upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-21 22:28:34 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/bin/tests/system/mirror/tests.sh

554 lines
26 KiB
Bash
Raw Normal View History

Add a system test for mirror zones Create the basic files comprising a system test and define a few helper functions which will be useful when testing mirror zones.
2018-06-28 07:38:39 -04:00
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
Increase dig query timeout to 2 seconds The "mirror" system test expects all dig queries (including recursive ones) to be responded to within 1 second, which turns out to be overly optimistic in certain cases and leads to false positives being triggered. Increase dig query timeout used throughout the "mirror" system test to 2 seconds in order to alleviate the issue.
2019-03-20 04:50:35 -04:00
DIGOPTS="-p ${PORT} -b 10.53.0.1 +dnssec +time=2 +tries=1 +multi"
Add a system test for mirror zones Create the basic files comprising a system test and define a few helper functions which will be useful when testing mirror zones.
2018-06-28 07:38:39 -04:00
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
# Wait until the transfer of the given zone to ns3 either completes successfully
Fall back to normal recursion when mirror zone data is unavailable If transferring or loading a mirror zone fails, resolution should still succeed by means of falling back to regular recursive queries. Currently, though, if a slave zone is present in the zone table and not loaded, a SERVFAIL response is generated. Thus, mirror zones need special handling in this regard. Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a domain name is looked up rather than a zone itself. Handle that flag in dns_zt_find() in such a way that a mirror zone which is expired or not yet loaded is ignored when looking up domain names, but still possible to find when the caller wants to know whether the zone is configured. This causes a fallback to recursion when mirror zone data is unavailable without making unloaded mirror zones invisible to code checking a zone's existence.
2018-06-28 07:38:39 -04:00
# or is aborted by a verification failure or a REFUSED response from the master.
Prevent races when waiting for log messages The "mirror" system test checks whether log messages announcing a mirror zone coming into effect are emitted properly. However, the helper functions responsible for waiting for zone transfers and zone loading to complete do not wait for these exact log messages, but rather for other ones preceding them, which introduces a possibility of false positives. This problem cannot be addressed by just changing the log message to look for because the test still needs to discern between transferring a zone and loading a zone. Add two new log messages at debug level 99 (which is what named instances used in system tests are configured with) that are to be emitted after the log messages announcing a mirror zone coming into effect. Tweak the aforementioned helper functions to only return once the log messages they originally looked for are followed by the newly added log messages. This reliably prevents races when looking for "mirror zone is now in use" log messages and also enables a workaround previously put into place in the "mirror" system test to be reverted.
2019-02-14 04:41:56 -05:00
# Note that matching on any transfer status is deliberately avoided because some
# checks performed by this test cause transfer attempts to end with the "IXFR
# failed" status, which is followed by an AXFR retry and this test needs to
# check what the result of the latter transfer attempt is.
Add a system test for mirror zones Create the basic files comprising a system test and define a few helper functions which will be useful when testing mirror zones.
2018-06-28 07:38:39 -04:00
wait_for_transfer() {
zone=$1
for i in 1 2 3 4 5 6 7 8 9 10; do
Prevent races when waiting for log messages The "mirror" system test checks whether log messages announcing a mirror zone coming into effect are emitted properly. However, the helper functions responsible for waiting for zone transfers and zone loading to complete do not wait for these exact log messages, but rather for other ones preceding them, which introduces a possibility of false positives. This problem cannot be addressed by just changing the log message to look for because the test still needs to discern between transferring a zone and loading a zone. Add two new log messages at debug level 99 (which is what named instances used in system tests are configured with) that are to be emitted after the log messages announcing a mirror zone coming into effect. Tweak the aforementioned helper functions to only return once the log messages they originally looked for are followed by the newly added log messages. This reliably prevents races when looking for "mirror zone is now in use" log messages and also enables a workaround previously put into place in the "mirror" system test to be reverted.
2019-02-14 04:41:56 -05:00
# Wait until a "freeing transfer context" message is logged
# after one of the transfer results we are looking for is
# logged. This is needed to prevent races when checking for
# "mirror zone is now in use" messages.
nextpartpeek ns3/named.run | \
awk "matched; /'$zone\/IN'.*Transfer status: (success|verify failure|REFUSED)/ {matched=1}" | \
grep "'$zone/IN'.*freeing transfer context" > /dev/null && return
Add a system test for mirror zones Create the basic files comprising a system test and define a few helper functions which will be useful when testing mirror zones.
2018-06-28 07:38:39 -04:00
sleep 1
done
echo_i "exceeded time limit waiting for proof of '$zone' being transferred to appear in ns3/named.run"
ret=1
}
# Wait until loading the given zone on the given server either completes
# successfully for the specified serial number or fails.
wait_for_load() {
zone=$1
serial=$2
log=$3
for i in 1 2 3 4 5 6 7 8 9 10; do
Prevent races when waiting for log messages The "mirror" system test checks whether log messages announcing a mirror zone coming into effect are emitted properly. However, the helper functions responsible for waiting for zone transfers and zone loading to complete do not wait for these exact log messages, but rather for other ones preceding them, which introduces a possibility of false positives. This problem cannot be addressed by just changing the log message to look for because the test still needs to discern between transferring a zone and loading a zone. Add two new log messages at debug level 99 (which is what named instances used in system tests are configured with) that are to be emitted after the log messages announcing a mirror zone coming into effect. Tweak the aforementioned helper functions to only return once the log messages they originally looked for are followed by the newly added log messages. This reliably prevents races when looking for "mirror zone is now in use" log messages and also enables a workaround previously put into place in the "mirror" system test to be reverted.
2019-02-14 04:41:56 -05:00
# Wait until a "zone_postload: (...): done" message is logged
# after one of the loading-related messages we are looking for
# is logged. This is needed to prevent races when checking for
# "mirror zone is now in use" messages.
nextpartpeek $log | \
awk "matched; /$zone.*(loaded serial $serial|unable to load)/ {matched=1}" | \
grep "zone_postload: zone $zone/IN: done" > /dev/null && return
Add a system test for mirror zones Create the basic files comprising a system test and define a few helper functions which will be useful when testing mirror zones.
2018-06-28 07:38:39 -04:00
sleep 1
done
echo_i "exceeded time limit waiting for proof of '$zone' being loaded to appear in $log"
ret=1
}
# Trigger a reload of ns2 and wait until loading the given zone completes.
reload_zone() {
zone=$1
serial=$2
Use rndc_reload in tests, make sure that reload is complete before continuing
2018-12-11 06:59:11 -05:00
rndc_reload ns2 10.53.0.2
Add a system test for mirror zones Create the basic files comprising a system test and define a few helper functions which will be useful when testing mirror zones.
2018-06-28 07:38:39 -04:00
wait_for_load $zone $serial ns2/named.run
}
status=0
n=0
Verify mirror zone AXFRs Update axfr_commit() so that all incoming versions of a mirror zone transferred using AXFR are verified before being used. If zone verification fails, discard the received version of the zone, wait until the next refresh and retry.
2018-06-28 07:38:39 -04:00
ORIGINAL_SERIAL=`awk '$2 == "SOA" {print $5}' ns2/verify.db.in`
UPDATED_SERIAL_BAD=`expr ${ORIGINAL_SERIAL} + 1`
UPDATED_SERIAL_GOOD=`expr ${ORIGINAL_SERIAL} + 2`
n=`expr $n + 1`
echo_i "checking that an unsigned mirror zone is rejected ($n)"
ret=0
wait_for_transfer verify-unsigned
$DIG $DIGOPTS @10.53.0.3 +norec verify-unsigned SOA > dig.out.ns3.test$n 2>&1 || ret=1
Improve reliability of zone verification checks In the "mirror" system test, ns3 periodically sends trust anchor telemetry queries to ns1 and ns2. It may thus happen that for some non-recursive queries for names inside mirror zones which are not yet loaded, ns3 will be able to synthesize a negative answer from the cached records it obtained from trust anchor telemetry responses. In such cases, NXDOMAIN responses will be sent with the root zone SOA in the AUTHORITY section. Since the root zone used in the "mirror" system test has the same serial number as ns2/verify.db.in and zone verification checks look for the specified serial numbers anywhere in the answer, the test could be broken if different zone names were used. The +noauth dig option could be used to address this weakness, but that would prevent entire responses from being stored for later inspection, which in turn would hamper troubleshooting test failures. Instead, use a different serial number for ns2/verify.db.in than for any other zone used in the "mirror" system test and check the number of records in the ANSWER section of each response.
2019-02-14 04:41:56 -05:00
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
Fix serial number used in zone verification checks Due to the way the "mirror" system test is set up, it is impossible for the "verify-unsigned" and "verify-untrusted" zones to contain any serial number other than the original one present in ns2/verify.db.in. Thus, using presence of a different serial number in the SOA records of these zones as an indicator of problems with mirror zone verification is wrong. Look for the original zone serial number instead as that is the one that will be returned by ns3 if one of the aforementioned zones is successfully verified.
2019-02-14 04:41:56 -05:00
grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
Log a message when a transferred mirror zone comes into effect Log a message when a mirror zone is successfully transferred and verified, but only if no database for that zone was yet loaded at the time the transfer was initiated. This could have been implemented in a simpler manner, e.g. by modifying zone_replacedb(), but (due to the calling order of the functions involved in finalizing a zone transfer) that would cause the resulting logs to suggest that a mirror zone comes into effect before its transfer is finished, which would be confusing given the nature of mirror zones and the fact that no message is logged upon successful mirror zone verification. Once the dns_zone_replacedb() call in axfr_finalize() is made, it becomes impossible to determine whether the transferred zone had a database attached before the transfer was started. Thus, that check is instead performed when the transfer context is first created and the result of this check is passed around in a field of the transfer context structure. If it turns out to be desired, the relevant log message is then emitted just before the transfer context is freed. Taking this approach means that the log message added by this commit is not timed precisely, i.e. mirror zone data may be used before this message is logged. However, that can only be fixed by logging the message inside zone_replacedb(), which causes arguably more dire issues discussed above. dns_zone_isloaded() is not used to double-check that transferred zone data was correctly loaded since the 'shutdown_result' field of the zone transfer context will not be set to ISC_R_SUCCESS unless axfr_finalize() succeeds (and that in turn will not happen unless dns_zone_replacedb() succeeds).
2019-01-16 09:31:48 -05:00
nextpartpeek ns3/named.run | grep "verify-unsigned.*Zone contains no DNSSEC keys" > /dev/null || ret=1
nextpartpeek ns3/named.run | grep "verify-unsigned.*mirror zone is now in use" > /dev/null && ret=1
Verify mirror zone AXFRs Update axfr_commit() so that all incoming versions of a mirror zone transferred using AXFR are verified before being used. If zone verification fails, discard the received version of the zone, wait until the next refresh and retry.
2018-06-28 07:38:39 -04:00
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that a mirror zone signed using an untrusted key is rejected ($n)"
ret=0
nextpartreset ns3/named.run
wait_for_transfer verify-untrusted
$DIG $DIGOPTS @10.53.0.3 +norec verify-untrusted SOA > dig.out.ns3.test$n 2>&1 || ret=1
Improve reliability of zone verification checks In the "mirror" system test, ns3 periodically sends trust anchor telemetry queries to ns1 and ns2. It may thus happen that for some non-recursive queries for names inside mirror zones which are not yet loaded, ns3 will be able to synthesize a negative answer from the cached records it obtained from trust anchor telemetry responses. In such cases, NXDOMAIN responses will be sent with the root zone SOA in the AUTHORITY section. Since the root zone used in the "mirror" system test has the same serial number as ns2/verify.db.in and zone verification checks look for the specified serial numbers anywhere in the answer, the test could be broken if different zone names were used. The +noauth dig option could be used to address this weakness, but that would prevent entire responses from being stored for later inspection, which in turn would hamper troubleshooting test failures. Instead, use a different serial number for ns2/verify.db.in than for any other zone used in the "mirror" system test and check the number of records in the ANSWER section of each response.
2019-02-14 04:41:56 -05:00
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
Fix serial number used in zone verification checks Due to the way the "mirror" system test is set up, it is impossible for the "verify-unsigned" and "verify-untrusted" zones to contain any serial number other than the original one present in ns2/verify.db.in. Thus, using presence of a different serial number in the SOA records of these zones as an indicator of problems with mirror zone verification is wrong. Look for the original zone serial number instead as that is the one that will be returned by ns3 if one of the aforementioned zones is successfully verified.
2019-02-14 04:41:56 -05:00
grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
Do not check SEP bit for mirror zone trust anchors When a mirror zone is verified, the 'ignore_kskflag' argument passed to dns_zoneverify_dnssec() is set to false. This means that in order for its verification to succeed, a mirror zone needs to have at least one key with the SEP bit set configured as a trust anchor. This brings no security benefit and prevents zones signed only using keys without the SEP bit set from being mirrored, so change the value of the 'ignore_kskflag' argument passed to dns_zoneverify_dnssec() to true.
2019-02-14 05:03:35 -05:00
nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted DNSKEY found" > /dev/null || ret=1
Log a message when a transferred mirror zone comes into effect Log a message when a mirror zone is successfully transferred and verified, but only if no database for that zone was yet loaded at the time the transfer was initiated. This could have been implemented in a simpler manner, e.g. by modifying zone_replacedb(), but (due to the calling order of the functions involved in finalizing a zone transfer) that would cause the resulting logs to suggest that a mirror zone comes into effect before its transfer is finished, which would be confusing given the nature of mirror zones and the fact that no message is logged upon successful mirror zone verification. Once the dns_zone_replacedb() call in axfr_finalize() is made, it becomes impossible to determine whether the transferred zone had a database attached before the transfer was started. Thus, that check is instead performed when the transfer context is first created and the result of this check is passed around in a field of the transfer context structure. If it turns out to be desired, the relevant log message is then emitted just before the transfer context is freed. Taking this approach means that the log message added by this commit is not timed precisely, i.e. mirror zone data may be used before this message is logged. However, that can only be fixed by logging the message inside zone_replacedb(), which causes arguably more dire issues discussed above. dns_zone_isloaded() is not used to double-check that transferred zone data was correctly loaded since the 'shutdown_result' field of the zone transfer context will not be set to ISC_R_SUCCESS unless axfr_finalize() succeeds (and that in turn will not happen unless dns_zone_replacedb() succeeds).
2019-01-16 09:31:48 -05:00
nextpartpeek ns3/named.run | grep "verify-untrusted.*mirror zone is now in use" > /dev/null && ret=1
Verify mirror zone AXFRs Update axfr_commit() so that all incoming versions of a mirror zone transferred using AXFR are verified before being used. If zone verification fails, discard the received version of the zone, wait until the next refresh and retry.
2018-06-28 07:38:39 -04:00
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Do not check SEP bit for mirror zone trust anchors When a mirror zone is verified, the 'ignore_kskflag' argument passed to dns_zoneverify_dnssec() is set to false. This means that in order for its verification to succeed, a mirror zone needs to have at least one key with the SEP bit set configured as a trust anchor. This brings no security benefit and prevents zones signed only using keys without the SEP bit set from being mirrored, so change the value of the 'ignore_kskflag' argument passed to dns_zoneverify_dnssec() to true.
2019-02-14 05:03:35 -05:00
n=`expr $n + 1`
echo_i "checking that a mirror zone signed using a CSK without the SEP bit set is accepted ($n)"
ret=0
nextpartreset ns3/named.run
wait_for_transfer verify-csk
$DIG $DIGOPTS @10.53.0.3 +norec verify-csk SOA > dig.out.ns3.test$n 2>&1 || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
nextpartpeek ns3/named.run | grep "verify-csk.*mirror zone is now in use" > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Verify mirror zone AXFRs Update axfr_commit() so that all incoming versions of a mirror zone transferred using AXFR are verified before being used. If zone verification fails, discard the received version of the zone, wait until the next refresh and retry.
2018-06-28 07:38:39 -04:00
n=`expr $n + 1`
echo_i "checking that an AXFR of an incorrectly signed mirror zone is rejected ($n)"
ret=0
nextpartreset ns3/named.run
wait_for_transfer verify-axfr
$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
Improve reliability of zone verification checks In the "mirror" system test, ns3 periodically sends trust anchor telemetry queries to ns1 and ns2. It may thus happen that for some non-recursive queries for names inside mirror zones which are not yet loaded, ns3 will be able to synthesize a negative answer from the cached records it obtained from trust anchor telemetry responses. In such cases, NXDOMAIN responses will be sent with the root zone SOA in the AUTHORITY section. Since the root zone used in the "mirror" system test has the same serial number as ns2/verify.db.in and zone verification checks look for the specified serial numbers anywhere in the answer, the test could be broken if different zone names were used. The +noauth dig option could be used to address this weakness, but that would prevent entire responses from being stored for later inspection, which in turn would hamper troubleshooting test failures. Instead, use a different serial number for ns2/verify.db.in than for any other zone used in the "mirror" system test and check the number of records in the ANSWER section of each response.
2019-02-14 04:41:56 -05:00
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
Verify mirror zone AXFRs Update axfr_commit() so that all incoming versions of a mirror zone transferred using AXFR are verified before being used. If zone verification fails, discard the received version of the zone, wait until the next refresh and retry.
2018-06-28 07:38:39 -04:00
grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
Log a message when a transferred mirror zone comes into effect Log a message when a mirror zone is successfully transferred and verified, but only if no database for that zone was yet loaded at the time the transfer was initiated. This could have been implemented in a simpler manner, e.g. by modifying zone_replacedb(), but (due to the calling order of the functions involved in finalizing a zone transfer) that would cause the resulting logs to suggest that a mirror zone comes into effect before its transfer is finished, which would be confusing given the nature of mirror zones and the fact that no message is logged upon successful mirror zone verification. Once the dns_zone_replacedb() call in axfr_finalize() is made, it becomes impossible to determine whether the transferred zone had a database attached before the transfer was started. Thus, that check is instead performed when the transfer context is first created and the result of this check is passed around in a field of the transfer context structure. If it turns out to be desired, the relevant log message is then emitted just before the transfer context is freed. Taking this approach means that the log message added by this commit is not timed precisely, i.e. mirror zone data may be used before this message is logged. However, that can only be fixed by logging the message inside zone_replacedb(), which causes arguably more dire issues discussed above. dns_zone_isloaded() is not used to double-check that transferred zone data was correctly loaded since the 'shutdown_result' field of the zone transfer context will not be set to ISC_R_SUCCESS unless axfr_finalize() succeeds (and that in turn will not happen unless dns_zone_replacedb() succeeds).
2019-01-16 09:31:48 -05:00
nextpartpeek ns3/named.run | grep "No correct RSASHA256 signature for verify-axfr SOA" > /dev/null || ret=1
nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" > /dev/null && ret=1
Verify mirror zone AXFRs Update axfr_commit() so that all incoming versions of a mirror zone transferred using AXFR are verified before being used. If zone verification fails, discard the received version of the zone, wait until the next refresh and retry.
2018-06-28 07:38:39 -04:00
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that an AXFR of an updated, correctly signed mirror zone is accepted ($n)"
ret=0
nextpart ns3/named.run > /dev/null
cat ns2/verify-axfr.db.good.signed > ns2/verify-axfr.db.signed
reload_zone verify-axfr ${UPDATED_SERIAL_GOOD}
$RNDCCMD 10.53.0.3 retransfer verify-axfr > /dev/null 2>&1
wait_for_transfer verify-axfr
$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
Improve reliability of zone verification checks In the "mirror" system test, ns3 periodically sends trust anchor telemetry queries to ns1 and ns2. It may thus happen that for some non-recursive queries for names inside mirror zones which are not yet loaded, ns3 will be able to synthesize a negative answer from the cached records it obtained from trust anchor telemetry responses. In such cases, NXDOMAIN responses will be sent with the root zone SOA in the AUTHORITY section. Since the root zone used in the "mirror" system test has the same serial number as ns2/verify.db.in and zone verification checks look for the specified serial numbers anywhere in the answer, the test could be broken if different zone names were used. The +noauth dig option could be used to address this weakness, but that would prevent entire responses from being stored for later inspection, which in turn would hamper troubleshooting test failures. Instead, use a different serial number for ns2/verify.db.in than for any other zone used in the "mirror" system test and check the number of records in the ANSWER section of each response.
2019-02-14 04:41:56 -05:00
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
Verify mirror zone AXFRs Update axfr_commit() so that all incoming versions of a mirror zone transferred using AXFR are verified before being used. If zone verification fails, discard the received version of the zone, wait until the next refresh and retry.
2018-06-28 07:38:39 -04:00
grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
Log a message when a transferred mirror zone comes into effect Log a message when a mirror zone is successfully transferred and verified, but only if no database for that zone was yet loaded at the time the transfer was initiated. This could have been implemented in a simpler manner, e.g. by modifying zone_replacedb(), but (due to the calling order of the functions involved in finalizing a zone transfer) that would cause the resulting logs to suggest that a mirror zone comes into effect before its transfer is finished, which would be confusing given the nature of mirror zones and the fact that no message is logged upon successful mirror zone verification. Once the dns_zone_replacedb() call in axfr_finalize() is made, it becomes impossible to determine whether the transferred zone had a database attached before the transfer was started. Thus, that check is instead performed when the transfer context is first created and the result of this check is passed around in a field of the transfer context structure. If it turns out to be desired, the relevant log message is then emitted just before the transfer context is freed. Taking this approach means that the log message added by this commit is not timed precisely, i.e. mirror zone data may be used before this message is logged. However, that can only be fixed by logging the message inside zone_replacedb(), which causes arguably more dire issues discussed above. dns_zone_isloaded() is not used to double-check that transferred zone data was correctly loaded since the 'shutdown_result' field of the zone transfer context will not be set to ISC_R_SUCCESS unless axfr_finalize() succeeds (and that in turn will not happen unless dns_zone_replacedb() succeeds).
2019-01-16 09:31:48 -05:00
nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" > /dev/null || ret=1
Verify mirror zone AXFRs Update axfr_commit() so that all incoming versions of a mirror zone transferred using AXFR are verified before being used. If zone verification fails, discard the received version of the zone, wait until the next refresh and retry.
2018-06-28 07:38:39 -04:00
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Verify mirror zone IXFRs Update ixfr_commit() so that all incoming versions of a mirror zone transferred using IXFR are verified before being used.
2018-06-28 07:38:39 -04:00
n=`expr $n + 1`
echo_i "checking that an IXFR of an incorrectly signed mirror zone is rejected ($n)"
nextpartreset ns3/named.run
ret=0
wait_for_transfer verify-ixfr
Prevent races when waiting for log messages The "mirror" system test checks whether log messages announcing a mirror zone coming into effect are emitted properly. However, the helper functions responsible for waiting for zone transfers and zone loading to complete do not wait for these exact log messages, but rather for other ones preceding them, which introduces a possibility of false positives. This problem cannot be addressed by just changing the log message to look for because the test still needs to discern between transferring a zone and loading a zone. Add two new log messages at debug level 99 (which is what named instances used in system tests are configured with) that are to be emitted after the log messages announcing a mirror zone coming into effect. Tweak the aforementioned helper functions to only return once the log messages they originally looked for are followed by the newly added log messages. This reliably prevents races when looking for "mirror zone is now in use" log messages and also enables a workaround previously put into place in the "mirror" system test to be reverted.
2019-02-14 04:41:56 -05:00
# Sanity check: the initial, properly signed version of the zone should have
# been announced as coming into effect.
nextpart ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null || ret=1
Verify mirror zone journals As mirror zone files are verified when they are loaded from disk, verify journal files as well to ensure invalid data is not used. Reuse the journals generated during IXFR tests to test this.
2018-06-28 07:38:39 -04:00
# Make a copy of the original zone file for reuse in journal tests below.
cp ns2/verify-ixfr.db.signed ns3/verify-journal.db.mirror
Verify mirror zone IXFRs Update ixfr_commit() so that all incoming versions of a mirror zone transferred using IXFR are verified before being used.
2018-06-28 07:38:39 -04:00
# Wait 1 second so that the zone file timestamp changes and the subsequent
Prevent races when waiting for log messages The "mirror" system test checks whether log messages announcing a mirror zone coming into effect are emitted properly. However, the helper functions responsible for waiting for zone transfers and zone loading to complete do not wait for these exact log messages, but rather for other ones preceding them, which introduces a possibility of false positives. This problem cannot be addressed by just changing the log message to look for because the test still needs to discern between transferring a zone and loading a zone. Add two new log messages at debug level 99 (which is what named instances used in system tests are configured with) that are to be emitted after the log messages announcing a mirror zone coming into effect. Tweak the aforementioned helper functions to only return once the log messages they originally looked for are followed by the newly added log messages. This reliably prevents races when looking for "mirror zone is now in use" log messages and also enables a workaround previously put into place in the "mirror" system test to be reverted.
2019-02-14 04:41:56 -05:00
# invocation of "rndc reload" triggers a zone reload.
Verify mirror zone IXFRs Update ixfr_commit() so that all incoming versions of a mirror zone transferred using IXFR are verified before being used.
2018-06-28 07:38:39 -04:00
sleep 1
cat ns2/verify-ixfr.db.bad.signed > ns2/verify-ixfr.db.signed
reload_zone verify-ixfr ${UPDATED_SERIAL_BAD}
Verify mirror zone journals As mirror zone files are verified when they are loaded from disk, verify journal files as well to ensure invalid data is not used. Reuse the journals generated during IXFR tests to test this.
2018-06-28 07:38:39 -04:00
# Make a copy of the bad zone journal for reuse in journal tests below.
cp ns2/verify-ixfr.db.signed.jnl ns3/verify-journal.db.bad.mirror.jnl
Verify mirror zone IXFRs Update ixfr_commit() so that all incoming versions of a mirror zone transferred using IXFR are verified before being used.
2018-06-28 07:38:39 -04:00
# Trigger IXFR.
$RNDCCMD 10.53.0.3 refresh verify-ixfr > /dev/null 2>&1
wait_for_transfer verify-ixfr
# Ensure the transfer was incremental as expected.
if [ `nextpartpeek ns3/named.run | grep "verify-ixfr.*got incremental response" | wc -l` -eq 0 ]; then
echo_i "failed: did not get an incremental response"
ret=1
fi
# Ensure the new, bad version of the zone was not accepted.
$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
Improve reliability of zone verification checks In the "mirror" system test, ns3 periodically sends trust anchor telemetry queries to ns1 and ns2. It may thus happen that for some non-recursive queries for names inside mirror zones which are not yet loaded, ns3 will be able to synthesize a negative answer from the cached records it obtained from trust anchor telemetry responses. In such cases, NXDOMAIN responses will be sent with the root zone SOA in the AUTHORITY section. Since the root zone used in the "mirror" system test has the same serial number as ns2/verify.db.in and zone verification checks look for the specified serial numbers anywhere in the answer, the test could be broken if different zone names were used. The +noauth dig option could be used to address this weakness, but that would prevent entire responses from being stored for later inspection, which in turn would hamper troubleshooting test failures. Instead, use a different serial number for ns2/verify.db.in than for any other zone used in the "mirror" system test and check the number of records in the ANSWER section of each response.
2019-02-14 04:41:56 -05:00
# A positive answer is expected as the original version of the "verify-ixfr"
# zone should have been successfully verified.
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
Verify mirror zone IXFRs Update ixfr_commit() so that all incoming versions of a mirror zone transferred using IXFR are verified before being used.
2018-06-28 07:38:39 -04:00
grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
Log a message when a mirror zone becomes unusable Log a message if a mirror zone becomes unusable for the resolver (most usually due to the zone's expiration timer firing). Ensure that verification failures do not cause a mirror zone to be unloaded (instead, its last successfully verified version should be served if it is available).
2019-01-16 09:31:48 -05:00
nextpartpeek ns3/named.run | grep "No correct RSASHA256 signature for verify-ixfr SOA" > /dev/null || ret=1
# Despite the verification failure for this IXFR, this mirror zone should still
# be in use as its previous version should have been verified successfully.
nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is no longer in use" > /dev/null && ret=1
Verify mirror zone IXFRs Update ixfr_commit() so that all incoming versions of a mirror zone transferred using IXFR are verified before being used.
2018-06-28 07:38:39 -04:00
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that an IXFR of an updated, correctly signed mirror zone is accepted after AXFR failover ($n)"
ret=0
nextpart ns3/named.run > /dev/null
# Wait 1 second so that the zone file timestamp changes and the subsequent
# invocation of "rndc reload" triggers a zone reload.
sleep 1
cat ns2/verify-ixfr.db.good.signed > ns2/verify-ixfr.db.signed
reload_zone verify-ixfr ${UPDATED_SERIAL_GOOD}
Verify mirror zone journals As mirror zone files are verified when they are loaded from disk, verify journal files as well to ensure invalid data is not used. Reuse the journals generated during IXFR tests to test this.
2018-06-28 07:38:39 -04:00
# Make a copy of the good zone journal for reuse in journal tests below.
cp ns2/verify-ixfr.db.signed.jnl ns3/verify-journal.db.good.mirror.jnl
Verify mirror zone IXFRs Update ixfr_commit() so that all incoming versions of a mirror zone transferred using IXFR are verified before being used.
2018-06-28 07:38:39 -04:00
# Trigger IXFR.
$RNDCCMD 10.53.0.3 refresh verify-ixfr > /dev/null 2>&1
wait_for_transfer verify-ixfr
# Ensure the new, good version of the zone was accepted.
$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
Improve reliability of zone verification checks In the "mirror" system test, ns3 periodically sends trust anchor telemetry queries to ns1 and ns2. It may thus happen that for some non-recursive queries for names inside mirror zones which are not yet loaded, ns3 will be able to synthesize a negative answer from the cached records it obtained from trust anchor telemetry responses. In such cases, NXDOMAIN responses will be sent with the root zone SOA in the AUTHORITY section. Since the root zone used in the "mirror" system test has the same serial number as ns2/verify.db.in and zone verification checks look for the specified serial numbers anywhere in the answer, the test could be broken if different zone names were used. The +noauth dig option could be used to address this weakness, but that would prevent entire responses from being stored for later inspection, which in turn would hamper troubleshooting test failures. Instead, use a different serial number for ns2/verify.db.in than for any other zone used in the "mirror" system test and check the number of records in the ANSWER section of each response.
2019-02-14 04:41:56 -05:00
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
Verify mirror zone IXFRs Update ixfr_commit() so that all incoming versions of a mirror zone transferred using IXFR are verified before being used.
2018-06-28 07:38:39 -04:00
grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
Log a message when a transferred mirror zone comes into effect Log a message when a mirror zone is successfully transferred and verified, but only if no database for that zone was yet loaded at the time the transfer was initiated. This could have been implemented in a simpler manner, e.g. by modifying zone_replacedb(), but (due to the calling order of the functions involved in finalizing a zone transfer) that would cause the resulting logs to suggest that a mirror zone comes into effect before its transfer is finished, which would be confusing given the nature of mirror zones and the fact that no message is logged upon successful mirror zone verification. Once the dns_zone_replacedb() call in axfr_finalize() is made, it becomes impossible to determine whether the transferred zone had a database attached before the transfer was started. Thus, that check is instead performed when the transfer context is first created and the result of this check is passed around in a field of the transfer context structure. If it turns out to be desired, the relevant log message is then emitted just before the transfer context is freed. Taking this approach means that the log message added by this commit is not timed precisely, i.e. mirror zone data may be used before this message is logged. However, that can only be fixed by logging the message inside zone_replacedb(), which causes arguably more dire issues discussed above. dns_zone_isloaded() is not used to double-check that transferred zone data was correctly loaded since the 'shutdown_result' field of the zone transfer context will not be set to ISC_R_SUCCESS unless axfr_finalize() succeeds (and that in turn will not happen unless dns_zone_replacedb() succeeds).
2019-01-16 09:31:48 -05:00
# The log message announcing the mirror zone coming into effect should not have
# been logged this time since the mirror zone in question is expected to
Log a message when a mirror zone becomes unusable Log a message if a mirror zone becomes unusable for the resolver (most usually due to the zone's expiration timer firing). Ensure that verification failures do not cause a mirror zone to be unloaded (instead, its last successfully verified version should be served if it is available).
2019-01-16 09:31:48 -05:00
# already be in use before this test case is checked.
Log a message when a transferred mirror zone comes into effect Log a message when a mirror zone is successfully transferred and verified, but only if no database for that zone was yet loaded at the time the transfer was initiated. This could have been implemented in a simpler manner, e.g. by modifying zone_replacedb(), but (due to the calling order of the functions involved in finalizing a zone transfer) that would cause the resulting logs to suggest that a mirror zone comes into effect before its transfer is finished, which would be confusing given the nature of mirror zones and the fact that no message is logged upon successful mirror zone verification. Once the dns_zone_replacedb() call in axfr_finalize() is made, it becomes impossible to determine whether the transferred zone had a database attached before the transfer was started. Thus, that check is instead performed when the transfer context is first created and the result of this check is passed around in a field of the transfer context structure. If it turns out to be desired, the relevant log message is then emitted just before the transfer context is freed. Taking this approach means that the log message added by this commit is not timed precisely, i.e. mirror zone data may be used before this message is logged. However, that can only be fixed by logging the message inside zone_replacedb(), which causes arguably more dire issues discussed above. dns_zone_isloaded() is not used to double-check that transferred zone data was correctly loaded since the 'shutdown_result' field of the zone transfer context will not be set to ISC_R_SUCCESS unless axfr_finalize() succeeds (and that in turn will not happen unless dns_zone_replacedb() succeeds).
2019-01-16 09:31:48 -05:00
nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null && ret=1
Verify mirror zone IXFRs Update ixfr_commit() so that all incoming versions of a mirror zone transferred using IXFR are verified before being used.
2018-06-28 07:38:39 -04:00
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Verify mirror zone files loaded from disk Verify data read from mirror zone files before it is used in order to prevent loading corrupt mirror zones from disk.
2018-06-28 07:38:39 -04:00
n=`expr $n + 1`
echo_i "checking that loading an incorrectly signed mirror zone from disk fails ($n)"
ret=0
nextpartreset ns3/named.run
wait_for_load verify-load ${UPDATED_SERIAL_BAD} ns3/named.run
$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA > dig.out.ns3.test$n 2>&1 || ret=1
Improve reliability of zone verification checks In the "mirror" system test, ns3 periodically sends trust anchor telemetry queries to ns1 and ns2. It may thus happen that for some non-recursive queries for names inside mirror zones which are not yet loaded, ns3 will be able to synthesize a negative answer from the cached records it obtained from trust anchor telemetry responses. In such cases, NXDOMAIN responses will be sent with the root zone SOA in the AUTHORITY section. Since the root zone used in the "mirror" system test has the same serial number as ns2/verify.db.in and zone verification checks look for the specified serial numbers anywhere in the answer, the test could be broken if different zone names were used. The +noauth dig option could be used to address this weakness, but that would prevent entire responses from being stored for later inspection, which in turn would hamper troubleshooting test failures. Instead, use a different serial number for ns2/verify.db.in than for any other zone used in the "mirror" system test and check the number of records in the ANSWER section of each response.
2019-02-14 04:41:56 -05:00
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
Verify mirror zone files loaded from disk Verify data read from mirror zone files before it is used in order to prevent loading corrupt mirror zones from disk.
2018-06-28 07:38:39 -04:00
grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
Log a message when a mirror zone loaded from disk comes into effect Log a message when a mirror zone is successfully loaded from disk and subsequently verified. This could have been implemented in a simpler manner, e.g. by modifying an earlier code branch inside zone_postload() which checks whether the zone already has a database attached and calls attachdb() if it does not, but that would cause the resulting logs to indicate that a mirror zone comes into effect before the "loaded serial ..." message is logged, which would be confusing. Tweak some existing sed commands used in the "mirror" system test to ensure that separate test cases comprising it do not break each other.
2019-01-16 09:31:48 -05:00
nextpartpeek ns3/named.run | grep "No correct RSASHA256 signature for verify-load SOA" > /dev/null || ret=1
nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" > /dev/null && ret=1
Verify mirror zone files loaded from disk Verify data read from mirror zone files before it is used in order to prevent loading corrupt mirror zones from disk.
2018-06-28 07:38:39 -04:00
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Increase TAT query interval Currently, ns3 in the "mirror" system test sends trust anchor telemetry queries every second as it is started with "-T tat=1". Given the number of trust anchors configured on ns3 (9), TAT-related traffic clutters up log files, hindering troubleshooting efforts. Increase TAT query interval to 3 seconds in order to alleviate the issue. Note that the interval chosen cannot be much higher if intermittent test failures are to be avoided: TAT queries are only sent after the configured number of seconds passes since resolver startup. Quick experiments show that even on contemporary hardware, ns3 should be running for at least 5 seconds before it is first shut down, so a 3-second TAT query interval seems to be a reasonable, future-proof compromise. Ensure the relevant check is performed before ns3 is first shut down to emphasize this trade-off and make it more clear by what time TAT queries are expected to be sent.
2019-03-20 04:50:35 -04:00
n=`expr $n + 1`
echo_i "ensuring trust anchor telemetry queries are sent upstream for a mirror zone ($n)"
ret=0
# ns3 is started with "-T tat=3", so TAT queries should have already been sent.
grep "_ta-[-0-9a-f]*/NULL" ns1/named.run > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Verify mirror zone files loaded from disk Verify data read from mirror zone files before it is used in order to prevent loading corrupt mirror zones from disk.
2018-06-28 07:38:39 -04:00
n=`expr $n + 1`
echo_i "checking that loading a correctly signed mirror zone from disk succeeds ($n)"
ret=0
Make calls to the stop.pl always use the test name instead of '.'
2018-12-03 07:14:32 -05:00
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mirror ns3
Verify mirror zone files loaded from disk Verify data read from mirror zone files before it is used in order to prevent loading corrupt mirror zones from disk.
2018-06-28 07:38:39 -04:00
cat ns2/verify-load.db.good.signed > ns3/verify-load.db.mirror
nextpart ns3/named.run > /dev/null
Make calls to the start.pl always use the test name instead of '.'
2018-12-03 06:29:39 -05:00
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mirror ns3
Verify mirror zone files loaded from disk Verify data read from mirror zone files before it is used in order to prevent loading corrupt mirror zones from disk.
2018-06-28 07:38:39 -04:00
wait_for_load verify-load ${UPDATED_SERIAL_GOOD} ns3/named.run
$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA > dig.out.ns3.test$n 2>&1 || ret=1
Improve reliability of zone verification checks In the "mirror" system test, ns3 periodically sends trust anchor telemetry queries to ns1 and ns2. It may thus happen that for some non-recursive queries for names inside mirror zones which are not yet loaded, ns3 will be able to synthesize a negative answer from the cached records it obtained from trust anchor telemetry responses. In such cases, NXDOMAIN responses will be sent with the root zone SOA in the AUTHORITY section. Since the root zone used in the "mirror" system test has the same serial number as ns2/verify.db.in and zone verification checks look for the specified serial numbers anywhere in the answer, the test could be broken if different zone names were used. The +noauth dig option could be used to address this weakness, but that would prevent entire responses from being stored for later inspection, which in turn would hamper troubleshooting test failures. Instead, use a different serial number for ns2/verify.db.in than for any other zone used in the "mirror" system test and check the number of records in the ANSWER section of each response.
2019-02-14 04:41:56 -05:00
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
Verify mirror zone files loaded from disk Verify data read from mirror zone files before it is used in order to prevent loading corrupt mirror zones from disk.
2018-06-28 07:38:39 -04:00
grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
Log a message when a mirror zone loaded from disk comes into effect Log a message when a mirror zone is successfully loaded from disk and subsequently verified. This could have been implemented in a simpler manner, e.g. by modifying an earlier code branch inside zone_postload() which checks whether the zone already has a database attached and calls attachdb() if it does not, but that would cause the resulting logs to indicate that a mirror zone comes into effect before the "loaded serial ..." message is logged, which would be confusing. Tweak some existing sed commands used in the "mirror" system test to ensure that separate test cases comprising it do not break each other.
2019-01-16 09:31:48 -05:00
nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" > /dev/null || ret=1
Verify mirror zone files loaded from disk Verify data read from mirror zone files before it is used in order to prevent loading corrupt mirror zones from disk.
2018-06-28 07:38:39 -04:00
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Verify mirror zone journals As mirror zone files are verified when they are loaded from disk, verify journal files as well to ensure invalid data is not used. Reuse the journals generated during IXFR tests to test this.
2018-06-28 07:38:39 -04:00
n=`expr $n + 1`
echo_i "checking that loading a journal for an incorrectly signed mirror zone fails ($n)"
ret=0
Make calls to the stop.pl always use the test name instead of '.'
2018-12-03 07:14:32 -05:00
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mirror ns3
Verify mirror zone journals As mirror zone files are verified when they are loaded from disk, verify journal files as well to ensure invalid data is not used. Reuse the journals generated during IXFR tests to test this.
2018-06-28 07:38:39 -04:00
cp ns3/verify-journal.db.mirror ns3/verify-ixfr.db.mirror
cp ns3/verify-journal.db.bad.mirror.jnl ns3/verify-ixfr.db.mirror.jnl
Log a message when a mirror zone loaded from disk comes into effect Log a message when a mirror zone is successfully loaded from disk and subsequently verified. This could have been implemented in a simpler manner, e.g. by modifying an earlier code branch inside zone_postload() which checks whether the zone already has a database attached and calls attachdb() if it does not, but that would cause the resulting logs to indicate that a mirror zone comes into effect before the "loaded serial ..." message is logged, which would be confusing. Tweak some existing sed commands used in the "mirror" system test to ensure that separate test cases comprising it do not break each other.
2019-01-16 09:31:48 -05:00
# Temporarily disable transfers of the "verify-ixfr" zone on ns2. This is
# required to reliably test whether the message announcing the mirror zone
# coming into effect is not logged after a failed journal verification since
# otherwise a corrected version of the zone may be transferred after
# verification fails but before we look for the aforementioned log message.
# (NOTE: Keep the embedded newline in the sed function list below.)
sed '/^zone "verify-ixfr" {$/,/^};$/ {
s/10.53.0.3/10.53.0.254/
}' ns2/named.conf > ns2/named.conf.modified
mv ns2/named.conf.modified ns2/named.conf
rndc_reconfig ns2 10.53.0.2
Verify mirror zone journals As mirror zone files are verified when they are loaded from disk, verify journal files as well to ensure invalid data is not used. Reuse the journals generated during IXFR tests to test this.
2018-06-28 07:38:39 -04:00
nextpart ns3/named.run > /dev/null
Make calls to the start.pl always use the test name instead of '.'
2018-12-03 06:29:39 -05:00
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mirror ns3
Verify mirror zone journals As mirror zone files are verified when they are loaded from disk, verify journal files as well to ensure invalid data is not used. Reuse the journals generated during IXFR tests to test this.
2018-06-28 07:38:39 -04:00
wait_for_load verify-ixfr ${UPDATED_SERIAL_BAD} ns3/named.run
$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
Improve reliability of zone verification checks In the "mirror" system test, ns3 periodically sends trust anchor telemetry queries to ns1 and ns2. It may thus happen that for some non-recursive queries for names inside mirror zones which are not yet loaded, ns3 will be able to synthesize a negative answer from the cached records it obtained from trust anchor telemetry responses. In such cases, NXDOMAIN responses will be sent with the root zone SOA in the AUTHORITY section. Since the root zone used in the "mirror" system test has the same serial number as ns2/verify.db.in and zone verification checks look for the specified serial numbers anywhere in the answer, the test could be broken if different zone names were used. The +noauth dig option could be used to address this weakness, but that would prevent entire responses from being stored for later inspection, which in turn would hamper troubleshooting test failures. Instead, use a different serial number for ns2/verify.db.in than for any other zone used in the "mirror" system test and check the number of records in the ANSWER section of each response.
2019-02-14 04:41:56 -05:00
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
Verify mirror zone journals As mirror zone files are verified when they are loaded from disk, verify journal files as well to ensure invalid data is not used. Reuse the journals generated during IXFR tests to test this.
2018-06-28 07:38:39 -04:00
grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
Log a message when a mirror zone loaded from disk comes into effect Log a message when a mirror zone is successfully loaded from disk and subsequently verified. This could have been implemented in a simpler manner, e.g. by modifying an earlier code branch inside zone_postload() which checks whether the zone already has a database attached and calls attachdb() if it does not, but that would cause the resulting logs to indicate that a mirror zone comes into effect before the "loaded serial ..." message is logged, which would be confusing. Tweak some existing sed commands used in the "mirror" system test to ensure that separate test cases comprising it do not break each other.
2019-01-16 09:31:48 -05:00
nextpartpeek ns3/named.run | grep "No correct RSASHA256 signature for verify-ixfr SOA" > /dev/null || ret=1
nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null && ret=1
# Restore transfers for the "verify-ixfr" zone on ns2.
# (NOTE: Keep the embedded newline in the sed function list below.)
sed '/^zone "verify-ixfr" {$/,/^};$/ {
s/10.53.0.254/10.53.0.3/
}' ns2/named.conf > ns2/named.conf.modified
mv ns2/named.conf.modified ns2/named.conf
rndc_reconfig ns2 10.53.0.2
Verify mirror zone journals As mirror zone files are verified when they are loaded from disk, verify journal files as well to ensure invalid data is not used. Reuse the journals generated during IXFR tests to test this.
2018-06-28 07:38:39 -04:00
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that loading a journal for a correctly signed mirror zone succeeds ($n)"
ret=0
Make calls to the stop.pl always use the test name instead of '.'
2018-12-03 07:14:32 -05:00
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mirror ns3
Verify mirror zone journals As mirror zone files are verified when they are loaded from disk, verify journal files as well to ensure invalid data is not used. Reuse the journals generated during IXFR tests to test this.
2018-06-28 07:38:39 -04:00
cp ns3/verify-journal.db.mirror ns3/verify-ixfr.db.mirror
cp ns3/verify-journal.db.good.mirror.jnl ns3/verify-ixfr.db.mirror.jnl
nextpart ns3/named.run > /dev/null
Make calls to the start.pl always use the test name instead of '.'
2018-12-03 06:29:39 -05:00
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mirror ns3
Verify mirror zone journals As mirror zone files are verified when they are loaded from disk, verify journal files as well to ensure invalid data is not used. Reuse the journals generated during IXFR tests to test this.
2018-06-28 07:38:39 -04:00
wait_for_load verify-ixfr ${UPDATED_SERIAL_GOOD} ns3/named.run
$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
Improve reliability of zone verification checks In the "mirror" system test, ns3 periodically sends trust anchor telemetry queries to ns1 and ns2. It may thus happen that for some non-recursive queries for names inside mirror zones which are not yet loaded, ns3 will be able to synthesize a negative answer from the cached records it obtained from trust anchor telemetry responses. In such cases, NXDOMAIN responses will be sent with the root zone SOA in the AUTHORITY section. Since the root zone used in the "mirror" system test has the same serial number as ns2/verify.db.in and zone verification checks look for the specified serial numbers anywhere in the answer, the test could be broken if different zone names were used. The +noauth dig option could be used to address this weakness, but that would prevent entire responses from being stored for later inspection, which in turn would hamper troubleshooting test failures. Instead, use a different serial number for ns2/verify.db.in than for any other zone used in the "mirror" system test and check the number of records in the ANSWER section of each response.
2019-02-14 04:41:56 -05:00
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
Verify mirror zone journals As mirror zone files are verified when they are loaded from disk, verify journal files as well to ensure invalid data is not used. Reuse the journals generated during IXFR tests to test this.
2018-06-28 07:38:39 -04:00
grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
Log a message when a mirror zone loaded from disk comes into effect Log a message when a mirror zone is successfully loaded from disk and subsequently verified. This could have been implemented in a simpler manner, e.g. by modifying an earlier code branch inside zone_postload() which checks whether the zone already has a database attached and calls attachdb() if it does not, but that would cause the resulting logs to indicate that a mirror zone comes into effect before the "loaded serial ..." message is logged, which would be confusing. Tweak some existing sed commands used in the "mirror" system test to ensure that separate test cases comprising it do not break each other.
2019-01-16 09:31:48 -05:00
nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null || ret=1
Verify mirror zone journals As mirror zone files are verified when they are loaded from disk, verify journal files as well to ensure invalid data is not used. Reuse the journals generated during IXFR tests to test this.
2018-06-28 07:38:39 -04:00
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Restore zone database and zone node if cache search results are to be ignored When query processing hits a delegation from a locally configured zone, an attempt may be made to look for a better answer in the cache. In such a case, the zone-sourced delegation data is set aside and the lookup is retried using the cache database. When that lookup is completed, a decision is made whether the answer found in the cache is better than the answer found in the zone. Currently, if the zone-sourced answer turns out to be better than the one found in the cache: - qctx->zdb is not restored into qctx->db, - qctx->node, holding the zone database node found, is not even saved. Thus, in such a case both qctx->db and qctx->node will point at cache data. This is not an issue for BIND versions which do not support mirror zones because in these versions non-recursive queries always cause the zone-sourced delegation to be returned and thus the non-recursive part of query_delegation() is never reached if the delegation is coming from a zone. With mirror zones, however, non-recursive queries may cause cache lookups even after a zone delegation is found. Leaving qctx->db assigned to the cache database when query_delegation() determines that the zone-sourced delegation is the best answer to the client's query prevents DS records from being added to delegations coming from mirror zones. Fix this issue by keeping the zone database and zone node in qctx while the cache is searched for an answer and then restoring them into qctx->db and qctx->node, respectively, if the zone-sourced delegation turns out to be the best answer. Since this change means that qctx->zdb cannot be used as the glue database any more as it will be reset to NULL by RESTORE(), ensure that qctx->db is not a cache database before attaching it to qctx->client->query.gluedb. Furthermore, current code contains a conditional statement which prevents a mirror zone from being used as a source of glue records. Said statement was added to prevent assertion failures caused by attempting to use a zone database's glue cache for finding glue for an NS RRset coming from a cache database. However, that check is overly strict since it completely prevents glue from being added to delegations coming from mirror zones. With the changes described above in place, the scenario this check was preventing can no longer happen, so remove the aforementioned check. If qctx->zdb is not NULL, qctx->zfname will also not be NULL; qctx->zsigrdataset may be NULL in such a case, but query_putrdataset() handles pointers to NULL pointers gracefully. Remove redundant conditional expressions to make the cleanup code in query_freedata() match the corresponding sequences of SAVE() / RESTORE() macros more closely.
2018-08-08 01:56:29 -04:00
n=`expr $n + 1`
echo_i "checking delegations sourced from a mirror zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 foo.example A +norec > dig.out.ns3.test$n 2>&1 || ret=1
# Check response code and flags in the answer.
grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.* ad" dig.out.ns3.test$n > /dev/null && ret=1
# Check that a delegation containing a DS RRset and glue is present.
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
grep "example.*IN.*NS" dig.out.ns3.test$n > /dev/null || ret=1
grep "example.*IN.*DS" dig.out.ns3.test$n > /dev/null || ret=1
grep "ns2.example.*A.*10.53.0.2" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Perform basic resolution checks with a mirror zone in use Make ns3 mirror the "root" zone from ns1 and query the former for a properly signed record below the root. Ensure ns1 is not queried during resolution and that the AD bit is set in the response.
2018-06-28 07:38:39 -04:00
n=`expr $n + 1`
echo_i "checking that resolution involving a mirror zone works as expected ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 foo.example A > dig.out.ns3.test$n 2>&1 || ret=1
# Check response code and flags in the answer.
grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
# Ensure ns1 was not queried.
grep "query 'foo.example/A/IN'" ns1/named.run > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Ensure delegations inside mirror zones are properly handled for non-recursive queries When a resolver is a regular slave (i.e. not a mirror) for some zone, non-recursive queries for names below that slaved zone will return a delegation sourced from it. This behavior is suboptimal for mirror zones as their contents should rather be treated as validated, cached DNS responses. Modify query_delegation() and query_zone_delegation() to permit clients allowed cache access to check its contents for a better answer when responding to non-recursive queries.
2018-06-28 07:38:39 -04:00
n=`expr $n + 1`
echo_i "checking that non-recursive queries for names below mirror zone get responded from cache ($n)"
ret=0
# Issue a non-recursive query for an RRset which is expected to be in cache.
$DIG $DIGOPTS @10.53.0.3 +norec foo.example. A > dig.out.ns3.test$n 2>&1 || ret=1
# Check response code and flags in the answer.
grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
# Ensure the response is not a delegation.
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
grep "foo.example.*IN.*A.*127.0.0.1" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that delegations from cache which improve mirror zone delegations are properly handled ($n)"
ret=0
# First, issue a recursive query in order to cache an RRset which is not within
# the mirror zone's bailiwick.
$DIG $DIGOPTS @10.53.0.3 sub.example. NS > dig.out.ns3.test$n.1 2>&1 || ret=1
# Ensure the child-side NS RRset is returned.
grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1
Restore zone database and zone node if cache search results are to be ignored When query processing hits a delegation from a locally configured zone, an attempt may be made to look for a better answer in the cache. In such a case, the zone-sourced delegation data is set aside and the lookup is retried using the cache database. When that lookup is completed, a decision is made whether the answer found in the cache is better than the answer found in the zone. Currently, if the zone-sourced answer turns out to be better than the one found in the cache: - qctx->zdb is not restored into qctx->db, - qctx->node, holding the zone database node found, is not even saved. Thus, in such a case both qctx->db and qctx->node will point at cache data. This is not an issue for BIND versions which do not support mirror zones because in these versions non-recursive queries always cause the zone-sourced delegation to be returned and thus the non-recursive part of query_delegation() is never reached if the delegation is coming from a zone. With mirror zones, however, non-recursive queries may cause cache lookups even after a zone delegation is found. Leaving qctx->db assigned to the cache database when query_delegation() determines that the zone-sourced delegation is the best answer to the client's query prevents DS records from being added to delegations coming from mirror zones. Fix this issue by keeping the zone database and zone node in qctx while the cache is searched for an answer and then restoring them into qctx->db and qctx->node, respectively, if the zone-sourced delegation turns out to be the best answer. Since this change means that qctx->zdb cannot be used as the glue database any more as it will be reset to NULL by RESTORE(), ensure that qctx->db is not a cache database before attaching it to qctx->client->query.gluedb. Furthermore, current code contains a conditional statement which prevents a mirror zone from being used as a source of glue records. Said statement was added to prevent assertion failures caused by attempting to use a zone database's glue cache for finding glue for an NS RRset coming from a cache database. However, that check is overly strict since it completely prevents glue from being added to delegations coming from mirror zones. With the changes described above in place, the scenario this check was preventing can no longer happen, so remove the aforementioned check. If qctx->zdb is not NULL, qctx->zfname will also not be NULL; qctx->zsigrdataset may be NULL in such a case, but query_putrdataset() handles pointers to NULL pointers gracefully. Remove redundant conditional expressions to make the cleanup code in query_freedata() match the corresponding sequences of SAVE() / RESTORE() macros more closely.
2018-08-08 01:56:29 -04:00
grep "ANSWER: 2" dig.out.ns3.test$n.1 > /dev/null || ret=1
Ensure delegations inside mirror zones are properly handled for non-recursive queries When a resolver is a regular slave (i.e. not a mirror) for some zone, non-recursive queries for names below that slaved zone will return a delegation sourced from it. This behavior is suboptimal for mirror zones as their contents should rather be treated as validated, cached DNS responses. Modify query_delegation() and query_zone_delegation() to permit clients allowed cache access to check its contents for a better answer when responding to non-recursive queries.
2018-06-28 07:38:39 -04:00
grep "sub.example.*IN.*NS" dig.out.ns3.test$n.1 > /dev/null || ret=1
# Issue a non-recursive query for something below the cached zone cut.
$DIG $DIGOPTS @10.53.0.3 +norec foo.sub.example. A > dig.out.ns3.test$n.2 2>&1 || ret=1
Restore zone database and zone node if cache search results are to be ignored When query processing hits a delegation from a locally configured zone, an attempt may be made to look for a better answer in the cache. In such a case, the zone-sourced delegation data is set aside and the lookup is retried using the cache database. When that lookup is completed, a decision is made whether the answer found in the cache is better than the answer found in the zone. Currently, if the zone-sourced answer turns out to be better than the one found in the cache: - qctx->zdb is not restored into qctx->db, - qctx->node, holding the zone database node found, is not even saved. Thus, in such a case both qctx->db and qctx->node will point at cache data. This is not an issue for BIND versions which do not support mirror zones because in these versions non-recursive queries always cause the zone-sourced delegation to be returned and thus the non-recursive part of query_delegation() is never reached if the delegation is coming from a zone. With mirror zones, however, non-recursive queries may cause cache lookups even after a zone delegation is found. Leaving qctx->db assigned to the cache database when query_delegation() determines that the zone-sourced delegation is the best answer to the client's query prevents DS records from being added to delegations coming from mirror zones. Fix this issue by keeping the zone database and zone node in qctx while the cache is searched for an answer and then restoring them into qctx->db and qctx->node, respectively, if the zone-sourced delegation turns out to be the best answer. Since this change means that qctx->zdb cannot be used as the glue database any more as it will be reset to NULL by RESTORE(), ensure that qctx->db is not a cache database before attaching it to qctx->client->query.gluedb. Furthermore, current code contains a conditional statement which prevents a mirror zone from being used as a source of glue records. Said statement was added to prevent assertion failures caused by attempting to use a zone database's glue cache for finding glue for an NS RRset coming from a cache database. However, that check is overly strict since it completely prevents glue from being added to delegations coming from mirror zones. With the changes described above in place, the scenario this check was preventing can no longer happen, so remove the aforementioned check. If qctx->zdb is not NULL, qctx->zfname will also not be NULL; qctx->zsigrdataset may be NULL in such a case, but query_putrdataset() handles pointers to NULL pointers gracefully. Remove redundant conditional expressions to make the cleanup code in query_freedata() match the corresponding sequences of SAVE() / RESTORE() macros more closely.
2018-08-08 01:56:29 -04:00
# Ensure the cached NS RRset is returned in a delegation, along with the
# parent-side DS RRset.
Ensure delegations inside mirror zones are properly handled for non-recursive queries When a resolver is a regular slave (i.e. not a mirror) for some zone, non-recursive queries for names below that slaved zone will return a delegation sourced from it. This behavior is suboptimal for mirror zones as their contents should rather be treated as validated, cached DNS responses. Modify query_delegation() and query_zone_delegation() to permit clients allowed cache access to check its contents for a better answer when responding to non-recursive queries.
2018-06-28 07:38:39 -04:00
grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n.2 > /dev/null || ret=1
grep "sub.example.*IN.*NS" dig.out.ns3.test$n.2 > /dev/null || ret=1
Restore zone database and zone node if cache search results are to be ignored When query processing hits a delegation from a locally configured zone, an attempt may be made to look for a better answer in the cache. In such a case, the zone-sourced delegation data is set aside and the lookup is retried using the cache database. When that lookup is completed, a decision is made whether the answer found in the cache is better than the answer found in the zone. Currently, if the zone-sourced answer turns out to be better than the one found in the cache: - qctx->zdb is not restored into qctx->db, - qctx->node, holding the zone database node found, is not even saved. Thus, in such a case both qctx->db and qctx->node will point at cache data. This is not an issue for BIND versions which do not support mirror zones because in these versions non-recursive queries always cause the zone-sourced delegation to be returned and thus the non-recursive part of query_delegation() is never reached if the delegation is coming from a zone. With mirror zones, however, non-recursive queries may cause cache lookups even after a zone delegation is found. Leaving qctx->db assigned to the cache database when query_delegation() determines that the zone-sourced delegation is the best answer to the client's query prevents DS records from being added to delegations coming from mirror zones. Fix this issue by keeping the zone database and zone node in qctx while the cache is searched for an answer and then restoring them into qctx->db and qctx->node, respectively, if the zone-sourced delegation turns out to be the best answer. Since this change means that qctx->zdb cannot be used as the glue database any more as it will be reset to NULL by RESTORE(), ensure that qctx->db is not a cache database before attaching it to qctx->client->query.gluedb. Furthermore, current code contains a conditional statement which prevents a mirror zone from being used as a source of glue records. Said statement was added to prevent assertion failures caused by attempting to use a zone database's glue cache for finding glue for an NS RRset coming from a cache database. However, that check is overly strict since it completely prevents glue from being added to delegations coming from mirror zones. With the changes described above in place, the scenario this check was preventing can no longer happen, so remove the aforementioned check. If qctx->zdb is not NULL, qctx->zfname will also not be NULL; qctx->zsigrdataset may be NULL in such a case, but query_putrdataset() handles pointers to NULL pointers gracefully. Remove redundant conditional expressions to make the cleanup code in query_freedata() match the corresponding sequences of SAVE() / RESTORE() macros more closely.
2018-08-08 01:56:29 -04:00
grep "sub.example.*IN.*DS" dig.out.ns3.test$n.2 > /dev/null || ret=1
Ensure delegations inside mirror zones are properly handled for non-recursive queries When a resolver is a regular slave (i.e. not a mirror) for some zone, non-recursive queries for names below that slaved zone will return a delegation sourced from it. This behavior is suboptimal for mirror zones as their contents should rather be treated as validated, cached DNS responses. Modify query_delegation() and query_zone_delegation() to permit clients allowed cache access to check its contents for a better answer when responding to non-recursive queries.
2018-06-28 07:38:39 -04:00
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Do not treat mirror zone data as authoritative Section 4 of RFC 7706 suggests that responses sourced from a local copy of a zone should not have the AA bit set. Follow that recommendation by setting 'qctx->authoritative' to ISC_FALSE when a response to a query is coming from a mirror zone.
2018-06-28 07:38:39 -04:00
n=`expr $n + 1`
Ensure responses sourced from mirror zones have the AD bit set Zone RRsets are assigned trust level "ultimate" upon load, which causes the AD bit to not be set in responses coming from slave zones, including mirror zones. Make dns_zoneverify_dnssec() update the trust level of verified RRsets to "secure" so that the AD bit is set in such responses. No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in case of any DNSSEC failure, which causes the mirror zone version being verified to be discarded.
2018-06-28 07:38:39 -04:00
echo_i "checking flags set in a DNSKEY response sourced from a mirror zone ($n)"
Do not treat mirror zone data as authoritative Section 4 of RFC 7706 suggests that responses sourced from a local copy of a zone should not have the AA bit set. Follow that recommendation by setting 'qctx->authoritative' to ISC_FALSE when a response to a query is coming from a mirror zone.
2018-06-28 07:38:39 -04:00
ret=0
$DIG $DIGOPTS @10.53.0.3 . DNSKEY > dig.out.ns3.test$n 2>&1 || ret=1
# Check response code and flags in the answer.
grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
Ensure responses sourced from mirror zones have the AD bit set Zone RRsets are assigned trust level "ultimate" upon load, which causes the AD bit to not be set in responses coming from slave zones, including mirror zones. Make dns_zoneverify_dnssec() update the trust level of verified RRsets to "secure" so that the AD bit is set in such responses. No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in case of any DNSSEC failure, which causes the mirror zone version being verified to be discarded.
2018-06-28 07:38:39 -04:00
grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking flags set in a SOA response sourced from a mirror zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 . SOA > dig.out.ns3.test$n 2>&1 || ret=1
# Check response code and flags in the answer.
grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
Do not treat mirror zone data as authoritative Section 4 of RFC 7706 suggests that responses sourced from a local copy of a zone should not have the AA bit set. Follow that recommendation by setting 'qctx->authoritative' to ISC_FALSE when a response to a query is coming from a mirror zone.
2018-06-28 07:38:39 -04:00
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Fall back to normal recursion when mirror zone data is unavailable If transferring or loading a mirror zone fails, resolution should still succeed by means of falling back to regular recursive queries. Currently, though, if a slave zone is present in the zone table and not loaded, a SERVFAIL response is generated. Thus, mirror zones need special handling in this regard. Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a domain name is looked up rather than a zone itself. Handle that flag in dns_zt_find() in such a way that a mirror zone which is expired or not yet loaded is ignored when looking up domain names, but still possible to find when the caller wants to know whether the zone is configured. This causes a fallback to recursion when mirror zone data is unavailable without making unloaded mirror zones invisible to code checking a zone's existence.
2018-06-28 07:38:39 -04:00
n=`expr $n + 1`
echo_i "checking that resolution succeeds with unavailable mirror zone data ($n)"
ret=0
wait_for_transfer initially-unavailable
# Query for a record in a zone that is set up to be mirrored, but
# untransferrable from the configured master. Resolution should still succeed.
$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n.1 2>&1 || ret=1
# Check response code and flags in the answer.
grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1
grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1
# Sanity check: the authoritative server should have been queried.
nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null || ret=1
# Reconfigure ns2 so that the zone can be mirrored on ns3.
Log a message when a mirror zone loaded from disk comes into effect Log a message when a mirror zone is successfully loaded from disk and subsequently verified. This could have been implemented in a simpler manner, e.g. by modifying an earlier code branch inside zone_postload() which checks whether the zone already has a database attached and calls attachdb() if it does not, but that would cause the resulting logs to indicate that a mirror zone comes into effect before the "loaded serial ..." message is logged, which would be confusing. Tweak some existing sed commands used in the "mirror" system test to ensure that separate test cases comprising it do not break each other.
2019-01-16 09:31:48 -05:00
sed '/^zone "initially-unavailable" {$/,/^};$/ {
s/10.53.0.254/10.53.0.3/
}' ns2/named.conf > ns2/named.conf.modified
Fall back to normal recursion when mirror zone data is unavailable If transferring or loading a mirror zone fails, resolution should still succeed by means of falling back to regular recursive queries. Currently, though, if a slave zone is present in the zone table and not loaded, a SERVFAIL response is generated. Thus, mirror zones need special handling in this regard. Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a domain name is looked up rather than a zone itself. Handle that flag in dns_zt_find() in such a way that a mirror zone which is expired or not yet loaded is ignored when looking up domain names, but still possible to find when the caller wants to know whether the zone is configured. This causes a fallback to recursion when mirror zone data is unavailable without making unloaded mirror zones invisible to code checking a zone's existence.
2018-06-28 07:38:39 -04:00
mv ns2/named.conf.modified ns2/named.conf
Use rndc_reload in tests, make sure that reload is complete before continuing
2018-12-11 06:59:11 -05:00
rndc_reconfig ns2 10.53.0.2
Fall back to normal recursion when mirror zone data is unavailable If transferring or loading a mirror zone fails, resolution should still succeed by means of falling back to regular recursive queries. Currently, though, if a slave zone is present in the zone table and not loaded, a SERVFAIL response is generated. Thus, mirror zones need special handling in this regard. Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a domain name is looked up rather than a zone itself. Handle that flag in dns_zt_find() in such a way that a mirror zone which is expired or not yet loaded is ignored when looking up domain names, but still possible to find when the caller wants to know whether the zone is configured. This causes a fallback to recursion when mirror zone data is unavailable without making unloaded mirror zones invisible to code checking a zone's existence.
2018-06-28 07:38:39 -04:00
# Flush the cache on ns3 and retransfer the mirror zone.
$RNDCCMD 10.53.0.3 flush > /dev/null 2>&1
nextpart ns3/named.run > /dev/null
$RNDCCMD 10.53.0.3 retransfer initially-unavailable > /dev/null 2>&1
wait_for_transfer initially-unavailable
# Query for the same record again. Resolution should still succeed.
$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n.2 2>&1 || ret=1
# Check response code and flags in the answer.
grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1
grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null || ret=1
# Ensure the authoritative server was not queried.
nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that resolution succeeds with expired mirror zone data ($n)"
ret=0
# Reconfigure ns2 so that the zone from the previous test can no longer be
# mirrored on ns3.
Log a message when a mirror zone loaded from disk comes into effect Log a message when a mirror zone is successfully loaded from disk and subsequently verified. This could have been implemented in a simpler manner, e.g. by modifying an earlier code branch inside zone_postload() which checks whether the zone already has a database attached and calls attachdb() if it does not, but that would cause the resulting logs to indicate that a mirror zone comes into effect before the "loaded serial ..." message is logged, which would be confusing. Tweak some existing sed commands used in the "mirror" system test to ensure that separate test cases comprising it do not break each other.
2019-01-16 09:31:48 -05:00
sed '/^zone "initially-unavailable" {$/,/^};$/ {
s/10.53.0.3/10.53.0.254/
}' ns2/named.conf > ns2/named.conf.modified
Fall back to normal recursion when mirror zone data is unavailable If transferring or loading a mirror zone fails, resolution should still succeed by means of falling back to regular recursive queries. Currently, though, if a slave zone is present in the zone table and not loaded, a SERVFAIL response is generated. Thus, mirror zones need special handling in this regard. Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a domain name is looked up rather than a zone itself. Handle that flag in dns_zt_find() in such a way that a mirror zone which is expired or not yet loaded is ignored when looking up domain names, but still possible to find when the caller wants to know whether the zone is configured. This causes a fallback to recursion when mirror zone data is unavailable without making unloaded mirror zones invisible to code checking a zone's existence.
2018-06-28 07:38:39 -04:00
mv ns2/named.conf.modified ns2/named.conf
Use rndc_reload in tests, make sure that reload is complete before continuing
2018-12-11 06:59:11 -05:00
rndc_reconfig ns2 10.53.0.2
Fall back to normal recursion when mirror zone data is unavailable If transferring or loading a mirror zone fails, resolution should still succeed by means of falling back to regular recursive queries. Currently, though, if a slave zone is present in the zone table and not loaded, a SERVFAIL response is generated. Thus, mirror zones need special handling in this regard. Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a domain name is looked up rather than a zone itself. Handle that flag in dns_zt_find() in such a way that a mirror zone which is expired or not yet loaded is ignored when looking up domain names, but still possible to find when the caller wants to know whether the zone is configured. This causes a fallback to recursion when mirror zone data is unavailable without making unloaded mirror zones invisible to code checking a zone's existence.
2018-06-28 07:38:39 -04:00
# Stop ns3, update the timestamp of the zone file to one far in the past, then
# restart ns3.
Make calls to the stop.pl always use the test name instead of '.'
2018-12-03 07:14:32 -05:00
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mirror ns3
Fall back to normal recursion when mirror zone data is unavailable If transferring or loading a mirror zone fails, resolution should still succeed by means of falling back to regular recursive queries. Currently, though, if a slave zone is present in the zone table and not loaded, a SERVFAIL response is generated. Thus, mirror zones need special handling in this regard. Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a domain name is looked up rather than a zone itself. Handle that flag in dns_zt_find() in such a way that a mirror zone which is expired or not yet loaded is ignored when looking up domain names, but still possible to find when the caller wants to know whether the zone is configured. This causes a fallback to recursion when mirror zone data is unavailable without making unloaded mirror zones invisible to code checking a zone's existence.
2018-06-28 07:38:39 -04:00
touch -t 200001010000 ns3/initially-unavailable.db.mirror
nextpart ns3/named.run > /dev/null
Make calls to the start.pl always use the test name instead of '.'
2018-12-03 06:29:39 -05:00
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mirror ns3
Fall back to normal recursion when mirror zone data is unavailable If transferring or loading a mirror zone fails, resolution should still succeed by means of falling back to regular recursive queries. Currently, though, if a slave zone is present in the zone table and not loaded, a SERVFAIL response is generated. Thus, mirror zones need special handling in this regard. Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a domain name is looked up rather than a zone itself. Handle that flag in dns_zt_find() in such a way that a mirror zone which is expired or not yet loaded is ignored when looking up domain names, but still possible to find when the caller wants to know whether the zone is configured. This causes a fallback to recursion when mirror zone data is unavailable without making unloaded mirror zones invisible to code checking a zone's existence.
2018-06-28 07:38:39 -04:00
# Ensure named attempts to retransfer the zone due to its expiry.
wait_for_transfer initially-unavailable
Log a message when a mirror zone becomes unusable Log a message if a mirror zone becomes unusable for the resolver (most usually due to the zone's expiration timer firing). Ensure that verification failures do not cause a mirror zone to be unloaded (instead, its last successfully verified version should be served if it is available).
2019-01-16 09:31:48 -05:00
# Ensure the expected messages were logged.
nextpartpeek ns3/named.run | grep "initially-unavailable.*expired" > /dev/null || ret=1
nextpartpeek ns3/named.run | grep "initially-unavailable.*mirror zone is no longer in use" > /dev/null || ret=1
Fall back to normal recursion when mirror zone data is unavailable If transferring or loading a mirror zone fails, resolution should still succeed by means of falling back to regular recursive queries. Currently, though, if a slave zone is present in the zone table and not loaded, a SERVFAIL response is generated. Thus, mirror zones need special handling in this regard. Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a domain name is looked up rather than a zone itself. Handle that flag in dns_zt_find() in such a way that a mirror zone which is expired or not yet loaded is ignored when looking up domain names, but still possible to find when the caller wants to know whether the zone is configured. This causes a fallback to recursion when mirror zone data is unavailable without making unloaded mirror zones invisible to code checking a zone's existence.
2018-06-28 07:38:39 -04:00
# Query for a record in the expired zone. Resolution should still succeed.
$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n 2>&1 || ret=1
# Check response code and flags in the answer.
grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
# Sanity check: the authoritative server should have been queried.
nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Treat mirror zone data as cache data for access control purposes As mirror zone data should be treated the way validated, cached DNS responses are, it should not be used when responding to clients who are not allowed cache access. Reuse code responsible for determining cache database access for evaluating mirror zone access.
2018-06-28 07:38:39 -04:00
n=`expr $n + 1`
echo_i "checking that clients without cache access cannot retrieve mirror zone data ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 -b 10.53.0.3 +norec . SOA > dig.out.ns3.test$n 2>&1 || ret=1
# Check response code and flags in the answer.
grep "REFUSED" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.* ad" dig.out.ns3.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Disable outgoing mirror zone transfers by default As mirror zone data should be treated the way validated, cached DNS responses are, outgoing mirror zone transfers should be disabled unless they are explicitly enabled by zone configuration.
2018-06-28 07:38:39 -04:00
n=`expr $n + 1`
echo_i "checking that outgoing transfers of mirror zones are disabled by default ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 . AXFR > dig.out.ns3.test$n 2>&1 || ret=1
grep "; Transfer failed" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Disable notifies for mirror zones unless also-notify is used Since the mirror zone feature is expected to mostly be used for the root zone, prevent slaves from sending NOTIFY messages for mirror zones by default. Retain the possibility to use "also-notify" as it might be useful in certain cases.
2018-06-28 07:38:39 -04:00
n=`expr $n + 1`
echo_i "checking that notifies are disabled by default for mirror zones ($n)"
ret=0
grep "initially-unavailable.*sending notifies" ns3/named.run > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Make "rndc zonestatus" output for mirror zones different than for regular slave zones Replace "type: slave" with "type: mirror" in "rndc zonestatus" output for mirror zones in order to enable the user to tell a regular slave zone and a mirror zone apart.
2018-06-28 07:38:39 -04:00
n=`expr $n + 1`
echo_i "checking output of \"rndc zonestatus\" for a mirror zone ($n)"
ret=0
$RNDCCMD 10.53.0.3 zonestatus . > rndc.out.ns3.test$n 2>&1
grep "type: mirror" rndc.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Do not reuse zones whose "mirror" setting was changed Update named_zone_reusable() so that it does not consider a zone to be eligible for reuse if its old value of the "mirror" option differs from the new one. This causes "rndc reconfig" to create a new zone structure whenever the value of the "mirror" option is changed, which ensures that the previous zone database is not reused and that flags are properly set in responses sourced from zones whose "mirror" setting was changed at runtime.
2018-07-05 04:54:56 -04:00
n=`expr $n + 1`
Replace the "mirror" zone option with "type mirror;" Use a zone's 'type' field instead of the value of its DNS_ZONEOPT_MIRROR option for checking whether it is a mirror zone. This makes said zone option and its associated helper function, dns_zone_mirror(), redundant, so remove them. Remove a check specific to mirror zones from named_zone_reusable() since another check in that function ensures that changing a zone's type prevents it from being reused during reconfiguration.
2018-10-09 04:54:51 -04:00
echo_i "checking that \"rndc reconfig\" properly handles a mirror -> slave zone type change ($n)"
Do not reuse zones whose "mirror" setting was changed Update named_zone_reusable() so that it does not consider a zone to be eligible for reuse if its old value of the "mirror" option differs from the new one. This causes "rndc reconfig" to create a new zone structure whenever the value of the "mirror" option is changed, which ensures that the previous zone database is not reused and that flags are properly set in responses sourced from zones whose "mirror" setting was changed at runtime.
2018-07-05 04:54:56 -04:00
ret=0
# Sanity check before we start.
$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.1 2>&1 || ret=1
grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1
grep "flags:.* aa" dig.out.ns3.test$n.1 > /dev/null && ret=1
grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1
# Reconfigure the zone so that it is no longer a mirror zone.
add required whitespace
2018-07-11 00:25:53 -04:00
# (NOTE: Keep the embedded newline in the sed function list below.)
sed '/^zone "verify-reconfig" {$/,/^};$/ {
Replace the "mirror" zone option with "type mirror;" Use a zone's 'type' field instead of the value of its DNS_ZONEOPT_MIRROR option for checking whether it is a mirror zone. This makes said zone option and its associated helper function, dns_zone_mirror(), redundant, so remove them. Remove a check specific to mirror zones from named_zone_reusable() since another check in that function ensures that changing a zone's type prevents it from being reused during reconfiguration.
2018-10-09 04:54:51 -04:00
s/type mirror;/type slave;/
add required whitespace
2018-07-11 00:25:53 -04:00
}' ns3/named.conf > ns3/named.conf.modified
Do not reuse zones whose "mirror" setting was changed Update named_zone_reusable() so that it does not consider a zone to be eligible for reuse if its old value of the "mirror" option differs from the new one. This causes "rndc reconfig" to create a new zone structure whenever the value of the "mirror" option is changed, which ensures that the previous zone database is not reused and that flags are properly set in responses sourced from zones whose "mirror" setting was changed at runtime.
2018-07-05 04:54:56 -04:00
mv ns3/named.conf.modified ns3/named.conf
add required whitespace
2018-07-11 00:25:53 -04:00
nextpart ns3/named.run > /dev/null
Use rndc_reload in tests, make sure that reload is complete before continuing
2018-12-11 06:59:11 -05:00
rndc_reconfig ns3 10.53.0.3
Replace the "mirror" zone option with "type mirror;" Use a zone's 'type' field instead of the value of its DNS_ZONEOPT_MIRROR option for checking whether it is a mirror zone. This makes said zone option and its associated helper function, dns_zone_mirror(), redundant, so remove them. Remove a check specific to mirror zones from named_zone_reusable() since another check in that function ensures that changing a zone's type prevents it from being reused during reconfiguration.
2018-10-09 04:54:51 -04:00
# Zones whose type was changed should not be reusable, which means the tested
# zone should have been reloaded from disk.
Do not reuse zones whose "mirror" setting was changed Update named_zone_reusable() so that it does not consider a zone to be eligible for reuse if its old value of the "mirror" option differs from the new one. This causes "rndc reconfig" to create a new zone structure whenever the value of the "mirror" option is changed, which ensures that the previous zone database is not reused and that flags are properly set in responses sourced from zones whose "mirror" setting was changed at runtime.
2018-07-05 04:54:56 -04:00
wait_for_load verify-reconfig ${ORIGINAL_SERIAL} ns3/named.run
# Ensure responses sourced from the reconfigured zone have AA=1 and AD=0.
$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.2 2>&1 || ret=1
grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1
grep "flags:.* aa" dig.out.ns3.test$n.2 > /dev/null || ret=1
grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
Replace the "mirror" zone option with "type mirror;" Use a zone's 'type' field instead of the value of its DNS_ZONEOPT_MIRROR option for checking whether it is a mirror zone. This makes said zone option and its associated helper function, dns_zone_mirror(), redundant, so remove them. Remove a check specific to mirror zones from named_zone_reusable() since another check in that function ensures that changing a zone's type prevents it from being reused during reconfiguration.
2018-10-09 04:54:51 -04:00
echo_i "checking that \"rndc reconfig\" properly handles a slave -> mirror zone type change ($n)"
Do not reuse zones whose "mirror" setting was changed Update named_zone_reusable() so that it does not consider a zone to be eligible for reuse if its old value of the "mirror" option differs from the new one. This causes "rndc reconfig" to create a new zone structure whenever the value of the "mirror" option is changed, which ensures that the previous zone database is not reused and that flags are properly set in responses sourced from zones whose "mirror" setting was changed at runtime.
2018-07-05 04:54:56 -04:00
ret=0
# Put an incorrectly signed version of the zone in the zone file used by ns3.
nextpart ns3/named.run > /dev/null
cat ns2/verify-reconfig.db.bad.signed > ns3/verify-reconfig.db.mirror
# Reconfigure the zone so that it is a mirror zone again.
add required whitespace
2018-07-11 00:25:53 -04:00
# (NOTE: Keep the embedded newline in the sed function list below.)
sed '/^zone "verify-reconfig" {$/,/^};$/ {
Replace the "mirror" zone option with "type mirror;" Use a zone's 'type' field instead of the value of its DNS_ZONEOPT_MIRROR option for checking whether it is a mirror zone. This makes said zone option and its associated helper function, dns_zone_mirror(), redundant, so remove them. Remove a check specific to mirror zones from named_zone_reusable() since another check in that function ensures that changing a zone's type prevents it from being reused during reconfiguration.
2018-10-09 04:54:51 -04:00
s/type slave;/type mirror;/
add required whitespace
2018-07-11 00:25:53 -04:00
}' ns3/named.conf > ns3/named.conf.modified
Do not reuse zones whose "mirror" setting was changed Update named_zone_reusable() so that it does not consider a zone to be eligible for reuse if its old value of the "mirror" option differs from the new one. This causes "rndc reconfig" to create a new zone structure whenever the value of the "mirror" option is changed, which ensures that the previous zone database is not reused and that flags are properly set in responses sourced from zones whose "mirror" setting was changed at runtime.
2018-07-05 04:54:56 -04:00
mv ns3/named.conf.modified ns3/named.conf
Use rndc_reload in tests, make sure that reload is complete before continuing
2018-12-11 06:59:11 -05:00
rndc_reconfig ns3 10.53.0.3
Do not reuse zones whose "mirror" setting was changed Update named_zone_reusable() so that it does not consider a zone to be eligible for reuse if its old value of the "mirror" option differs from the new one. This causes "rndc reconfig" to create a new zone structure whenever the value of the "mirror" option is changed, which ensures that the previous zone database is not reused and that flags are properly set in responses sourced from zones whose "mirror" setting was changed at runtime.
2018-07-05 04:54:56 -04:00
# The reconfigured zone should fail verification.
wait_for_load verify-reconfig ${UPDATED_SERIAL_BAD} ns3/named.run
$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n 2>&1 || ret=1
grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
nextpart ns3/named.run | grep "No correct RSASHA256 signature for verify-reconfig SOA" > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Test whether mirror zones can be added and removed dynamically Extend the "mirror" zone system test to make sure mirror zones can be added and removed dynamically using rndc.
2018-10-09 04:54:51 -04:00
n=`expr $n + 1`
echo_i "checking that a mirror zone can be added using rndc ($n)"
ret=0
# Sanity check: the zone should not exist in the root zone.
$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n.1 2>&1 || ret=1
grep "NXDOMAIN" dig.out.ns3.test$n.1 > /dev/null || ret=1
grep "flags:.* aa" dig.out.ns3.test$n.1 > /dev/null && ret=1
grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1
# Mirror a zone which does not exist in the root zone.
nextpart ns3/named.run > /dev/null
$RNDCCMD 10.53.0.3 addzone verify-addzone '{ type mirror; masters { 10.53.0.2; }; };' > rndc.out.ns3.test$n 2>&1 || ret=1
wait_for_transfer verify-addzone
# Check whether the mirror zone was added and whether it behaves as expected.
$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n.2 2>&1 || ret=1
grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1
grep "flags:.* aa" dig.out.ns3.test$n.2 > /dev/null && ret=1
grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that a mirror zone can be deleted using rndc ($n)"
ret=0
# Remove the mirror zone added in the previous test.
$RNDCCMD 10.53.0.3 delzone verify-addzone > rndc.out.ns3.test$n 2>&1 || ret=1
# Check whether the mirror zone was removed.
$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n 2>&1 || ret=1
grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
Add a system test for mirror zones Create the basic files comprising a system test and define a few helper functions which will be useful when testing mirror zones.
2018-06-28 07:38:39 -04:00
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
Reference in a new issue Copy permalink