Commit graph

6846 commits

Author SHA1 Message Date
Aram Sargsyan
074a152c4f Add a new check in the RPZ system test
Check that reloading a response policy zone which has an '$INCLUDE'
directive defined is working as expected.

(cherry picked from commit d81a2457d6)
2026-01-27 12:45:48 +00:00
Nicki Křížek
566f15b039 Resolve the system_test_dir in pytest
If the system_test_dir contains a symlink, then it might cause issues
further down when using relative_to(), unless it is resolved first. This
has been observed on FreeBSD13 in CI where /home is a symlink to
/usr/home.

(cherry picked from commit b1e3469059)
2026-01-27 12:32:37 +01:00
Štěpán Balážik
7a70608cfd Fix bugs in 'resolver/ans2' and 'resolver/ans3'
There were multiple typos and omissions regarding query minimization.

(cherry picked from commit c336c1feab)
2026-01-27 11:49:34 +01:00
Štěpán Balážik
a190f65c43 Reimplement 'resolver/ans10' server using AsyncDnsServer
Ensure packet-for-packet compatibility with the old server.

(cherry picked from commit cef851740b)
2026-01-27 11:48:57 +01:00
Štěpán Balážik
fabad54501 Reimplement 'resolver/ans8' server using AsyncDnsServer
Ensure packet-for-packet compatibility with the old server.

(cherry picked from commit 8f2526a27d)
2026-01-27 11:48:57 +01:00
Štěpán Balážik
fdcdcbc0e2 Reimplement 'resolver/ans3' server using AsyncDnsServer
Ensure packet-for-packet compatibility with the old server including
bugs.

(cherry picked from commit 5004d278e4)
2026-01-27 11:48:57 +01:00
Štěpán Balážik
aa658f80d7 Reimplement 'resolver/ans2' server using AsyncDnsServer
Ensure packet-for-packet compatibility with the old server including
bugs.

(cherry picked from commit d203a39314)
2026-01-27 11:48:48 +01:00
Štěpán Balážik
c11a7877b9 Add common parts of resolver test custom servers
These will be shared by all the ans*/ans.py files.

(cherry picked from commit 23d9055617)
2026-01-27 11:02:31 +01:00
Štěpán Balážik
e466fedcc4 Add StaticResponseHandler to isctest.asyncserver
It is used to prepare and yield one DNS response and avoid the
`get_responses` boiler-plate.

(cherry picked from commit eba89fd38b)
2026-01-27 11:02:31 +01:00
Štěpán Balážik
faec3cb1e1 Add QnameQtypeHandler for matching QNAME, QTYPE pairs
This is a pattern in the resolver system test and also elsewhere.

(cherry picked from commit 8a45f5b485)
2026-01-27 11:02:31 +01:00
Štěpán Balážik
9acda27250 Delete unused ResponseHandlers from statistics ans server
Turns out the original ans.pl implementation before (!10928) was a copy
of an old version of the ans2 server from the resolver system test.

I reimplemented it fully, even though only two ResponseHandlers are
actually used in the statistics test.

(cherry picked from commit 7d5ec7167b)
2026-01-27 11:02:31 +01:00
Štěpán Balážik
f82168a994 Store the most specific matched domain in DomainHandler
Store the most specific matching domain in DomainHandler and
expose it through the `matched_domain` property for subclasses
to use in their implementations of `get_responses`.

(cherry picked from commit b89cc2bd86)
2026-01-27 11:02:31 +01:00
Nicki Křížek
bf303c793e Apply black formatting changes
Generated by black 26.1.0 which got updated in CI.
2026-01-21 22:39:09 +01:00
Nicki Křížek
ad212589bf Silence incorrect pylint warnings for hypothesis.assume()
With hypothesis>6.148.3, pylint generates

W0101: Unreachable code (unreachable)

when any code is present after hypothesis.assume(). Silence these until
it is fixed upstream.

See https://github.com/pylint-dev/pylint/issues/10785#issuecomment-3677224217

(cherry picked from commit 08630ca744)
2026-01-21 16:29:34 +01:00
Nicki Křížek
fe1b33fb7e Remove hypothesis version checks
The minimum required hypothesis version has been set in requirements.txt
and no longer needs to be checked at runtime.

Since the hypothesis package is now a mandatory prerequisite, include it
in isctest as the other subpackages.

(cherry picked from commit 1291fa1a6d)
2026-01-21 16:29:14 +01:00
Nicki Křížek
5c931d8045 Remove compatibility hacks for dnspython<2.7.0
The minimum required dnspython version is now 2.7.0 and those
compatibility hacks can be dropped.

(cherry picked from commit ce385d8100)
2026-01-21 16:29:01 +01:00
Nicki Křížek
a78d19c597 Bump the minimum required python version to 3.10
Drop support of EoL python versions for running system tests. The
maintenance cost of supporting end of life ecosystem, especially Python
3.6 on EL8 and the related outdated packages (pytest, dnspython, ...),
has become unreasonable.

(cherry picked from commit ac8e2905b8)
2026-01-21 16:28:52 +01:00
Nicki Křížek
1830df3fc5 Remove pytest<7 compatibility hacks
Minimum pytest version has been bumped to 7.0.0, thus these are no
longer needed.

(cherry picked from commit e276c3d5bd)
2026-01-21 16:28:43 +01:00
Nicki Křížek
7c2a8e63f6 Add support for pytest>=9.0.0
Use collection_path rather than the deprecated path argument for
pytest_ignore_collect() hook.

The collection_path argument was added in pytest 7.0.0, which is the
minimum supported pytest version from now on.

(cherry picked from commit 093bef9211)
2026-01-21 16:28:33 +01:00
Nicki Křížek
6e98ed3b2b Add requirements.txt for system tests
This file lists the required Python packages and versions for running
system tests. The easiest way to obtain them is:

    pip install -r requirements.txt

The minimum dnspython version is 2.7.0 because it supports TSIG parsing
without validation (for tsig/tests_tsig_hypothesis.py) and wire() (for
names/tests_names.py).

The minimum pytest version was bumped to 7.0.0 because it supports the
collection hook API required by pytest 9.

The minimum hypothesis version was set to 4.41.2 as prior versions might
have issues on FIPS systems.

(cherry picked from commit 628e16d057)
2026-01-21 16:26:25 +01:00
Mark Andrews
8dc183f598 Fix timing issues in nsec3/tests_nsec3_reconfig.py
ns3/nsec3-ent.kasp.db is regenerated too fast resulting in
the subsequent 'rndc reload' call failing.  This has been
fixed.

(cherry picked from commit f01497e05b)
2026-01-21 10:26:46 +00:00
Michal Nowak
2cd2f82c15 Portions of two dnssec-malformed-dnskey tests need querytrace
Without querytrace set, test_malformed_ecdsa and test_multiple_rrsigs
fail on the log_validation_failed string.

(cherry picked from commit d03b3f5a1d)
2026-01-15 13:08:03 +00:00
Štěpán Balážik
ecbce10790 Use isctest.asyncserver in the "ixfr" system test
Replace the usage of the `bin/tests/system/ans.pl` server with an
instance of ControllableAsyncServer.

(cherry picked from commit 46ecbbed0a)
2026-01-14 12:22:06 +00:00
Štěpán Balážik
8a088183e6 Add SwitchControlCommand for ControllableAsyncServer
To provide feature parity with `bin/tests/system/ans.pl` add a control
command to allow easy switching between different sequences of
ResponseHandlers.

(cherry picked from commit 2302fe1235)
2026-01-14 12:22:06 +00:00
Štěpán Balážik
5284dfd4fe Use variadic positional parameters for plural install_* methods
It saves an indent and brackets on the call sites.

Also sort the handlers alphabetically where their order doesn't matter
and split the fallback handlers into a separate call to signify that
their position in the end matters.

(cherry picked from commit 7e587201a4)
2026-01-14 12:22:06 +00:00
Aram Sargsyan
0004175c64 Ignore case for some messages in the catz system test
RBT and QP builds output some log messages in different cases. Ignore
the case of the affected log messages.
2026-01-12 15:52:35 +00:00
Aram Sargsyan
e2bfce435f Test that catalog zones' entry names are case-insensitive
(cherry picked from commit 4e9d97b4f7)
2026-01-12 13:01:53 +00:00
Aram Sargsyan
5a00d2ffe0 Test that catalog zone names are case-insensitive
Change one of the existing catalog zone names to test that
catalog zones are now case-insensitive.

(cherry picked from commit 6d0e6454ac)
2026-01-12 13:01:53 +00:00
Nicki Křížek
5e02d42a23 Renumber ans7->ans6 and ans8->ans7 in digdelv test
Since there was no 10.53.0.6 server in the test, renumber the remaining
ones so that there's no gap in the server names.

This commit simply moves the ans.py files without any changes and
renumbers the IP addresses in tests.

(cherry picked from commit 9b63187a99)
2026-01-12 10:53:23 +00:00
Nicki Křížek
25540fdead Add dnspython>=2.0.0 requirement for digdelv
Now that the test uses AsyncDnsServer, require the appropriate dnspython
version for the test.

(cherry picked from commit 6c69abf783)
2026-01-12 10:53:23 +00:00
Nicki Křížek
5c2dc5ad3b Replace digdelv/ans8 with AsyncDnsServer
Previously, the ans8 server had different response modes that applied to
all queries. Replace it with AsyncDnsServer that serves the different
response modes under different domains without the need to change the
server behaviour at runtime.

Add the new queries that require an ns3 fallback to the ns3/example.db
zone.

(cherry picked from commit 0b7a089c7f)
2026-01-12 10:53:23 +00:00
Nicki Křížek
4a1f4d67a9 Replace digdelv/ans5 with ControllableAsyncDnsServer
The server has three modes of operation - either no response, a partial
AXFR or a complete AXFR. To test the fallback behaviour of dig, these
actions are combined in specific sequences. To set up the desired
server behaviour, use the _control queries for the server.

(cherry picked from commit 575f0e3916)
2026-01-12 10:53:23 +00:00
Nicki Křížek
9d8cd877a0 Rename ResponseDropAndCloseConnection action
The action can be used to close the connection even after some response
was sent, depending on the ordering of actions in the handler that uses
it. Rename it to CloseConnection to use a more fitting name.

(cherry picked from commit 20887ff80f)
2026-01-12 10:53:23 +00:00
Nicki Křížek
4fddae6100 Replace digdelv/ans7 with AsyncDnsServer
ans7 server always replies with an UPDATE opcode in the message.

(cherry picked from commit c50a7d2de1)
2026-01-12 10:53:23 +00:00
Nicki Křížek
0e6c9cae68 Replace digdelv/ans4 with AsyncDnsServer
Configure the AsyncDnsServer to ignore all queries to ensure the same
behaviour as with "//" command for ans.pl.

(cherry picked from commit 648f2534b1)
2026-01-12 10:53:23 +00:00
Nicki Křížek
808e84d1b9 Remove unused digdelv/ans6 server
This server receives no queries during the test and doesn't affect the
test outcome.

(cherry picked from commit 3a6b977a92)
2026-01-12 10:53:23 +00:00
Štěpán Balážik
d65174595d Avoid sending manually created responses in asyncserver
If at all possible, all the responses should be created by
AsyncDnsServer's internal methods. To ensure this, mark them with a
magic attribute and check it on send and crash the server if a manually
created response is detected.

Fix the qmin test server which uses `make_response`.

(cherry picked from commit 1fc206556b)
2026-01-09 15:23:58 +00:00
Michal Nowak
d77b8be2b1 Add ans10 blackhole server to xfer system test
On FreeBSD 15.0, sending requests to a non-existent address produces
unexpected results. Add a blackhole server instead.

(cherry picked from commit b4c0408d81)
2026-01-06 22:47:47 +01:00
Nicki Křížek
ccfe50a9b1 Test zone with truncated revoked DNSKEY
Ensure that named can handle a situation where the zone is signed with a
truncated, self-signed revoked DNSKEY. The signatures are inevitably
bogus and a SERVFAIL is expected. However, prior to CVE-2025-8677 fix,
this could trigger an assertion failure.

(cherry picked from commit 0ddfa108a7)
2026-01-05 15:02:51 +01:00
Nicki Křížek
024d67eca9 Test that DNSSEC validation is aborted on malformed DNSKEY
Create a signed zone file that contains malformed ZSKs with colliding
key tags. The ZSKs don't represent valid ECDSA keys and will cause a
crypto failure when attempting to use them. Sign the zone with KSK, with
the exception of one record which is "signed" with the invalid ZSKs.

Check that the resolver aborts the DNSSEC verification after
encountering the first crypto failure, indicating malformed DNSKEY.

(cherry picked from commit 1a2e46d364)
2026-01-05 15:02:51 +01:00
Štěpán Balážik
6e2fbe7081 Set default_aa on AsyncDnsServer to False by default
In 6e684d44 I mistakenly set the default for `default_aa` for
`AsyncDnsServer()` to `True` and then explicitly set it to True in
cases where all the `ResponseHandlers` said
`yield DnsResponseSend(..., authoritative=True)` as if the default was
`False`.

Also the rest of `AsyncDnsServer` code (namely `_prepare_responses`)
reads like `default_aa` is `False` by default.

This accidentally changed the behavior of servers which don't set the
`default_aa` and where AA is not set from the zone data
(e.g. `dispatch/ans3`).

(cherry picked from commit dc58c73264)
2026-01-05 13:05:08 +00:00
Matthijs Mekking
056d73dd08 Wait for "sending notifies" for step3.zsk-prepub
Commit c17ac42608 changed some tests to
wait for "zone_needdump" messages instead of "sending notifies", because
notifies are rate limited and "zone_needdump" happen on every change.

However, inspecting the logs, the "zone_needdump" changes happen more
than once (likely because the re-signing is done in batches):

    received control channel command 'sign step3.zsk-prepub.manual'
    zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
    zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
    zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
    zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
    zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
    zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
    zone step3.zsk-prepub.manual/IN (signed): sending notifies

This means we are running the rollover step checks too fast in some
test runs.

Revert the wait for log change for the rollover-zsk-prepub test.

(cherry picked from commit 22c02a4df9)
2026-01-02 08:13:31 +00:00
Matthijs Mekking
705cfac99f Drop and replace CmdHelper with EnvCmd
A generic helper that calls environment-specified binaries has been added;
drop and replace the introduced CmdHelper with the more generic method.

(cherry picked from commit 594ff0816a)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
ddd532ace0 rollover-zsk-prepub: From setup.sh to pytest bootstrap
Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2.
Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual.

Since the bootstrapping is done before the templates are rendered
automatically, replace @DEFAULT_ALGORITHM@ in ns3/kasp.conf.j2 to
ecdsa256 and rename to ns3/kasp.conf.

(cherry picked from commit e172b4ff1a)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
74ed63eb8d rollover-straight2none: From setup.sh to pytest bootstrap
Similar to rollover-going-insecure.

(cherry picked from commit da04c75cec)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
e403f6dc2c rollover-lifetime: Update templates
This test does not require a trust chain. Merely update the template
zone files to not point to the common template.

(cherry picked from commit 0016791c91)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
f814553696 rollover-multisigner: Update templates
This test does not require a trust chain. However, it does have a setup
script. Rewrite the setup shell script to a pytest bootstrap method.

(cherry picked from commit b6c091d113)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
7b92adde63 rollover-ksk-3crowd: From setup.sh to pytest bootstrap
Similar to rollover-ksk-doubleksk.

(cherry picked from commit 4ed35f02b1)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
f8ce10ea24 rollover-ksk-doubleksk: From setup.sh to pytest bootstrap
Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2.
Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual.

Since the bootstrapping is done before the templates are rendered
automatically, replace @DEFAULT_ALGORITHM@ in ns3/kasp.conf.j2 to
ecdsa256 and rename to ns3/kasp.conf.

(cherry picked from commit 08236f4bd6)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
40330867b1 rollover-going-insecure: From setup.sh to pytest bootstrap
Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2.
Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual.

Since the bootstrapping is done before the templates are rendered
automatically, replace @DEFAULT_ALGORITHM@ in ns3/kasp.conf.j2 to
ecdsa256 and rename to ns3/kasp.conf.

Now we have to fake different lifetimes, so adjust fake_lifetime
to update a single key.

Note that we have changed the setup slightly: We also sign the
step2 zones, but with post validation disabled. This is more
accurate because we need to test that the public keys and signatures
are being removed from the zone.

(cherry picked from commit cc4244f384)
2025-12-22 15:25:12 +00:00