Rewrite nsec3_answer/tests_nsec3.py as dnssec_py/tests_nsec3_answer.py
using the isctest.zone helpers for zone setup. ns1 (auth) and ns2
(resolver) were renumbered to ns2 and ns9 respectively to fit the
existing dnssec_py server infrastructure.
Assisted-by: Claude:claude-opus-4-8
Port test_truncated_dnskey from dnssec_malformed_dnskey into the shared
dnssec_py fixture harness, completing the migration and deleting the
remaining dnssec_malformed_dnskey files.
Assisted-by: Claude:claude-opus-4-8
Port test_malformed_ecdsa and test_multiple_rrsigs from the standalone
dnssec_malformed_dnskey directory into the shared dnssec_py fixture
harness. The zone is renamed from example. to dnskey-malformed., the
resolver fixture changes from a dedicated ns3 to the shared ns9, and
trust anchors are wired in via bootstrap() rather than per-directory
config files.
Assisted-by: Claude:claude-opus-4-8
Rewrite dnssec_unsupported_ds/tests_mixed_ds.py as
dnssec_py/tests_mixed_ds.py using the isctest.zone helpers for zone
setup.
The test verifies that a zone whose DS RRset contains only an
unsupported algorithm DS and a bogus DS record is treated as insecure
by a validating resolver, resulting in SERVFAIL for queries to that
zone. The DS set for child.mixed-ds. is deliberately corrupted after
signing to contain a DS record with an unsupported algorithm (12) and
a DS record with an invalid digest, exercising the mixed-DS insecurity
proof path.
Assisted-by: Claude:claude-opus-4-8
Only class IN is allowed for user-defined views; the internally
generated `_bind` view stays in the CH class. Both `named` and the
shared checker in `lib/isccfg/check.c` now reject non-IN views, so a
config can no longer pass `named-checkconf` yet fail to start in
`named`.
Tests, configs, and catalog zones using CH or arbitrary classes
(e.g. `class10`) are removed accordingly.
Introduce an abstract ZoneKey base class with two concrete
implementations:
- FileZoneKey wraps a dnssec-keygen-managed key file (kasp.Key).
- PythonZoneKey holds a Python-native keypair for dnspython-based
signing and key operations.
Both share ZoneKey.into_ta() and ZoneKey.is_ksk(). The ZoneKey
abstraction lets Zone.copy_dssets() and Zone.trust_anchors() handle
pure-Python keys without callers needing to know how the key was made.
Assisted-by: Claude:claude-opus-4-8
Rewrite nsec3_delegation/tests_excessive_nsec3_iterations.py as
dnssec_py/tests_nsec3_iter_too_many.py using the isctest.zone helpers.
The test is a reproducer for CVE-2026-1519 [GL#5708]. It sets up a
delegation from nsec3-iter-too-many. (ns2) to an unsigned sub zone
(ns3), signing the parent with NSEC3 at 51 iterations. A validating
resolver (ns9) must use NSEC3 to prove the sub zone is insecure; the
excessive iteration count is logged as a warning. The test verifies that
the query still resolves successfully (insecure, not SERVFAIL) despite
the high iteration count.
Assisted-by: Claude:claude-opus-4-8
Add a new system test directory for DNSSEC tests written in Python,
using the isctest.zone helpers for zone setup rather than shell sign
scripts.
Set up four nameservers:
- ns1: authoritative for the signed root zone
- ns2: authoritative for test zones (primary)
- ns3: authoritative for additional test zones (typically delegations)
- ns9: validating resolver
Zone configuration for ns2 and ns3 is driven by the ``zones`` template
variable via _common/zones.conf.j2, so each test module's bootstrap()
controls which zones those servers load without touching named.conf.
Individual test modules will be added in subsequent commits.
Assisted-by: Claude:claude-opus-4-8
System tests that set up zones — especially DNSSEC tests — require a
chain of common operations: rendering zone files from templates,
generating keys, signing, and propagating DS records to parent zones.
Implement these as methods on isctest.zone.Zone so individual tests
don't need to repeat the logic in shell or ad-hoc Python.
isctest.zone.Zone is a plain class that holds the zone's data and
accumulated state (delegations, keys) alongside the methods that operate
on it. It is intentionally separate from isctest.template.Zone, which
remains a dumb data container for jinja2 template rendering.
Key design points:
- zone.Zone.name is the text form without trailing dot ("." for root);
zone.Zone.dname holds the dns.name.Name for DNS-level operations;
zone.Zone.basename is the filesystem-safe name ("root" for ".").
- filepath_unsigned / filepath_signed are both always available.
filepath returns the appropriate one based on zone.Zone.signed.
- The zones/ subdirectory is the default (subdir="zones"); old-style
tests that place zone files directly in the ns workdir can pass
subdir=None.
- Signing is opt-in via signed=True; configure() auto-detects whether to
generate keys and sign based on this flag, so the same method handles
both signed and unsigned zones.
- delegations and keys are mutable list attributes; callers append to
them before calling configure() rather than threading them through
every call.
Also:
- Add isctest.template.zones() as a bridge from a list of zone.Zone to a
{name: template.Zone} dict suitable for use as the ``zones`` template
variable. template.zones() resolves filepath to the actual zone file
so templates don't need to know whether a zone is signed.
Assisted-by: Claude:claude-opus-4-8
Add a system test covering the synthrecord in reverse mode with a (too)
long prefix. If the prefix size doesn't leave room to add the reversed
IP address, the attempt to generate a name is aborted, and `NXDOMAIN` is
returned.
The test framework already requires Python 3.10+ (conftest.py raises
RuntimeError if version < 3.10), so skipif(sys.version_info < (3, 7))
can never trigger. Remove the dead markers and now-unused sys imports.
Assisted-by: Claude:claude-opus-4-7
When LMDB was made a required dependency (929eccdfdc), the "LMDB" entry
was removed from features.py and the --with-lmdb flag was removed from
feature-test.c. However, the with_lmdb skip marker in mark.py and its
usage in nzd2nzf were not cleaned up. Since FEATURE_LMDB was no longer
being set, the skip condition became permanently true, silently skipping
the test on every run.
Remove the dead skip marker and update other stale references that still
described LMDB as optional (build docs, addzone test comments).
Assisted-by: Claude:claude-opus-4-7
The nsip-wait-recurse and nsdname-wait-recurse timing tests
compare query times with wait-recurse yes vs no. With a
1-second NS response delay in ans5, the timing difference is
too small to reliably measure with whole-second granularity,
causing intermittent failures when both cases round to the
same integer.
Increase the delay from 1 to 3 seconds and add explicit dig
timeout options (+time=30 +tries=1) so that dig does not time
out or retry during the slow wait-recurse yes queries.
Assisted-by: Claude:claude-opus-4-7
After reloading an inline-signed zone from file, named must re-read it,
detect the deltas and generate RRSIGs before the answer is signed, which
can take longer than 5 seconds on a loaded CI host and cause spurious
update_is_signed() timeouts. Bump these reload-based checks to 10
seconds, matching cb_ixfr_is_signed.
Assisted-by: Claude:claude-opus-4-8
Rarely, RNDC fails to refresh the zone on FreeBSD in the default 10
seconds, causing test_edns_expire_refresh to fail with a TimeoutExpired
on the "rndc refresh edns-expire." call. Give it more time, the same
way the reconfigure timeout was bumped in
test_reconfiguration_when_zone_transfer_is_in_the_middle_of_soa_query.
Assisted-by: Claude:claude-opus-4-8
The wait loop in test_checkds() called "rndc loadkeys" once per
second while polling ns9.log for expected parental-agent response
lines. Under load (notably the rbt CI job), responses to one query
batch could land after a subsequent loadkeys had already reset the
per-key DSPUBCOUNT counter in lib/dns/zone.c without cancelling the
in-flight requests. Stragglers from the earlier round then bumped the
new round's counter to parentalscnt and BIND finalized DSPublish for
zones where one parental-agent legitimately serves no DS, spuriously
failing the !DSPublish keystate assertion.
Trigger at most one loadkeys per test case and wait passively via
watch_log_from_start() / wait_for_all(). Watching from the start
of the log preserves the original implicit semantics for zones
whose DS state was already finalized by BIND's automatic checkds
polling at zone-load time -- the expected lines are already
present and the watcher returns immediately.
Assisted-by: Claude:claude-opus-4-7
Two authoritative zones drive the cases. 'example.' answers DNSKEY,
NSEC, NSEC3 and RRSIG queries with a CNAME: a direct recursive query for
one of these must not crash the resolver, and the validator's own DNSKEY
fetch for a signed name must fail as a broken trust chain and return
SERVFAIL promptly.
'secure.' is served faithfully but answers DS queries with an unsigned
CNAME -- the input that drove the validator's insecurity proof into a
self-join. The resolver must return SERVFAIL within a couple of seconds
instead of stalling for twelve.
Assisted-by: Claude:claude-opus-4-8
LoadScopeScheduling._split_scope() uses rsplit("::", 1) to
extract the test file scope from a node ID. When parametrized
test values contain "::" (IPv6 addresses like "cafe:cafe::cafe"
or "::1"), the split lands inside the parameter instead of at
the .py:: boundary. This creates spurious scopes that get
assigned to different workers, each triggering a full fixture
setup (starting named instances).
Override _split_scope() in conftest.py to split on ".py::"
which is unambiguous.
Six tests in synthrecord/tests_synthrecord.py are affected.
A verification script is included in util/.
Assisted-by: Claude:claude-opus-4-7
Update PRIORITY_TESTS with the 10 longest-running test
scopes measured from CI (job 7468217). These get scheduled
first so that with --dist=loadscope they land on separate
workers instead of piling up at the end.
Also fix "serve-stale/" to "serve_stale/" to match the
actual directory name, and add a startup check that fails
if any PRIORITY_TESTS entry does not match an existing
directory.
Assisted-by: Claude:claude-opus-4-7
named-checkconf should reject a template that has options that must be
non-zero (max-refresh-time, max-retry-time, min-refresh-time,
min-retry-time).
rndc addzone with a zone that refers to such template should fail
cleanly.
Test that flushing the delegdb via `rndc flush` preserves its
configured size limit. The test checks delegdb watermarks after
`named` startup, flushes caches, and verifies that the delegdb
watermarks are correctly restored afterwards.
To distinguish between the previous `delegdb` memory contexts and the
new ones, we need to know exactly when the previous `delegdb` memory
contexts are removed (this is not immediate, since those are removed
during RCU reclamation phase). A trace is therefore added when a memory
context is destroyed, if `ISC_MEM_DEBUGTRACE` is set.
After SIG and NXT lost their special handling, KEY remained the only
RFC 2535-era type still receiving coexistence allowances: KEY
alongside CNAME at the same owner, KEY answered from the parent side
of a zone cut, KEY kept across CNAME eviction in the cache. RFC 3755
retains type 25 only for SIG(0) and TKEY transaction signatures, and
neither relies on those allowances in practice. The in-tree comment
that flagged the RFC 3007 parent-side carve-out as "unclear" predicted
this cleanup.
Zones that publish CNAME and KEY at the same owner — already invalid
under RFC 2181 — now fail to load. System test fixtures are updated
accordingly, and a new test asserts that SIG, NXT, and KEY records
pick up covering RRSIGs when their zone is signed.
RFC 3755 retired SIG and NXT in favour of RRSIG and NSEC. BIND still
warned about them at zone load, refused them in dynamic updates,
parsed SIG with a non-zero "type covered" field as a signature on an
RRset, and tracked them via dns_rdatatype_issig(). Those carve-outs
were the sole path that made the GL#5818 crash class reachable.
Treat both types as ordinary unknown rdata: they load, transfer, sign
and answer like any other record, and dynamic updates carry them
through the generic path. SIG(0) is unaffected; its message-parsing
carve-out is preserved.
Tests that exercise instrumentation, log output, or other behaviour
that only exists in developer builds (the gcc:almalinux9:amd64 CI job
sets -Ddeveloper=disabled to guard against such accidental coupling)
can now decorate themselves with isctest.mark.with_developer to skip on
non-developer builds.
Assisted-by: Claude:claude-opus-4-7
System tests can check FEATURE_DEVELOPER in the environment, but the
recommended pattern is the with_developer pytest marker added next.
Assisted-by: Claude:claude-opus-4-7
System tests that depend on log output, instrumentation, or other
behaviour only present in developer builds can use this probe to detect
the build configuration at runtime.
Assisted-by: Claude:claude-opus-4-7
An AAAA query for a non-existent name into a view that combines
nxdomain-redirect with dns64 used to abort named via the DNS64
fallback in query_nodata(). The new module exercises all three
documented entry paths into query_redirect(): the authoritative
NXDOMAIN path (ns7, tripping INSIST(!is_zone) in
query_notfound()), the recursive NCACHENXRRSET path (ns8,
tripping REQUIRE in dns_rdataset_first() on a disassociated
rdataset), and the synth-from-dnssec path (ns10 validating
against ns9's signed root, with a primer A query so the second
AAAA reaches query_redirect() via query_coveringnsec()). ns9
serves as a neutral upstream so the cached and synthesized
negatives land real NXRRSETs.
Assisted-by: Claude:claude-opus-4-7
The previous loader was a FileSystemLoader rooted at $srcdir, which
allowed any system test to include any other test's templates -- a
wider scope than intended. Every existing cross-test include already
targets _common/, so make that the only path.
ChoiceLoader + PrefixLoader keeps the existing '_common/foo.j2' path
convention working without changes to call sites. The '_common/'
prefix is deliberately kept rather than dropping it by rooting the
FileSystemLoader at _common/ directly:
- It signals at the include site that the file is a shared
template, not a sibling of the current test; readers don't need
to know the loader configuration to understand where the file
lives.
- It prevents shadowing: a test-local 'controls.conf.j2' would
not collide with the shared one, and the unqualified name keeps
its test-local meaning.
- It makes the dependency greppable: 'grep -rl _common/'
identifies every test that consumes shared snippets.
Assisted-by: Claude:claude-opus-4-7
Add commonly used zone-related data (config snippet and zone file
snippets) as templates which can be reused by filling in different data.
Adjust the isctest.template.Zone to use filepath argument rather than
filename for clarity.
Omit extra newlines when combining and including templates.
Adjust the xfer/ns8/small.db.j2 so it doesn't trim the endline twice
(as that would join the two subsequent records on the same line).
In some cases, the template data might need to be set directly in the
jinja2 templates using `{% set %}`. Expose the template dataclasses to
the templates so we can use these existing classes, rather than creating
ad-hoc data containers.
If a template is being rendered into a directory that represents a
nameserver (e.g. "ns1"), include a nameserver-specific information in
the data - variable called "ns" which has information about the
nameserver this file belongs to.
Ensure the "ns" variable is only exposed to the template when rendered,
without affecting the environment variables (always work with a copy of
the env_vars).
Extend the Nameserver to generate the default IPv4/IPv6 values, add NSX
values for the predefined nameservers (there are 11 of them, as per
bin/tests/system/ifconfig.sh.in max value). Add the missing ns11
fixture.
Extend the Zone to derive the zone filename by default, unless
specified.
Adjust the existing uses of these classes to utilize the simplified
defaults.
Add a variant of checking configuration where inline-signing is
enabled on the secondary, requiring the 'file' entry. This time,
inline-signing is implicitly enabled via dnssec-policy.
Previously, the server would crash if it received a query with an ID
close to 65535 in the badmessageid case, as adding 50 to it would not
fit in uint16.
This was an oversight in porting it from Perl to Python in
f9ed3650ac.
dnspython's RRSIG.to_text() converts the signature inception/expiration
fields by calling time.gmtime(), which on 32-bit platforms raises
OverflowError for values past 2038-01-19 (INT32_MAX). Several DNSSEC
test fixtures use far-future expirations: the precomputed RRSIGs in
the dnssec test's rsasha1.example.db.in zone expire in 2093, ans4 of
the chain test hardcodes 2090, and ans10 of the dnssec test uses
2**32-1 (year 2106). Whenever a response carrying such an RRSIG is
formatted with str()/to_text() the overflow propagates out and either
fails the test (when triggered in isctest.query's debug logging) or
kills the asyncserver-based ans* server (when triggered in its
response logger), which in turn cascades into "Failed to stop
servers" teardown errors and SERVFAIL responses for subsequent tests.
Wrap the to_text() calls in isctest/query.py and the str(response)
call in asyncserver's _log_response() with try/except OverflowError,
falling back to a placeholder message. The conversions are only used
for debug logging, so losing the human-readable form there does not
affect what the tests actually validate.
Assisted-by: Claude:claude-opus-4-7
Make the handlers defined in bin/tests/system/resend_loop/ans3/ans.py
follow canonical naming conventions used in other system tests. Keep
all server initialization code in the main() function.
Since the _get_cookie() function is only used by the CookieHandler
class, make the former a method of the latter to keep related logic
close in the source code.
The "len(cookie.server) == 0" condition is superfluous for the
"resend_loop" system test, so remove it. Add a return type annotation
to the _get_cookie() function.
The "yield" keyword does not cause a function to return. By design,
get_responses() may yield multiple DNS responses in a single call. As
currently implemented, CookieHandler.get_responses() sends two responses
to each client query that does not contain a COOKIE option. Make the
logic in that method consistent with code comments by only sending one
response to every query - either SERVFAIL or BADCOOKIE, never both.
The ans3 custom server instance is created with default_aa=True. Do not
pass the authoritative=True keyword argument to the DnsResponseSend
constructor in CookieHandler.get_responses() as it is redundant.
The ans3 custom server does not have any zones defined, so the responses
passed to its handlers by core isctest.asyncserver code are guaranteed
to be empty. Remove a call to qctx.prepare_new_response() from
CookieHandler.get_responses() as it is redundant.
