5028 Commits

Author SHA1 Message Date
Petr Špaček
d63bc6af08 Clarify error message about missing inline-signing & dnssec-policy
(cherry picked from commit 058c1744ba)
2022-10-06 10:31:15 +02:00
Mark Andrews
03d363d0ee Add sleeps to ixfr system test
ensure that at least a second has passed since a zone was last loaded
to prevent it accidentally being skipped as up to date.

(cherry picked from commit 491a8cfe96)
2022-10-06 08:36:38 +11:00
Michal Nowak
9f27c3f95e Drop flake8 ignore lists
flake8 is not used in BIND 9 CI and inline ignore lists are not needed
anymore.

(cherry picked from commit f5d9fa6ea4)
2022-10-05 18:33:34 +02:00
Mark Andrews
e396d5d72d Add support for 'dohpath' to SVCB (and HTTPS)
dohpath is specfied in draft-ietf-add-svcb-dns and has a value
of 7.  It must be a relative path (start with a /), be encoded
as UTF8 and contain the variable dns ({?dns}).

(cherry picked from commit 6d561d3886)
2022-10-04 15:33:49 +11:00
Mark Andrews
47e8a98240 keymgr: use DEFAULT_ALGORITHM instead of {nsec3}rsasha1 2022-10-03 13:28:26 +02:00
Michal Nowak
f822943473 coverage: use $DEFAULT_ALGORITHM 2022-10-03 13:28:25 +02:00
Mark Andrews
21cd56b42b Fix mkeys to work with DEFAULT_ALGORITHM properly
Stop using a RSASHA1 fixed key in ns3's named.conf as the
trusted key and instead compute a broken digest from the
real digest to use in trusted-keys.

(cherry picked from commit be4cbe2b80)
2022-10-03 13:28:25 +02:00
Mark Andrews
42727aab9a kasp: stop using RSASHA1 unless necessary for the test
Moves tests from being RSASHA1 based to RSASHA256 based where possible
and split out the remaining RSASHA1 based tests so that they are not
run on OS's that don't support RSASHA1.

(cherry picked from commit db028684e5)
2022-10-03 13:28:25 +02:00
Mark Andrews
4daa3d6dae keymgr2kasp: use FIPS compliant algorithms and key sizes
migrate-nomatch-alglen: switched to RSASHA256 instead of RSASHA1
and the key size now changes from 2048 bits to 3072 bits instead
of 1024 bits to 2048 bits.

migrate-nomatch-algnum: switched to RSASHA256 instead of RSASHA1
as initial algorithm and adjusted mininum key size to 2048 bits.

rsasha256: adjusted minimum key size to 2048 bits.

(cherry picked from commit 048b015166)
2022-10-03 13:28:25 +02:00
Mark Andrews
3d642f46f2 dnssec/signer/general: Replace RSASHA1 keys with RSASHA512 keys
RSASHA1 is verify only in FIPS mode. Use RSASHA256 instead.

(cherry picked from commit 9c6de6d12d)
2022-10-03 13:28:25 +02:00
Mark Andrews
77e0878444 autosign: use FIPS compatible algorithms and key sizes
The nsec-only.example zone was not converted as we use it to
test nsec-only DNSSEC algorithms to nsec3 conversion failure.
The subtest is skipped in fips mode.

Update "checking revoked key with duplicate key ID" test
to use FIPS compatible algorithm.

(cherry picked from commit 99ad09975e)
2022-10-03 13:28:25 +02:00
Mark Andrews
e6d1117891 rsabigexponent: convert the test from RSASHA1 to RSASHA256
RSASHA1 is not supported on some platforms.

(cherry picked from commit 8c3c011860)
2022-10-03 13:28:25 +02:00
Mark Andrews
fe4d8ca7c7 mkeys: use $() instead of back quotes
(cherry picked from commit 0e45a2b02c)
2022-10-03 13:19:35 +02:00
Mark Andrews
4950ab72e8 Upgrade uses of hmac-sha1 to DEFAULT_HMAC
where the test is not hmac-sha1 specific

(cherry picked from commit c533e8bc5b)
2022-10-03 13:19:35 +02:00
Mark Andrews
e8545ad255 zonechecks: use $DEFAULT_ALGORITHM
(cherry picked from commit 459e6980e5)
2022-10-03 13:19:35 +02:00
Mark Andrews
864a2b127a wildcard: use $DEFAULT_ALGORITHM
(cherry picked from commit 3f65c9cf85)
2022-10-03 13:19:34 +02:00
Mark Andrews
76a154d8b1 views: use $DEFAULT_ALGORITHM
(cherry picked from commit 86b29606c3)
2022-10-03 13:19:34 +02:00
Mark Andrews
16c6557aa2 verify: use $DEFAULT_ALGORITHM
(cherry picked from commit 93f7c7cdcd)
2022-10-03 13:19:34 +02:00
Mark Andrews
150ace9801 upforwd: use $DEFAULT_ALGORITHM
(cherry picked from commit 5585909904)
2022-10-03 13:19:34 +02:00
Mark Andrews
516694cd8c unknown: use $DEFAULT_ALGORITHM
(cherry picked from commit 9970d4317d)
2022-10-03 13:19:34 +02:00
Mark Andrews
b8645af516 synthfromdnssec: use $DEFAULT_ALGORITHM
(cherry picked from commit 73fd49f8bb)
2022-10-03 13:19:34 +02:00
Mark Andrews
a2d8660485 staticstub: use $DEFAULT_ALGORITHM
(cherry picked from commit 32337b9dbf)
2022-10-03 13:19:34 +02:00
Mark Andrews
204811ae41 smartsign: use $DEFAULT_ALGORITHM
(cherry picked from commit 941b95edb0)
2022-10-03 13:19:34 +02:00
Mark Andrews
49d8978cb4 rpz: use $DEFAULT_ALGORITHM
(cherry picked from commit 1861c3e503)
2022-10-03 13:19:34 +02:00
Mark Andrews
b26a89df34 rootkeysentinel: use $DEFAULT_ALGORITHM
(cherry picked from commit b0e1d9b1b3)
2022-10-03 13:19:34 +02:00
Mark Andrews
e78c158ba6 resolver: use $DEFAULT_ALGORITHM
(cherry picked from commit 05ef8c81dd)
2022-10-03 13:19:34 +02:00
Mark Andrews
52ce408f0d redirect: use $DEFAULT_ALGORITHM
(cherry picked from commit e0e03602ba)
2022-10-03 13:19:33 +02:00
Mark Andrews
ce8cef8a4b pending: use $DEFAULT_ALGORITHM
(cherry picked from commit 6fd50b9fda)
2022-10-03 13:19:33 +02:00
Mark Andrews
1b94de8d1f nsupdate: use $DEFAULT_ALGORITHM
(cherry picked from commit c2d18567fc)
2022-10-03 13:19:33 +02:00
Mark Andrews
fd8bd94212 mkeys: use $DEFAULT_ALGORITHM
(cherry picked from commit 78fa082999)
2022-10-03 13:19:33 +02:00
Mark Andrews
61cfb9a68e mirror: use $DEFAULT_ALGORITHM
(cherry picked from commit ff95bafa39)
2022-10-03 13:19:33 +02:00
Mark Andrews
17a26bced4 metadata: use $DEFAULT_ALGORITHM
(cherry picked from commit 3f1dc83bfb)
2022-10-03 13:19:33 +02:00
Mark Andrews
6843c764c6 inline: use $DEFAULT_ALGORITHM
(cherry picked from commit e3acddefd1)
2022-10-03 13:19:33 +02:00
Mark Andrews
45c21fd5af dsdigest: use $DEFAULT_ALGORITHM
(cherry picked from commit 49de14cb9e)
2022-10-03 13:19:33 +02:00
Mark Andrews
4ba58611c7 dnssec: use $DEFAULT_ALGORITHM
(cherry picked from commit d0b0139c90)
2022-10-03 13:19:33 +02:00
Mark Andrews
53625cc639 dns64: use $DEFAULT_ALGORITHM
(cherry picked from commit 5cbf1e1598)
2022-10-03 13:19:33 +02:00
Mark Andrews
7cf9e28924 chain: use $DEFAULT_ALGORITHM
(cherry picked from commit 3419178bd2)
2022-10-03 13:19:33 +02:00
Mark Andrews
5f146c76bd cds: use $DEFAULT_ALGORITHM
(cherry picked from commit 6cf0b73ede)
2022-10-03 13:19:33 +02:00
Mark Andrews
1bd3c49454 autosign: use $DEFAULT_ALGORITHM
(cherry picked from commit bb810b0ac9)
2022-10-03 13:19:32 +02:00
Mark Andrews
7f2b46f4e5 Suffix may be used before it is assigned a value
CID 350722 (#5 of 7): Bad use of null-like value (FORWARD_NULL)
        12. invalid_operation: Invalid operation on null-like value suffix.
    145        r.authority.append(
    146            dns.rrset.from_text(
    147                "icky.ptang.zoop.boing." + suffix,
    148                1,
    149                IN,
    150                NS,
    151                "a.bit.longer.ns.name." + suffix,
    152            )
    153        )

(cherry picked from commit 432064f63c)
2022-09-28 11:19:50 +10:00
Mark Andrews
4fc1975709 Check that changing the TSIG key is successful
Switch the primary to require 'next_key' for zone transfers then
update the catalog zone to say to use 'next_key'.  Next update the
zones contents then check that those changes are seen on the
secondary.

(cherry picked from commit 176e172210)
2022-09-27 23:58:22 +10:00
Mark Andrews
ff883fd75f Suppress manykeys test on duplicate key ids
If there are duplicate key ids across multiple algorithms expected
output is no met.  We have fixed this in on main but decided to not
back port the fix as it will change the statistics channel output.

This change detects when there are duplicate key id across algorithms
as skips the sub test.

(cherry picked from commit ea1d3476a8)
2022-09-16 09:49:41 +10:00
Michal Nowak
9b41b63607 Bump socket.create_connection() timeout to 10 seconds
The tcp Pytest on OpenBSD fairly reliably fails when receive_tcp()
on a socket is attempted:

    >           (response, rtime) = dns.query.receive_tcp(sock, timeout())

    tests-tcp.py:50:
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    /usr/local/lib/python3.9/site-packages/dns/query.py:659: in receive_tcp
        ldata = _net_read(sock, 2, expiration)
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

    sock = <socket.socket [closed] fd=-1, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6>
    count = 2, expiration = 1662719959.8106785

        def _net_read(sock, count, expiration):
            """Read the specified number of bytes from sock.  Keep trying until we
            either get the desired amount, or we hit EOF.
            A Timeout exception will be raised if the operation is not completed
            by the expiration time.
            """
            s = b''
            while count > 0:
                try:
    >               n = sock.recv(count)
    E               socket.timeout: timed out

This is because the socket is already closed.

Bump the socket connection timeout to 10 seconds.

(cherry picked from commit 658cae9fad)
2022-09-15 12:36:14 +02:00
Aram Sargsyan
3ad0f165ab Fix RRL responses-per-second bypass using wildcard names
It is possible to bypass Response Rate Limiting (RRL)
`responses-per-second` limitation using specially crafted wildcard
names, because the current implementation, when encountering a found
DNS name generated from a wildcard record, just strips the leftmost
label of the name before making a key for the bucket.

While that technique helps with limiting random requests like
<random>.example.com (because all those requests will be accounted
as belonging to a bucket constructed from "example.com" name), it does
not help with random names like subdomain.<random>.example.com.

The best solution would have been to strip not just the leftmost
label, but as many labels as necessary until reaching the suffix part
of the wildcard record from which the found name is generated, however,
we do not have that information readily available in the context of RRL
processing code.

Fix the issue by interpreting all valid wildcard domain names as
the zone's origin name concatenated to the "*" name, so they all will
be put into the same bucket.

(cherry picked from commit baa9698c9d)
2022-09-08 09:41:15 +02:00
Matthijs Mekking
d1336d49b3 Update inline system test, zone 'retransfer3.'
The zone 'retransfer3.' tests whether zones that 'rndc signing
-nsec3param' requests are queued even if the zone is not loaded.

The test assumes that if 'rndc signing -list' shows that the zone is
done signing with two keys, and there are no NSEC3 chains pending, the
zone is done handling the '-nsec3param' queued requests. However, it
is possible that the 'rndc signing -list' command is received before
the corresponding privatetype records are added to the zone (the records
that are used to retrieve the signing status with 'rndc signing').

This is what happens in test failure
https://gitlab.isc.org/isc-projects/bind9/-/jobs/2722752.

The 'rndc signing -list retransfer3' is thus an unreliable check.
It is simpler to just remove the check and wait for a certain amount
of time and check whether ns3 has re-signed the zone using NSEC3.

(cherry picked from commit 8b71cbd09c)
2022-09-07 16:30:19 +02:00
Matthijs Mekking
145e888815 Update system tests
Update checkconf and kasp related system tests after requiring
inline-signing.

(cherry picked from commit 8fd75e8a4e1035ce0e81bf47d954a3f5b8a4d571)
2022-09-06 10:27:33 +02:00
Ondřej Surý
104eaf34da Enable the IDNA2003 domain names in the idna system test
Allow the IDNA2003 tests to succeed after the fallback to IDNA2003 was
implemented.

(cherry picked from commit 87de726f5c)
2022-09-05 10:22:23 +02:00
Mark Andrews
69be4d3bdc Improve awk tests to prevent false negatives
The old code could incorrectly match "INSOA" in the RRSIG rdata
when looking for the SOA record.

(cherry picked from commit 2fc5f6fb2831697c79f75c50a769449ac561aad0)
2022-08-18 13:43:47 +10:00
Mark Andrews
19bf98201b Ensure suffix is always valid in bin/tests/system/qmin/ans4/ans.py
initalise suffix to ""

    170        r.answer.append(
    171            dns.rrset.from_text(
    172                lqname + suffix, 1, IN, NS, "a.bit.longer.ns.name." + suffix
    173            )
    174        )
    175        r.flags |= dns.flags.AA
           15. Condition endswith(lqname, "icky.ptang.zoop.boing."), taking true branch.
    176    elif endswith(lqname, "icky.ptang.zoop.boing."):
           CID 350722 (#7 of 7): Bad use of null-like value (FORWARD_NULL)
           16. invalid_operation: Invalid operation on null-like value suffix.
    177        r.authority.append(
    178            dns.rrset.from_text(
    179                "icky.ptang.zoop.boing." + suffix,
    180                1,
    181                IN,
    182                SOA,
    183                "ns2." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1",
    184            )
    185        )

(cherry picked from commit eb798d0478)
2022-07-27 14:27:26 -04:00
Evan Hunt
fb8f102ffc warn about zones with both dnssec-policy and max-zone-ttl
max-zone-ttl in zone/view/options is a no-op if dnssec-policy
is in use, so generate a warning.
2022-07-22 15:24:34 -07:00