These tests check if a key with an unsupported algorithm in
managed-keys is ignored and when seeing an algorithm rollover to
an unsupported algorithm, the new key will be ignored too.
When a mirror zone is verified, the 'ignore_kskflag' argument passed to
dns_zoneverify_dnssec() is set to false. This means that in order for
its verification to succeed, a mirror zone needs to have at least one
key with the SEP bit set configured as a trust anchor. This brings no
security benefit and prevents zones signed only using keys without the
SEP bit set from being mirrored, so change the value of the
'ignore_kskflag' argument passed to dns_zoneverify_dnssec() to true.
The "mirror" system test checks whether log messages announcing a mirror
zone coming into effect are emitted properly. However, the helper
functions responsible for waiting for zone transfers and zone loading to
complete do not wait for these exact log messages, but rather for other
ones preceding them, which introduces a possibility of false positives.
This problem cannot be addressed by just changing the log message to
look for because the test still needs to discern between transferring a
zone and loading a zone.
Add two new log messages at debug level 99 (which is what named
instances used in system tests are configured with) that are to be
emitted after the log messages announcing a mirror zone coming into
effect. Tweak the aforementioned helper functions to only return once
the log messages they originally looked for are followed by the newly
added log messages. This reliably prevents races when looking for
"mirror zone is now in use" log messages and also enables a workaround
previously put into place in the "mirror" system test to be reverted.
In the "mirror" system test, ns3 periodically sends trust anchor
telemetry queries to ns1 and ns2. It may thus happen that for some
non-recursive queries for names inside mirror zones which are not yet
loaded, ns3 will be able to synthesize a negative answer from the cached
records it obtained from trust anchor telemetry responses. In such
cases, NXDOMAIN responses will be sent with the root zone SOA in the
AUTHORITY section. Since the root zone used in the "mirror" system test
has the same serial number as ns2/verify.db.in and zone verification
checks look for the specified serial numbers anywhere in the answer, the
test could be broken if different zone names were used.
The +noauth dig option could be used to address this weakness, but that
would prevent entire responses from being stored for later inspection,
which in turn would hamper troubleshooting test failures. Instead, use
a different serial number for ns2/verify.db.in than for any other zone
used in the "mirror" system test and check the number of records in the
ANSWER section of each response.
Due to the way the "mirror" system test is set up, it is impossible for
the "verify-unsigned" and "verify-untrusted" zones to contain any serial
number other than the original one present in ns2/verify.db.in. Thus,
using presence of a different serial number in the SOA records of these
zones as an indicator of problems with mirror zone verification is
wrong. Look for the original zone serial number instead as that is the
one that will be returned by ns3 if one of the aforementioned zones is
successfully verified.
Ensure IXFR statistics are calculated correctly by dig and named, both
for incoming and outgoing transfers. Disable EDNS when using dig to
request an IXFR so that the same reference file can be used for testing
statistics calculated by both dig and named (dig uses EDNS by default
when sending transfer requests, which affects the number of bytes
transferred).
Ensure AXFR statistics are calculated correctly by dig and named, both
for incoming and outgoing transfers. Rather than employing a zone which
is already used in the "xfer" system test, create a new one whose AXFR
form spans multiple TCP messages. Disable EDNS when using dig to
request an AXFR so that the same reference file can be used for testing
statistics calculated by both dig and named (dig uses EDNS by default
when sending transfer requests, which affects the number of bytes
transferred).
the occluded-key test creates both a KEY and a DNSKEY. the second
call to dnssec-keygen calls dns_dnssec_findmatchingkeys(), which causes
a spurious warning to be printed when it sees the type KEY record.
this should be fixed in dnssec.c, but the meantime this change silences
the warning by reversing the order in which the keys are created.
- options that were flagged as obsolete or not implemented in 9.0.0
are now flagged as "ancient", and are a fatal error
- the ARM has been updated to remove these, along with other
obsolete descriptions of BIND 8 behavior
- the log message for obsolete options explicitly recommends removal
This adds a test for rndc dumpdb to ensure the correct "stale
comment" is printed. It also adds a test for non-stale data to
ensure no "stale comment" is printed for active RRsets.
In addition, the serve-stale tests are hardened with more accurate
grep calls.
The introduced grep call checks whether there was a
response that has an answer and an additional record.
There should be only one in the nsupdate output that is
for the TKEY response.
The introduced grep call checks whether there was a
response that has an answer and an additional record.
There should be only one in the nsupdate output that is
for the TKEY response.
use a lame server configuration to force SERVFAILs instead of killing ns2.
this prevents test failures that occurred due to a different behavior of
the netowrking stack in windows.
