Commit graph

12398 commits

Author SHA1 Message Date
Petr Špaček
9e3f5fb775 Fix link to TXT RRtype specification
The odd-looking "\ " escape is required to italicize <character-string>
without italicizing the final "s". See reStructuredText Markup
Specification, sections "Inline markup recognition rules" and "Escaping
Mechanism". Most importantly:

Escaped whitespace characters are removed from the output document
together with the escaping backslash. This allows for character-level
inline markup.

(cherry picked from commit 43c5b9aeb4)
2025-06-02 14:23:05 +00:00
Petr Špaček
98efb42643 Add exhaustive examples for named-rrchecker
(cherry picked from commit 46173778ce)
2025-06-02 14:23:05 +00:00
Petr Špaček
316a69a87d Clarify named-rrchecker return codes
(cherry picked from commit c986d37f24)
2025-06-02 14:23:05 +00:00
Petr Špaček
233599b5ae Clarify named-rrchecker command line parameters
(cherry picked from commit c440c418db)
2025-06-02 14:23:05 +00:00
Petr Špaček
9eb528f1e0 Clarify named-rrchecker input format
(cherry picked from commit 5c370d9e6b)
2025-06-02 14:23:05 +00:00
Michal Nowak
5419a563d8 Use "digit" class instead of character range in rndc_dumpdb()
The tr range did not work on Solaris 11.4. Let's use a class that is
defined in POSIX.

(cherry picked from commit baa5ccd795)
2025-06-02 11:04:02 +00:00
Nicki Křížek
a2591c8b38 Add dynamic update facility to NamedInstance
Deduplicate the code for dynamic updates and increase code clarity by
using an actual dns.update.UpdateMessage rather than an undefined
intermediary format passed around as a list of arguments.

(cherry picked from commit c00121b4c2)
2025-06-02 09:22:07 +00:00
Matthijs Mekking
5a5944a9ce Convert csk rollover test cases to pytest
Move the 'csk-roll1' and 'csk-roll2' zones to the rollover test dir and
convert CSK rollover tests to pytest.

The DS swap spans multiple steps. Only the first time we should check
if the "CDS is now published" log is there, and only the first time we
should run 'rndc dnssec -checkds' on the keys. Add a new key to the
step dictionary to disable the DS swap checks.

This made me realize that we need to check for "is not None" in case
the value in the dictionary is False. Update check_rollover_step()
accordingly, and also add a log message stating which step/zone we are
currently checking.

(cherry picked from commit fd290f391f)
2025-06-02 09:22:07 +00:00
Matthijs Mekking
4602ffae7c Convert the 'three is a crowd' test case to pytest
This test shows similarities with the Double KSK rollover method, so
put the test in there.

(cherry picked from commit 46800e407e)
2025-06-02 09:22:07 +00:00
Matthijs Mekking
fd9f966d5a Convert ksk rollover test case to pytest
Move the 'ksk-doubleksk' zones to the rollover test dir and convert KSK
rollover test to pytest.

Since the 'ksk-doubleksk' policy publishes different CDNSKEY/CDS RRsets,
update the 'check_rollover_step' to check which CDNSKEY/CDS RRsets should
be published and which should be prohibited. Update 'isctest.kasp'
accordingly.

We are changing the ZSK lifetime to unlimited in this test case as it
is of no importance (this actually discovered a bug in setting the
next time the keymgr should run).

(cherry picked from commit 9ff7609614)
2025-06-02 09:22:07 +00:00
Matthijs Mekking
239a37946b Convert zsk rollover test case to pytest
Move the 'zsk-prepub' zones to the rollover test dir and convert ZSK
rollover test to pytest.

We need a way to signal a smooth rollover is going on. Signatures are
being replaced gradually during a ZSK rollover, so the existing
signatures of the predecessor ZSK are still being used. Add a smooth
operator to set the right expectations on what signatures are being
used.

Setting expected key relationships is a bit crude: a list of two
elements where the first element is the index of the expected keys that
is the predecessor, and the second element is the index of the expected
keys that is the successor.

We are changing the KSK lifetime to unlimited in this test case as it
is of no importance.

(cherry picked from commit bd6c70bd67)
2025-06-02 09:22:07 +00:00
Matthijs Mekking
ee4199f22a Convert enable dnssec test case to pytest
Move the 'enable-dnssec' to the rollover test dir and convert to pytest.

This requires new test functionality to check that "CDS is published"
messages are logged (or prohibited).

The setup part is slightly adapted such that it no longer needs to
set the '-P sync' value in most cases (this is then set by 'named'),
and to adjust for the inappropriate safety intervals fix.

(cherry picked from commit 233fdb8d52)
2025-06-02 09:22:07 +00:00
Matthijs Mekking
fc0533b9f5 Convert kasp multi-signer tests to pytest
Move the multi-signer test scenarios to the rollover directory and
convert tests to pytest.

- If the KeyProperties set the "legacy" to True, don't set expected
  key times, nor check them. Also, when a matching key is found, set
  key.external to True.
- External keys don't show up in the 'rndc dnssec -status' output so
  skip them in the 'check_dnssecstatus' function. External keys never
  sign RRsets, so also skip those keys in the '_check_signatures'
  function.
- Key properties strings now can set expected key tag ranges, and if
  KeyProperties have tag ranges set, they are checked.

(cherry picked from commit 8ee02190a5)
2025-06-02 09:22:07 +00:00
Matthijs Mekking
ba71be8ed1 Move rollover test cases to separate test dir
In order to keep the kasp system test somewhat approachable, let's
move all rollover scenarios to their own test directory. Starting with
the manual rollover test cases.

A new test function is added to 'isctest.kasp', to verify that the
relationship metadata (Predecessor, Successor) is set correctly.

The configuration and setup for the zone 'manual-rollover.kasp' are
almost copied verbatim; the only exception is the keytimes. Similar
to the kasp test cases, we no longer set "SyncPublish/PublishCDS" in
the setup script. In addition to that, the offset is changed from one
day ago to one week ago, so that the key states match the timing
metadata (one day is too short to move a key from "hidden" to
"omnipresent").

(cherry picked from commit 4d08ec50d1)
2025-06-02 09:22:07 +00:00
Michał Kępień
db8b22433b Use isctest.asyncserver in the "chain" test
Replace the custom DNS servers used in the "chain" system test with
new code based on the isctest.asyncserver module.

For ans3, replace the sequence of logical conditions present in Perl
code with zone files and a limited amount of custom logic applied on top
of them where necessary.

For ans4, replace the ctl_channel() and create_response() functions with
a custom control command handler coupled with a dynamically instantiated
response handler, making the code more robust and readable.

Migrate sendcmd() and its uses to the new way of sending control queries
to custom servers used in system tests.

(cherry picked from commit c3d3c9955d)
2025-05-30 20:43:33 +02:00
Michał Kępień
f93d783ec6 Improve readability of sendcmd() calls
To improve readability of sendcmd() calls used for controlling
isctest.asyncserver-based custom DNS servers, pass the command's name
and arguments as separate parameters.

(cherry picked from commit 9a230c16ff)
2025-05-30 20:43:33 +02:00
Michał Kępień
f39864d3ec Force manual DNAME handling to be acknowledged
Adding proper DNAME support to AsyncDnsServer would add complexity to
its code for little gain: DNAME use in custom system test servers is
limited to crafting responses that attempt to trigger bugs in named.

This fact will not be obvious to AsyncDnsServer users as it
automatically loads all zone files it finds and handles CNAME records
like a normal authoritative DNS server would.

Therefore, to prevent surprises:

  - raise an exception whenever DNAME records are found in any of the
    zone files loaded by AsyncDnsServer,

  - add a new optional argument to the AsyncDnsServer constructor that
    enables suppressing this new behavior, enabling zones with DNAME
    records to be loaded anyway.

This enables response handlers to use the DNAME records present in zone
files in arbitrary ways without complicating the "base" code.

(cherry picked from commit 8a562526f6)
2025-05-30 16:19:05 +00:00
Michał Kępień
8acd4c685c Drop unused AsyncDnsServer constructor argument
The constructor for the AsyncDnsServer class takes a 'load_zones'
argument that is not used anywhere and is not expected to be useful in
the future: zone files are not required for an AsyncDnsServer instance
to start and, if necessary, zone-based answers can be suppressed or
modified by installing a custom response handler.

(cherry picked from commit 5110278008)
2025-05-30 16:19:04 +00:00
Michał Kępień
e3f75d1a44 Properly handle CNAMEs when preparing responses
dnspython does not treat CNAME records in zone files in any special way;
they are just RRsets belonging to zone nodes.  Process CNAMEs when
preparing zone-based responses just like a normal authoritative DNS
server would.

(cherry picked from commit 1b8ceec580)
2025-05-30 16:19:04 +00:00
Michał Kępień
717f334daf Add debug logs for outgoing DNS messages
Since AsyncDnsServer logs incoming DNS messages as seen on the wire, do
the same for the responses sent by the server.

(cherry picked from commit 2a9c74546d)
2025-05-30 16:19:04 +00:00
Matthijs Mekking
d2a6af1906 Fix intermittent kasp pytest failures
The pytest cases check if a zone is signed by looking at the NSEC
record at the apex. If that has an RRSIG record, it is considered
signed. But 'named' signs zones incrementally (in batches) and so
the zone may still lack some signatures. In other words, the tests
may consider a zone signed while in fact signing is not yet complete,
and then perform additional checks such as whether a subdomain is signed
with the right key. If this check happens before the zone is actually
fully signed, the check will fail.

Fix this by using 'check_dnssec_verify' instead of
'check_is_zone_signed'. We were already doing this check, but we now
move it up. This will transfer the zone and then run 'dnssec-verify'
on the response. If the zone is partially signed, the check will fail,
and it will retry for up to ten times.

(cherry picked from commit 7a31fd57e2)
2025-05-29 12:35:22 +00:00
Nicki Křížek
1c08636cbc Ensure supported version of hypothesis is available
On FIPS-enabled platforms, we need to ensure a minimal version of
hypothesis which no longer uses MD5. This doesn't need to be enforced
for other platforms.

Move the import magic to a utility module to avoid copy-pasting the
boilerplate code around.

(cherry picked from commit 0aff715f40)
2025-05-29 09:04:30 +00:00
Ondřej Surý
1945fbc0dc Set name for all the isc_mem contexts
The memory context for managers and dlz_dlopen_driver units had no name
and that was causing trouble with the statistics channel output.  Set
the name for the two memory contexts that were missing a proper name.

(cherry picked from commit 5d264b3329)
2025-05-29 05:45:12 +02:00
Aram Sargsyan
fa974811a9 Emit an ISC_R_CANCELED result instead of ISC_R_SHUTTINGDOWN
When the request manager shuts down, it also shuts down all its ongoing
requests. Currently it calls their callback functions with an
ISC_R_SHUTTINGDOWN result code for the request. Since a request
manager can shut down not only during named shutdown but also during
named reconfiguration, instead of sending an ISC_R_SHUTTINGDOWN result
code send an ISC_R_CANCELED code to avoid confusion and errors with
the expectation that an ISC_R_SHUTTINGDOWN result code can only be
received during actual shutdown of named.

All the callback functions which are passed to either the
dns_request_create() or the dns_request_createraw() functions have
been analyzed to confirm that they can process both the
ISC_R_SHUTTINGDOWN and ISC_R_CANCELED result codes. Changes were
made where it was necessary.

(cherry picked from commit f4cd307c6b)
2025-05-28 19:18:19 +02:00
Aram Sargsyan
20eb80333e Test named reconfiguration during zone transfer's SOA request
This new test checks that named can correctly process an interrupted
SOA request during zone transfer, caused by reconfiguration.

Co-authored-by: Michał Kępień <michal@isc.org>
(cherry picked from commit aa6ca3e776)
2025-05-28 19:18:19 +02:00
Colin Vidal
d85610f07d enable shell-based rndc system tests
Enable existing rndc system tests (the python test function calling the
shell file was missing). Also update the extra artifacts list to remove
one generated file which was left behind.

(cherry picked from commit f84065a32c)
2025-05-28 15:44:58 +00:00
Petr Špaček
4650a1b065 Use Pytest mark to guard dnstap features
(cherry picked from commit 889b360167)
2025-05-28 13:27:44 +02:00
Petr Špaček
a6e16b76b2 Fix DNSTAP feature detection for pytest
(cherry picked from commit 313a985dfc)
2025-05-28 13:27:42 +02:00
Petr Špaček
ddbcf9192c Port dnstap test to use isctest utilities
(cherry picked from commit f176acdfcc)
2025-05-28 11:17:30 +00:00
Nicki Křížek
e77b1275a0 Add a bad TSIG algorithm hypothesis python test
Co-authored-by: Petr Špaček <pspacek@isc.org>
(cherry picked from commit 96b0621de4)
2025-05-23 11:31:42 +00:00
Aram Sargsyan
a90e3b9e6f Implement a new 'notify-defer' configuration option
This new option sets the delay, in seconds, to wait before sending
a set of NOTIFY messages for a zone. Whenever a NOTIFY message is
ready to be sent, sending will be deferred for this duration.

(cherry picked from commit e42d6b4810)
2025-05-16 09:58:48 +00:00
Aram Sargsyan
cdd8f5f966 Fix more catz system test errors
A quick grep check discovered a couple more errors similar to the
one fixed in the previous commit. Fix them too.

(cherry picked from commit 52ac03f064)
2025-05-15 12:20:19 +00:00
Aram Sargsyan
1930dbf749 Fix catz system test error
The '|| ret=1' is omitted from the check. This was introduced in the
b171cacf4f commit. Fix the error.

(cherry picked from commit f200b1ac18)
2025-05-15 12:20:19 +00:00
Michał Kępień
9e6c8f1637 Mark test_idle_timeout as flaky on FreeBSD 13
The test_idle_timeout check in the "timeouts" system test has been
failing often on FreeBSD 13 AWS hosts.  Adding timestamped debug logging
shows that the time.sleep() calls used in that check are returning
significantly later than asked to on that platform (e.g. after 4 seconds
when just 1 second is requested), breaking the test's timing assumptions
and triggering false positives.  These failures are not an indication of
a bug in named and have not been observed on any other platform.  Mark
the problematic check as flaky, but only on FreeBSD 13, so that other
failure modes are caught appropriately.

(cherry picked from commit cb76b3729e)
2025-05-14 17:18:53 +00:00
Michal Nowak
3682ccecb5 Revert "Ignore .hypothesis files created by system tests"
This reverts commit f413ddbe5f.

(cherry picked from commit 84c565878e)
2025-05-13 16:26:24 +00:00
Mark Andrews
c3ec565f74 Fix a typo in a test description
The test description "checking delv -c CH is ignored, and
treated like IN" in digdelv was garbled.

(cherry picked from commit 5424b30d7a)
2025-05-07 00:00:10 -07:00
Mark Andrews
75ef402296 Check EDNS CLIENT-TAG and SERVER-TAG are emitted using valid YAML
Check that when an EDNS CLIENT-TAG or EDNS SERVER-TAG option is
present in the message, the emitted YAML is valid.

(cherry picked from commit 2efb15b54a)
2025-05-07 00:00:10 -07:00
Mark Andrews
082f22b2ff Check EDNS EXPIRE option is emitted using valid YAML
Check that when an EDNS EXPIRE option is present in the message,
the emitted YAML is valid.

(cherry picked from commit e611e2044a)
2025-05-07 00:00:10 -07:00
Mark Andrews
c0748d071f Check EDNS CLIENT-SUBNET option is emitted using valid YAML
Check that when there is an EDNS CLIENT-SUBNET option in the
message, the emitted YAML is valid.

(cherry picked from commit 641ca9044f)
2025-05-07 00:00:10 -07:00
Mark Andrews
d5b9e6790f Fix EDNS TCP-KEEPALIVE option YAML output
There was missing white space between the option name and its value.

(cherry picked from commit 07c28652a3)
2025-05-07 00:00:10 -07:00
Mark Andrews
246fadfef2 Fix EDNS LLQ option YAML output
The EDNS LLQ option was not being emitted as valid YAML. Correct
the output to be valid YAML with each field of the LLQ being
individually selectable.

(cherry picked from commit 81334113c3)
2025-05-07 00:00:10 -07:00
Mark Andrews
758f5e6892 Change the EDNS KEY-TAG YAML output format
When using YAML, print the EDNS KEY-TAG as an array of integers
for easier machine parsing. Check the validity of the YAML output.

(cherry picked from commit 27e8732c17)
2025-05-07 00:00:10 -07:00
Mark Andrews
b02ff4c501 Use YAML comments for durations rather than parentheses
This will allow the values to be parsed using standard yaml processing
tools, and still provide the value in a human friendly form.

(cherry picked from commit 378bc7cfa6)
2025-05-07 00:00:10 -07:00
Mark Andrews
09893287c2 Change the name and YAML format of EDNS UL
The official EDNS option name for "UL" is "UPDATE-LEASE".  We now
emit "UPDATE-LEASE" instead of "UL", when printing messages, but
"UL" has been retained as an alias on the command line.

Update leases consist of 1 or 2 values, LEASE and KEY-LEASE.  These
components are now emitted separately so they can be easily extracted
from YAML output.  Tests have been added to check YAML correctness.

(cherry picked from commit 68cdc4774c)
2025-05-07 00:00:10 -07:00
Mark Andrews
44fc37033e Add YAML escaping where needed
When rendering text, such as domain names or the EXTRA-TEXT
field of the EDE option, backslashes and quotation marks must
be escaped to ensure that the emitted message is valid YAML.

(cherry picked from commit 280e9b7cf4)
2025-05-07 00:00:10 -07:00
Evan Hunt
858b3f763b refactor, add missing EDNS options, and fix option names
some EDNS option names, including DAU, DHU, N3U, and CHAIN,
were not printed in dns_message_pseudosectiontotext() or
_pseudosectiontoyaml(); they were displayed as unknown options.
this has been corrected.

that code was also refactored to use switch instead of if/else,
and to look up the option code names in a table to prevent
inconsistencies between the two formats. one such inconsistency
was corrected: the "TCP-KEEPALIVE" option is now always printed
with a hyphen, instead of being "TCP KEEPALIVE" when not using
YAML. the keepalive system test has been updated to expect this.

EDNS options that print DNS names (i.e., CHAIN and Report-Channel)
now enclose them in quotation marks to ensure YAML correctness.
the auth system test has been updated to expect this when grepping
for Report-Channel options.

(cherry picked from commit e2393ba27b)
2025-05-07 00:00:10 -07:00
Evan Hunt
b202ecc7ca add missing EDNS option mnemonics to dig
Report-Channel and ZONEVERSION EDNS options can now be sent
using `dig +ednsopt=report-channel` (or `dig +ednsopt=rc` for
short), and `dig +ednsopt=zoneversion`.

(cherry picked from commit c30754f28b)
2025-05-07 00:00:10 -07:00
Mark Andrews
5a7274cbd6 Don't depend on keys being sorted
Extract each section of the bundle and check that the expected
records are there.  The old code was assuming that the records in
each section were in a particular order, which didn't happen in
practice.

(cherry picked from commit 92a50dab28)
2025-05-02 07:13:33 +00:00
Matthijs Mekking
ca0ae03488 Convert kasp inheritance tests
These tests ensure that if dnssec-policy is set on a higher level, the
zone is still signed (or unsigned) as expected. Or if a higher level
has an override, the new policy is honored as expected.

(cherry picked from commit 2e4cc70626)
2025-04-30 07:56:31 +00:00
Matthijs Mekking
dc74bc8051 Convert reload/restart kasp test case
This test checks that the SOA SERIAL and TTL are adjusted correctly
after a reload/restart.

(cherry picked from commit bff7453e50)
2025-04-30 07:56:31 +00:00