From 9950f6d651770d3ddd25873b5614f3d440797fec Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Thu, 7 Mar 2024 14:58:38 +0100 Subject: [PATCH 1/2] Rewrite glue system test to pytest Limit dnspython to version 2.0.0+ (https://github.com/rthalley/dnspython/pull/503), otherwise the test fails with: E AttributeError: module 'dns.edns' has no attribute 'OptionType' --- bin/tests/system/glue/clean.sh | 1 - bin/tests/system/glue/fi.good | 27 ------- bin/tests/system/glue/noglue.good | 14 ---- bin/tests/system/glue/tests.sh | 90 --------------------- bin/tests/system/glue/tests_glue.py | 104 +++++++++++++++++++++++++ bin/tests/system/glue/tests_sh_glue.py | 14 ---- 6 files changed, 104 insertions(+), 146 deletions(-) delete mode 100644 bin/tests/system/glue/fi.good delete mode 100644 bin/tests/system/glue/noglue.good delete mode 100644 bin/tests/system/glue/tests.sh create mode 100644 bin/tests/system/glue/tests_glue.py delete mode 100644 bin/tests/system/glue/tests_sh_glue.py diff --git a/bin/tests/system/glue/clean.sh b/bin/tests/system/glue/clean.sh index 3c5fac9544..92036f2bba 100644 --- a/bin/tests/system/glue/clean.sh +++ b/bin/tests/system/glue/clean.sh @@ -18,7 +18,6 @@ rm -f */named.conf rm -f */named.memstats rm -f */named.run -rm -f dig.out rm -f ns*/K* rm -f ns*/dsset-* rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/glue/fi.good b/bin/tests/system/glue/fi.good deleted file mode 100644 index a08bc7af49..0000000000 --- a/bin/tests/system/glue/fi.good +++ /dev/null 
@@ -1,27 +0,0 @@ - -; <<>> DiG 9.0 <<>> +norec @10.53.0.1 -p 5300 foo.bar.fi. A -;; global options: printcmd -;; Got answer: -;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58772 -;; flags: qr ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 7 - -;; QUESTION SECTION: -;foo.bar.fi. IN A - -;; AUTHORITY SECTION: -fi. 172800 IN NS NS.EU.NET. -fi. 172800 IN NS NS.TELE.fi. -fi. 172800 IN NS PRIFI.EUNET.fi. -fi. 172800 IN NS NS.UU.NET. -fi. 172800 IN NS T.NS.VERIO.NET. -fi. 172800 IN NS HYDRA.HELSINKI.fi. - -;; ADDITIONAL SECTION: -NS.TELE.fi. 172800 IN A 193.210.19.19 -NS.TELE.fi. 172800 IN A 193.210.18.18 -PRIFI.EUNET.fi. 172800 IN A 193.66.1.146 -NS.UU.NET. 172800 IN A 137.39.1.3 -T.NS.VERIO.NET. 172800 IN A 192.67.14.16 -HYDRA.HELSINKI.fi. 172800 IN A 128.214.4.29 -NS.EU.NET. 172800 IN A 192.16.202.11 - diff --git a/bin/tests/system/glue/noglue.good b/bin/tests/system/glue/noglue.good deleted file mode 100644 index 22eca7bede..0000000000 --- a/bin/tests/system/glue/noglue.good +++ /dev/null @@ -1,14 +0,0 @@ - -; <<>> DiG 9.0 <<>> @10.53.0.1 -p 5300 example.net a -;; global options: printcmd -;; Got answer: -;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29409 -;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0 - -;; QUESTION SECTION: -;example.net. IN A - -;; AUTHORITY SECTION: -example.net. 300 IN NS ns2.example. -example.net. 300 IN NS ns1.example. - diff --git a/bin/tests/system/glue/tests.sh b/bin/tests/system/glue/tests.sh deleted file mode 100644 index 4c04b7e0a5..0000000000 --- a/bin/tests/system/glue/tests.sh +++ /dev/null 
@@ -1,90 +0,0 @@ -#!/bin/sh - -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -set -e - -. ../conf.sh - -dig_with_opts() { - "$DIG" +norec -p "${PORT}" "$@" -} - -status=0 -n=0 - -n=$((n + 1)) -echo_i "testing that a ccTLD referral gets a full glue set from the root zone ($n)" -ret=0 -dig_with_opts @10.53.0.1 foo.bar.fi. A >dig.out.$n || ret=1 -digcomp --lc fi.good dig.out.$n || ret=1 -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -n=$((n + 1)) -echo_i "testing that we don't find out-of-zone glue ($n)" -ret=0 -dig_with_opts @10.53.0.1 example.net. A >dig.out.$n || ret=1 -digcomp noglue.good dig.out.$n || ret=1 -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -n=$((n + 1)) -echo_i "testing truncation for unsigned referrals close to UDP packet size limit (A glue) ($n)" -ret=0 -dig_with_opts @10.53.0.1 +ignore +noedns foo.subdomain-a.tc-test-unsigned. >dig.out.$n || ret=1 -grep -q "flags:[^;]* tc" dig.out.$n || ret=1 -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -n=$((n + 1)) -echo_i "testing truncation for unsigned referrals close to UDP packet size limit (AAAA glue) ($n)" -ret=0 -dig_with_opts @10.53.0.1 +ignore +noedns foo.subdomain-aaaa.tc-test-unsigned. >dig.out.$n || ret=1 -grep -q "flags:[^;]* tc" dig.out.$n || ret=1 -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -n=$((n + 1)) -echo_i "testing truncation for unsigned referrals close to UDP packet size limit (A+AAAA glue) ($n)" -ret=0 -dig_with_opts @10.53.0.1 +ignore +noedns foo.subdomain-both.tc-test-unsigned. 
>dig.out.$n || ret=1 -grep -q "flags:[^;]* tc" dig.out.$n || ret=1 -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -n=$((n + 1)) -echo_i "testing truncation for signed referrals close to UDP packet size limit (A glue) ($n)" -ret=0 -dig_with_opts @10.53.0.1 +ignore +dnssec +bufsize=512 foo.subdomain-a.tc-test-signed. >dig.out.$n || ret=1 -grep -q "flags:[^;]* tc" dig.out.$n || ret=1 -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -n=$((n + 1)) -echo_i "testing truncation for signed referrals close to UDP packet size limit (AAAA glue) ($n)" -ret=0 -dig_with_opts @10.53.0.1 +ignore +dnssec +bufsize=512 foo.subdomain-aaaa.tc-test-signed. >dig.out.$n || ret=1 -grep -q "flags:[^;]* tc" dig.out.$n || ret=1 -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -n=$((n + 1)) -echo_i "testing truncation for signed referrals close to UDP packet size limit (A+AAAA glue) ($n)" -ret=0 -dig_with_opts @10.53.0.1 +ignore +dnssec +bufsize=512 foo.subdomain-both.tc-test-signed. >dig.out.$n || ret=1 -grep -q "flags:[^;]* tc" dig.out.$n || ret=1 -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "exit status: $status" -[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/glue/tests_glue.py b/bin/tests/system/glue/tests_glue.py new file mode 100644 index 0000000000..9d9a8e4a52 --- /dev/null +++ b/bin/tests/system/glue/tests_glue.py 
@@ -0,0 +1,104 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import dns.message
+
+import isctest
+
+import pytest
+
+pytest.importorskip("dns", minversion="2.0.0")
+
+
+def test_glue_full_glue_set():
+ """test that a ccTLD referral gets a full glue set from the root zone"""
+ msg = dns.message.make_query("foo.bar.fi", "A")
+ msg.flags &= ~dns.flags.RD
+ res = isctest.query.udp(msg, "10.53.0.1")
+
+ answer = """;ANSWER
+;AUTHORITY
+fi. 172800 IN NS HYDRA.HELSINKI.fi.
+fi. 172800 IN NS NS.EU.NET.
+fi. 172800 IN NS NS.UU.NET.
+fi. 172800 IN NS NS.TELE.fi.
+fi. 172800 IN NS T.NS.VERIO.NET.
+fi. 172800 IN NS PRIFI.EUNET.fi.
+;ADDITIONAL
+NS.TELE.fi. 172800 IN A 193.210.18.18
+NS.TELE.fi. 172800 IN A 193.210.19.19
+PRIFI.EUNET.fi. 172800 IN A 193.66.1.146
+HYDRA.HELSINKI.fi. 172800 IN A 128.214.4.29
+NS.EU.NET. 172800 IN A 192.16.202.11
+T.NS.VERIO.NET. 172800 IN A 192.67.14.16
+NS.UU.NET. 172800 IN A 137.39.1.3
+"""
+ expected_answer = dns.message.from_text(answer)
+
+ isctest.check.noerror(res)
+ isctest.check.rrsets_equal(res.answer, expected_answer.answer)
+ isctest.check.rrsets_equal(res.authority, expected_answer.authority)
+ isctest.check.rrsets_equal(res.additional, expected_answer.additional)
+
+
+def test_glue_no_glue_set():
+ """test that out-of-zone glue is not found"""
+ msg = dns.message.make_query("example.net.", "A")
+ msg.flags &= ~dns.flags.RD
+ res = isctest.query.udp(msg, "10.53.0.1")
+
+ answer = """;ANSWER
+;AUTHORITY
+example.net. 300 IN NS ns2.example.
+example.net. 300 IN NS ns1.example.
+;ADDITIONAL
+"""
+ expected_answer = dns.message.from_text(answer)
+
+ isctest.check.noerror(res)
+ isctest.check.rrsets_equal(res.answer, expected_answer.answer)
+ isctest.check.rrsets_equal(res.authority, expected_answer.authority)
+ isctest.check.rrsets_equal(res.additional, expected_answer.additional)
+
+
+@pytest.mark.parametrize(
+ "qname,dnssec",
+ [
+ # test truncation for unsigned referrals close to UDP packet size limit (A glue)
+ ("foo.subdomain-a.tc-test-unsigned.", False),
+ # test truncation for unsigned referrals close to UDP packet size limit (AAAA glue)
+ ("foo.subdomain-aaaa.tc-test-unsigned.", False),
+ # test truncation for unsigned referrals close to UDP packet size limit (A+AAAA glue)
+ ("foo.subdomain-both.tc-test-unsigned.", False),
+ # test truncation for signed referrals close to UDP packet size limit (A glue)
+ ("foo.subdomain-a.tc-test-signed.", True),
+ # test truncation for signed referrals close to UDP packet size limit (AAAA glue)
+ ("foo.subdomain-aaaa.tc-test-signed.", True),
+ # test truncation for signed referrals close to UDP packet size limit (A+AAAA glue)
+ ("foo.subdomain-both.tc-test-signed.", True),
+ ],
+)
+def test_glue_truncation(qname, dnssec):
+ msg = dns.message.make_query(qname, "A")
+ msg.flags &= ~dns.flags.RD
+ if dnssec:
+ msg.use_edns(
+ payload=512,
+ # Zones used in this test were created with dig in mind that, unlike dnspython,
+ # by default, sets a cookie. Given that the message size must be close to the
+ # truncation limit, we also need to set a cookie here.
+ options=[dns.edns.GenericOption(dns.edns.OptionType.COOKIE, b"0xda13cc")],
+ )
+ msg.want_dnssec(wanted=True)
+ res = isctest.query.udp(msg, "10.53.0.1")
+
+ isctest.check.noerror(res)
+ assert res.flags & dns.flags.TC
diff --git a/bin/tests/system/glue/tests_sh_glue.py b/bin/tests/system/glue/tests_sh_glue.py
deleted file mode 100644
index 4f3ff04afc..0000000000
--- a/bin/tests/system/glue/tests_sh_glue.py
+++ /dev/null
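Review bot: In `test_glue_truncation` (tests_glue.py), the cookie literal `b"0xda13cc"` reads like a hex number but is eight ASCII characters, and the comment above it does not say that the length is deliberate. RFC 7873 fixes the client cookie at 8 bytes and the test depends on the response landing close to the 512-byte limit, so a well-meant rewrite to something like `bytes.fromhex("da13cc")` would send a 3-byte cookie that the server would likely reject as malformed instead of exercising truncation. I would extend the existing comment with `# The client cookie must be exactly 8 bytes (RFC 7873); this literal is 8 ASCII characters, not a hex number.` Separately, `pytest.importorskip("dns", minversion="2.0.0")` runs after `import dns.message`, so it only covers a too-old dnspython; if the package is missing, collection would presumably fail with ImportError rather than skip, and `dns.flags` / `dns.edns` are reached only through what `dns.message` happens to import.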
@@ -1,14 +0,0 @@
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-
-def test_glue(run_tests_sh):
- run_tests_sh()
From 69d3efed89d44a10a78ce6ab7a2b28f9724ab41d Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Tue, 19 Mar 2024 12:35:48 +0100 Subject: [PATCH 2/2] Use bitwise operation to remove RD from default flags
---
 bin/tests/system/dialup/tests_dialup_zone_transfer.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/tests/system/dialup/tests_dialup_zone_transfer.py b/bin/tests/system/dialup/tests_dialup_zone_transfer.py
index d49f80a345..71b8207b45 100644
--- a/bin/tests/system/dialup/tests_dialup_zone_transfer.py
+++ b/bin/tests/system/dialup/tests_dialup_zone_transfer.py
@@ -20,7 +20,7 @@ import dns.message
 def test_dialup_zone_transfer(named_port, servers, ns):
 msg = dns.message.make_query("example.", "SOA")
 # Drop the RD flag from the query
- msg.flags -= dns.flags.RD
+ msg.flags &= ~dns.flags.RD
 ns1response = isctest.query.tcp(msg, "10.53.0.1")
 with servers[f"ns{ns}"].watch_log_from_start() as watcher:
 watcher.wait_for_line(