Commit Graph

10459 Commits

Author SHA1 Message Date
Aram Sargsyan
eeaa830ecd Add an "rpz" system test check for a failed reconfiguration
The faulty "DLZ" configuration triggers a reconfiguration failure
in such a place where view reverting code is covered.

(cherry picked from commit 95f4bac002)
2023-02-27 08:42:34 +00:00
Michal Nowak
e8918b1304 Stop logfileconfig/ns1 server with TERM signal
stop.pl tries to stop ns1 via rndc but fails to find rndc.conf because
the logfileconfig test code is unexpectedly executed from the
logfileconfig/ns1/ directory. Instead of stopping ns1 with rndc, it
waits for 30 seconds and then terminates ns1 with the TERM signal.

    I:logfileconfig:testing default logfile using named -L file (9)
    rndc: ../common/rndc.conf does not exist

Stopping ns1 with rndc was recently inadvertently introduced in
172826bfa8. Stop ns1 with the TERM signal
directly, as we did before.
2023-02-23 16:52:59 +01:00
Mark Andrews
e4b5ca92ea Fix backport error in 84929d1cd7
Not all the RETERR's in named_zone_configure where converted to
CHECK's, as was the case in main, leading to a memory leak with
the early returns.
2023-02-23 18:13:58 +11:00
Mark Andrews
f0cbe3ab1f Test RRSIG queries with serve-stale enabled
Make RRSIG queries where the existing tests trigger a DNS_EVENT_TRYSTALE
event.

(cherry picked from commit add40273df)
2023-02-22 14:01:56 +01:00
Aram Sargsyan
d6568bea7c Add tests for CVE-2022-3924
Reproduce the assertion by configuring a 'named' resolver with
'recursive-clients 10;' configuration option and running 20
queries is parallel.

Also tweak the 'ans2/ans.pl' to simulate a 50ms network latency
when qname starts with "latency". This makes sure that queries
running in parallel don't get served immediately, thus allowing
the configured recursive clients quota limitation to be activated.

(cherry picked from commit 4b52b0b4a9)
2023-02-22 10:59:31 +01:00
Mark Andrews
b49a3a56c9 Fix dns_kasp_attach / dns_kasp_detach usage
The kasp pointers in dns_zone_t should consistently be changed by
dns_kasp_attach and dns_kasp_detach so the usage is balanced.

(cherry picked from commit b41882cc75)
2023-02-21 16:58:42 +01:00
Mark Andrews
552b5152a0 Source conf.sh the v9_16 way 2023-02-19 10:59:08 +00:00
Michal Nowak
e0158ab2b5 Adapt to Python scripts to black 23.1.0
(cherry picked from commit 3cd2cc6254)
2023-02-17 16:55:47 +01:00
Michal Nowak
596918c57a Fix unnecessary "else" after "raise" with pylint 2.16.2
bin/tests/system/get_algorithms.py:225:4: R1720: Unnecessary "else" after "raise", remove the "else" and de-indent the code inside it (no-else-raise)

(cherry picked from commit 8064ac6bec)
2023-02-17 16:55:24 +01:00
Petr Menšík
3f81fbed12 FIPS tests changes for RHEL
Include MD5 feature detection in featuretest tool and use it in some
places. When RHEL distribution or Fedora ELN is in FIPS mode, then MD5
algorithm is unavailable completely and even hmac-md5 algorithm usage
will always fail. Work that around by checking MD5 works and if not,
skipping its usage.

Those changes were dragged as downstream patch bind-9.11-fips-tests.patch
in Fedora and RHEL.

(cherry picked from commit 6ad794a8cd)
2023-02-16 08:48:39 +11:00
Mark Andrews
9109f38ece Add islands of trust to mkeys test
This adds an island of trust that is reachable from the root
where the trust anchors are added to island.conf.

This add an island of trust that is not reachable from the root
where the trust anchors are added to private.conf.

(cherry picked from commit 41bdb5b9fe)
2023-02-14 22:09:52 +00:00
Evan Hunt
aca10608b6 delay trust anchor management until zones are loaded
it was possible for a managed trust anchor needing to send a key
refresh query to be unable to do so because an authoritative zone
was not yet loaded. this has been corrected by delaying the
synchronization of managed-keys zones until after all zones are
loaded.

(cherry picked from commit bafbbd2465)
2023-02-14 10:23:28 -08:00
Tom Krizek
208777b74e Increase named startup wait time for runtime test
Occasionally, the allotted 10 seconds for the "running" line to appear
in log after named is started proved insufficient in CI, especially
during increased load. Give named up to 60 seconds to start up to
mitigate this issue.

(cherry picked from commit b8bb4233e8)
2023-02-13 16:11:04 +01:00
Evan Hunt
5d0a8996ce increase simultaneous updates for quota test
the nsupdate system test was intermittently failing due to the update
quota not being exceeded when it should have been.  this is most likely
a timing issue: the client is sending updates too slowly, or the server
is processing them too quickly, for the quota to fill. this commit
attempts to make that the failure less likely by increasing the number
of update transactions from 10 to 20.

(cherry picked from commit 06b1faf068)
2023-02-13 13:36:11 +01:00
Mark Andrews
539f29d412 Allow some time to the root trust anchor to appear
Following deleting the root trust anchor and reconfiguring the
server it takes some time to for trust anchor to appear in 'rndc
managed-keys status' output.  Retry several times.

(cherry picked from commit 71dbd09796)
2023-02-08 00:46:41 +11:00
Mark Andrews
d53828b749 Handle address lookup failure more gracefully
If the address lookup of the primary server fails just abort
the current update request rather than calling exit.  This allows
nsupdate to cleanup gracefully.

(cherry picked from commit f1387514c6)
2023-02-01 00:41:09 +11:00
Mark Andrews
09fce29a9a Call dns_lib_destroy in bin/named/main.c:printversion
There were unbalanced calls to dns_lib_init and dns_lib_destroy
leading to an OpenSSL memory leak.

(cherry picked from commit 8b3c018f54)
2023-01-31 10:06:15 +11:00
Matthijs Mekking
3ffb63e9bb Force set DS state after 'rndc dnssec -checkds'
Set the DS state after issuing 'rndc dnssec -checkds'. If the DS
was published, it should go in RUMOURED state, regardless whether it
is already safe to do so according to the state machine.

Leaving it in HIDDEN (or if it was magically already in OMNIPRESENT or
UNRETENTIVE) would allow for easy shoot in the foot situations.

Similar, if the DS was withdrawn, the state should be set to
UNRETENTIVE. Leaving it in OMNIPRESENT (or RUMOURED/HIDDEN)
would also allow for easy shoot in the foot situations.

(cherry picked from commit ee42f66fbe)
2023-01-27 16:09:06 +01:00
Michał Kępień
7b0e57095a Merge tag 'v9_16_37' into v9_16
BIND 9.16.37
2023-01-25 21:34:55 +01:00
Ondřej Surý
e241a3f4db Don't use reference counting in isc_timer unit
The reference counting and isc_timer_attach()/isc_timer_detach()
semantic are actually misleading because it cannot be used under normal
conditions.  The usual conditions under which is timer used uses the
object where timer is used as argument to the "timer" itself.  This
means that when the caller is using `isc_timer_detach()` it needs the
timer to stop and the isc_timer_detach() does that only if this would be
the last reference.  Unfortunately, this also means that if the timer is
attached elsewhere and the timer is fired it will most likely be
use-after-free, because the object used in the timer no longer exists.

Remove the reference counting from the isc_timer unit, remove
isc_timer_attach() function and rename isc_timer_detach() to
isc_timer_destroy() to better reflect how the API needs to be used.

The only caveat is that the already executed event must be destroyed
before the isc_timer_destroy() is called because the timer is no longet
attached to .ev_destroy_arg.

(cherry picked from commit ae01ec2823)
2023-01-19 11:28:10 +01:00
Ondřej Surý
235ce6c888 Commit the change of view for view->managed_keys
When we change the view in the view->managed_keys, we never commit the
change, keeping the previous view possibly attached forever.

Call the dns_zone_setviewcommit() immediately after changing the view as
we are detaching the previous view anyway and there's no way to recover
from that.

(cherry picked from commit 7e8b53720d)
2023-01-17 22:48:37 +01:00
Tom Krizek
7139e297b2 Fix feature detection for pytest markers in tests
The condition was accidentally reversed during refactoring in
9730ac4c56 . It would result in skipped
tests on builds with proper support and false negatives on builds
without proper feature support.

Credit for reporting the issue and the fix goes to Stanislav Levin.

(cherry picked from commit 473cb530f4)
2023-01-17 14:49:38 +01:00
Evan Hunt
8c78511e9a test failure conditions
verify that updates are refused when the client is disallowed by
allow-query, and update forwarding is refused when the client is
is disallowed by update-forwarding.

verify that "too many DNS UPDATEs" appears in the log file when too
many simultaneous updates are processing.

(cherry picked from commit b91339b80e)
2023-01-12 12:21:36 +01:00
Evan Hunt
7fe2204a2e add a configuration option for the update quota
add an "update-quota" option to configure the update quota.

(cherry picked from commit f57758a730)
2023-01-12 12:21:36 +01:00
Evan Hunt
35711a29e5 add an update quota
limit the number of simultaneous DNS UPDATE events that can be
processed by adding a quota for update and update forwarding.
this quota currently, arbitrarily, defaults to 100.

also add a statistics counter to record when the update quota
has been exceeded.

(cherry picked from commit 7c47254a14)
2023-01-12 12:21:36 +01:00
Matthijs Mekking
0656395f25 Test deprecate dscp configuration
Add 'dscp' token and 'option' to deprecated.conf. It should trigger warnings
(except when deprecation warnings are being ignored).
2023-01-10 11:16:18 -08:00
Evan Hunt
0b40df8f8a deprecate dscp configuration
This commit deprecates the "dscp" configuration option and "dscp"
parameters to source-address configuration options (query-source,
transfer-source, etc.

(Note that the DSCP feature has not been fully operational since
the network manager was introduced in 9.16.0; outgoing DSCP values
can be configured, but incoming DSCP values are not detected.)
2023-01-10 11:16:18 -08:00
Aram Sargsyan
869abb768b Add serve-stale CNAME check with stale-answer-client-timeout off
Prime the cache with the following records:

    shortttl.cname.example.	1	IN	CNAME	longttl.target.example.
    longttl.target.example.	600	IN	A	10.53.0.2

Wait for the CNAME record to expire, disable the authoritative server,
and query 'shortttl.cname.example' again, expecting a stale answer.

(cherry picked from commit 537187bf2f)
2023-01-09 13:57:43 +01:00
Tony Finch
01788b8852 Don't crash when rndc delzone encounters a catz member
Try to remove the zone from the NZF config only if it was
dynamically added but not by a catalog zone.

(cherry picked from commit 9fa20d6f6c)
2023-01-04 18:04:53 +00:00
Tom Krizek
28b6171424 Don't check algorithm support during configure step
The 9.16 version of ./configure calls bin/tests/system/cleanall.sh
unless --without-make-clean is used. The cleanall.sh script then
includes bin/tests/system/conf.sh, which includes
bin/tests/system/conf.sh.common. At that point, dnssec-keygen which is
used to detect algorithm support isn't compiled, so it can't be used.

More importantly, algorithm selection for system tests during the
./configure phase is irrelevant, so it can be safely skipped.
2022-12-23 12:37:48 +01:00
Tom Krizek
6950dfe003 Disable test algorithm randomization if Python is missing
This change is motivated by the fact that our Windows CI image doesn't
have a Python interpreter.
2022-12-23 12:37:46 +01:00
Tom Krizek
527c69e2c9 Make Perl interpreter required for system tests
This change has no practical impact, as Perl was already required for
all system tests, this check only makes it more explicit.

(cherry picked from commit 084d72d1d5)

conf.sh.win32 was modified in addition of the mentioned commit.
2022-12-22 15:54:19 +01:00
Tom Krizek
2b93b47c32 Ensure test interpreters are defined before common config
Nothing from conf.sh.common is required to set these values. On the
contrary, a Python interpreter needs to be set in order to randomize the
algorithm set (which happens in conf.sh.common).

(cherry picked from commit 492992dca8)

conf.sh.win32 was modified in addition of the above mentioned commit.
2022-12-22 15:54:19 +01:00
Tom Krizek
4b32c5608a Force quiet mode when using testcrypto.sh directly
When testcrypto.sh is used as a standalone script, always use quiet mode
to avoid using undefined commands (such as echo_i) which require
inclusion of the entire conf.sh machinery.

(cherry picked from commit ba35a6df9c)
2022-12-22 15:54:17 +01:00
Tom Krizek
0eb789efba ci: disable algorithm support checking in softhsm
The algorithm support detection script doesn't seem to work when using
the SoftHSM module. For some reason, dnssec-keygen returns 'crypto
failure'. Since the tests themselves pass, this is likely to be some
bug/definiency in the test scripts that check algorithm support that get
confused by SoftHSM.

Since this issue only happens for the system:gcc:softhsm2.6 job in the
9.16 branch, use a workaround to not introduce this new feature for
this particular problematic job.
2022-12-22 15:17:41 +01:00
Tom Krizek
7324a7b5e4 Randomize algorithm selection for mkeys test
Use the ALGORITHM_SET option to use randomly selected default algorithm
in this test. Make sure the test works by using variables instead of
hard-coding values.

(cherry picked from commit f65f276f98)
2022-12-22 15:17:41 +01:00
Tom Krizek
aa5453f5e5 Set algorithms for system tests at runtime
Use the get_algorithms.py script to detect supported algorithms and
select random algorithms to use for the tests.

Make sure to load common.conf.sh after KEYGEN env var is exported.

(cherry picked from commit 69b608ee9f)
2022-12-22 15:17:41 +01:00
Tom Krizek
34497e2350 Script for random algorithm selection in system tests
Multiple algorithm sets can be defined in this script. These can be
selected via the ALGORITHM_SET environment variable. For compatibility
reasons, "stable" set contains the currently used algorithms, since our
system tests need some changes before being compatible with randomly
selected algorithms.

The script operation is similar to the get_ports.py - environment
variables are created and then printed out as `export NAME=VALUE`
commands, to be interpreted by shell. Once we support pytest runner for
system tests, this should be a fixture instead.

(cherry picked from commit 5f480c8485)
2022-12-22 15:17:41 +01:00
Tom Krizek
d45aa7581e Export env variables in system tests
Certain variables have to be exported in order for the system tests to
work. It makes little sense to export the variables in one place/script
while they're defined in another place.

Since it makes no harm, export all the variables to make the behaviour
more predictable and consistent. Previously, some variables were
exported as environment variables, while others were just shell
variables which could be used once the configuration was sourced from
another script. However, they wouldn't be exposed to spawned processes.

For simplicity sake (and for the upcoming effort to run system tests
with pytest), export all variables that are used. TESTS, PARALLEL_UNIX
and SUBDIRS variables are automake-specific, aren't used anywhere else
and thus not exported.

(cherry picked from commit 37d14c69c0)

conf.sh.win32 was modified in addition of the above mentioned commit.
2022-12-22 15:17:41 +01:00
Tom Krizek
4d74430259 Support testcrypto.sh usage without including conf.sh
The only variable really needed for the script to work is the path to
the $KEYGEN binary. Allow setting this via an environment variable to
avoid loading conf.sh (and causing a chicken-egg problem). Also make
testcrypto.sh executable to allow its use from conf.sh.

(cherry picked from commit bb1c6bbdc7)
2022-12-22 15:17:41 +01:00
Tom Krizek
28815949f8 Unify indentation level in testcrypto.sh
(cherry picked from commit 01b293b055)
2022-12-22 15:17:39 +01:00
Tom Krizek
18e2298ed3 Update tests gitignore file
The .mypy_cache was added to the system test dir gitignore, since it
should be ignored.

(cherry picked from commit 4145068bfa)
2022-12-21 13:58:24 +01:00
Tom Krizek
1283d5263b Use common name convention for pytest files
It is better to use consistent file names to avoid issue with sorting
etc.

Using underscore in filenames as opposed to dash was chosen because it
seems more common in pytest/python to use underscore for filenames.

Also rename the bin/tests/system/timeouts/tests-tcp.py file to
bin/tests/system/timeouts/tests_tcp_timeouts.py to avoid pytest name
collision (there can't be two files named tests_tcp.py).

(cherry picked from commit f6409ee6ac)
2022-12-21 13:57:58 +01:00
Tony Finch
2d5160a9b9 A couple of RPZ options were not reconfigured as expected
[bug]	Changes to the RPZ response-policy min-update-interval
	and add-soa options now take effect as expected when
	named is reconfigured. [GL #3740]

(cherry picked from commit d8a3d328db)
2022-12-16 09:54:47 +00:00
Aram Sargsyan
d510221f7e Add big SOA serial logging check into the catz system test
Check that the SOA serial numbers printed when updating a catalog zone
is represented correctly for numbers bigger than 2^31.

(cherry picked from commit de232ab446)
2022-12-15 13:48:30 +00:00
Tony Finch
bdfb06eb5a List supported DNSSEC algorithms at log level NOTICE
NOTICE matches the other startup messages. WARNING weirdly
suggests the list is a problem.

(cherry picked from commit 72f8d03cad)
2022-12-14 11:04:35 +00:00
Mark Andrews
7258465d28 Properly initialise local_ndata in isdotlocal in dig
Remove the trailing '\0' so that the length field of the dns_name_t
structure is correct.  The old data just happens to work with
dns_name_issubdomain but would fail with dns_name_equal.

(cherry picked from commit 8ce163bbc5)
2022-12-14 10:30:51 +11:00
Tom Krizek
da42fa7622 Revert "Merge branch '3678-serve-stale-servfailing-unexpectedly-v9_16' into 'v9_16'"
This reverts commit b2a4447af8, reversing
changes made to 8924f92956.

It also removes release note 6038, since the fix is reverted.
2022-12-08 10:23:40 +01:00
Mark Andrews
4f3327cd41 Extend dns_db_allrdatasets to control interation results
Add an options parameter to control what rdatasets are returned when
iteratating over the node.  Specific modes will be added later.

(cherry picked from commit 7695c36a5d)
2022-12-08 11:20:35 +11:00
Mark Andrews
91504c1f6e Check TTLs of mixed TTL ANY response with expired records
(cherry picked from commit e49f83499a)
2022-12-08 10:46:20 +11:00