3638 Commits

Author SHA1 Message Date
Mark Andrews
40c7096caf Add DEFAULT_HMAC to conf.sh.common
(cherry picked from commit 972d7fd682)
(cherry picked from commit ba45075acb)
2022-07-07 15:11:33 +10:00
Mark Andrews
76ed6f32e8 update ifconfig.sh
* make it harder to get the interface numbers wrong by using 'max'
to specify the upper bound of the sequence of interfaces and use 'max'
when calculating the interface number
* extract the platform specific instruction into 'up' and 'down'
and call them from the inner loop so that the interface number is
calculated in one place.
* calculate the A and AAAA address in a single place rather than
in each command
* use /sbin/ipadm on Solaris 2.11 and greater

(cherry picked from commit abfb5b1173)
2022-07-07 10:15:35 +10:00
Mark Andrews
d10e20da0d Tighten $GENERATE directive parsing
The original sscanf processing allowed for a number of syntax errors
to be accepted.  This included missing the closing brace in
${modifiers}

Look for both comma and right brace as intermediate seperators as
well as consuming the final right brace in the sscanf processing
for ${modifiers}.  Check when we got right brace to determine if
the sscanf consumed more input than expected and if so behave as
if it had stopped at the first right brace.

(cherry picked from commit 7be64c0e94)
2022-07-06 11:26:24 +10:00
Mark Andrews
16ac79a8f7 Check for overflow in $GENERATE computations
$GENERATE uses 'int' for its computations and some constructions
can overflow values that can be represented by an 'int' resulting
in undefined behaviour.  Detect these conditions and return a
range error.

(cherry picked from commit 5327b9708f)
2022-07-06 11:26:24 +10:00
Mark Andrews
7cd7f7d2cb Increase the amount of time allowed for signing to occur in
On slow systems we have seen this take 9 seconds.  Increased the
allowance from 3 seconds to 10 seconds to reduce the probabilty of
a false negative from the system test.

(cherry picked from commit 4db847e80e)
2022-07-05 23:12:22 +10:00
Mark Andrews
351aa3d3b5 Only report not matching stderr content when we look for it
The previous test code could emit "D:cds:stderr did not match ''" rather
that just showing the contents of stderr.  Moved the debug line inside
the if/else block.

Replaced backquotes with $() and $(()) as approriate.

(cherry picked from commit 304d33fb32)
2022-07-05 23:12:22 +10:00
Michał Kępień
8ebc9c76a9 Add a code comment to the test_send_timeout() test 2022-07-04 23:10:59 +02:00
Mark Andrews
c978785be6 Replace expr's with $((expression)) shell constucts
Also make indenting consistent.

(cherry picked from commit 669c42cd95)
2022-06-23 17:35:51 +10:00
Mark Andrews
9786a785f3 Add missing update of status variable in rrsetorder system test
(cherry picked from commit da63e63c41)
2022-06-23 17:28:58 +10:00
Mark Andrews
f271667a1b Check that the UDP destination port is logged via dnstap
(cherry picked from commit 8d8396c3a7)
2022-06-22 13:52:08 +02:00
Michal Nowak
84d2d25921 Fix implicit string concatenation in tests-checkds.py
pylint 2.14.2 reports the following warnings:

    bin/tests/system/checkds/tests-checkds.py:265:0: W1404: Implicit string concatenation found in call (implicit-str-concat)
    bin/tests/system/checkds/tests-checkds.py:273:0: W1404: Implicit string concatenation found in call (implicit-str-concat)

(cherry picked from commit 831ac8add1)
2022-06-16 13:45:30 +02:00
Tom Krizek
dc5acad543 Report reasons for skipped/xfailed system pytests
If skip/xfail is used in pytest, it can have a reason string associated
with it. When evaluating these tests, it can be useful to be able to
differentiate the reason why the test was skipped/xfailed/xpassed,
because there might be multiple possible reasons for that.

The extra options passed to pytest ensure that the string with the
reason appears in the test summary and thus we're able to find the
string with the reason in the log output.

See https://docs.pytest.org/en/7.1.x/how-to/skipping.html for more info

(cherry picked from commit f6d368167a)
2022-06-16 09:18:32 +02:00
Tom Krizek
b3c7bd1c04 Auto-format Python files with black
This patch is strictly the result of:
$ black $(git ls-files '*.py' '*.py.in')

There have been no manual changes.
2022-06-08 13:34:19 +02:00
Matthijs Mekking
1dc36e2961 Retry quiet to deal with kasp test timing issue
In the cases where we test SOA serial updates and TTL updates, we check
if for "all zones loaded" to ensure the new zone content is loaded. But
this is the unsigned zone, the signed zone still needs to be produced.

There is thus a timing issue where the dig request comes in before
the signing process has finished.

Add a retry quiet to mitigate against it.

(cherry picked from commit 827bba05a0)
2022-06-07 09:38:06 +02:00
Mark Andrews
3183de20c3 Make modifications to keyless.example deterministic
The perl modifation code for keyless.example was not deterministic
(/NXT/ matched part of signature) resulting in different error
strings being returned.  Replaced /NXT/ with /A RRSIG NSEC/ and
updated expected error string,

(cherry picked from commit 69d5e22e58)
2022-06-01 10:42:55 +10:00
Michal Nowak
70c41c60b5 Fix typo in ednscompliance test
Caused by ba0313e649, an incomplete fix of
spelling errors.

(cherry picked from commit 9de2c06a21)
2022-05-18 19:19:48 +02:00
Matthijs Mekking
f922dd3e70 Replace stat with PERL stat in kasp system test
7249bad7 introduced the -c option to stat(1) command, but BSD systems
do not know about it. Replace the stat(1) command with a PERL script
that achieves the same.

Why PERL? For consistency purposes, there are more places in the
system test where we use the same method.

(cherry picked from commit fe601c5915)
2022-05-16 18:53:17 +02:00
Matthijs Mekking
6226ab2fa9 Add kasp test for #3302
Add a test case that triggers a keymgr run that will not trigger any
metadata changes. Ensure that the last status change of the key files
is unmodified.

(cherry picked from commit 7249bad706)
2022-05-16 10:35:33 +02:00
Evan Hunt
6edbe8452c Add lower bound checks to fetchlimit test
Check that the recursing client count is above a reasonable
minimum, as well as below a maximum, so that we can detect
bugs that cause recursion to fail too early or too often.

(cherry picked from commit 8834c44683)
2022-05-14 00:58:29 -07:00
Evan Hunt
9582d05683 Disable EDNS for the fetchlimit test server
The fetchlimit test depends on a resolver continuing to try UDP
and timing out while the client waits for resolution to succeed.
but since commit bb990030 (flag day 2020), a fetch will always
switch to TCP after two timeouts, unless EDNS was disabled for
the query.

This commit adds "edns no;" to server statements in the fetchlimit
resolver, to restore the behavior expected by the test.

(cherry picked from commit 81deb24deb)
2022-05-14 00:52:22 -07:00
Mark Andrews
967e5e09cd Add test cases using static and static-stub zones
RPZ NSIP and NSDNAME checks were failing with "unrecognized NS
rpz_rrset_find() failed: glue" when static or static-stub zones
where used to resolve the query name.

Add tests using stub and static-stub zones that are expected to
be filtered and not-filtered against NSIP and NSDNAME rules.

stub and static-stub queries are expected to be filtered

stub-nomatch and static-stub-nomatch queries are expected to be passed

(cherry picked from commit 30cb70c826)
2022-05-04 23:53:21 +10:00
Mark Andrews
8ae4fda54a Improve forensics for the querylog section of rndc system test
The dig commands appear to be failing unexpectedly on some platforms
when rate limiting kicks in and the response is dropped.  Correct
behaviour should be for dig to retry the query.  Set +qr and capture
stdout and stderr of each of the dig commands involved.

(cherry picked from commit 614cf5a030)
2022-05-03 00:19:37 +10:00
Matthijs Mekking
22f3c453f0 Fix a kasp system test bug
In '_check_apex_dnskey' we check for each key (KEY1 to KEY4) if they
are present in the DNSKEY RRset if they should be.

However, we only grep the dig output for the first seven fields (owner,
ttl, class, type, flags, protocol, algorithm). This can be the same
for different keys.

For example, KEY1 may be KSK predecessor and KEY2 a KSK successor,
both DNSKEY records for these keys are the same up to the public key
field. This can cause test failures if KEY1 needs to be present, but
KEY2 not, because when grepping for KEY2 we will falsely detect the
key to be present (because the grep matches KEY1).

Fix the function by grepping looking for the first seven fields in the
corresponding key file and retrieve the public key part. Grep for this
in the dig output.

(cherry picked from commit 3e1d09ac66)
2022-04-29 13:59:49 +02:00
Matthijs Mekking
3625cf1f63 Minor fixes in kasp system test
Fix two typos and two grep calls.

(cherry picked from commit 2b34b326fc)
2022-04-29 13:59:41 +02:00
Mark Andrews
b5f2ab9cd4 Check that pending negative cache entries for DS can be used successfully
Prime the cache with a negative cache DS entry then make a query for
name beneath that entry. This will cause the DS entry to be retieved
as part of the validation process.  Each RRset in the ncache entry
will be validated and the trust level for each will be updated.

(cherry picked from commit d2d9910da2)
2022-04-19 09:45:16 +10:00
Matthijs Mekking
e5a5b23f41 Test CDS DELETE persists after zone sign
Add a test case for a dynamically added CDS DELETE record and make
sure it is not removed when signing the zone. This happens because
BIND maintains CDS and CDNSKEY publishing and it will only allow
CDS DELETE records if the zone is transitioning to insecure. This is
a state that can be identified when using KASP through 'dnssec-policy',
but not when using 'auto-dnssec'.

(cherry picked from commit f08277f9fb)
2022-04-13 15:13:03 +02:00
Michał Kępień
55f2457526 Fix "forward" system test requirements
Commit 59d1eb3ff8 added a Python-based
name server (bin/tests/system/forward/ans11/ans.py) to the "forward"
system test, but did not update the bin/tests/system/forward/prereq.sh
script to ensure Python is present in the test environment before the
"forward" system test is run.  Update bin/tests/system/forward/prereq.sh
to enforce that requirement.
2022-04-11 14:40:20 +02:00
Mark Andrews
59d1eb3ff8 Add tests for forwarder cache poisoning scenarios
- Check that an NS in an authority section returned from a forwarder
  which is above the name in a configured "forward first" or "forward
  only" zone (i.e., net/NS in a response from a forwarder configured for
  local.net) is not cached.
- Test that a DNAME for a parent domain will not be cached when sent
  in a response from a forwarder configured to answer for a child.
- Check that glue is rejected if its name falls below that of zone
  configured locally.
- Check that an extra out-of-bailiwick data in the answer section is
  not cached (this was already working correctly, but was not explicitly
  tested before).

(cherry picked from commit bf3fffff67)
2022-04-08 10:12:24 +02:00
Matthijs Mekking
a8313a6c3c Add system test lingering CLOSE_WAIT TCP sockets
Add a test case to check for lingering TCP sockets stuck in the
CLOSE_WAIT state. This can happen if a client sends some garbage after
its first query.

The system test runs the reproducer script and then sends another TCP
query to the resolver. The resolver is configured to allow one TCP
client only. If BIND has its TCP socket stuck in CLOSE_WAIT, it does
not have the resources available to answer the second query.

Note: A better test would be to check if the named daemon does not
have a TCP socket stuck in CLOSE_WAIT for example with netstat. When
running this test locally you can examine named with netstat manually.
But since netstat is platform specific it is not a good candidate to do
this as a system test.

If you, if you could return, don't let it burn.
Do you have to let it linger?
- Cranberries

(cherry picked from commit b9ebde705b)
2022-04-08 09:36:08 +02:00
Petr Špaček
237d88fe22 Allow py.test system test to skip itself
Enable use of shortcuts like pytest.importorskip and other tricks
which can cause test to skip itself.

(cherry picked from commit b8829c801f)

In addition to b8829c801f,
"R:$systest:SKIPPED" is not being printed when pytests are skipped
because that leads to two `R:` lines - SKIPPED and PASS/FAIL which is
determined later based on other conditions (core files identified,
assertion failures, shell test result, ...) - which is wrong and
testsummary.sh rightfully stumbles on it:

    I:Found 106 test results, but 105 tests were run
2022-04-08 09:20:55 +02:00
Tony Finch
3f4a63332a MacOS needs more IP addresses to run the system tests
The launchd script only counted up to 8 whereas ifconfig.sh went all
the way up to 10, and even a bit further than that.

(cherry picked from commit 29a3e77425)
2022-04-04 15:08:45 +01:00
Evan Hunt
975a3da84e add a system test for $GENERATE with an integer overflow
the line "$GENERATE 19-28/2147483645 $ CNAME x" should generate
a single CNAME with the owner "19.example.com", but prior to the
overflow bug it generated several CNAMEs, half of them with large
negative values.

we now test for the bugfix by using "named-checkzone -D" and
grepping for a single CNAME in the output.

(cherry picked from commit bd814b79d4)
2022-04-01 21:47:24 +11:00
Evan Hunt
fc7ed00d70 update shell syntax
clean up the shell syntax in the checkzone test prior to adding
a new test.

(cherry picked from commit 2261c853b5)
2022-04-01 21:46:33 +11:00
Tony Finch
a5d65815bc Log "not authoritative for update zone" more clearly
Ensure the update zone name is mentioned in the NOTAUTH error message
in the server log, so that it is easier to track down problematic
update clients. There are two cases: either the update zone is
unrelated to any of the server's zones (previously no zone was
mentioned); or the update zone is a subdomain of one or more of the
server's zones (previously the name of the irrelevant parent zone was
misleadingly logged).

Closes #3209

(cherry picked from commit 84c4eb02e7)
2022-03-30 13:24:56 +01:00
Ondřej Surý
75f9dd8e82 Simplify way we tag unreachable code with only ISC_UNREACHABLE()
Previously, the unreachable code paths would have to be tagged with:

    INSIST(0);
    ISC_UNREACHABLE();

There was also older parts of the code that used comment annotation:

    /* NOTREACHED */

Unify the handling of unreachable code paths to just use:

    UNREACHABLE();

The UNREACHABLE() macro now asserts when reached and also uses
__builtin_unreachable(); when such builtin is available in the compiler.

(cherry picked from commit 584f0d7a7e)
2022-03-25 09:33:51 +01:00
Michał Kępień
eaed6c74d8 Fix broken dnspython version checks
The dns.query Python module has the send_tcp() method defined in both
dnspython 1.x and 2.x, so checking for the existence of that method to
determine the dnspython version available in the test environment does
not make any sense.  Fix by checking the dns.version.MAJOR integer
instead.
2022-03-14 09:19:03 +01:00
Michał Kępień
e41c0a6b6c Rework skipping long tests
The ability to conveniently mark tests which should only be run when the
CI_ENABLE_ALL_TESTS environment variable is set seems to be useful on a
general level and therefore it should not be limited to the "timeouts"
system test, where it is currently used.

pytest documentation [1] suggests to reuse commonly used test markers by
putting them all in a single Python module which then has to be imported
by test files that want to use the markers defined therein.  Follow that
advice by creating a new bin/tests/system/pytest_custom_markers.py
Python module containing the relevant marker definitions.

Note that "import pytest_custom_markers" works from a test-specific
subdirectory because pytest modifies sys.path so that it contains the
paths to all parent directories containing a conftest.py file (and
bin/tests/system/ is one).  PyLint does not like that, though, so add a
relevant PyLint suppression.

The above changes make bin/tests/system/timeouts/conftest.py redundant,
so remove it.

[1] https://docs.pytest.org/en/7.0.x/how-to/skipping.html#id1

(cherry picked from commit 00392921f0)
2022-03-14 09:19:03 +01:00
Michał Kępień
30bbbc7aef Rework imports in dnspython-based system tests
Ensure all "import dns.*" statements are always placed after
pytest.importorskip('dns') calls, in order to allow the latter to
fulfill their purpose.  Explicitly import all dnspython modules used by
each dnspython-based test to avoid relying on nested imports.  Replace
function-scoped imports with global imports to reduce code duplication.

(cherry picked from commit 49312d6bb2)
2022-03-14 09:19:03 +01:00
Michał Kępień
45bbb518d5 Fix skipping tests requiring dnspython
The intended purpose of the @pytest.mark.dnspython{,2} decorators was to
cause dnspython-based tests to be skipped if dnspython is not available
(or not recent enough).  However, a number of system tests employing
those decorators contain global "import dns.resolver" statements which
trigger ImportError exceptions during test initialization if dnspython
is not available.  In other words, the @pytest.mark.dnspython{,2}
decorators serve no useful purpose.

Currently, whenever a Python-based test requires dnspython, that
requirement applies to all tests in a given *.py file.  Given that,
employ global pytest.importorskip() calls to ensure dnspython-based
parts of various system tests are skipped when dnspython is not
available.  Remove all occurrences of the @pytest.mark.dnspython{,2}
decorators (and all associated code) to prevent confusion.

(cherry picked from commit 05c97f2329)
2022-03-14 09:19:03 +01:00
Michał Kępień
d9ae31be8c Fix skipping tests requiring the requests module
The intended purpose of the @pytest.mark.requests decorator was to cause
Python-based parts of the "statschannel" system test to be skipped if
the requests Python module is not available.  However, both
tests-json.py and tests-xml.py contain a global "import requests"
statement which triggers ImportError exceptions during test
initialization if the requests module is not available.  In other words,
the @pytest.mark.requests decorator serves no useful purpose.

Since all tests in both tests-json.py and tests-xml.py depend on the
requests Python module, employ pytest.importorskip() to ensure the
Python-based parts of the "statschannel" system test are skipped when
the requests module is not available.  Remove all occurrences of the
@pytest.mark.requests decorator (and all associated code) to prevent
confusion.

(cherry picked from commit 704ad2907f)
2022-03-14 09:19:03 +01:00
Michał Kępień
098bd03f7d Simplify skipping tests depending on libxml2
All tests in bin/tests/system/statschannel/tests-xml.py require libxml2
support to be enabled in BIND 9 at build-time.  Instead of applying the
same pytest.mark.skipif() decorator to every test in that file, set the
'pytestmark' global accordingly in order to immediately skip all tests
in tests-xml.py if libxml2 support is not compiled in.

Remove all occurrences of the @pytest.mark.xml decorator (and all
associated code) from the "statschannel" system test as the
xml.etree.ElementTree module is a part of the Python standard library
since Python 2.5 (so checking whether it is available is redundant) and
checking for libxml2 support in the tested BIND 9 build is already
handled by setting the 'pytestmark' global accordingly.

(cherry picked from commit 286b57c7f1)
2022-03-14 09:19:03 +01:00
Michał Kępień
c1a0651f54 Simplify skipping tests depending on json-c
All tests in bin/tests/system/statschannel/tests-json.py require json-c
support to be enabled in BIND 9 at build-time.  Instead of applying the
same pytest.mark.skipif() decorator to every test in that file, set the
'pytestmark' global accordingly in order to immediately skip all tests
in tests-json.py if json-c support is not compiled in.

Remove all occurrences of the @pytest.mark.json decorator (and all
associated code) from the "statschannel" system test as the json module
is a part of the Python standard library since Python 2.6 (so checking
whether it is available is redundant) and checking for json-c support in
the tested BIND 9 build is already handled by setting the 'pytestmark'
global accordingly.

Also remove a related excerpt from bin/tests/system/rpzextra/conftest.py
as it is a copy-paste artifact that serves no purpose in the "rpzextra"
system test.

(cherry picked from commit 0a76f186a5)
2022-03-14 09:19:03 +01:00
Michał Kępień
14a3bb4897 Refactor "statschannel" test's helper modules
The "statschannel" system test contains two Python helper modules:

  - generic.py: test functions directly invoked by both tests-json.py
    and test-xml.py,

  - helper.py: helper functions invoked by test functions in generic.py.

The above logic for splitting helper functions into Python modules
prevents selective test skipping from working due to unconditional
import statements being present in both helper modules.  For example, if
dnspython is not available on the test host, tests-json.py imports
generic.py, which in turn imports helper.py, which in turn attempts to
import various dnspython modules, triggering ImportError exceptions
during test initialization.  Various decorators used for some tests
(like @pytest.mark.dnspython) suggest that such a scenario should be
handled gracefully, but that is not the case - modifying the test
collection in conftest.py does not prevent pytest from failing due to
import errors.

Fix by moving helper functions around to achieve a different split:

  - generic.py: helper functions only relying on the Python standard
    library,

  - generic_dnspython.py: helper functions requiring dnspython.

Only two tests in tests-{json,xml}.py need dnspython to work
(test_traffic_json(), test_traffic_xml()).  Since all
dnspython-dependent code is now present in generic_dnspython.py, employ
pytest.importorskip() in those two tests to ensure they can be
selectively skipped when dnspython is not available.  Adjust other code
to account for the revised Python helper module layout.  Remove all
occurrences of the @pytest.mark.dnspython decorator (and all associated
code) from the "statschannel" system test to prevent confusion.

(cherry picked from commit 96b7f9f9aa)
2022-03-14 09:19:03 +01:00
Michał Kępień
30d7a68129 Reuse common port-related test fixtures
Most Python-based system tests need to know which ports were assigned to
a given test by bin/tests/system/get_ports.sh.  This is currently
handled by inspecting the values of various environment variables (set
by bin/tests/system/run.sh) and passing the port numbers to Python
scripts via pytest fixtures.  However, this glue code has so far been
copy-pasted into each system test using it, rather than reused.

Since pytest also looks for conftest.py files in parent directories,
move commonly used fixtures to bin/tests/system/conftest.py.  Set the
scope of all the moved fixtures to "session" as their return values are
only based on environment variables, so there is no point in recreating
them for every test requesting them.  Adjust test code accordingly.

(cherry picked from commit 53ef8835c1)
2022-03-14 09:19:03 +01:00
Mark Andrews
38d930e5cb Add test configurations with invalid dnssec-policy clauses
bad-ksk-without-zsk.conf only has a ksk defined without a
matching zsk for the same algorithm.

bad-zsk-without-ksk.conf only has a zsk defined without a
matching ksk for the same algorithm.

bad-unpaired-keys.conf has two keys of different algorithms
one ksk only and the other zsk only

(cherry picked from commit f23e86b96b)
2022-03-08 21:56:39 +11:00
Petr Špaček
17ff0227f8 Fix timeouts system test compatibility with python2
v9_16 branch still supports Python 2.7.
Fixup for 260b4c02cf.

Related: !5856
2022-02-18 11:26:58 +01:00
Ondřej Surý
b3efa9f7ed Add XFR max-transfer-time-out and max-tranfer-idle-out system tests
Extend the timeouts system test to ensure that the maximum outgoing
transfer time (max-transfer-time-out) and maximum outgoing transfer idle
time (max-transfer-idle-out) works as expected.  This is done by
lowering the limits to 5/1 minutes and testing that the connection has
been dropped while sleeping between the individual XFR messages.

(cherry picked from commit 8fed1b6461)
2022-02-17 22:59:24 +01:00
Evan Hunt
d822a87804 backport regression test from GL #3157
add "blackhole { none; };" to a secondary server in the xfer system
test to ensure that the error in GL #3157 is not present in 9.16.
2022-02-17 09:38:26 -08:00
Ondřej Surý
260b4c02cf Add TCP write timeout system test
Extend the timeouts system test that bursts the queries for large TXT
record and never read any responses back filling up the server TCP write
buffer.  The test should work with the default wmem_max value on
Linux (208k).

(cherry picked from commit b735182ae0)
2022-02-17 10:05:24 +01:00
Ondřej Surý
ad5869ac6c Remove unused functions from isc_thread API
The isc_thread_setaffinity call was removed in !5265 and we are not
going to restore it because it was proven that the performance is better
without it.  Additionally, remove the already disabled cpu system test.

The isc_thread_setconcurrency function is unused and also calling
pthread_setconcurrency() on Linux has no meaning, formerly it was
added because of Solaris in 2001 and it was removed when taskmgr was
refactored to run on top of netmgr in !4918.

(cherry picked from commit 0500345513)
2022-02-09 18:09:48 +01:00