Commit graph

42696 commits

Author SHA1 Message Date
Matthijs Mekking
239a37946b Convert zsk rollover test case to pytest
Move the 'zsk-prepub' zones to the rollover test dir and convert ZSK
rollover test to pytest.

We need a way to signal a smooth rollover is going on. Signatures are
being replaced gradually during a ZSK rollover, so the existing
signatures of the predecessor ZSK are still being used. Add a smooth
operator to set the right expectations on what signatures are being
used.

Setting expected key relationships is a bit crude: a list of two
elements where the first element is the index of the expected keys that
is the predecessor, and the second element is the index of the expected
keys that is the successor.

We are changing the KSK lifetime to unlimited in this test case as it
is of no importance.

(cherry picked from commit bd6c70bd67)
2025-06-02 09:22:07 +00:00
Matthijs Mekking
ee4199f22a Convert enable dnssec test case to pytest
Move the 'enable-dnssec' to the rollover test dir and convert to pytest.

This requires new test functionality to check that "CDS is published"
messages are logged (or prohibited).

The setup part is slightly adapted such that it no longer needs to
set the '-P sync' value in most cases (this is then set by 'named'),
and to adjust for the inappropriate safety intervals fix.

(cherry picked from commit 233fdb8d52)
2025-06-02 09:22:07 +00:00
Matthijs Mekking
fc0533b9f5 Convert kasp multi-signer tests to pytest
Move the multi-signer test scenarios to the rollover directory and
convert tests to pytest.

- If the KeyProperties set the "legacy" to True, don't set expected
  key times, nor check them. Also, when a matching key is found, set
  key.external to True.
- External keys don't show up in the 'rndc dnssec -status' output so
  skip them in the 'check_dnssecstatus' function. External keys never
  sign RRsets, so also skip those keys in the '_check_signatures'
  function.
- Key properties strings now can set expected key tag ranges, and if
  KeyProperties have tag ranges set, they are checked.

(cherry picked from commit 8ee02190a5)
2025-06-02 09:22:07 +00:00
Matthijs Mekking
ba71be8ed1 Move rollover test cases to separate test dir
In order to keep the kasp system test somewhat approachable, let's
move all rollover scenarios to its own test directory. Starting with
the manual rollover test cases.

A new test function is added to 'isctest.kasp', to verify that the
relationship metadata (Predecessor, Successor) is set correctly.

The configuration and setup for the zone 'manual-rollover.kasp' are
almost copied verbatim, the only exception is the keytimes. Similar
to the test kasp cases, we no longer set "SyncPublish/PublishCDS" in
the setup script. In addition to that, the offset is changed from one
day ago to one week ago, so that the key states match the timing
metadata (one day is too short to move a key from "hidden" to
"omnipresent").

(cherry picked from commit 4d08ec50d1)
2025-06-02 09:22:07 +00:00
Petr Špaček
3471c8a2b5 [9.20] chg: doc: Add text about no bug bounties
Vicky and Ondrej have agreed that we should add text to explain that we do not give bug bounties.

Backport of MR !10246

Merge branch 'backport-sgoldlust-main-bug-bounty-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10527
2025-06-02 07:11:11 +00:00
Suzanne Goldlust
d19e15b1a5 Update URL for bug reports
(cherry picked from commit 67cd4f9743)
2025-06-02 07:04:20 +00:00
Suzanne Goldlust
3c501ef0c4 Add text about no bug bounties
(cherry picked from commit 11269e1a18)
2025-06-02 07:04:20 +00:00
Michał Kępień
2bff3defa5 [9.20] chg: test: Use isctest.asyncserver in the "chain" test
Replace the custom DNS servers used in the "chain" system test with
new code based on the isctest.asyncserver module.

For ans3, replace the sequence of logical conditions present in Perl
code with zone files and a limited amount of custom logic applied on top
of them where necessary.

For ans4, replace the ctl_channel() and create_response() functions with
a custom control command handler coupled with a dynamically instantiated
response handler, making the code more robust and readable.

Migrate sendcmd() and its uses to the new way of sending control queries
to custom servers used in system tests.

Depends on !10409

Backport of MR !10410

Merge branch 'backport-michal/chain-asyncserver-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10526
2025-05-30 19:19:56 +00:00
Michał Kępień
db8b22433b Use isctest.asyncserver in the "chain" test
Replace the custom DNS servers used in the "chain" system test with
new code based on the isctest.asyncserver module.

For ans3, replace the sequence of logical conditions present in Perl
code with zone files and a limited amount of custom logic applied on top
of them where necessary.

For ans4, replace the ctl_channel() and create_response() functions with
a custom control command handler coupled with a dynamically instantiated
response handler, making the code more robust and readable.

Migrate sendcmd() and its uses to the new way of sending control queries
to custom servers used in system tests.

(cherry picked from commit c3d3c9955d)
2025-05-30 20:43:33 +02:00
Michał Kępień
f93d783ec6 Improve readability of sendcmd() calls
To improve readability of sendcmd() calls used for controlling
isctest.asyncserver-based custom DNS servers, pass the command's name
and arguments as separate parameters.

(cherry picked from commit 9a230c16ff)
2025-05-30 20:43:33 +02:00
Michał Kępień
00ad3b70ae [9.20] new: test: Handle alias records in zone files loaded by AsyncDnsServer
dnspython does not treat CNAME records in zone files in any special way;
they are just RRsets belonging to zone nodes.  Process CNAMEs when
preparing zone-based responses just like a normal authoritative DNS
server would.

Adding proper DNAME support to AsyncDnsServer would add complexity to
its code for little gain: DNAME use in custom system test servers is
limited to crafting responses that attempt to trigger bugs in named.

This fact will not be obvious to AsyncDnsServer users as it
automatically loads all zone files it finds and handles CNAME records
like a normal authoritative DNS server would.

Therefore, to prevent surprises:

- raise an exception whenever DNAME records are found in any of the
zone files loaded by AsyncDnsServer,

- add a new optional argument to the AsyncDnsServer constructor that
enables suppressing this new behavior, enabling zones with DNAME
records to be loaded anyway.

This enables response handlers to use the DNAME records present in zone
files in arbitrary ways without complicating the "base" code.

Backport of MR !10409

Merge branch 'backport-michal/asyncserver-alias-records-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10525
2025-05-30 16:22:54 +00:00
Michał Kępień
f39864d3ec Force manual DNAME handling to be acknowledged
Adding proper DNAME support to AsyncDnsServer would add complexity to
its code for little gain: DNAME use in custom system test servers is
limited to crafting responses that attempt to trigger bugs in named.

This fact will not be obvious to AsyncDnsServer users as it
automatically loads all zone files it finds and handles CNAME records
like a normal authoritative DNS server would.

Therefore, to prevent surprises:

  - raise an exception whenever DNAME records are found in any of the
    zone files loaded by AsyncDnsServer,

  - add a new optional argument to the AsyncDnsServer constructor that
    enables suppressing this new behavior, enabling zones with DNAME
    records to be loaded anyway.

This enables response handlers to use the DNAME records present in zone
files in arbitrary ways without complicating the "base" code.

(cherry picked from commit 8a562526f6)
2025-05-30 16:19:05 +00:00
Michał Kępień
8acd4c685c Drop unused AsyncDnsServer constructor argument
The constructor for the AsyncDnsServer class takes a 'load_zones'
argument that is not used anywhere and is not expected to be useful in
the future: zone files are not required for an AsyncDnsServer instance
to start and, if necessary, zone-based answers can be suppressed or
modified by installing a custom response handler.

(cherry picked from commit 5110278008)
2025-05-30 16:19:04 +00:00
Michał Kępień
e3f75d1a44 Properly handle CNAMEs when preparing responses
dnspython does not treat CNAME records in zone files in any special way;
they are just RRsets belonging to zone nodes.  Process CNAMEs when
preparing zone-based responses just like a normal authoritative DNS
server would.

(cherry picked from commit 1b8ceec580)
2025-05-30 16:19:04 +00:00
Michał Kępień
717f334daf Add debug logs for outgoing DNS messages
Since AsyncDnsServer logs incoming DNS messages as seen on the wire, do
the same for the responses sent by the server.

(cherry picked from commit 2a9c74546d)
2025-05-30 16:19:04 +00:00
Mark Andrews
108adab25a [9.20] fix: dev: Allow keystore.c to compile on Solaris
keystore.c failed to compile on Solaris because NAME_MAX was
undefined.  Include 'isc/dir.h' which defines NAME_MAX for platforms
that don't define it.

Closes #5327

Backport of MR !10522

Merge branch 'backport-5327-fix-solaris-keystore-build-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10523
2025-05-30 12:26:03 +00:00
Mark Andrews
8db49cc335 Allow keystore.c to compile on Solaris
keystore.c failed to compile on Solaris because NAME_MAX was
undefined.  Include 'isc/dir.h' which defines NAME_MAX for platforms
that don't define it.

(cherry picked from commit 521bf1d50f)
2025-05-30 06:37:09 +00:00
Michal Nowak
24e2b7ab88 [9.20] chg: ci: Use AlmaLinux for FIPS testing in AWS
Backport of MR !10433

Merge branch 'backport-mnowak/alma-linux-with-fips-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10517
2025-05-29 18:03:36 +00:00
Michal Nowak
0c6a806405 Check system is FIPS-aware when BIND 9 FIPS mode is enabled
(cherry picked from commit fbcdbca65f)
2025-05-29 17:19:02 +00:00
Michal Nowak
d21ab2f428 Use AlmaLinux for FIPS testing in AWS
(cherry picked from commit 5553256427)
2025-05-29 17:19:01 +00:00
Michal Nowak
f0f140d4f0 [9.20] chg: ci: Replace Oracle Linux Docker images with AlmaLinux ones
To be consistent with the replacing of Oracle Linux QCOW2 images with
AlmaLinux AWS AMIs, also replace Docker images.

Backport of MR !10434

Merge branch 'backport-mnowak/replace-oracle-linux-with-almalinux-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10512
2025-05-29 15:45:59 +00:00
Michal Nowak
b2e91d805b Replace Oracle Linux Docker images with AlmaLinux ones
To be consistent with the replacing of Oracle Linux QCOW2 images with
AlmaLinux AWS AMIs, also replace Docker images.

(cherry picked from commit 63947a2062)
2025-05-29 15:11:48 +00:00
Nicki Křížek
62fa80eb5a [9.20] fix: test: Fix intermittent kasp pytest failures
The `pytest` cases check if a zone is signed by looking at the `NSEC` record at the apex. If that has an RRSIG record, it is considered signed. But `named` signs zones incrementally (in batches) and so the zone may still lack some signatures. In other words, the tests may consider a zone signed while in fact signing is not yet complete, then perform additional checks such as is a subdomain signed with the right key. If this check happens before the zone is actually fully signed, the check will fail.

Fix this by using `check_dnssec_verify` instead of `check_is_zone_signed`. We were already doing this check, but we now move it up. This will transfer the zone and then run `dnssec-verify` on the response. If the zone is partially signed, the check will fail, and it will retry for up to ten times.

Closes #5303

Backport of MR !10445

Merge branch 'backport-5303-kasp-pytest-intermittent-test-failures-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10510
2025-05-29 13:12:52 +00:00
Matthijs Mekking
d2a6af1906 Fix intermittent kasp pytest failures
The pytest cases check if a zone is signed by looking at the NSEC
record at the apex. If that has an RRSIG record, it is considered
signed. But 'named' signs zones incrementally (in batches) and so
the zone may still lack some signatures. In other words, the tests
may consider a zone signed while in fact signing is not yet complete,
then perform additional checks such as is a subdomain signed with the
right key. If this check happens before the zone is actually fully
signed, the check will fail.

Fix this by using 'check_dnssec_verify' instead of
'check_is_zone_signed'. We were already doing this check, but we now
move it up. This will transfer the zone and then run 'dnssec-verify'
on the response. If the zone is partially signed, the check will fail,
and it will retry for up to ten times.

(cherry picked from commit 7a31fd57e2)
2025-05-29 12:35:22 +00:00
Nicki Křížek
08d72fef7c [9.20] chg: test: Add utility module to import correct version of hypothesis
On FIPS-enabled platforms, we need to ensure a minimal version of
hypothesis which no longer uses MD5. This doesn't need to be enforced
for other platforms.

Move the import magic to a utility module to avoid copy-pasting the
boilerplate code around.

Backport of MR !10442

Merge branch 'backport-nicki/pytest-import-hypothesis-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10507
2025-05-29 11:18:23 +00:00
Nicki Křížek
1c08636cbc Ensure supported version of hypothesis is available
On FIPS-enabled platforms, we need to ensure a minimal version of
hypothesis which no longer uses MD5. This doesn't need to be enforced
for other platforms.

Move the import magic to a utility module to avoid copy-pasting the
boilerplate code around.

(cherry picked from commit 0aff715f40)
2025-05-29 09:04:30 +00:00
Mark Andrews
6b6659e1e7 [9.20] fix: nil: silence tainted scalar in client.c
Coverity detected that 'optlen' was not being checked in 'process_opt'.
This is actually already done when the OPT record was initially
parsed.  Add an INSIST to silence Coverity as is done in message.c.

Closes #5330

Backport of MR !10500

Merge branch 'backport-5330-tainted-scalar-in-client-c-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10505
2025-05-29 08:01:23 +00:00
Mark Andrews
2ecac031ba Silence tainted scalar in client.c
Coverity detected that 'optlen' was not being checked in 'process_opt'.
This is actually already done when the OPT record was initially
parsed.  Add an INSIST to silence Coverity as is done in message.c.

(cherry picked from commit 72cd6e8591)
2025-05-29 07:01:00 +00:00
Ondřej Surý
bdcd698edf [9.20] fix: dev: Set name for all the isc_mem contexts
Backport of MR !10425

Merge branch 'backport-ondrej/fix-isc_mem_setname-usage-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10498
2025-05-29 04:34:24 +00:00
Ondřej Surý
1945fbc0dc Set name for all the isc_mem context
The memory context for managers and dlz_dlopen_driver units had no name
and that was causing trouble with the statistics channel output.  Set
the name for the two memory contexts that were missing a proper name.

(cherry picked from commit 5d264b3329)
2025-05-29 05:45:12 +02:00
Ondřej Surý
66fc4ee86e [9.20] fix: usr: Fix zone deletion issue
A secondary zone could initiate a new zone transfer from the
primary server after it had been already deleted from the
secondary server, and before the internal garbage collection
was activated to clean it up completely. This has been fixed.

Closes #5291

Backport of MR !10449

Merge branch 'backport-5291-zone-delete-bug-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10496
2025-05-28 19:04:49 +00:00
Aram Sargsyan
80a43c9241 Prepare a zone for shutting down when deleting it from a view
After b171cacf4f, a zone object can
remain in the memory for a while, until garbage collection is run.
Setting the DNS_ZONEFLG_EXITING flag should prevent the zone
maintenance function from running while it's in that state.
Otherwise, a secondary zone could initiate a zone transfer after
it had been deleted.

(cherry picked from commit 874ca5ca2f)
2025-05-28 18:30:45 +00:00
Ondřej Surý
f09bb8b88c [9.20] fix: usr: Fix a zone refresh bug
A secondary zone could fail to further refresh with new
versions of the zone from a primary server if named was
reconfigured during the SOA request step of an ongoing
zone transfer. This has been fixed.

Closes #5307

Backport of MR !10468

Merge branch 'backport-5307-zone-refresh-stuck-after-reconfiguration-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10495
2025-05-28 17:53:22 +00:00
Aram Sargsyan
fa974811a9 Emit a ISC_R_CANCELED result instead of ISC_R_SHUTTINGDOWN
When request manager shuts down, it also shuts down all its ongoing
requests. Currently it calls their callback functions with a
ISC_R_SHUTTINGDOWN result code for the request. Since a request
manager can shutdown not only during named shutdown but also during
named reconfiguration, instead of sending ISC_R_SHUTTINGDOWN result
code send a ISC_R_CANCELED code to avoid confusion and errors with
the expectation that a ISC_R_SHUTTINGDOWN result code can only be
received during actual shutdown of named.

All the callback functions which are passed to either the
dns_request_create() or the dns_request_createraw() functions have
been analyzed to confirm that they can process both the
ISC_R_SHUTTINGDOWN and ISC_R_CANCELED result codes. Changes were
made where it was necessary.

(cherry picked from commit f4cd307c6b)
2025-05-28 19:18:19 +02:00
Aram Sargsyan
20eb80333e Test named reconfiguration during zone transfer's SOA request
This new test checks that named can correctly process an interrupted
SOA request during zone transfer, caused by reconfiguration.

Co-authored-by: Michał Kępień <michal@isc.org>
(cherry picked from commit aa6ca3e776)
2025-05-28 19:18:19 +02:00
Aram Sargsyan
0d1251a2ec Add a debug log in zone.c:refresh_callback()
The new debug message logs the request result in the SOA request
callback function.

(cherry picked from commit b07ec4f0b3)
2025-05-28 19:18:19 +02:00
Aram Sargsyan
7b46d898b6 Fix a zone refresh bug in zone.c:refresh_callback()
When the zone.c:refresh_callback() callback function is called during
a SOA request before a zone transfer, it can receive a
ISC_R_SHUTTINGDOWN result for the sent request when named is shutting
down, and in that case it just destroys the request and finishes the
ongoing transfer, without clearing the DNS_ZONEFLG_REFRESH flag of the
zone. This is alright when named is going to shutdown, but currently
the callback can get a ISC_R_SHUTTINGDOWN result also when named is
reconfigured during the ongoing SOA request. In that case, leaving the
DNS_ZONEFLG_REFRESH flag set results in the zone never being able
to refresh again, because any new attempts will be canceled while
the flag is set. Clear the DNS_ZONEFLG_REFRESH flag on the 'exiting'
error path of the callback function.

(cherry picked from commit 228e441328)
2025-05-28 19:01:33 +02:00
Colin Vidal
4709cb4fa2 [9.20] fix: test: enable shell-based rndc system tests
Enable existing rndc system tests (the python test function calling the
shell file was missing). Also update the extra artifacts list to remove
one generated file which was left behind.

Backport of MR !10489

Merge branch 'backport-colin/rndc-tests-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10493
2025-05-28 16:19:32 +00:00
Colin Vidal
d85610f07d enable shell-based rndc system tests
Enable existing rndc system tests (the python test function calling the
shell file was missing). Also update the extra artifacts list to remove
one generated file which was left behind.

(cherry picked from commit f84065a32c)
2025-05-28 15:44:58 +00:00
Petr Špaček
0c1ada11d4 [9.20] chg: doc: Update security issue reporting procedure
Backport of MR !10487

Merge branch 'backport-pspacek/update-reporting-procedure-sec-md-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10491
2025-05-28 14:58:37 +00:00
Petr Špaček
75ea8e5ec4 Update security issue reporting procedure
We have a new template for people to use. It saves lots of back and
forth if people use it.

(cherry picked from commit cc60cc9a32)
2025-05-28 14:54:17 +00:00
Petr Špaček
39f1092cac [9.20] chg: test: DNSTAP test cleanup
Backport of MR !10478

Merge branch 'backport-pspacek/dnstap-test-cleanup-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10488
2025-05-28 12:02:34 +00:00
Petr Špaček
4650a1b065 Use Pytest mark to guard dnstap features
(cherry picked from commit 889b360167)
2025-05-28 13:27:44 +02:00
Petr Špaček
a6e16b76b2 Fix DNSTAP feature detection for pytest
(cherry picked from commit 313a985dfc)
2025-05-28 13:27:42 +02:00
Petr Špaček
ddbcf9192c Port dnstap test to use isctest utilities
(cherry picked from commit f176acdfcc)
2025-05-28 11:17:30 +00:00
Evan Hunt
7f0f7168d0 [9.20] fix: nil: correct the DbC assertions in message.c
the comments for some calls in the dns_message API specified
requirements which were not actually enforced in the functions.
in most cases, this has now been corrected by adding the missing
REQUIREs. in one case, the comment was incorrect and has been
revised.

Backport of MR !10466

Merge branch 'backport-each-fix-message-requires-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10484
2025-05-28 00:21:07 +00:00
Evan Hunt
11aa50ec83 correct the DbC assertions in message.c
the comments for some calls in the dns_message API specified
requirements which were not actually enforced in the functions.

in most cases, this has now been corrected by adding the missing
REQUIREs. in one case, the comment was incorrect and has been
revised.

(cherry picked from commit c437da59ee)
2025-05-27 16:44:24 -07:00
Nicki Křížek
2592fb319e [9.20] [CVE-2025-40775] sec: test: Add a bad TSIG algorithm hypothesis python test
Closes #5300

Backport of MR !10475

Merge branch 'backport-5300-tsig-unknown-alg-test-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10476
2025-05-23 12:10:31 +00:00
Nicki Křížek
e77b1275a0 Add a bad TSIG algorithm hypothesis python test
Co-authored-by: Petr Špaček <pspacek@isc.org>
(cherry picked from commit 96b0621de4)
2025-05-23 11:31:42 +00:00
Michał Kępień
6ba6648935 Merge tag 'v9.20.9' into bind-9.20
2025-05-21 21:24:23 +02:00