To provide feature parity with `bin/tests/system/ans.pl` add a control
command to allow easy switching between different sequences of
ResponseHandlers.
It saves an indent and brackets on the call sites.
Also sort the handlers alphabetically where their order doesn't matter
and split the fallback handlers into a separate call to signify that
their position in the end matters.
Since there was no 10.53.0.6 server in the test, renumber the remaining
ones so that there's no gap in the server names.
This commit simply moves the ans.py files without any changes and
renumbers the IP addresses in tests.
Previously, the ans8 server had different response modes that applied to
all queries. Replace it with AsyncDnsServer that has serves the different
response modes under different domains without the need to change the
server behaviour at runtime.
Add the new queries that require an ns3 fallback to the ns3/example.db
zone.
The server has three modes of operation - either no response, a partial
AXFR or a complete AXFR. To test the fallback behaviour of dig, these
actions are be combined in a specific sequences. To set up the desired
server behaviour, use the _control queries for the server.
The action can be used to close the connection even after some response
was sent, depending on the ordering of actions in the handler that uses
it. Rename it to CloseConnection to use a more fitting name.
If at all possible, all the responses should be created by
AsyncDnsServer's internal methods. To ensure this, mark them with a
magic attribute and check it on send and crash the server if a manually
created response is detected.
Fix the qmin test server which uses `make_response`.
Ensure that named can handle a situation where the zone is signed with a
truncated, self-signed revoked DNSKEY. The signatures are inevitably
bogus and a SERVFAIL is expected. However, prior to CVE-2025-8677 fix,
this could trigger an assertion failure.
Create a signed zone file that contains malformed ZSKs with colliding
key tags. The ZSKs don't represent valid ECDSA keys and will cause a
crypto failure when attempting to use them. Sign the zone with KSK, with
the exception of one record which is "signed" with the invalid ZSKs.
Check that the resolver aborts the DNSSEC verification after
encountering the first crypto failure, indicating malformed DNSKEY.
In 6e684d44 I mistakenly set the default for `default_aa` for
`AsyncDnsServer()` to `True` and then explicitly set it to True in
cases where all the `ResponseHandlers` said
`yield DnsResponseSend(..., authoritative=True)` as if the default was
`False`.
Also the rest of `AsyncDnsServer` code (namely `_prepare_responses`)
reads like `default_aa` is `False` by default.
This accidentally changed the behavior of servers which don't set the
`default_aa` and where AA is not set from the zone data
(e.g. `dispatch/ans3`).
Commit c17ac42608 changed some tests to
wait for "zone_needdump" messages instead of "sending notifies", because
notifies are rate limited and "zone_needdump" happen on every change.
However, inspecting the logs, the "zone_needdump" changes happen more
than once (likely because the re-signing is done in batches):
received control channel command 'sign step3.zsk-prepub.manual'
zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
zone step3.zsk-prepub.manual/IN (signed): sending notifies
This means we are running the rollover step checks too fast in some
test runs.
Revert the wait for log change for the rollover-zsk-prepub test.
A single spoofed DNAME answer can impact many names, and because of the
nature of DNAME, the attacker can use randomized query names to get
unlimited number of tries to spoof the answer. To limit impact, we
should not be accepting DNAME over insecure transport, like UDP without
cookies etc.
In short, the attacker tries to spoof at least one answer that has the
following form:
opcode QUERY
rcode NOERROR
flags QR AA
;QUESTION
trigger$RANDOM.test. IN A
;ANSWER
trigger$RANDOM.test. 3600 IN CNAME trigger$RANDOM.attacker.net.
test. 3600 IN DNAME attacker.net.
;AUTHORITY
;ADDITIONAL
This has been discovered internally.
Co-authored-by: Michał Kępień <michal@isc.org>
In short, the attacker tries to spoof at least one answer that has the
following form:
rcode NOERROR
flags QR
;QUESTION
trigger$RANDOM.victim. IN TXT
;ANSWER
;AUTHORITY
trigger$RANDOM.victim. 3600 IN NS ns.victim.
;ADDITIONAL
ns.victim. 3600 IN A 10.53.0.3
This attack was originally reported as "test case 2".
Co-authored-by: Michał Kępień <michal@isc.org>
Before the fixes for CVE-2025-40778, an unsolicited in-bailiwick NS
record was accepted from a (spoofed) answer, enabling a single spoofed A
query/response to redirect traffic for a whole delegation.
In short, the attacker tries to spoof at least one answer that has the
following form:
rcode NOERROR
flags QR AA
;QUESTION
trigger$RANDOM.victim. IN TXT
;ANSWER
trigger$RANDOM.victim. 3600 IN TXT "spoofed answer with extra NS"
;AUTHORITY
victim. 3600 IN NS ns.attacker.
;ADDITIONAL
This attack was originally reported as "test case 1".
Co-authored-by: Michał Kępień <michal@isc.org>
Before the fixes for CVE-2025-40778, a positive answer was allowed to
overwrite sibling NS RRs. The answer had to be a positive AA=1 answer
with a fake NS along with it. This combination of conditions avoided
the code path with "unrelated <RRTYPE>" detection logic.
If it were some other answer, named from the main branch would detect
the attempt and log:
DNS format error from 10.53.0.1#16386 resolving trigger/A for <unknown>: unrelated NS victim in trigger authority section
In short, the attacker tries to spoof at least one answer that has the
following form:
opcode QUERY
rcode NOERROR
flags QR AA
;QUESTION
trigger$RANDOM. IN A
;ANSWER
trigger$RANDOM. 3600 IN A 10.53.0.3
;AUTHORITY
victim. 3600 IN NS ns.attacker.
;ADDITIONAL
ns.attacker. 3600 IN A 10.53.0.3
This attack was originally reported as "test case 1c".
Co-authored-by: Michał Kępień <michal@isc.org>
Add bin/tests/system/ans.py, a bare-bones DNS server that can be used in
system tests instead of full-blown named instances when a server is only
required to return zone-based data. Where applicable, this reduces load
on the test host and the amount of generated logs.
Due to the way various asyncio-related objects (tasks, streams,
transports, selectors) are referencing each other, pausing reads for a
TCP transport (which in practice means removing the client socket from
the set of descriptors monitored by a selector) can cause the client
task (AsyncDnsServer._handle_tcp()) to be prematurely garbage-collected,
causing asyncio code to raise a "Task was destroyed but it is pending!"
exception. Who knew that solutions as elegant as the one introduced by
e407888507 could cause unexpected trouble?
Fix by making a horrible hack even more horrible, specifically by
keeping a reference to each incoming TCP connection to protect its
related asyncio objects from getting garbage-collected. This prevents
AsyncDnsServer from closing any of the ignored TCP connections
indefinitely, which is obviously a pretty brain-dead idea for a
production-grade DNS server, but AsyncDnsServer was never meant to be
one and this hack reliably solves the problem at hand.
Only apply this change for the IgnoreAllConnections handler as the
ConnectionReset handler triggers a connection reset immediately after
pausing reads for an incoming TCP connection.
As pointed out in e407888507, the proper
solution would require implementing a custom asyncio transport from
scratch and that is still deemed to be too much work for the purpose at
hand. Let's see how much longer we can limp along with the existing
approach.
Calling asyncio.Future.set_exception() or asyncio.Future.set_result()
more than once for a given Future object raises an
asyncio.InvalidStateError exception.
In the case of AsyncServer:
- it is enough to capture the first exception raised by higher-level
logic as no exceptions at all are expected to be raised in the first
place,
- no distinction is made between SIGINT and SIGTERM; the only purpose
of the signal handler is to make the server exit cleanly.
Given the above, make both AsyncServer._handle_exception() and
AsyncServer._signal_done() idempotent by ignoring
asyncio.InvalidStateError exceptions raised by the relevant
asyncio.Future.set_*() calls.
If we change from NSEC3 to NSEC we should not produce a zone with
missing NSEC records.
The code only considered having seen a record if there was previously
a signature present at the owner name. However with opt-out, insecure
delegations don't have a RRSIG record. Reconfiguring to NSEC causes
all insecure delegations to have a missing NSEC record.
Add a DNAME record to the test zone to also cover DNAME delegations.
This reverts commit 21295bc188.
In a sense, the ans6 black holeserver, based on asyncserver, "does
nothing". In our case, it won't respond to any query, and if the
IgnoreAllConnections connection handler was installed, it would not read
anything from the client socket.
Previously, sending notifications to an unconfigured address resulted in
no communication from the target (10.53.10.53); hence, the ns3
configuration comment requested a "non-responsive notify recipient (no
reply, no ICMP errors)".
However, examining the PCAP of ans6 reveals some communication from the
10.53.0.6 server to the 10.53.0.3 client, including ICMP Destination
Unreachable (Port Unreachable), and TCP SYN/ACK.
The ans6 communication seems to be sufficiently different to touch
different code paths in named, resulting in the BIND 9.20 backport
failing in the "checking notify retries expire within 30 seconds" test.
But we better revert it from "main" as well.
The RFC says There MUST NOT be more than one DSYNC record for each
combination of RRtype and Scheme. If we encounter more we should drop
the response, as the DSYNC RRset is invalid.
When doing rollover and the CDS/CDNSKEY RRset is updated, test that a
NOTIFY(CDS) message is sent. For other steps in the rollover, prohibit
any dsyncfetch activity.
When starting up the services, send notifies for the existing CDS RRset.
This requires setting up a chain of trust for the test, so the DSYNC
records can be retrieved and validated.
This feature requires enabling 'notify-cds' and 'dnssec-validation'.
In this test, the scanner is pointed to ns2. Since there is no code
for receiving NOTIFY(CDS) messages for delegations, this is treated
as "not authoritative". Checking for this log message ensures us that
the NOTIFY(CDS) message was actually sent.
Now that we log the type of the notify, some expected log messages
in the system tests need to be adjusted accordingly.
The bin/tests/system/nsec3/tests_nsec3_retransfer.py log is changed
to zone_needdump because it is more reliable. Other tests were
adjusted similar in MR !11265, but !11226 introduced a new
"sending notify" log line.
Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2.
Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual.
Since the bootstrapping is done before the templates are rendered
automatically, replace @DEFAULT_ALGORITHM@ in ns3/kasp.conf.j2 to
ecdsa256 and rename to ns3/kasp.conf.
Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2.
Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual.
Since the bootstrapping is done before the templates are rendered
automatically, replace @DEFAULT_ALGORITHM@ in ns3/kasp.conf.j2 to
ecdsa256 and rename to ns3/kasp.conf.
Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2.
Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual.
Since the bootstrapping is done before the templates are rendered
automatically, replace @DEFAULT_ALGORITHM@ in ns3/kasp.conf.j2 to
ecdsa256 and rename to ns3/kasp.conf.
Now we have to fake different lifetimes, so adjust fake_lifetime
to update a single key.
Note that we have changed the setup slightly: We also sign the
step2 zones, but with post validation disabled. This is more
accurate because we need to test that the public keys and signatures
are being removed from the zone.
Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2.
Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual.
Since the bootstrapping is done before the templates are rendered
automatically, replace @DEFAULT_ALGORITHM_NUMBER@ in ns3/kasp.conf.j2 to
13 and rename to ns3/kasp.conf.
This test introduces an unsigned delegation, adjust render_and_sign_zone
and configure_tld accordingly.
Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2.
Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual.
Since the bootstrapping is done before the templates are rendered
automatically, replace @DEFAULT_ALGORITHM@ in ns3/kasp.conf.j2 to
ecdsa256 and rename to ns3/kasp.conf.
Write a python method to set the key predecessor/successor relationship
into the key state files.
Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2.
Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual.
The RSASHA256 keys are generated with dnssec-keygen, without a policy
provided. Thus we have to fake the lifetime for these keys.
Signing has to be done without the -z option, because the KSK should
not sign all records in case of a KSK/ZSK split. Update the signing
code to allow for extra options when signing with CSK only.
Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2.
Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual.
Since the bootstrapping is done before the templates are rendered
automatically, replace @DEFAULT_ALGORITHM@ in ns3/csk2.conf.j2 to
ecdsa256 and rename to ns3/csk2.conf.
Introduce rollover/setup.py for all setup related test code.
Introduce rollover/ns1 and rollover/ns2 to create a chain of trust to
all rollover related test zones. The tld zones in rollover/ns2 contain
a DSYNC record that at a later time will be used for testing Generalized
DNS Notifications.
Write a python version of private_type_record so we can put such
records in the zone via jinja2 templating.
There is no difference, so we are going to make it consistent. This will
make it easier to add a chain of trust for these zones (to be done in
a future commit).
Previously, this was only possible by making a new response by calling
make_response on qctx.query. This however ignored the `default_aa` and
`default_rcode` parameters of AsyncDnsServer.
Add prepare_new_response and save_initialized_response methods to
QueryContext.
Previously, ResponseHandlers had to reparse the queries themselves if
they wanted to use TSIG. This led to `default_aa` and `default_rcode`
information being lost from the newly created messages.
Add support for TSIG keyrings to the AsyncDnsServer class directly.
Previously, the server relied on the modules being imported by the
isctest.asyncserver module. This is fragile and confuses tooling.
Clean up stray imports in the process.
Previously, all responses had to be set as authoritative explicitly
using DnsResponseSend(..., authoritative=True). After using this,
it became obvious that this is obnoxious.
Add an optional keyword-only parameter to AsyncDnsServer that sets the
default value of the AA bit on outgoing responses.
Make all the other parameters keyword-only as well.
When this class was introduced, the constructor of its base class had no
parameters. This was changed in the meantime and these parameters were
not accessible by users of the subclass.
Don't override the constructor.
Move command setup to methods.
Move subclass-specific storage to cached properties.
Take instances of Command instead of the classes themselves for
symmetry with install_response_handler.
An existing SERVFAIL cache test is updated as it initially checks there
are no EDE (the first SERVFAIL) then immediately re-does the same query,
(still SERVFAIL), and expect the CACHED_ERROR EDE.
However, the configuration used for this test to generate a SERVFAIL is
a broken DNSSEC configuration, where the DNSKEY is not the expected one
(it's a ZSK instead of a KZK). As a result, the first attempt also now
raise an EDE (MISSING_DNSKEY).
The authoritative server on "missing-dnskey." zone is ns2, the zone is
initially signed normally, but then the DNSKEY are pulled out from the
signed generated zone file. As a consequence, a quering the resolver ns4
returns a SERVFAIL with EDE9 as the chain of trust is broken: the DS is
prsent in the parent zone (the root zone in ns1), but the DNSKEY is
missing from the zone.
A similar is "wrong-dnskey.", but here the zone is signed correctly,
but the DS points to a different DNSKEY. Hence no supported matching
DNSKEY record could be found for the child.
This test signs a large delegation with mostly insecure delegations
with NSEC3 optout. Once the NSEC3PARAM record is published, run
dnssec-verify to ensure the zone is correctly signed.
- ns3 had fips/rsasha1 config variants. These were refactored similarly
to the way they're handled in nsec3 test.
- ns3 special character zone contains @, which is interpreted by jinja2.
To avoid, {% raw %} directive was added
- ns6 contained unused policies and named2.conf, these were removed
The ns1 named.conf files were sufficiently similar to allow for
de-duplication. No attempt to de-duplicate ns3 was made due to
significant differences among the config files.
- Use a common ns2/named.conf.j2 template for all the "#TN"
replacements. Instead of commenting out with sed, render the template
differently into ns/namedX.conf using variables.
- Keep the final ns2/named7.conf.j2 (formerly ns2/named2.conf.in) as a
separate template for readability due to significant differences.
- The ns3/named.conf.j2 uses has a "#BAD" section that is only included
after restart. Turn it into ns3/named2.conf.
- Since the original config is then restored, keep a copy of it as
ns3/named1.conf using a symlink, causing it to be rendered twice.
- Use jinja2 templates for test* files to render the port number instead
of calling copy_setports in load_db().
- Instead of strings to be replaced by sed, use proper jinja templates.
- ns3/named1.conf.j2 is basically a copy of the default config, because
it needs to be restored later in the test.
- Move ns1/named.conf.j2 to ns1/named2.conf.j2 and adjust the python
test to render this template.
- Convert remaining .in files to .j2 and handle the multiple configs.
- Rename named.conf.j2 to named3.conf.j2 and adjust the python test to
render this template.
- Handle the n2 and ns3 multiple configs as in other similar cases
(ns2/named1.conf.in was moved to ns2/named.conf.j2).
- Merge ns*/statistics-channels.conf.in config snippets into
conditionally rendered section in ns*/named.conf.j2 files.
- Turn ns2/named.conf.in into ns2/named1.conf.j2 because it is used
later in the test to restore the original config.
- Symlink the ns2/named.conf.j2 ns2/named1.conf.j2 to pick a starting
config.
- Change ns2 header into jinja2 template.
- Keep the various ns2 config files as non-templates, same for the
named.default.conf to be consistent.
- Symlink the ns2/named.default.conf as a jinja2 template to pick a
starting config. It is rendered as a template to avoid an error when
the test would overwrite a git-tracked file.
- Use jinja2 templates for the ns3 files, keep named1.conf around
because it's needed later in the test to restore the config. Symlink
it to `ns3/named.conf.j2` to select a default config.
- Merge ns1/tls.options.in into ns1/named.conf.j2 and render it
conditionally. Also conditionally include the additional
ns1/tls.conf.j2 which is always rendered.
- Use multiple templates for ns7 and replace the copy_setports.
- Use jinja2 template for verylarge.in as well.
- Merge options-tls.conf into named.conf in ns2 and ns4 and render it
conditionally. Also conditionally include the additional
named-tls.conf which is always rendered.
- Merge options-tls.conf into named.conf in ns2 and ns4 and render it
conditionally. Also conditionally include the additional
named-tls.conf which is always rendered.
- Use multiple templates for ns3 and ns9 and replace the copy_setports.
- In ns3/named2.conf, use "root2.db" directly rather than replacing it
with "sed" later.
- Replace all named*.in files with jinja2 templates.
- Rename the config files to named.*.conf convention.
- Rename named.plain.in to named.plain.conf.j2 and symlink it as te
default config.
- Rename named.plainconf.in to named.plainlog.conf.j2 (there is a slight
difference from named.plain, despite the similar name)
- Replace named-altX.conf.in with namedX.conf.j2 to stick with the same
naming convention across the entire code base. Note than due to
named1.conf being the first (default) config, the numbers for the altX
are incremented.
- Turn alt9 into named7 to stick with the same number sequence. Adjust
the related file names accordingly.
Render the bad-tsig.db file using jinja2 template to get rid of
copy_setports.
Since the zone is using @ character, use the raw directive to avoid
interpreting it as a variable start.
The following tests use multiple named configs. Previously, these have
been rendered with copy_setports in tests.sh when needed. Transform
these into jinja2 templates and render them during setup. In the tests,
the copy_setports invocations can be then replaced with a simple cp.
This allows rendering multiple named*.conf files using the jinja2
template engine at test start and then simply copying the required
config to named.conf as needed.
The purpose of these variables is to be able to detect feature support
without calling feature-test. This becomes useful when detecting feature
support in jinja2 templates.
To unify the command handling, utilize EnvCmd() to handle rndc commands:
1. Remove isctest.rndc abstractions. They were intended for an upcoming
python-only implementation. A couple of years later, it doesn't seem
to be coming any time soon, so let's stick with the interface that
makes sense today, i.e. use the same command handling interface
everywhere.
2. Remove the specialized rndc.log in favor of the generic logging
already implemented by isctest.run.cmd(). I believe the cause of the
many rndc(log=False) invocations was that nobody wanted this extra
file. Yet, logging everything by default makes sense for debugging,
unless there's a good reason not to. In almost all cases, logging was
switched to the default (enabled).
3. With the NamedInstance.rndc() call now returning CmdResult rather
than combined stdout+stderr string, adjust all the invocations to use
`.out` or `.err` as necessary.
4. Replace some manual rndc invocation and its base argument
construction with the standardized nsX.rndc() call.
5. In cases where rndc is expected to fail, utilize
raise_on_exception=False and check the `.rc` from the result, rather
than handling an exception.
6. In addzone/tests_rndc_deadlock.py, refactor the test slightly to
avoid using EnvCmd() entirely to avoid spamming the logs. This test
calls rndc in a loop from multiple threads and such test case is an
exception which doesn't warrant changing the `isctest.run.cmd()`
implementation.
A generic helper that calls the environment-specified binaries in a
developer-friendly manner, i.e. passing arguments as strings rather than
having to split them first.
The isctest.run.cmd() remains as the basis which provides a clean and
robust interface, while the isctest.run.EnvCmd() can be used as a
convenient wrapper for tests, or when there are some shared default
parameters.
The isctest.run.Dig() is superseded with the isctest.run.EnvCmd(). In
the future, we might revisit adding Dig() or command-specific helpers
again, but it probably only makes sense if they offer command-aware
attributes / methods, rather than just being shortcuts to
isctest.run.EnvCmd().
Refactor the file handling to write to a file directly when calling
isctest.run.cmd().
Refactor the existing code to use CmdResult rather than out and err
separately.
Add a new Grep-like interface which can be used for searching for
regular expressions in files. Replace the prior LogFile used for named
logs with the new TextFile interface.
Add a new module for working with text and keep the isctest.log.watchlog
module focused on its purpose. Move LogFile and LineReader into the new
module. Add compile_pattern() helper which will be useful in subsequent
commits.
It's a fairly common pattern to use regular expression in our tests.
Instead of using the fairly verbose re.compile(), import that function
as Re() instead to allow for more brevity in the test syntax.
The manykeys test case relies on keys being removed. Make sure the
zone is fully signed with the keys that will stay, so the other keys
may be removed safely.
This means the expected number of signatures generated and refreshed
will change. The CDS and CDNSKEY RRset also need to be signed now.
Configure the test case with sig-signing-signatures 100, large enough
that the entire zone is processed in a single step.
The nsec3 system test has a couple of cases where the configured policy
changes the algorithm, effectively triggering an algorithm rollover. Fix
those cases to start in a valid DNSSEC state. Then fix the expected key
states, no longer should the old algorithm be removed immediately.
When creating keys, set Publish and Activate times so that keys will
be initialized as omnipresent. This way we start with a safe DNSSEC
state. In most cases at least, because some tests depend on special
key timings.
The ttl[1-4].example cases have become incorrect. With dnssec-policy
we require the TTL to match the dnskey-ttl from the policy.
The delzsk.example will have a ZSK removed from the zone. It also
requires that the DNSKEY RRset is already published. This means
that for the existing keys the, no longer "is now published"
messages will be logged.
The nsec-only.example and reconf.example zones are fixed to have a
correct matching policy.
This all means the expected count of log messages changes slightly.
This test case enables DNSSEC and has a mismatch in policy. Fix the
policy so that it matches the existing key set, and adjust the
expected answer count because no longer a new key is generated.
Make all non-scalar properties of `cfg_obj_t` allocated values, which
ensures the union size is the width of one pointer. Also reorder the
fields inside `cfg_obj_t` to avoid alignment padding that would increase
the size. As a result, a `cfg_obj_t` instance is now 48 bytes on a
64-bit platform.
Add a static assertion to avoid increasing the size of the struct by
mistake.
The function `parse_sockaddrsub` was taking advantage of the fact that
both sockaddr and sockaddrtls were in the same position, and used to
initialize the sockaddr field independently if this was a -tls one or
not. This doesn't work anymore now that all fields are allocated,
so it has been slightly rewritten to take both cases into account
separately.
CLEANUP is a macro similar to CHECK but unconditional, jumping
to cleanup even if the result is ISC_R_SUCCESS. It is now used
in place of DST_RET, CLEANUP_WITH, and CHECK(<non-success constant>).
previously, there were over 40 separate definitions of CHECK macros, of
which most used "goto cleanup", and the rest "goto failure" or "goto
out". there were another 10 definitions of RETERR, of which most were
identical to CHECK, but some simply returned a result code instead of
jumping to a cleanup label.
this has now been standardized throughout the code base: RETERR is for
returning an error code in the case of an error, and CHECK is for jumping
to a cleanup tag, which is now always called "cleanup". both macros are
defined in isc/util.h.
Add a system test which checks that a server authoritative on zone which
is not fully signed (here, it is missing the DNSKEY records as well as the
RRSIG on the RR `b`) still return the RRSIG associated with an RR if
provided in the zone.
In some cases we wait for the log message "sending notifies" before
proceeding with the test case. Notifies are rate limited. They are not
sent on every change to the zone. The "zone_needdump" messages happen on
every change.
We are not actually retrieving these records from the other provider,
they are available as key files to us and we are using those files
to send a dynamic update to the server.
This test is similar to model2.multisigner, but now the two providers
are both secondary, both using the same hidden primary. The DNSKEY,
CDNSKEY, and CDS records need to be published at the hidden primary,
ns5, the zone is transferred to both secondaries, ns3 and ns4.
To avoid intermittent test failures, we wait for the line
"zone {zone}/IN (signed): serial {serial2} (unsigned {serial1})" in
the secondary server logs. This is a signal that the unsigned zone
with serial <serial1> has a signed version ready with serial <serial2>.
To speed up the test, disable 'notify-delay'.
When testing multi-signer as bump-in-the-wire (upcoming test), we want
to be able to do dynamically updates to a hidden primary. Update the
test functions such that we can set a specific primary server.
This converts the model2.multisigner tests from the multisigner system
test to pytest based code. Crappy shell test functions such as
'zsks_are_published', 'records_published' and others are replaced with
the standard test code from isctest.kasp and by setting 'private=False'
and 'legacy=True' on the keys from the other providers so we don't do
any key file testing.
In !11121, a .merge member was added to cfg_clausedef_t. This caused
a build failure with -Werror,-Wmissing-field-initializers enabled.
Add the missing initializer and set them all to NULL to match the
intent.
Even though `remote-servers` now allows using named server-list with `key`
(or `tls`), the `key` or `tls` is not used, in the context of a named
server-list, when configuring the server.
For instance,
remote-servers foo { 10.53.0.5; };
also-notify { foo key fookey; };
won't use `fookey`.
Add a system test highlighting the problem.
In !9155, the QNAME minimization was changed to not leak the query type
to the parent name server. This violates RFC 9156 Section 3, step (3)
and it is not necessary. It also breaks some (weird) authoritative DNS
setups, especially when CNAMEs are involved. Also there is really no
privacy leak with query type.
Add isctest.kasp.Key.into_ta() method which convert the key into DS /
DNSKEY trust anchor for BIND config. Add a shared template
trusted.conf.j2 which can be linked to in tests to create the trust
anchor configuration from trust anchor data returned from bootstrap()
function.
This is basically a python replacement for the keyfile_to_static_ds (and
friends) from the conf.sh shell framework.
Previously, a DNSKEY string from keyfile was returned. This made the
function brittle for further processing, as the string would have to be
split up, concatenated, and TTL could be missing, making string indices
context-dependent.
Parse the DNSKEY rrset into a proper dnspython object and return it.
This makes the output more predictable and reliable, as all the
neccessary parsing is done by dnspython.
If the primary has been updated, but the secondary has not been
notified, the journal will go out of date. An 'rndc retransfer' causes
the zone to force an AXFR, removing and rebuilding zone and journal
files.
This test reproduces a bug that in such scenario, an NSEC3 signed zone
falls back to NSEC.
The "no root hints for view X" message must not be shown for the default
_bind/CH view. However, it is shown since 27c4f68dcc (part of effective
configuration changes).
The reason is that since 27c4f68dcc, `configure_views()` now processes
a single list of views, which contains both builtin and user views as
they are both part of the effective configuration. Those changes omitted
the `need_hints` bool that disabled the warning for the builtin view.
This commit silences the log message again.
