10199 Commits

Author SHA1 Message Date
Petr Špaček
17ff0227f8 Fix timeouts system test compatibility with python2
v9_16 branch still supports Python 2.7.
Fixup for 260b4c02cf.

Related: !5856
2022-02-18 11:26:58 +01:00
Ondřej Surý
b3efa9f7ed Add XFR max-transfer-time-out and max-tranfer-idle-out system tests
Extend the timeouts system test to ensure that the maximum outgoing
transfer time (max-transfer-time-out) and maximum outgoing transfer idle
time (max-transfer-idle-out) works as expected.  This is done by
lowering the limits to 5/1 minutes and testing that the connection has
been dropped while sleeping between the individual XFR messages.

(cherry picked from commit 8fed1b6461)
2022-02-17 22:59:24 +01:00
Evan Hunt
d822a87804 backport regression test from GL #3157
add "blackhole { none; };" to a secondary server in the xfer system
test to ensure that the error in GL #3157 is not present in 9.16.
2022-02-17 09:38:26 -08:00
Ondřej Surý
260b4c02cf Add TCP write timeout system test
Extend the timeouts system test that bursts the queries for large TXT
record and never read any responses back filling up the server TCP write
buffer.  The test should work with the default wmem_max value on
Linux (208k).

(cherry picked from commit b735182ae0)
2022-02-17 10:05:24 +01:00
Ondřej Surý
ad5869ac6c Remove unused functions from isc_thread API
The isc_thread_setaffinity call was removed in !5265 and we are not
going to restore it because it was proven that the performance is better
without it.  Additionally, remove the already disabled cpu system test.

The isc_thread_setconcurrency function is unused and also calling
pthread_setconcurrency() on Linux has no meaning, formerly it was
added because of Solaris in 2001 and it was removed when taskmgr was
refactored to run on top of netmgr in !4918.

(cherry picked from commit 0500345513)
2022-02-09 18:09:48 +01:00
Evan Hunt
ef20d189ab test ECS information is passed in dlzexternal
the dlzexternal test driver now includes ECS, if present in the
query, in the TXT record returned for QNAME "source-addr".

(cherry picked from commit 79ddedabf8)
2022-01-27 16:20:55 -08:00
Petr Špaček
dbe0778b67 extend DLZ interface and example with ECS support
Apparently we forgot about DLZ when updating DNS_CLIENTINFO_VERSION
constant for ECS, which is at value "3" since ECS was introduced.

The code in example drivers and tests now hardcodes version numbers
2 (without ECS) and 3 (with ECS) depending on what a given code path
requires.

(cherry picked from commit f81debe1c8)
2022-01-27 16:20:55 -08:00
Michał Kępień
d995bd8dec Fix waiting for lock file removal upon exit
Commit c787a539d2 fixed a certain class of
intermittent system test failures caused by named instances unable to
restart.  The root cause was bin/tests/system/stop.pl returning without
waiting for a named instance to remove its lock file.

Later on, it turned out that the above change causes other issues on
Windows due to the way named handles signals on that platform.  Commit
761ba4514f intended to address those
issues by making the server_lock_file() subroutine in
bin/tests/system/stop.pl return an empty value on Windows, in order to
prevent the script for waiting for lock file cleanup on that platform.
Note, however, that Windows detection in that subroutine is limited to
checking whether the CYGWIN environment variable is set.

While that environment variable was not set on Unix-like systems before
commit 761ba4514f, another commit
(a33237f070, merged a few weeks later)
changed that by setting the CYGWIN environment variable to an empty
value on Unix-like systems.  This made the defined($ENV{'CYGWIN'}) check
in server_lock_file() return true, inadvertently preventing
bin/tests/system/stop.pl from waiting for lock file removal before
exiting on Unix-like systems and therefore reintroducing the original
issue.

Fix by making server_lock_file() only return an empty value when the
CYGWIN environment variable is set to a non-empty value (which is what
bin/tests/system/conf.sh.win32 does).  Adjust a similar check in the
pid_file_exists() subroutine in the same way for consistency.

(cherry picked from commit a938db2170)
2022-01-26 15:29:39 +01:00
Michał Kępień
93ad500f38 Do not strip leading whitespace from test output
The echo_*() and cat_*() functions in bin/tests/system/conf.sh.common
call the "read" builtin command without specifying the field separator
to use.  This results in leading whitespace getting stripped from each
line of the texts passed to those functions, which mangles e.g. pytest
output, hindering test failure troubleshooting.

Address by setting IFS to an empty value for the "read" calls used in
the aforementioned helper functions.

(cherry picked from commit fb87022115)
2022-01-26 15:29:39 +01:00
Michał Kępień
318adbee61 Retain all named.run files from each test run
The bin/tests/system/start.pl script truncates the named.run file for a
given named instance unless it is invoked with the --restart
command-line option.  Ever since Python-based tests were introduced,
bin/tests/system/run.sh may start named instances used by a given system
test multiple times within a single run, causing the
bin/tests/system/start.pl script to truncate some of the log files
written during the test.  This makes troubleshooting certain test
failures hard or even impossible.

Fix by calling bin/tests/system/start.pl with the --restart command-line
option for every start_servers() invocation except the first one.

(cherry picked from commit 65abbca79b)
2022-01-26 15:29:39 +01:00
Aram Sargsyan
4ada743291 Don't use RTLD_DEEPBIND with sanitizers
dlopen(3) RTLD_DEEPBIND flag is incompatible with sanitizer runtime
(see https://github.com/google/sanitizers/issues/611 for details).
2022-01-26 08:19:02 +00:00
Aram Sargsyan
b5735ec37a Fix invalid control port number in the catz system test
When failure is expected, the `rndc` command in the catz system test
is being called directly instead of using a function, i.e.:

    $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig \
        > /dev/null 2>&1 && ret=1

... instead of:

    rndccmd 10.53.0.2 reconfig && ret=1

This is done to suppress messages like "lt-rndc: 'reconfig' failed:
failure" appearing in the message log of the test, because failure
is actually expected, and the appearance of that message can be
confusing.

The port value used in this case is not correct, making the
`rndc reload` command to fail.  This error was not detected earlier
only because the failure of the command is actually expected, but
the failure happens for a "wrong" reason, and the test still passes.

Fix the error by using the existing variable instead of the fixed
number.

(cherry picked from commit 5f9d4b5db4)
2022-01-26 08:19:02 +00:00
Aram Sargsyan
094e416fff Add a system test for view reverting after a failed reconfiguration
Test the view reverting code by introducing a faulty dlz configuration
in named.conf and using `rndc reconfig` to check if named handles the
situation correctly.

We use "dlz" because the dlz processing code is located in an ideal
place in the view configuration function for the test to cover the
view reverting code.

This test is specifically added to the catz system test to additionally
cover the catz reconfiguration during the mentioned failed
reconfiguration attempt.

(cherry picked from commit 62337d433f)
2022-01-26 08:19:02 +00:00
Aram Sargsyan
f555f1d2eb Improve the view configuration error handling and reverting logic
If a view configuration error occurs during a named reconfiguration
procedure, BIND can end up having twin views (old and new), with some
zones and internal structures attached to the old one, and others
attached to the new one, which essentially creates chaos.

Implement some additional view reverting mechanisms to avoid the
situation described above:

 1. Revert rpz configuration.

 2. Revert catz configuration.

 3. Revert zones to view attachments.

(cherry picked from commit 3697560f04)
2022-01-26 08:19:02 +00:00
Evan Hunt
075722f8a2 rndc: add an extra task reference
adding an extra task before launching the rndc app prevents
a use-after-free when task events fire after the app has been
shut down by a signal.
2022-01-19 11:05:00 -08:00
Ondřej Surý
35aba6f078 Add missing backtick to host.rst
The missing backtick was causing formatting problems in the host
manpage.

(cherry picked from commit aaa31962d2)
2022-01-16 08:02:26 +01:00
Ondřej Surý
2bf7921c7e Update the copyright information in all files in the repository
This commit converts the license handling to adhere to the REUSE
specification.  It specifically:

1. Adds used licnses to LICENSES/ directory

2. Add "isc" template for adding the copyright boilerplate

3. Changes all source files to include copyright and SPDX license
   header, this includes all the C sources, documentation, zone files,
   configuration files.  There are notes in the doc/dev/copyrights file
   on how to add correct headers to the new files.

4. Handle the rest that can't be modified via .reuse/dep5 file.  The
   binary (or otherwise unmodifiable) files could have license places
   next to them in <foo>.license file, but this would lead to cluttered
   repository and most of the files handled in the .reuse/dep5 file are
   system test files.

(cherry picked from commit 58bd26b6cf)
2022-01-11 12:22:09 +01:00
Michał Kępień
1904acc7ef Check unsigned serial number in signed zone files
All signed zone files present in bin/tests/system/inline/ns8 should
contain the unsigned serial number in the raw-format header.  Add a
check to ensure that is the case.  Extend the dnssec-signzone command
line in ns8/sign.sh with the -L option to allow the zones initially
signed there to pass the newly added check.  Add another zone to the
configuration for the ns8 named instance to ensure the check also passes
when multiple zones are inline-signed by a single named instance.

(cherry picked from commit ab49205af3)
2022-01-06 12:27:12 +01:00
Matthijs Mekking
99316385d3 Replace RSASHA1 in autosign test with default alg
Change RSASHA1 to $DEFAULT_ALGORITHM to be FIPS compliant.

There is one RSASHA1 occurence left, to test that dynamically adding an
NSEC3PARAM record to an NSEC-only zone fails.

(cherry picked from commit 6e9fed2d24)
2022-01-06 09:35:53 +01:00
Matthijs Mekking
17ae663084 Update autosign test
Update the autosign system test with new expected behavior.

The 'nozsk.example' zone should have its expired zone signatures
deleted and replaced with signatures generated with the KSK.

The 'inaczsk.example' zone should have its expired zone signatures
deleted and replaced with signatures generated with the KSK.

In both scenarios, signatures are deleted, not retained, so the
"retaining signatures" warning should not be logged.

Furthermore, thsi commit fixex a test bug where the 'awk' command
always returned 0.

Finally, this commit adds a test case for an offline KSK, for the zone
'noksk.example'. In this case the expired signatures should be retained
(despite the zone being bogus, but resigning the DNSKEY RRset with the
ZSK won't help here).

(cherry picked from commit fbd559ad0d)
2022-01-06 09:35:42 +01:00
Evan Hunt
21b0093440 Prevent a shutdown race in catz_create_chg_task()
If a catz event is scheduled while the task manager was being
shut down, task-exclusive mode is unavailable. This needs to be
handled as an error rather than triggering an assertion.

(cherry picked from commit 973ac1d891)
2022-01-05 13:37:46 +01:00
Mark Andrews
0e0cd6bf17 Report duplicate dnssec-policy names
Duplicate dnssec-policy names were detected as an error condition
but were not logged.

(cherry picked from commit b8845454c8)
2022-01-04 09:04:07 +11:00
Ondřej Surý
1f7d2d53f0 Disable the internal memory allocator by default
For small sized allocations, the internal allocator gets the memory in
bigger blobs that gets splits into right-sized chunks.  This increases
speed of small allocations and reduced the fragmentation, but such
memory is never released back to the operating system.

Disable the internal allocator by default, and add new `-M internal`
command line option to `named`.
2021-12-15 13:29:19 +01:00
Ondřej Surý
6abebaaad9 Remove locking mechanism from the isc_mempool
Now, that all the locked mempools have been replaced with simple isc_mem
context, remove unused optional locking from isc_mempool API.
2021-12-15 13:29:19 +01:00
Ondřej Surý
974f2f6ace Replace locked mempools with memory contexts
Current mempools are kind of hybrid structures - they serve two
purposes:

 1. mempool with a lock is basically static sized allocator with
    pre-allocated free items

 2. mempool without a lock is a doubly-linked list of preallocated items

The first kind of usage could be easily replaced with jemalloc small
sized arena objects and thread-local caches.

The second usage not-so-much and we need to keep this (in
libdns:message.c) for performance reasons.
2021-12-15 13:29:19 +01:00
Evan Hunt
c243daf839 Add a regression test
Reconfigure the server without catalog-zone configuration, and then
put it back and reconfigure again, to confirm that there's no crash.

(cherry picked from commit bb411af31d)
2021-12-01 09:56:59 +00:00
Aram Sargsyan
4b362a82eb Fix catalog zone reconfiguration crash
The following scenario triggers a "named" crash:

1. Configure a catalog zone.
2. Start "named".
3. Comment out the "catalog-zone" clause.
4. Run `rndc reconfig`.
5. Uncomment the "catalog-zone" clause.
6. Run `rndc reconfig` again.

Implement the required cleanup of the in-memory catalog zone during
the first `rndc reconfig`, so that the second `rndc reconfig` could
find it in an expected state.

(cherry picked from commit 43ac2cd229)
2021-12-01 09:56:59 +00:00
Mark Andrews
566fc191e1 Update the description of fetches-per-zone counters
(cherry picked from commit 65f6d8af75)
2021-11-30 22:40:28 +11:00
Mark Andrews
f805436655 Check dnssec-dsfromkey with revoked DNSKEY
Checks that there is a revoked key in the DNSKEY RRset then checks
that only the correct number of DS records are produced.

(cherry picked from commit e7a3ada1d2)
2021-11-30 22:11:03 +11:00
Tony Finch
3f7fa710d7 dnssec-dsfromkey should not convert revoked keys
it is pointless to convert revoked keys to DS or CDS records as
they cannot be used to provide a cryptographic link from the parent
zone.

(cherry picked from commit 04a5529c2d)
2021-11-30 22:11:03 +11:00
Mark Andrews
bf1eaf4661 Exercise ISC_R_NOSPACE path in dns_sdlz_putrr
Use relative names when adding SOA record and a long domain
name to create SOA RR where the wire format is longer than
the initial buffer allocation in dns_sdlz_putrr.

(cherry picked from commit 6dc5248606)
2021-11-26 07:47:14 +11:00
Evan Hunt
43df2f3aba Make mdig use the OS-supplied ephemeral port range
mdig was always using the default 1024-65535 range for outgoing
messages, instead of using the system's configured ephemeral ports.

(cherry picked from commit 0fecb10c17)
2021-11-17 14:46:32 -08:00
Mark Andrews
1a94a31484 Embed NAMED_SYSCONFDIR contents in the bind.keys comment
(cherry picked from commit 1d7b1f74c9)
2021-11-17 08:46:07 +11:00
Mark Andrews
4ad84547c5 Update comments around built in trust anchors
The comments now say "# BEGIN TRUST ANCHORS" and "# END TRUST ANCHORS".

(cherry picked from commit 43a7f3f532)
2021-11-17 08:46:07 +11:00
Mark Andrews
c28478e0ee Replace incorrect sed expersion with awk
The sed expression could find the wrong instance of 10.
Use awk to replace the TTL field and also to specify the
server and issue the send command.

(cherry picked from commit be879cda72)
2021-11-10 12:51:03 +11:00
Petr Špaček
f3838f76ac Fix system test .status file cleanup
(cherry picked from commit 6495e59a4c)
2021-11-09 13:13:56 +01:00
Petr Špaček
602683d081 Add new system test for wildcard expansion
This is almost minimal prototype to show how to use python-hypothesis
library in a system test. It does not fully replace existing shell-based
system test for wildcards.

(cherry picked from commit 49da19c353)
2021-11-09 13:13:56 +01:00
Ondřej Surý
0ac270dff2 Disable lame-ttl cache
The lame-ttl cache is implemented in ADB as per-server locked
linked-list "indexed" with <qname,qtype>.  This list has to be walked
every time there's a new query or new record added into the lame cache.
Determined attacker can use this to degrade performance of the resolver.

Resolver testing has shown that disabling the lame cache has little
impact on the resolver performance and it's a minimal viable defense
against this kind of attack.
2021-10-28 12:22:33 +02:00
Evan Hunt
9c834a99a4 Fix statistics test error
The statistics system test sometimes needs a pause to wait for the
expected stats to be reported.

Also, the test for priming queries was ineffective; the result of
the grep was not being checked.

(cherry picked from commit c167feb1dc)
2021-10-27 12:56:51 -07:00
Evan Hunt
0085a8205f Fix cds test error
The margin of error (up to 2 seconds) allowed for the inception time
in the cds system test was a bit too small, and has been increased to 3
seconds.

(cherry picked from commit 3ecaccb961)
2021-10-27 12:08:19 -07:00
Evan Hunt
bf599c1649 Fix catz test error
The catz system test included a test case that was looking for a single
answer record after an update, when it should have been looking for two.
The test usually passed because of timing - the first dig usually got a
response before the update was completed - but occasionally the update
processed fast enough for the test to fail. On investigation, it turned
out to be the test that was wrong.

(cherry picked from commit 9b6060c6c4)
2021-10-27 12:08:19 -07:00
Evan Hunt
c2f7b2e7d2 Fix digdelv test error
The digdelv system test has a test case in which stderr was
included in the dig output. When trace logging was in use,
this confused the grep and caused a spurious test failure.

(cherry picked from commit 2143120636)
2021-10-27 12:08:12 -07:00
Mark Andrews
e1490496a6 Check that existing catalog zone entries are preserved
Update the 'catz' system test by adding tests that update an
catalog zone (catalog1.example) while preserving existing entries
(increase SOA serial) then check that catalog zone has transferred
and that the existing entries have not accidentally been removed
as a consequence (can return updated zone content).

(cherry picked from commit bf9c569852)
2021-10-28 00:04:44 +11:00
Evan Hunt
9456be2225 fix qmin system test
The qmin system test was printing spurious output.  On investigation,
the test case turned out to be both broken and ineffective: its
expectations were wrong, and it was printing the output because its
wrong expectations were not met, and those failed expectations were
not causing a test failure. All of this has been corrected.

(cherry picked from commit ac3eb921fc)
2021-10-20 01:36:53 -07:00
Mark Andrews
981643b19a Don't tests stats channels that haven't been configured
pytest was failing because it was testing features that had
not been configured.  test to see if those features have been
configured before running the tests.

(cherry picked from commit 10c01cba61)
2021-10-14 17:33:01 +11:00
Evan Hunt
6836e3c071 cleanup references to ancient named.conf options
some removed options were still referenced in config.c or the ARM.

(cherry picked from commit 69e25f41ae)
2021-10-12 23:52:39 -07:00
Ondřej Surý
093cd31ae2 Update the source code formatting using clang-format-13
clang-format-13 fixed some of the formatting that clang-format-12 got
wrong.  Update the formatting.

(cherry picked from commit ed95f9fba3)
2021-10-12 11:31:55 +02:00
Aram Sargsyan
311074f51e Handle a missing zone when reloading a catalog zone
Previously a missing/deleted zone which was referenced by a catalog
zone was causing a crash when doing a reload.

This commit will make `named` to ignore the fact that the zone is
missing, and make sure to restore it later on.

(cherry picked from commit 94a5712801)
2021-09-30 20:15:19 +00:00
Mark Andrews
0a6ed417b5 Check that 'check-names {secondary|slave} ignore;' works
(cherry picked from commit 0b0d400d7c)
2021-09-29 19:51:53 +10:00
Mark Andrews
f72946794f Check that 'check-names master ignore;' works
(cherry picked from commit 9107c8caeb)
2021-09-29 19:51:53 +10:00