Previously, a lot of the checking was re-implemented and duplicated from
check_rollover_step(). Use that function where possible and only
override the needed checks.
(cherry picked from commit d6dffe6603)
Move key calculations and rollover step checks into the shared
isctest.kasp module. Deduplicate the key interval calculations.
(cherry picked from commit b410710354)
Rather than using multiple slightly modified named.conf files, use a
single template which can be rendered differently based on an input
argument -- in this case, csk_roll.
(cherry picked from commit 784a252425)
- Refactor and extend the `WatchLog.wait_for_line()` API:
1. To allow for usage of one or more FlexPatterns, i.e. either plain
strings to be matched verbatim, or regular expressions. Both can be
used interchangeably to provide the caller to write simple and
readable test code, while allowing for increased complexity to allow
special cases.
2. Always return the regex match, which allows the caller to identify
which line was matched, as well as to extract any additional
information, such as individual regex groups.
- Add `WatchLog.wait_for_sequence()` and `WatchLog.wait_for_all()` helper functions
Backport of MR !10618
Merge branch 'backport-nicki/watchlog-improvements-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10749
The test is troublesome, because NamedInstance(identifier) expects that
a directory with such a name exists. While it'd be possible to mock
those directories as well, it'd make the doctest overly long and
complex, which isn't justified, given that it's only testing a couple of
options. Turn it into regular documentation instead.
(cherry picked from commit dcfb6c23da)
The buffered reading of finished lines deserves its own class to make
its function clearer, rather than bundling it within the WatchLog class.
Co-Authored-By: Michał Kępień <michal@isc.org>
(cherry picked from commit ee782fb4b1)
Various improvements for typing, naming, code deduplication and better
code organization to make the code easier to read.
(cherry picked from commit 3c8432d196)
Extend the WatchLog API with a couple of new matching options.
wait_for_sequence() can be used to check a specific sequence of lines
appears in the log file in the given order.
wait_for_all() ensure that all the provided patterns appear in the log
at least once.
Co-authored-by: Colin Vidal <colin@isc.org>
(cherry picked from commit 0a839cd0bd)
To allow re-use in upcoming functions, isolate the line matching logic
into a separate function. Use an instance-wide deadline attribute, which
is set by the calling function.
(cherry picked from commit 365f8b6af6)
Rather than using two distinct functions for matching either one pattern
(wait_for_line()), or any of multiple patterns (wait_for_lines()), use a
single function that handles both in the same way.
Extend the wait_for_line() API:
1. To allow for usage of one or more FlexPatterns, i.e. either plain
strings to be matched verbatim, or regular expressions. Both can be
used interchangeably to provide the caller to write simple and
readable test code, while allowing for increased complexity to allow
special cases.
2. Always return the regex match, which allows the caller to identify
which line was matched, as well as to extract any additional
information, such as individual regex groups.
(cherry picked from commit 5840908ead)
To simplify usage of multiple wait_for_*() calls, configure the timeout
value for the WatchLog instance, rather than specifying it for each
call.
This is a preparation/cleanup for implementing multiple wait_for_*()
calls in subsequent commits.
(cherry picked from commit f2679bff19)
Move the line buffering functionality into _readline() to improve the
readability of code. This also allows reading the file contents from
other functions, since the line buffer is now an attribute of the class.
(cherry picked from commit 67896ddde2)
Fix some broken doctest in watchlog.py (no semantic error, but API
slightly changed and broke some output messags). Also add a test for a
missing failure case.
(cherry picked from commit 9778068253)
Add missing test for the variable 'a' being empty on linux.
Closes#5423
Backport of MR !10740
Merge branch 'backport-5423-fix-ifconfig-sh-script-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10744
RSASHA1 and RSASHA1-NSEC-SHA1 DNSKEY algorithms have been deprecated
by the IETF and should no longer be used for DNSSEC. DS digest type
1 (SHA1) has also been deprecated. Validators are now expected
to treat these algorithms and digest as unknown, resulting in
some zones being treated as insecure when they were previously treated
as secure. Warnings have been added to named and tools when these
algorithms and this digest are being used for signing.
Zones signed with RSASHA1 or RSASHA1-NSEC-SHA1 should be migrated
to a different DNSKEY algorithm.
Zones with DS or CDS records with digest type 1 (SHA1) should be
updated to use a different digest type (e.g. SHA256) and the digest
type 1 records should be removed.
Related to #5358
Backport of MR !10559
Merge branch 'backport-5358-add-sha1-deprecation-warnings-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10738
DNSKEY algorithms RSASHA1 and RSASHA-NSEC3-SHA1 and DS digest type
SHA1 are deprecated. Log when these are present in primary zone
files and when generating new DNSKEYs, DS and CDS records.
(cherry picked from commit cb6903c55e)
Replace the custom DNS server used in the "tsig" system test with
new code based on the isctest.asyncserver module.
Changes to isctest.asyncserver are required, previously it did not
handle TSIG signed queries at all. Now, with some hacking around
a [dnspython bug](https://github.com/rthalley/dnspython/issues/1205) it does.
Backport of MR !10566
Merge branch 'backport-stepan/tsig-asyncserver-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10732
Replace the custom DNS server used in the "tsig" system test with
new code based on the isctest.asyncserver module.
(cherry picked from commit e34e831cab)
Previously, upon receiving a query with TSIG, the server would log
an error and timeout. As there is no way to set up the keyring in the
class anyway (and I believe we don't need it), this commit lets such
queries parse but logs the fact that the query has TSIG.
However, there is a bug [1] in dnspython, which causes `make_response`
and `to_wire` to crash on messages constructed by `from_wire` with
`keyring=False`, so the hack with `message.__class__` is needed to work
around this.
This makes just enough changes for the tsig system test to work with
dnspython >= 2.0.0. On older version the server gives up.
[1] https://github.com/rthalley/dnspython/issues/1205
(cherry picked from commit 72ac1fe234)
The ADB memory cleaning is opportunistic even when we are under
memory pressure (in the overmem condition). Split the opportunistic
LRU cleaning and overmem cleaning and make the overmem cleaning
always cleanup double of the newly allocated adbname/adbentry to
ensure we never allocate more memory than the assigned limit.
Backport of MR !10637
Merge branch 'backport-ondrej/enforce-memory-cleanup-in-ADB-when-overmem-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10707
The purge_stale_names()/purge_stale_entries() is opportunistic even when
we are under memory pressure (overmem). Split the opportunistic LRU
cleaning and overmem cleaning. This makes the stale purging much
simpler as we don't have to try that hard and makes the overmem cleaning
always cleanup double the amount of the newly allocated ADB name/entry.
(cherry picked from commit eb0ffa0d5f)
When used with the ``+keepopen`` option with a TCP connection, iscman:`dig`
could terminate unexpectedly in rare situations. Additionally, iscman:`dig`
could hang and fail to shutdown properly when interrupted during a query.
These have been fixed.
Closes#5381
Backport of MR !10681
Merge branch 'backport-5381-dig-keepalive-crash-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10727
When send_done() is called with a ISC_R_CANCELED status (e.g. because
of a signal from ctrl+c), dig can fail to shutdown because
check_if_done() is not called in the branch. Add a check_if_done()
call.
(cherry picked from commit 5d1a8fe755)
When reusing a TCP connection (because of the '+keepopen' option),
dig detaches from the query after launching it. This can cause a
crash in dig in rare cases when the "receive" callback is called
earlier than the "send" callback.
The '_cancel_lookup()' function detaches a query only if it's
found in the 'lookup->q' list. Before this commit, with one
additional detach happening before recv_done() -> _cancel_lookup()
is called, it didn't cause problems because an earlier _query_detach()
was unlinking the query from 'lookup->q' (because it was the last
reference), so the additional detach and the skipped detach were
undoing each other.
That is unless the "receive" callback was called earlier than the
"send" callback, in which case the additional detach wasn't destroying
the query (and wasn't unlinking it from 'lookup->q') because the "send"
callback's attachment was still there, and so _cancel_lookup() was
trying to "steal" the "send" callback's attachment and causing an
assertion on 'INSIST(query->sendhandle == NULL);'.
Delete the detachment which caused the described situation.
(cherry picked from commit a2685696aa)
Responses which were dropped or slipped because of RRL (Response Rate
Limiting) were logged in the ``rate-limit`` category instead of the
``query-errors`` category, as documented in ARM. This has been fixed.
Closes#5388
Backport of MR !10676
Merge branch 'backport-5388-rrl-log-category-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10725