
RSASHA1 is not supported on some platforms.

(cherry picked from commit 8c3c011860)
2022-10-03 13:28:25 +02:00
Mark AndrewsandMichal Nowak fe4d8ca7c7 mkeys: use $() instead of back quotes
(cherry picked from commit 0e45a2b02c)
2022-10-03 13:19:35 +02:00
Mark AndrewsandMichal Nowak 4950ab72e8 Upgrade uses of hmac-sha1 to DEFAULT_HMAC
where the test is not hmac-sha1 specific

(cherry picked from commit c533e8bc5b)
2022-10-03 13:19:35 +02:00
Mark AndrewsandMichal Nowak e8545ad255 zonechecks: use $DEFAULT_ALGORITHM
(cherry picked from commit 459e6980e5)
2022-10-03 13:19:35 +02:00
Mark AndrewsandMichal Nowak 864a2b127a wildcard: use $DEFAULT_ALGORITHM
(cherry picked from commit 3f65c9cf85)
2022-10-03 13:19:34 +02:00
Mark AndrewsandMichal Nowak 76a154d8b1 views: use $DEFAULT_ALGORITHM
(cherry picked from commit 86b29606c3)
2022-10-03 13:19:34 +02:00
Mark AndrewsandMichal Nowak 16c6557aa2 verify: use $DEFAULT_ALGORITHM
(cherry picked from commit 93f7c7cdcd)
2022-10-03 13:19:34 +02:00
Mark AndrewsandMichal Nowak 150ace9801 upforwd: use $DEFAULT_ALGORITHM
(cherry picked from commit 5585909904)
2022-10-03 13:19:34 +02:00
Mark AndrewsandMichal Nowak 516694cd8c unknown: use $DEFAULT_ALGORITHM
(cherry picked from commit 9970d4317d)
2022-10-03 13:19:34 +02:00
Mark AndrewsandMichal Nowak b8645af516 synthfromdnssec: use $DEFAULT_ALGORITHM
(cherry picked from commit 73fd49f8bb)
2022-10-03 13:19:34 +02:00