Commit graph

12208 commits

Author SHA1 Message Date
Matthijs Mekking
aa744b5dd9 Add primaries, parental-agents as synonyms
Add back the top blocks 'parental-agents', 'primaries', and 'masters'
to the configuration. Do not document them as so many names for the
same clause is confusing.

This has a slight negative side effect that a top block 'primaries'
can be referred to with a zone statement 'parental-agents' for example,
but that shouldn't be a big issue.

(cherry picked from commit 1b2eadb197)
2024-12-13 11:23:03 +01:00
Matthijs Mekking
4555a31934 Unify parental-agents, primaries to remote-servers
Having zone statements that are also top blocks is confusing, and if
we want to add more in the future (which I suspect will be for
generalized notifications, multi-signer), we need to duplicate a lot
of code.

Remove top blocks 'parental-agents' and 'primaries' and just have one
top block 'remote-servers' that you can refer to with zone statements.

(cherry picked from commit b121f02eac)
2024-12-13 10:39:25 +01:00
Mark Andrews
e8ef8eddb8 Fix startup notify rate test
The terminating conditions for the startup notify test would
occasionally get ~20 records or get +10 seconds of records due to
a bad terminating condition.  Additionally 20 samples lead to test
failures.  Fix the terminating condition to use the correct conditional
(-eq -> -ge) and increase the minimum number of log entries to
average over to 40.

(cherry picked from commit 46388d07a2)
2024-12-13 00:07:52 +00:00
Michal Nowak
1bff2cd49c Wait for "all zones loaded" after rndc reload in "database" test
After the rndc reload command finished, we might have queried the
database zone sooner than it was reloaded because rndc reloads zones
asynchronously if no specific zone was provided. We should wait for "all
zones loaded" in the ns1 log to be sure.

(cherry picked from commit 0bdd03db66)
2024-12-12 12:09:30 +00:00
Michal Nowak
945dbad5ed Add rr-related common test artifacts
(cherry picked from commit c607237b77)
2024-12-11 00:38:56 +00:00
Mark Andrews
4bc7d505e8 Use a different burst name to identify test queries
This allows easier identification of which burst is which in
named.run.

(cherry picked from commit e02d66b279)
2024-12-10 21:55:31 +00:00
Colin Vidal
32f5b69703 Add none parameter to query-source and query-source-v6 to disable IPv4 or IPv6 upstream queries
Add a none parameter to named configuration option `query-source` (respectively `query-source-v6`) which forbid usage of IPv4 (respectively IPv6) addresses when named is doing an upstream query.

Closes #4981 Turning-off upstream IPv6 queries while still listening to downstream queries on IPv6.

Merge branch 'colin/querysource-none' into 'main'

See merge request isc-projects/bind9!9727

Backport of MR !9727

Some changes had to be done to the existing 9.20.x code in order to
make this backport compatible:

- first, the 9.20.x branches support the `port` parameter in
  query-source[-v6], where 9.21.x does not. The original changes
  depend on things that can't be backported because that would break
  `port` support.

- second, the changes remove the optional `address` parameter from the
  canonical form. So `query-source address <ip>` is now printed as
  `query-source <ip>`. This means that `named-checkconf -p` will now
  generate different output if users have `query-source address <ip>` or
  `query-source address <ip> port <port>`; it will now generate
  `query-source <ip>` or `query-source <ip> port <port>`. This is a
  non-breaking change, because the parser has been updated to support
  this form as well.
2024-12-10 11:58:20 +01:00
Matthijs Mekking
551d1dd67d Drop single-use RETERR macro
If the RETERR define is only used once in a file, just drop the macro.

(cherry picked from commit b6d031462f)
2024-12-10 08:47:25 +00:00
Mark Andrews
6177eb8c5b Fix static stub subtest description
(cherry picked from commit f173a01454)
2024-12-10 03:16:33 +00:00
Artem Boldariev
17dd30ec52 Use FIPS compatible DH-param files
When the tests were added, the files were generated without FIPS
compatibility in mind. That made the tests fail on recent OpenSSL
versions in FIPS mode.

So, the files were regenerated on a FIPS compliant system using the
following stanza:

$ openssl dhparam -out <file> 3072

Apparently, the old files are not valid for FIPS starting with OpneSSL
3.1.X release series as "FIPS 140-3 compliance changes" are mentioned
in the changelog:

https://openssl-library.org/news/openssl-3.1-notes/
(cherry picked from commit 384c92880e)
2024-12-09 12:00:49 +00:00
Ondřej Surý
81d661ffc0
Revert "Attach dnssecsignstats, rcvquerystats, and requeststats"
This reverts commit fb50a71159.

(cherry picked from commit 7a99d1baf8)
2024-12-08 12:03:12 +01:00
Evan Hunt
f7d67710e2 preserve cache across reload when using attach-cache
when the attach-cache option is used in the options block
with an arbitrary name, it causes all views to use the same
cache. however, previously, this could cause the cache to be
deleted and a new cache created every time the server was
reconfigured. this did *not* occur when attach-cache was
used at the view level to refer back to another view's cache.

in this commit we correct the problem by checking for
pre-existing caches during reconfiguration, and moving
them from the old server cache list to the new cache list
before cleaning up and freeing the old cache list.

(cherry picked from commit f3af8a7dc3)
2024-12-06 18:19:54 -08:00
Matthijs Mekking
cc004b2b8f Add test case for nsupdate hangs on large update
This test case hangs, despite the update being performed on the
name server.

(cherry picked from commit 3adabb4f89)
2024-12-06 08:31:19 +00:00
Michal Nowak
dffcf1226c Use os.getenv() instead of os.environ
If ECDSAP256SHA256_SUPPORTED or ECDSAP384SHA384_SUPPORTED variables were
not present in the environment, os.environ would raise KeyError that is
not being handled in the decorator. Use os.getenv() instead.

(cherry picked from commit 1a5683b638)
2024-12-06 07:06:31 +00:00
Michal Nowak
85176a62ca Fix skipif decorators' conditions
The ECDSA256 and ECDSA384 check conditions were switched.

(cherry picked from commit 2a7b8d9795)
2024-12-06 07:06:31 +00:00
Matthijs Mekking
dd098a4b3b Change default max-recursion-queries to 50
Changing the default for max-recursion-queries from 100 to 32 was too
strict in some cases, especially lookups in reverse IPv6 trees started
to fail more frequently. From issue #4921 it looks like 50 is a better
default.

Now that we have 'max-query-count' as a global limit of outgoing queries
per client request, we can increase the default for
'max-recursion-queries' again, as the number of recursive queries is
no longer bound by the multiple of 'max-recursion-queries' and
'max-query-restarts'.

(cherry picked from commit 84df920d9e)
2024-12-06 06:20:33 +00:00
Matthijs Mekking
1d7ddb5ec4 Add a CAMP test case
This adds a new test directory specifically for CAMP attacks. This first
test in this test directory follows multiple CNAME chains, restarting
the max-recursion-queries counter, but should bail when the global
maximum quota max-query-count is reached.

(cherry picked from commit 73eafaba14)
2024-12-06 06:20:33 +00:00
Matthijs Mekking
63e5f295fb Add +maxtotalqueries option to delv
The max-query-count value can now be set on the command line in delv
with +maxtotalqueries.

(cherry picked from commit 74f845d62f)
2024-12-06 06:20:33 +00:00
Matthijs Mekking
492f79560d Implement global limit for outgoing queries
This global limit is not reset on query restarts and is a hard limit
for any client request.

(cherry picked from commit 16b3bd1cc7)
2024-12-06 06:20:33 +00:00
Matthijs Mekking
c233bb9de0 Implement 'max-query-count'
Add another option to configure how many outgoing queries per
client request is allowed. The existing 'max-recursion-queries' is
per restart, this one is a global limit.

(cherry picked from commit bbc16cc8e6)
2024-12-06 06:20:33 +00:00
Mark Andrews
bcf3f8b44d Attach dnssecsignstats, rcvquerystats, and requeststats
In dns_zone_getdnssecsignstats, dns_zone_getrcvquerystats and
dns_zone_getrequeststats attach to the statistics structure.

(cherry picked from commit fb50a71159)
2024-12-06 16:45:52 +11:00
Petr Menšík
5a1c39b1b7 Finalize removal of memory debug flags size and mctx
Commit 4b3d0c6600 has removed them, but
did not remove few traces in documentation and help. Remove them from
remaining places.

(cherry picked from commit 65b9eeb39a)
2024-12-06 03:13:14 +00:00
Mark Andrews
3eea26ba37 Check dnssec-signzone behaviour with revoked keys
Only DNSKEY records should be signed with a revoked key.

(cherry picked from commit 30ef6dde05)
2024-12-06 01:00:08 +00:00
Mark Andrews
db19675ee9 Do not sign non DNSKEY RRset with revoked keys
It does not make sense to sign RRsets other than DNSKEY with revoked
keys.

(cherry picked from commit 23775c6006)
2024-12-06 01:00:08 +00:00
Michal Nowak
e8d6be9c38 Add ns2/managed1.conf to mkeys extra_artifacts
The ns2/managed1.conf file is created by the setup.sh script. Then, in
the tests.sh script it is moved to ns2/managed.conf. The latter file
name is in mkeys extra_artifacts, but the former one is not. This is a
problem when pytest is started with the --setup-only option as it only
runs the setup.sh script (e.g., in the cross-version-config-tests CI
job) and thus failing the "Unexpected files found" assertion.

(cherry picked from commit e7d973bd00)
2024-12-05 10:08:34 +00:00
Colin Vidal
c586d9a658 Add EDE 22 No reachable authority code
Add support for Extended DNS Errors (EDE) error 22: No reachable
authority. This occurs when after a timeout delay when the resolver is
trying to query an authority server.

(cherry picked from commit d13e94b930)

Commit amended in order to fix usage of isc_log_write (adding dns_lctx
parameter)
2024-12-05 10:30:28 +01:00
Michal Nowak
211a0eafa9 Rewrite ecdsa system test to pytest
(cherry picked from commit 292e919156)
2024-12-05 07:46:17 +00:00
Ondřej Surý
de7312ae5f Remove dns_badcache usage in the resolver (lame-ttl)
The lame-ttl processing was overriden to be disabled in the config,
but the code related to the lame-ttl was still kept in the resolver
code.  More importantly, the DNS_RESOLVER_BADCACHETTL() macro would
cause the entries in the resolver badcache to be always cached for at
least 30 seconds even if the lame-ttl would be set to 0.

Remove the dns_badcache code from the dns_resolver unit, so we save some
processing time and memory in the resolver code.

(cherry picked from commit b61739836d)
2024-11-27 17:07:03 +00:00
Ondřej Surý
6c3f1f09b2 Improve the badcache cleaning by adding LRU and using RCU
Instead of cleaning the dns_badcache opportunistically, add per-loop
LRU, so each thread-loop can clean the expired entries.  This also
allows removal of the atomic operations as the badcache entries are now
immutable, instead of updating the badcache entry in place, the old
entry is now deleted from the hashtable and the LRU list, and the new
entry is inserted in the LRU.

(cherry picked from commit 2cb5a6210f)
2024-11-27 17:07:03 +00:00
Aram Sargsyan
bebdabc06c Fix the nslookup system test
The nslookup system test checks the count of resolved addresses in
the CNAME tests using a 'grep' match on the hostname, and ignoring
lines containing the 'canonical name' string. In order to protect
the check from intermittent failures like the 'address in use' warning
message, which then automatically resolves after a retry, edit the
'grep' matching string to also ignore the comments (as the mentioned
warning message is a comment which contains the hostname).

(cherry picked from commit 345b0f9e5c)
2024-11-27 13:35:25 +00:00
Aram Sargsyan
61d49b0731 Test trying of the next primary server
Add test cases which check that when a XoT primary server is
unreachable or is already marked as unreachble then the next
primary server in the list is used.

(cherry picked from commit 12225d125b)
2024-11-27 11:49:02 +00:00
Aram Sargsyan
375bd8ec75 xfrin: refactor and fix the ISC_R_CANCELED case handling
Previously a ISC_R_CANCELED result code switch-case has been added to
the zone.c:zone_xfrdone() function, which did two things:

1. Schedule a new zone transfer if there's a scheduled force reload of
   the zone.

2. Reset the primaries list.

This proved to be not a well-thought change and causes problems,
because the ISC_R_CANCELED code is used not only when the whole transfer
is canceled, but also when, for example, a particular primary server is
unreachable, and named still needs to continue the transfer process by
trying the next server, which it now no longer does in some cases. To
solve this issue, three changes are made:

1. Make sure dns_zone_refresh() runs on the zone's loop, so that the
   sequential calls of dns_zone_stopxfr() and dns_zone_forcexfr()
   functions (like done in 'rndc retransfer -force') run in intended
   order and don't race with each other.

2. Since starting the new transfer is now guaranteed to run after the
   previous transfer is shut down (see the previous change), remove the
   special handling of the ISC_R_CANCELED case, and let the default
   handler to handle it like before. This will bring back the ability to
   try the next primary if the current one was interrupted with a
   ISC_R_CANCELED result code.

3. Change the xfrin.c:xfrin_shutdown() function to pass the
   ISC_R_SHUTTINGDOWN result code instead of ISC_R_CANCELED, as it makes
   more sense.

(cherry picked from commit 3262ebd0f3)
2024-11-27 11:49:01 +00:00
JINMEI Tatuya
c862555b66 update system tests to confirm new log messages
(cherry picked from commit 000720fe14)
2024-11-27 11:17:34 +11:00
Michal Nowak
58316503b6 Rewrite emptyzones system test to pytest
(cherry picked from commit 3ace62472c)
2024-11-26 17:03:30 +00:00
Michal Nowak
a506a04c98 Add isctest.check.refused()
(cherry picked from commit 7bedd1c296)
2024-11-26 17:03:30 +00:00
Michal Nowak
5d28efecfc Rewrite database system test to pytest
(cherry picked from commit 8005ad0dcd)
2024-11-26 12:12:26 +00:00
Michal Nowak
3cb61b1252 Revert "xfail upforwd system test if DNSTAP is enabled"
This reverts commit 0579e0a429.

(cherry picked from commit e7e73da39a)
2024-11-26 10:50:15 +00:00
Nicki Křížek
d7cb6263a3 Ignore test artifacts in .libs
Some tests may leave artifacts in the .libs directory. Ignore this
directory when detecting expected artifacts.

(cherry picked from commit cf606a9ead)
2024-11-26 09:06:06 +00:00
Alessio Podda
0472494417 Incrementally apply AXFR transfer
Reintroduce logic to apply diffs when the number of pending tuples is
above 128. The previous strategy of accumulating all the tuples and
pushing them at the end leads to excessive memory consumption during
transfer.

This effectively reverts half of e3892805d6

(cherry picked from commit 99b4f01b33)
2024-11-26 07:17:06 +00:00
Nicki Křížek
80967a2c66 Allow re-run of mkeys system test
On some slow systems, the test might intermittently fail due to inherent
timing issues. In our CI, this most often happens in the
system:gcc:8fips:amd64 jobs.

(cherry picked from commit a299650a6f)
2024-11-25 14:35:54 +00:00
Ondřej Surý
c22176c0f9
Remove redundant semicolons after the closing braces of functions
(cherry picked from commit 1a19ce39db)
2024-11-19 14:26:56 +01:00
Ondřej Surý
58a15d38c2
Remove redundant parentheses from the return statement
(cherry picked from commit 0258850f20)
2024-11-19 14:26:52 +01:00
Ondřej Surý
9b346bc6f1 Add OpenSSL includes as needed
The isc/crypto.h now directly includes the OpenSSL headers (evp.h) and
any application that includes that header also needs to have
OPENSSL_CFLAGS in the Makefile.am.  Adjust the required automake files
as needed.

(cherry picked from commit 88103e72d5)
2024-11-15 14:03:44 +00:00
Nicki Křížek
9ba60be870 Fix clean.sh removal omissions
- Ensure keyfromlabel token is cleaned up
- Remove forgotten clean.sh file
- Add missing enginepkcs11 test artifact

(cherry picked from commit 7dde34afac)
2024-11-12 11:21:15 +01:00
Nicki Křížek
0b9d3fbfea Ensure pytest runner get proper outcome from flaky reruns
When a test is re-run by the flaky plugin, the TestReport outcomes
collected in the pytest_runtest_makereport() hook should be overriden.
Each of the setup/call/teardown phases is reported again and since we
care about the overall outcome, their respective results should be
overriden so that only the outcome from the final test (re)run gets
reported.

Prior to this change, it lead to a situation where an extra_artifact
generated during the test might be ignored. This was caused because the
check was skipped, since the test was incorrectly considered as "failed"
in the case where the test would fail on the first run, but pass on a
subsequent flaky rerun.

(cherry picked from commit b66fb31dcb)
2024-11-12 10:20:27 +00:00
Nicki Křížek
0ed39d76dc Remove invocations and mentions of clean.sh
(cherry picked from commit f2cb2e5723)
2024-11-08 15:39:50 +01:00
Nicki Křížek
c3a0af96ad Replace clean.sh files with extra_artifacts mark
The artifact lists in clean.sh and extra_artifacts might be slightly
different. The list was updated for each test to reflect the current
state.

(cherry picked from commit 7c259fe254)
2024-11-08 15:39:50 +01:00
Michał Kępień
95d3bbd5dc Add pytest fixture for checking test artifacts
Prior to introducing the pytest runner, clean.sh files were used as a
list of files that the test is expected to leave around as artifacts and
check that no extra files were created.

With the pytest runner, those scripts are no longer used, but the
ability to detect extraneous files is still useful. Add a new
"extra_artifacts" mark which can be used for the same purpose.

(cherry picked from commit 3a9f4edddc)
2024-11-08 15:39:50 +01:00
Mark Andrews
e2746e86d9 Remove named_g_sessionkey and named_g_sessionkeyname
They are only declared and cleaned up but otherwise unused.

(cherry picked from commit f70ff727ec)
2024-11-07 02:18:48 +00:00
Matthijs Mekking
9a92cb4fbb Fix dnssec-ksr to support KSK rollovers
dnssec-ksr can now sign KSR files with multiple KSKs. A planned KSK
rollover is supported, meaning the KSR will first be signed with
one KSK and later with another. The timing metadata for CDS and
CDNSKEY records are also taken into account, so these records are
only published when the time is between "SyncPublish" and "SyncDelete".

(cherry picked from commit d7f2a2f437)
2024-11-04 01:10:34 +00:00