Commit Graph

5086 Commits

Author SHA1 Message Date
Tom Krizek
da42fa7622 Revert "Merge branch '3678-serve-stale-servfailing-unexpectedly-v9_16' into 'v9_16'"
This reverts commit b2a4447af8, reversing
changes made to 8924f92956.

It also removes release note 6038, since the fix is reverted.
2022-12-08 10:23:40 +01:00
Mark Andrews
4f3327cd41 Extend dns_db_allrdatasets to control interation results
Add an options parameter to control what rdatasets are returned when
iteratating over the node.  Specific modes will be added later.

(cherry picked from commit 7695c36a5d)
2022-12-08 11:20:35 +11:00
Mark Andrews
91504c1f6e Check TTLs of mixed TTL ANY response with expired records
(cherry picked from commit e49f83499a)
2022-12-08 10:46:20 +11:00
Ondřej Surý
a6847fa678 Fix missing zone_check() call in checkds test
The bad2-dswithdrawn.checkds tests were missing call to the
zone_checks() contributing to intermittent timing failures of the
checkds system test.

(cherry picked from commit 718831bfcc)
2022-12-07 19:32:01 +01:00
Mark Andrews
627a1e1f43 Check that restored catalog zone works
Using a restored catalog zone excercised a use-after-free bug.
The test checks that the use-after-free bug is gone and is just
a reasonable behaviour check in its own right.

(cherry picked from commit bca84c8601)
2022-12-07 12:55:42 +11:00
Aram Sargsyan
8fcb333622 Add serve-stale CNAME check with stale-answer-client-timeout off
Prime the cache with the following records:

    shortttl.cname.example.	1	IN	CNAME	longttl.target.example.
    longttl.target.example.	600	IN	A	10.53.0.2

Wait for the CNAME record to expire, disable the authoritative server,
and query 'shortttl.cname.example' again, expecting a stale answer.

(cherry picked from commit 21faf44ef7)
2022-12-06 13:50:54 +00:00
Tom Krizek
76d88b7f04 Add dnstap prerequisite for dnstap system test
(cherry picked from commit 9846c920c3)
2022-12-02 11:09:28 +01:00
Tom Krizek
7ff5b01d3c Use feature-test feature detection in pytests
Avoid using the environment variables for feature detection and use the
feature-test utility instead.

Remove the obsolete environment variables from conf.sh, since they're no
longer used anywhere.

(cherry picked from commit 9730ac4c56)
2022-12-02 11:05:46 +01:00
Tom Krizek
0b31a7c54c Use feature-test to detect feature support in system tests
Previously, there were two different ways to detect feature support.
Either through an environment variable set by configure in conf.sh, or
using the feature-test utility.

It is more simple and consistent to have only one way of detecting the
feature support. Using the feature-test utility seems superior the the
environment variables set by configure.

(cherry picked from commit d24fb1122e)
2022-12-02 10:56:54 +01:00
Tom Krizek
1054ad0164 Add missing options to feature-test utility
(cherry picked from commit e22d27da71)
2022-12-02 10:54:49 +01:00
Matthijs Mekking
8e629cc169 Update serve-stale test messages to include RRtype
(cherry picked from commit 45f7a15785)
2022-11-30 14:30:58 +01:00
Michal Nowak
771fed4a14 Update sources to Clang 15 formatting 2022-11-29 10:30:34 +01:00
Tom Krizek
172826bfa8 Simplify start/stop helper func in system tests
The system test should never attempt to start or stop any other server
than those that belong to that system test. Therefore, it is not
necessary to specify the system test name in function calls.

Additionally, this makes it possible to run the test inside a
differently named directory, as its name is automatically detected with
the $SYSTESTDIR variable. This enables running the system tests inside a
temporary directory.

Direct use of stop.pl was replaced with a more systematic approach to
use stop_servers helper function.

(cherry picked from commit c100308b7d)
2022-11-25 13:14:45 +01:00
Matthijs Mekking
ed8eba9180 Deprecate auto-dnssec
Deprecate auto-dnssec, add specific log warning to migrate to
dnssec-policy.

Cherry-picking triggered a lot of conflicts, so the changes
were manually picked.

(manually picked from commit f9845dd1)
2022-11-23 13:32:52 +01:00
Matthijs Mekking
4ae380a7f2 Tweak kasp system test script
The retry 3 times when checking signatures did not make sense because
at this point the input file does not change.

Raise the number of retries when checking the apex DNSKEY response to
reduce the number of intermittent failures due to unexpected delays.

(cherry picked from commit 6ef0417274)
2022-11-17 12:32:18 +01:00
Mark Andrews
3dcf1afee2 Address back porting issues
Add and use dig_with_opts, resolve_with_opts and rndccmd.
Use $(()) and $() instead of back ticks.
Add more double quotes around variable.
Add non back ported error corrections from v9_18 and main.
2022-11-17 15:21:58 +11:00
Mark Andrews
9ab162b856 Add system test for dual-stack-servers with possible DNAME response
Create a zone that triggers DNAME owner name checks in a zone that
is only reachable using a dual stack server.  The answer contains
a name that is higher in the tree than the query name.

e.g.
	foo.v4only.net.	CNAME	v4only.net.
	v4only.net.	A	10.0.0.1

ns4 is serving the test zone (ipv4-only)
ns6 is the root server for this test (dual stacked)
ns7 is acting as the dual stack server (dual stacked)
ns9 is the server under test (ipv6-only)

(cherry picked from commit f946133ec9)
2022-11-17 13:08:59 +11:00
Mark Andrews
078efb1526 Support starting and stopping IPv6 only servers
Look for $testdir/$server/named.ipv6-only and use
fd92:7065:b8e:ffff::$n instead of 10.53.0.$n to
communicate with the server.

(cherry picked from commit a35c34e10f)
2022-11-17 13:08:59 +11:00
Mark Andrews
349bd74b63 Check 'named-checkconf -z' and check-wildcard
Add tests to check the behavior of 'named-checkconf -z' and
check-wildcard setting in named.conf.

(cherry picked from commit 708dadac59)
2022-11-17 11:02:18 +11:00
Michal Nowak
0b4be3a26c In POSIX sh, RANDOM variable is undefined
possible bashism in ./bin/tests/system/system-test-driver.sh line 77 ($RANDOM):
    ./run.sh -p "$(($RANDOM%32000+32000))" "$@" "$TEST_PROGRAM"

Also see: https://www.shellcheck.net/wiki/SC3028.
2022-11-14 23:13:04 +01:00
Michal Nowak
c40916dbf3 Hide sh-long-option checkbashism confusion
possible bashism in ./bin/tests/system/system-test-driver.sh line 30 (sh --long-option):
    OPTS=$(getopt --shell sh --name "$(basename "$0")" --options '' --longoptions test-name:,log-file:,trs-file:,color-tests:,expect-failure:,enable-hard-errors: -- "$@")
2022-11-14 23:13:04 +01:00
Michal Nowak
8b9634c9ed Rename $HOSTNAME to $HOST_NAME to silence checkbashisms
checkbashisms warns about possible reliance on HOSTNAME environmental
variable which Bash sets to the name of the current host, and some
commands may leverage it:

    possible bashism in builtin/tests.sh line 199 ($HOST(TYPE|NAME)):
    grep "^\"$HOSTNAME\"$" dig.out.ns1.$n > /dev/null || ret=1
    possible bashism in builtin/tests.sh line 221 ($HOST(TYPE|NAME)):
    grep "^\"$HOSTNAME\"$" dig.out.ns2.$n > /dev/null || ret=1
    possible bashism in builtin/tests.sh line 228 ($HOST(TYPE|NAME)):
    grep "^; NSID: .* (\"$HOSTNAME\")$" dig.out.ns2.$n > /dev/null || ret=1

We don't use the variable this way but rename it to HOST_NAME to silence
the tool.

(cherry picked from commit ae33a8ddea)
2022-11-14 23:13:04 +01:00
Michal Nowak
0f2e25af52 Remove no-op assignment from kasp/tests.sh
"next_key_event_threshold" is assigned with
"next_key_event_threshold+i", but "i" is empty (never set, nor used
afterwards).

posh, the Policy-compliant Ordinary SHell, failed on this assignment
with:

    tests.sh:253: : unexpected `end of expression'

(cherry picked from commit 00c3b1e309)
2022-11-14 23:13:03 +01:00
Michal Nowak
9508a2ce46 Remove unused $@ array from cds/setup.sh
posh, the Policy-compliant Ordinary SHell, failed with:

    setup.sh:57: @: parameter not set

(cherry picked from commit 02a4a95395)
2022-11-14 23:13:03 +01:00
Michal Nowak
a1e697c8b3 Join two rndc lines not to confuse checkbashisms
checkbashisms gets confused by the rndc command being on two lines:

    possible bashism in bin/tests/system/nzd2nzf/tests.sh line 37 (type):
    rndccmd 10.53.0.1 addzone "added.example { type primary; file \"added.db\";

(cherry picked from commit 9eb2f6b0e8)
2022-11-14 23:13:03 +01:00
Michal Nowak
cf67657c71 Replace string comparisons with integer comparisons
checkbashisms reports Bash-style ("==") string comparisons inside test/[
command:

    possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'):
                    if [ $? == 0 ]; then echo_i "failed"; ret=1; fi
    possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'):
                    test $ret == 0 || continue
    possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'):
                    test $ret == 0 || continue

(cherry picked from commit 7640fc5b39)
2022-11-14 21:11:27 +01:00
Michal Nowak
be1379b6e4 Add shell interpreter line where missing
The checkbashisms script reports errors like this one:

    script util/check-line-length.sh does not appear to have a #! interpreter line;
    you may get strange results

(cherry picked from commit 9e68997cbb)
2022-11-14 21:09:42 +01:00
Mark Andrews
8cda49f604 Use file descriptor 3 to save file.prev
If 'set -x' is in effect file.prev gets populated with debugging output.
To prevent this open descriptor 3 and redirect stderr from the awk
command to descriptor 3. Debugging output will stay directed to stderr.

(cherry picked from commit 10f67938db)
2022-11-08 16:44:05 +00:00
Evan Hunt
4840d6f9c9 make dupsigs test less timing-sensitive
the dupsigs test is prone to failing on slow CI machines
because the first test can occur before the zone is fully
signed.

instead of just waiting ten seconds arbitrarily, we now
check every second, and allow up to 30 seconds before giving
up.

(cherry picked from commit d9b85cbaae)
2022-11-07 10:29:00 +01:00
Tom Krizek
a1fd85ac70 Revert "Merge branch '3503-random-default-algorithm-in-tests-v9_16' into 'v9_16'"
This reverts commit a7ac1e0105, reversing
changes made to d690c55ed7.
2022-11-04 10:08:51 +01:00
Matthijs Mekking
9533b68089 Remove checks when going to dnssec-policy none
The changes in the code have the side effect that the CDNSKEY and CDS
records in the secure version of the zone are not reusable and thus
are thrashed from the zone. Remove the apex checks for this use case.
We only care about that the zone is not immediately goes bogus, but
a user really should use the built-in "insecure" policy when unsigning
a zone.

(cherry picked from commit bc703a12e7)
2022-11-03 14:41:31 +01:00
Matthijs Mekking
3656e8c967 Add nsec3 system test that transfers in NSEC3
Similar to an attempt to add NSEC through dynamic update, add a test
case that tries to add NSEC3 through zone transfer.

(cherry picked from commit ef1cb9935c)
2022-11-03 14:41:23 +01:00
Matthijs Mekking
ee18cfe215 Add two more nsec3 system tests
Add one more case that tests reconfiguring a zone to turn off
inline-signing. It should still be a valid DNSSEC zone and the NSEC3
parameters should not change.

Add another test to ensure that you cannot update the zone with a
NSEC3 record.

(cherry picked from commit 4cd8e8e9c3)
2022-11-03 14:41:05 +01:00
Matthijs Mekking
8f6efb8446 Update kasp system test to work with .signed files
We no longer accept copying DNSSEC records from the raw zone to
the secure zone, so update the kasp system test that relies on this
accordingly.

Also add more debugging and store the dnssec-verify results in a file.

(cherry picked from commit 57ea9e08c6)
2022-11-03 14:39:38 +01:00
Matthijs Mekking
9bef41046f Test changing from dynamic to inline-signing
Add a kasp system test that reconfigures a dnssec-policy zone from
maintaining DNSSEC records directly to the zone to using inline-signing.

Add a similar test case to the nsec3 system test, testing the same
thing but now with NSEC3 in use.

(cherry picked from commit 9018fbb205)
2022-11-03 14:39:23 +01:00
Tom Krizek
df436ed93b ci: disable algorithm support checking in softhsm
The algorithm support detection script doesn't seem to work when using
the SoftHSM module. For some reason, dnssec-keygen returns 'crypto
failure'. Since the tests themselves pass, this is likely to be some
bug/definiency in the test scripts that check algorithm support that get
confused by SoftHSM.

Since this issue only happens for the system:gcc:softhsm2.6 job in the
9.16 branch, use a workaround to not introduce this new feature for
this particular problematic job.
2022-11-01 19:51:52 +01:00
Tom Krizek
b5946acfc9 Randomize algorithm selection for mkeys test
Use the ALGORITHM_SET option to use randomly selected default algorithm
in this test. Make sure the test works by using variables instead of
hard-coding values.

(cherry picked from commit f65f276f98)
2022-11-01 19:51:52 +01:00
Tom Krizek
8a6fc2d20e Set algorithms for system tests at runtime
Use the get_algorithms.py script to detect supported algorithms and
select random algorithms to use for the tests.

Make sure to load common.conf.sh after KEYGEN env var is exported.

(cherry picked from commit 69b608ee9f)
2022-11-01 19:51:52 +01:00
Tom Krizek
8b5a9c185a Script for random algorithm selection in system tests
Multiple algorithm sets can be defined in this script. These can be
selected via the ALGORITHM_SET environment variable. For compatibility
reasons, "stable" set contains the currently used algorithms, since our
system tests need some changes before being compatible with randomly
selected algorithms.

The script operation is similar to the get_ports.py - environment
variables are created and then printed out as `export NAME=VALUE`
commands, to be interpreted by shell. Once we support pytest runner for
system tests, this should be a fixture instead.

(cherry picked from commit 5f480c8485)
2022-11-01 19:51:52 +01:00
Tom Krizek
ae86743e7b Export env variables in system tests
Certain variables have to be exported in order for the system tests to
work. It makes little sense to export the variables in one place/script
while they're defined in another place.

Since it makes no harm, export all the variables to make the behaviour
more predictable and consistent. Previously, some variables were
exported as environment variables, while others were just shell
variables which could be used once the configuration was sourced from
another script. However, they wouldn't be exposed to spawned processes.

For simplicity sake (and for the upcoming effort to run system tests
with pytest), export all variables that are used. TESTS, PARALLEL_UNIX
and SUBDIRS variables are automake-specific, aren't used anywhere else
and thus not exported.

(cherry picked from commit 37d14c69c0)
2022-11-01 19:51:52 +01:00
Tom Krizek
edd923e8eb Support testcrypto.sh usage without including conf.sh
The only variable really needed for the script to work is the path to
the $KEYGEN binary. Allow setting this via an environment variable to
avoid loading conf.sh (and causing a chicken-egg problem). Also make
testcrypto.sh executable to allow its use from conf.sh.

(cherry picked from commit bb1c6bbdc7)
2022-11-01 19:51:52 +01:00
Tom Krizek
a51b0ad31f Unify indentation level in testcrypto.sh
(cherry picked from commit 01b293b055)
2022-11-01 19:51:49 +01:00
Aram Sargsyan
f12260c435 Test managed-keys placeholder
Add a dnssec test to make sure that named can correctly process a
managed-keys zone with a placeholder KEYDATA record.

(cherry picked from commit 8c48eabbc1)
2022-11-01 10:55:19 +00:00
Tom Krizek
29782e5613 Remove misleading comment from serve-stale test
The stale-answer-client-timeout option is not set to 0 in the config
neither is it the default value. This was probably caused by a
copy-paste error.
2022-10-24 14:39:48 +02:00
Tom Krizek
01293b86d9 Test serve stale cache with timeout 0 and CNAME
Add a couple of tests that verify the serve-stale behavior when
stale-answer-client-timeout is set to 0 and a (stale) CNAME record is
queried.

Related #3517
2022-10-24 14:39:46 +02:00
Aram Sargsyan
822dd7b8b9 Add another prefetch check in the resolver system test
The test triggers a prefetch, but fails to check if it acutally
happened, which prevented it from catching a bug when the record's
TTL value matches the configured prefetch eligibility value.

Check that prefetch happened by comparing the TTL values.

(cherry picked from commit 89fa9a6592)
2022-10-21 10:30:13 +00:00
Michał Kępień
67319f1004 Add tests for CVE-2022-2795
Add a test ensuring that the amount of work fctx_getaddresses() performs
for any encountered delegation is limited: delegate example.net to a set
of 1,000 name servers in the redirect.com zone, the names of which all
resolve to IP addresses that nothing listens on, and query for a name in
the example.net domain, checking the number of times the findname()
function gets executed in the process; fail if that count is excessively
large.

Since the size of the referral response sent by ans3 is about 20 kB, it
cannot be sent back over UDP (EMSGSIZE) on some operating systems in
their default configuration (e.g. FreeBSD - see the
net.inet.udp.maxdgram sysctl).  To enable reliable reproduction of
CVE-2022-2795 (retry patterns vary across BIND 9 versions) and avoid
false positives at the same time (thread scheduling - and therefore the
number of fetch context restarts - vary across operating systems and
across test runs), extend bin/tests/system/resolver/ans3/ans.pl so that
it also listens on TCP and make "ns1" in the "resolver" system test
always use TCP when communicating with "ans3".

Also add a test (foo.bar.sub.tld1/TXT) that ensures the new limitations
imposed on the resolution process by the mitigation for CVE-2022-2795 do
not prevent valid, glueless delegation chains from working properly.

(cherry picked from commit 604d8f0b96)
2022-10-20 10:19:22 +02:00
Evan Hunt
2cf5fd67c0 add a test with CD=1 query for pending data
this is a regression test for [GL #3247].
2022-10-19 13:17:32 -07:00
Tom Krizek
a8f286c9a5 Remove generated controls.conf file from system tests
The controls.conf file shouldn't be used directly without templating it
first. Remove this no longer used hard-coded file to avoid confusion.

(cherry picked from commit cbd0355328)
2022-10-19 16:58:56 +02:00
Tom Krizek
456baa7f4a Revive dupsigs system test
Speed up the test from 20 minutes to 2.5 minutes and make it part of the
default test suite executed in CI.
- decrease number of records to sign from 2000 to 500
- decrease the signing interval by a factor of 6
- shorten the final part of the test after last signing (since nothing
  new happens there)

Finally, clarify misleading comments about (in)sufficient time for zone
re-signing. The time used in the test is in fact sufficient for the
re-signing to happen. If it wasn't, the previous ZSK would end up being
deleted while its signatures would still be present, which is a
situation where duplicate signatures can still happen.

(cherry picked from commit cb0a2ae1dd)
2022-10-19 16:58:56 +02:00