Use GitLab Registry for CI purposes. Disable EdDSA support for Debian
sid since the OpenSSL version shipped with it has broken Ed448 support.
Use /dev/urandom as the random device in the "ecdsa" system test to
prevent newer OpenSSL versions from running out of entropy when
verifying ECDSA signatures.
(cherry picked from commit e5ebc13989)
- the text returned by "rndc nta" when adding NTAs to multiple views
was incorrectly terminated after the first line, so users only saw
on NTA added unless they checked the logs.
(cherry picked from commit 83dc5a704a)
$RANDFILE, i.e. bin/tests/system/random.data, should only be written to
if a system test requires support for cryptography and that file does
not already exist. Otherwise, when multiple system tests are run in
parallel, that file might get truncated due to bin/tools/genrandom.c
using fopen() with mode "w" when writing the destination file. With
unfortunate timing, this may cause system tests employing BIND tools
which need entropy (e.g. dnssec-keygen) to fail.
Make sure bin/tests/system/metadata/tests.sh no longer calls
bin/tools/genrandom since $RANDFILE is guaranteed to already be created
by the time bin/tools/genrandom is currently called because
bin/tests/system/metadata/prereq.sh uses bin/tests/system/testcrypto.sh.
Make sure bin/tests/system/sfcache/prereq.sh only writes to $RANDFILE if
it does not already exist.
(cherry picked from commit c12388f5e8)
A short time window exists between logging the addition of an NSEC3PARAM
record to a zone and committing it to the current version of the zone
database. If a query arrives during such a time window, an unsigned
response will be returned. One of the checks in the "inline" system
test requires NSEC3 records to be present in an answer - that check
would fail in the case described above. Use rndc instead of log
watching for checking whether zone signing and NSEC3 chain modifications
are complete in order to prevent intermittent "inline" system test
failures.
(cherry picked from commit e36c869e85)
While "rndc reload" causes dns_zone_asyncload() to be called for the
signed version of an inline-signed zone, the subsequent zone_load() call
causes the raw version to be reloaded from storage. This means that
DNS_ZONEFLG_LOADPENDING gets set for the signed version of the zone by
dns_zone_asyncload() before the reload is attempted, but zone_postload()
is only called for the raw version and thus DNS_ZONEFLG_LOADPENDING is
cleared for the raw version, but not for the signed version. This in
turn prevents zone maintenance from happening for the signed version of
the zone.
Until commit 749b3cacfc, this problem
remained dormant because DNS_ZONEFLG_LOADPENDING was previously
immediately, unconditionally cleared after zone loading was started
(whereas it should only be cleared when zone loading is finished or an
error occurs). This behavior caused other issues [1] and thus had to be
changed.
Fix reloading inline-signed zones by clearing DNS_ZONEFLG_LOADPENDING
for the signed version of the zone once the raw version reload
completes. Take care not to clear it prematurely during initial zone
load. Also make sure that DNS_ZONEFLG_LOADPENDING gets cleared when
zone_postload() encounters an error or returns early, to prevent other
scenarios from resulting in the same problem. Add comments aiming to
help explain code flow.
[1] see RT #47076
(cherry picked from commit 5431583971)
When an inline-signed zone is loaded, the master file for its signed
version is loaded and then a rollforward of the journal for the signed
version of the zone is performed. If DNS_JOURNALOPT_RESIGN is not set
during the latter phase, signatures loaded from the journal for the
signed version of the zone will not be scheduled for refresh. Fix the
conditional expression determining which flags should be used for the
dns_journal_rollforward() call so that DNS_JOURNALOPT_RESIGN is set when
zone_postload() is called for the signed version of an inline-signed
zone.
Extend bin/tests/system/stop.pl so that it can use "rndc halt" instead
of "rndc stop" as the former allows master file flushing upon shutdown
to be suppressed.
(cherry picked from commit 8db550c42f)
Each zone used in the "inline" system test contains a few dozen records.
Over a dozen of these zones are used in the test. Most records present
in these zones are not subsequently used in the test itself, but all of
them need to be signed by the named instances launched by the test,
which puts quite a bit of strain on lower-end machines, leading to
intermittent failures of the "inline" system test. Remove all redundant
records from the zones used in the "inline" system test in order to
stabilize it.
(cherry picked from commit 24dd865b97)
If "rndc signing -nsec3param ..." is ran for a zone which has not yet
been loaded or transferred (i.e. its "db" field is NULL), it will be
silently ignored by named despite rndc logging an "nsec3param request
queued" message, which is misleading. Prevent this by keeping a
per-zone queue of NSEC3PARAM change requests which arrive before a zone
is loaded or transferred and processing that queue once the raw version
of an inline-signed zone becomes available.
(cherry picked from commit cb40c5229a)
lo0 and lo0:0 are the same interface on Solaris. Make sure
bin/tests/system/ifconfig.sh does not touch lo0:0 in order to prevent it
from changing the address of the loopback interface on Solaris.
(cherry picked from commit 618921902a)
The "git status" command in Git versions before 1.7.2 does not support
the "--ignored" option. Prevent spamming the console when running
system tests from a Git repository on a host with an ancient Git version
installed.
(cherry picked from commit 2be97feb46)
The output of certain "dig +idnout" invocations may be locale-dependent.
Remove the "dig +idnout" subtest from the "digdelv" system test as IDN
support is already thoroughly tested by the "idna" system test.
(cherry picked from commit fd30a03f2b)
While idn2_to_unicode_8zlz() takes a 'flags' argument, it is ignored and
thus cannot be used to perform IDN checks on the output string.
The bug in libidn2 versions before 2.0.5 was not that a call to
idn2_to_unicode_8zlz() with certain flags set did not cause IDN checks
to be performed. The bug was that idn2_to_unicode_8zlz() did not check
whether a conversion can be performed between UTF-8 and the current
locale's character encoding. In other words, with libidn2 version
2.0.5+, if the current locale's character encoding is ASCII, then
idn2_to_unicode_8zlz() will fail when it is passed any Punycode string
which decodes to a non-ASCII string, even if it is a valid IDNA2008
name.
Rework idn_ace_to_locale() so that invalid IDNA2008 names are properly
and consistently detected for all libidn2 versions and locales.
Update the "idna" system test accordingly. Add checks for processing a
server response containing Punycode which decodes to an invalid IDNA2008
name. Fix invalid subtest description.
(cherry picked from commit 7fe0f00a3b)
Every prereq.sh script must include bin/tests/system/conf.sh, otherwise
if some prerequisite is not met, errors about echo_i not being found
will be printed instead of actual error messages.
(cherry picked from commit cc0e8cda71)
Net::DNS versions older than 0.68 insert a ./ANY RR into the QUESTION
section if the latter is empty. Since the latest Net::DNS version
available with stock RHEL/CentOS 6 packages is 0.65 and we officially
support that operating system, bin/tests/system/resolver/ans8/ans.pl
should behave consistently for various Net::DNS versions. Ensure that
by making handleUDP() return the query ID and flags generated by
Net::DNS with 8 zero bytes appended.
(cherry picked from commit 6c3c6aea37)
DNAME records indicate bottom of zone and thus no records below a DNAME
should be DNSSEC-signed or included in NSEC(3) chains. Add a helper
function, has_dname(), for detecting DNAME records at a given node.
Prevent signing DNAME-obscured records. Check that DNAME-obscured
records are not signed.
(cherry picked from commit ff7015a0f8)
The keyfile and key ID for the original managed key do not change
throughout the mkeys system test. Keep them in helper variables to
prevent calling "cat" multiple times and improve code readability.
(cherry picked from commit 2cad382552)
Reduce code duplication by replacing a code snippet repeated throughout
system tests using "trusted-keys" and/or "managed-keys" configuration
sections with calls to keyfile_to_{managed,trusted}_keys() helper
functions.
(cherry picked from commit dce66f7635)
Add a set of helper functions for system test scripts which enable
converting key data from a set of keyfiles to either a "trusted-keys"
section or a "managed-keys" section suitable for including in a
resolver's configuration file.
(cherry picked from commit 21d3658bcb)
