Commit Graph

10299 Commits

Author SHA1 Message Date
Mark Andrews
ff883fd75f Suppress manykeys test on duplicate key ids
If there are duplicate key ids across multiple algorithms expected
output is no met.  We have fixed this in on main but decided to not
back port the fix as it will change the statistics channel output.

This change detects when there are duplicate key id across algorithms
as skips the sub test.

(cherry picked from commit ea1d3476a8)
2022-09-16 09:49:41 +10:00
Michal Nowak
9b41b63607 Bump socket.create_connection() timeout to 10 seconds
The tcp Pytest on OpenBSD fairly reliably fails when receive_tcp()
on a socket is attempted:

    >           (response, rtime) = dns.query.receive_tcp(sock, timeout())

    tests-tcp.py:50:
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    /usr/local/lib/python3.9/site-packages/dns/query.py:659: in receive_tcp
        ldata = _net_read(sock, 2, expiration)
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

    sock = <socket.socket [closed] fd=-1, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6>
    count = 2, expiration = 1662719959.8106785

        def _net_read(sock, count, expiration):
            """Read the specified number of bytes from sock.  Keep trying until we
            either get the desired amount, or we hit EOF.
            A Timeout exception will be raised if the operation is not completed
            by the expiration time.
            """
            s = b''
            while count > 0:
                try:
    >               n = sock.recv(count)
    E               socket.timeout: timed out

This is because the socket is already closed.

Bump the socket connection timeout to 10 seconds.

(cherry picked from commit 658cae9fad)
2022-09-15 12:36:14 +02:00
Tony Finch
dff843199f Ensure that named_server_t is properly initialized
There was a ubsan error reporting an invalid value for interface_auto
(a boolean value cannot be 190) because it was not initialized. To
avoid this problem happening again, ensure the whole of the server
structure is initialized to zero before setting the (relatively few)
non-zero elements.
2022-09-12 11:21:37 +01:00
Aram Sargsyan
3ad0f165ab Fix RRL responses-per-second bypass using wildcard names
It is possible to bypass Response Rate Limiting (RRL)
`responses-per-second` limitation using specially crafted wildcard
names, because the current implementation, when encountering a found
DNS name generated from a wildcard record, just strips the leftmost
label of the name before making a key for the bucket.

While that technique helps with limiting random requests like
<random>.example.com (because all those requests will be accounted
as belonging to a bucket constructed from "example.com" name), it does
not help with random names like subdomain.<random>.example.com.

The best solution would have been to strip not just the leftmost
label, but as many labels as necessary until reaching the suffix part
of the wildcard record from which the found name is generated, however,
we do not have that information readily available in the context of RRL
processing code.

Fix the issue by interpreting all valid wildcard domain names as
the zone's origin name concatenated to the "*" name, so they all will
be put into the same bucket.

(cherry picked from commit baa9698c9d)
2022-09-08 09:41:15 +02:00
Matthijs Mekking
d1336d49b3 Update inline system test, zone 'retransfer3.'
The zone 'retransfer3.' tests whether zones that 'rndc signing
-nsec3param' requests are queued even if the zone is not loaded.

The test assumes that if 'rndc signing -list' shows that the zone is
done signing with two keys, and there are no NSEC3 chains pending, the
zone is done handling the '-nsec3param' queued requests. However, it
is possible that the 'rndc signing -list' command is received before
the corresponding privatetype records are added to the zone (the records
that are used to retrieve the signing status with 'rndc signing').

This is what happens in test failure
https://gitlab.isc.org/isc-projects/bind9/-/jobs/2722752.

The 'rndc signing -list retransfer3' is thus an unreliable check.
It is simpler to just remove the check and wait for a certain amount
of time and check whether ns3 has re-signed the zone using NSEC3.

(cherry picked from commit 8b71cbd09c)
2022-09-07 16:30:19 +02:00
Aram Sargsyan
8b328f0049 Do not use libxml2 deprecated functions
The usage of xmlInitThreads() and xmlCleanupThreads() functions in
libxml2 is now marked as deprecated, and these functions will be made
private in the future.

Use xmlInitParser() and xmlCleanupParser() instead of them.

(cherry picked from commit a5d412d924)
2022-09-06 09:22:35 +00:00
Matthijs Mekking
bc9c65f465 Remove implicit inline-signing code
Remove the code that sets implicit inline-signing on zones using
dnssec-policy.

(cherry picked from commit a6b09c9c69186e81a9be54e8b7bb413b1ac4d650)
2022-09-06 10:27:33 +02:00
Matthijs Mekking
145e888815 Update system tests
Update checkconf and kasp related system tests after requiring
inline-signing.

(cherry picked from commit 8fd75e8a4e1035ce0e81bf47d954a3f5b8a4d571)
2022-09-06 10:27:33 +02:00
Ondřej Surý
104eaf34da Enable the IDNA2003 domain names in the idna system test
Allow the IDNA2003 tests to succeed after the fallback to IDNA2003 was
implemented.

(cherry picked from commit 87de726f5c)
2022-09-05 10:22:23 +02:00
Ondřej Surý
efbdf81931 Allow fallback to IDNA2003 processing
In several cases where IDNA2008 mappings do not exist whereas IDNA2003
mappings do, dig was failing to process the suplied domain name.  Take a
backwards compatible approach, and convert the domain to IDNA2008 form,
and if that fails try the IDNA2003 conversion.

(cherry picked from commit 10923f9d87)
2022-09-05 10:21:36 +02:00
Evan Hunt
28640e37d8 quote addresses in YAML output
YAML strings should be quoted if they contain colon characters.
Since IPv6 addresses do, we now quote the query_address and
response_address strings in all YAML output.

(cherry picked from commit 66eaf6bb73)
2022-08-31 16:18:57 -07:00
Petr Menšík
ba9a140e1f Reset parser before parsing of internal trust anchor
It might be reused if /etc/bind.keys exists, but failed correct parsing.
Release traces of previous parsing attempt of different data.

(cherry picked from commit dc07394c4724c1e1235af85dd8c044af70da93ae)
2022-08-19 15:20:59 +10:00
Mark Andrews
69be4d3bdc Improve awk tests to prevent false negatives
The old code could incorrectly match "INSOA" in the RRSIG rdata
when looking for the SOA record.

(cherry picked from commit 2fc5f6fb2831697c79f75c50a769449ac561aad0)
2022-08-18 13:43:47 +10:00
Mark Andrews
19bf98201b Ensure suffix is always valid in bin/tests/system/qmin/ans4/ans.py
initalise suffix to ""

    170        r.answer.append(
    171            dns.rrset.from_text(
    172                lqname + suffix, 1, IN, NS, "a.bit.longer.ns.name." + suffix
    173            )
    174        )
    175        r.flags |= dns.flags.AA
           15. Condition endswith(lqname, "icky.ptang.zoop.boing."), taking true branch.
    176    elif endswith(lqname, "icky.ptang.zoop.boing."):
           CID 350722 (#7 of 7): Bad use of null-like value (FORWARD_NULL)
           16. invalid_operation: Invalid operation on null-like value suffix.
    177        r.authority.append(
    178            dns.rrset.from_text(
    179                "icky.ptang.zoop.boing." + suffix,
    180                1,
    181                IN,
    182                SOA,
    183                "ns2." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1",
    184            )
    185        )

(cherry picked from commit eb798d0478)
2022-07-27 14:27:26 -04:00
Evan Hunt
fb8f102ffc warn about zones with both dnssec-policy and max-zone-ttl
max-zone-ttl in zone/view/options is a no-op if dnssec-policy
is in use, so generate a warning.
2022-07-22 15:24:34 -07:00
Matthijs Mekking
111b215987 Reject zones with TTL higher than dnssec-policy max-zone-ttl
Reject loading of zones with TTL higher than the max-zone-ttl
from the dnssec-policy.

With this change, any zone with a dnssec-policy in use will ignore
the max-zone-ttl option in zone/view/options.
2022-07-22 13:40:12 -07:00
Matthijs Mekking
2022384b8d Test dnssec-policy max-zone-ttl rejects zone with too high TTL
Similar to the 'max-zone-ttl' zone option, the 'dnssec-policy' option
should reject zones with TTLs that are out of range.
2022-07-22 13:39:17 -07:00
Ondřej Surý
c1b8f5f30c Increase the BUFSIZ-long buffers
The BUFSIZ value varies between platforms, it could be 8K on Linux and
512 bytes on mingw.  Make sure the buffers are always big enough for the
output data to prevent truncation of the output by appropriately
enlarging or sizing the buffers.

(cherry picked from commit b19d932262)
2022-07-15 21:21:03 +02:00
Michał Kępień
b68851773c Make "named -h" output match option-handling code
The usage instructions printed by "named -h" are missing the "external"
and "internal" flags that can be passed to the -M command-line option.
Add the missing flags to "named -h" output.
2022-07-15 10:45:34 +02:00
Michał Kępień
31012c1c0d Update documentation for named's -M option
Add "internal" to the list of legal values for the -M command-line
option (commit 1f7d2d53f0 added that
flag).

Make the style of the relevant paragraph more in line with the next one
and split its contents up into an unordered list of options for improved
readability.

(cherry picked from commit f0c31ceb3b)
2022-07-15 10:45:34 +02:00
Michał Kępień
4d1986ebcb Handle ISC_MEM_DEFAULTFILL consistently
Contrary to what the documentation states, memory filling is only
enabled by --enable-developer (or by setting -DISC_MEM_DEFAULTFILL=1) if
the internal memory allocator is used.  However, the internal memory
allocator is disabled by default, so just using the --enable-developer
build-time option does not enable memory filling (passing "-M fill" on
the named command line is necessary to actually enable it).  As memory
filling is a useful tool for troubleshooting certain types of bugs, it
should also be enabled by --enable-developer when the system allocator
is used.

Furthermore, memory-related preprocessor macros are handled in two
distinct locations: lib/isc/include/isc/mem.h and bin/named/main.c.
This makes the logic hard to follow.

Move all code handling the ISC_MEM_DEFAULTFILL preprocessor macro to
lib/isc/include/isc/mem.h, ensuring memory filling is enabled by the
--enable-developer build-time switch, no matter which memory allocator
is used.
2022-07-15 10:45:34 +02:00
Mark Andrews
9980c7be8d kasp: add missing logging during setup
Some zones where not being logged when just DNSSEC keys where being
generated in system test setup phase.  Add logging for these zones.

(cherry picked from commit 04627997eb)
2022-07-14 09:46:16 +10:00
Mark Andrews
5fec2fcbe7 Make "checking revoked key with duplicate key ID" work
There should be 2 keys with the same key id after the numerically
lower one is revoked (serial space arithmetic).  The DS points
at the non-revoked key so validation should still succeed.

(cherry picked from commit 513cb24b55)
2022-07-13 10:58:41 +10:00
Matthijs Mekking
0d5e0867df Inherit dnssec-policy in check for inline-signing
When dnssec-policy is used, and the zone is not dynamic, BIND will
assume that the zone is inline-signed. But the function responsible
for this did not inherit the dnssec-policy option from the view or
options level, and thus never enabled inline-signing, while the zone
should have been.

This is fixed by this commit.

(cherry picked from commit 576b21b168)
2022-07-12 12:48:21 +02:00
Matthijs Mekking
eb7d65b84d Test setting of inline-signing with dnssec-policy
When dnssec-policy is used, and the zone is not dynamic, BIND will
assume that the zone is inline-signed. Add test cases to verify this.

(cherry picked from commit efa8a4e88d)
2022-07-12 12:48:16 +02:00
Matthijs Mekking
2db23e475b Fix kasp system test bugs
Fix a comment, ensuring the right parameters are used (zone is
parameter $3, not $2) and add view and policy parameters to the comment.

Fix the view tests and test the correct view (example3 instead of
example2).

Fix placement of "n=$((n+1)" for two test cases.

(cherry picked from commit ff65f07779)
2022-07-12 12:48:08 +02:00
Mark Andrews
40c7096caf Add DEFAULT_HMAC to conf.sh.common
(cherry picked from commit 972d7fd682)
(cherry picked from commit ba45075acb)
2022-07-07 15:11:33 +10:00
Mark Andrews
76ed6f32e8 update ifconfig.sh
* make it harder to get the interface numbers wrong by using 'max'
to specify the upper bound of the sequence of interfaces and use 'max'
when calculating the interface number
* extract the platform specific instruction into 'up' and 'down'
and call them from the inner loop so that the interface number is
calculated in one place.
* calculate the A and AAAA address in a single place rather than
in each command
* use /sbin/ipadm on Solaris 2.11 and greater

(cherry picked from commit abfb5b1173)
2022-07-07 10:15:35 +10:00
Mark Andrews
d10e20da0d Tighten $GENERATE directive parsing
The original sscanf processing allowed for a number of syntax errors
to be accepted.  This included missing the closing brace in
${modifiers}

Look for both comma and right brace as intermediate seperators as
well as consuming the final right brace in the sscanf processing
for ${modifiers}.  Check when we got right brace to determine if
the sscanf consumed more input than expected and if so behave as
if it had stopped at the first right brace.

(cherry picked from commit 7be64c0e94)
2022-07-06 11:26:24 +10:00
Mark Andrews
16ac79a8f7 Check for overflow in $GENERATE computations
$GENERATE uses 'int' for its computations and some constructions
can overflow values that can be represented by an 'int' resulting
in undefined behaviour.  Detect these conditions and return a
range error.

(cherry picked from commit 5327b9708f)
2022-07-06 11:26:24 +10:00
Mark Andrews
7cd7f7d2cb Increase the amount of time allowed for signing to occur in
On slow systems we have seen this take 9 seconds.  Increased the
allowance from 3 seconds to 10 seconds to reduce the probabilty of
a false negative from the system test.

(cherry picked from commit 4db847e80e)
2022-07-05 23:12:22 +10:00
Mark Andrews
351aa3d3b5 Only report not matching stderr content when we look for it
The previous test code could emit "D:cds:stderr did not match ''" rather
that just showing the contents of stderr.  Moved the debug line inside
the if/else block.

Replaced backquotes with $() and $(()) as approriate.

(cherry picked from commit 304d33fb32)
2022-07-05 23:12:22 +10:00
Michał Kępień
8ebc9c76a9 Add a code comment to the test_send_timeout() test 2022-07-04 23:10:59 +02:00
Mark Andrews
c978785be6 Replace expr's with $((expression)) shell constucts
Also make indenting consistent.

(cherry picked from commit 669c42cd95)
2022-06-23 17:35:51 +10:00
Mark Andrews
9786a785f3 Add missing update of status variable in rrsetorder system test
(cherry picked from commit da63e63c41)
2022-06-23 17:28:58 +10:00
Mark Andrews
f271667a1b Check that the UDP destination port is logged via dnstap
(cherry picked from commit 8d8396c3a7)
2022-06-22 13:52:08 +02:00
Matthijs Mekking
3d2126cc82 Add comment on DNSSEC signing zone configuration
I was slightly confused here, so IMO it can use a comment.

(cherry picked from commit c80531758c)
2022-06-20 16:50:51 +02:00
Michal Nowak
a584a8f88f Update clang to version 14
(cherry picked from commit 1c45a9885a)
2022-06-16 18:11:03 +02:00
Michal Nowak
84d2d25921 Fix implicit string concatenation in tests-checkds.py
pylint 2.14.2 reports the following warnings:

    bin/tests/system/checkds/tests-checkds.py:265:0: W1404: Implicit string concatenation found in call (implicit-str-concat)
    bin/tests/system/checkds/tests-checkds.py:273:0: W1404: Implicit string concatenation found in call (implicit-str-concat)

(cherry picked from commit 831ac8add1)
2022-06-16 13:45:30 +02:00
Tom Krizek
dc5acad543 Report reasons for skipped/xfailed system pytests
If skip/xfail is used in pytest, it can have a reason string associated
with it. When evaluating these tests, it can be useful to be able to
differentiate the reason why the test was skipped/xfailed/xpassed,
because there might be multiple possible reasons for that.

The extra options passed to pytest ensure that the string with the
reason appears in the test summary and thus we're able to find the
string with the reason in the log output.

See https://docs.pytest.org/en/7.1.x/how-to/skipping.html for more info

(cherry picked from commit f6d368167a)
2022-06-16 09:18:32 +02:00
Petr Špaček
3eae58207a Update NSEC3 guidance to match draft-ietf-dnsop-nsec3-guidance-10
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-10
is on it's way to become RFC, so let's update our recommendations in the
docs to be in line with it.

The default values for dnssec-policy and dnssec-signzone were adapted to
match v9_16 branch.

(cherry picked from commit 2ee3f4e6c8)
2022-06-15 18:10:50 +02:00
Petr Špaček
f01f316268 Clarify dnssec-keyfromlabel -a in man page
(cherry picked from commit 5f53003dae)
2022-06-10 08:02:33 +02:00
Tom Krizek
b3c7bd1c04 Auto-format Python files with black
This patch is strictly the result of:
$ black $(git ls-files '*.py' '*.py.in')

There have been no manual changes.
2022-06-08 13:34:19 +02:00
Matthijs Mekking
1dc36e2961 Retry quiet to deal with kasp test timing issue
In the cases where we test SOA serial updates and TTL updates, we check
if for "all zones loaded" to ensure the new zone content is loaded. But
this is the unsigned zone, the signed zone still needs to be produced.

There is thus a timing issue where the dig request comes in before
the signing process has finished.

Add a retry quiet to mitigate against it.

(cherry picked from commit 827bba05a0)
2022-06-07 09:38:06 +02:00
Mark Andrews
3183de20c3 Make modifications to keyless.example deterministic
The perl modifation code for keyless.example was not deterministic
(/NXT/ matched part of signature) resulting in different error
strings being returned.  Replaced /NXT/ with /A RRSIG NSEC/ and
updated expected error string,

(cherry picked from commit 69d5e22e58)
2022-06-01 10:42:55 +10:00
Ondřej Surý
32a3970b13 Replace netievent lock-free queue with simple locked queue
The current implementation of isc_queue uses Michael-Scott lock-free
queue that in turn uses hazard pointers.  It was discovered that the way
we use the isc_queue, such complicated mechanism isn't really needed,
because most of the time, we either execute the work directly when on
nmthread (in case of UDP) or schedule the work from the matching
nmthreads.

Replace the current implementation of the isc_queue with a simple locked
ISC_LIST.  There's a slight improvement - since copying the whole list
is very lightweight - we move the queue into a new list before we start
the processing and locking just for moving the queue and not for every
single item on the list.

NOTE: There's a room for future improvements - since we don't guarantee
the order in which the netievents are processed, we could have two lists
- one unlocked that would be used when scheduling the work from the
matching thread and one locked that would be used from non-matching
thread.

(cherry picked from commit 6bd025942c)
2022-05-25 16:01:58 +02:00
Evan Hunt
9aa68d0dd7 specify time format in the documentation for 'rdnc dnssec -checkds'
also clarified the writing in the surrounding paragraph.

(cherry picked from commit 83f9466d61)
2022-05-18 15:37:13 -07:00
Michal Nowak
70c41c60b5 Fix typo in ednscompliance test
Caused by ba0313e649, an incomplete fix of
spelling errors.

(cherry picked from commit 9de2c06a21)
2022-05-18 19:19:48 +02:00
Matthijs Mekking
f922dd3e70 Replace stat with PERL stat in kasp system test
7249bad7 introduced the -c option to stat(1) command, but BSD systems
do not know about it. Replace the stat(1) command with a PERL script
that achieves the same.

Why PERL? For consistency purposes, there are more places in the
system test where we use the same method.

(cherry picked from commit fe601c5915)
2022-05-16 18:53:17 +02:00
Matthijs Mekking
6226ab2fa9 Add kasp test for #3302
Add a test case that triggers a keymgr run that will not trigger any
metadata changes. Ensure that the last status change of the key files
is unmodified.

(cherry picked from commit 7249bad706)
2022-05-16 10:35:33 +02:00