Commit graph

42959 commits

Author SHA1 Message Date
Michal Nowak
cb96d9c8e2 Import isc/list.h after cmocka to avoid redefinition errors
In file included from diff_test.c:25:
    /usr/local/include/cmocka.h:2333:1: error: unknown attribute '_Noreturn' ignored [-Werror,-Wunknown-attributes]
     2333 | CMOCKA_NORETURN void _fail(const char * const file, const int line);
          | ^~~~~~~~~~~~~~~
    /usr/local/include/cmocka.h:129:41: note: expanded from macro 'CMOCKA_NORETURN'
      129 | #define CMOCKA_NORETURN __attribute__ ((noreturn))
          |                                         ^~~~~~~~
    /usr/include/stdnoreturn.h:36:19: note: expanded from macro 'noreturn'
       36 | #define noreturn                _Noreturn
          |                                 ^~~~~~~~~
2025-07-29 14:07:05 +02:00
Petr Špaček
da561d6b28 [9.20] new: test: Robust tests for NSEC3 nonexistent QNAME proof
Related to #5292

Backport of MR !10416

Merge branch 'backport-5292-wrong-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10788
2025-07-29 10:52:36 +00:00
Michał Kępień
55979e4566 Adjust type hints for the "nsec3-answer" test
Add missing type hints in the tests_nsec3.py module.  Tweak the syntax
used for type hints for better consistency with other Python code in
bin/tests/system/.

(cherry picked from commit adb931f700)
2025-07-29 11:31:56 +02:00
Petr Špaček
c8ec836fe1 Add more empty non-terminals to test zone
I don't know exactly why, I just have a feeling there might be
interesting corner cases somewhere.

(cherry picked from commit fc3d5e5918)
2025-07-29 11:31:56 +02:00
Petr Špaček
67a8ada1b7 Randomize NSEC3 salt
This should prevent the case where are are unlucky enough that static
values hash 'just right' for the test to pass, but only accidentally.

(cherry picked from commit 46781845ea)
2025-07-29 11:31:56 +02:00
Petr Špaček
4680f50dc5 Test proof of nonexistance of DS in insecure referrals
Currently this test is limited only to auth because currently BIND
resolver does not send DS proof of nonexistence for RD=0 queries.

(cherry picked from commit 548632b18a)
2025-07-29 11:31:56 +02:00
Petr Špaček
f1e885bee8 Test dangling DNAME answers come with NXDOMAIN proofs
Simplistic test. Ignores the possibility of DNAME chain going through
multiple zones and/or wildcard expansions.

(cherry picked from commit 73e4201331)
2025-07-29 11:31:56 +02:00
Petr Špaček
785009354c Test dangling CNAMEs come with NXDOMAIN proofs
Simplistic test. Ignores the possibility of CNAME chain going through
multiple zones and/or wildcard expansions.

(cherry picked from commit d0e413dd57)
2025-07-29 11:31:56 +02:00
Petr Špaček
8926c20af7 Move query outside of check_() functions
This allows better check() code reuse.

(cherry picked from commit cc6544b417)
2025-07-29 11:31:56 +02:00
Petr Špaček
f0b5967f10 Separate test into a new directory
The test actually needs just two servers - auth and resolver. The rest
was not needed and made test setup only slower and harder to debug.

(cherry picked from commit ac58b58002)
2025-07-29 11:31:56 +02:00
Petr Špaček
6f37f5dc85 Test simple NODATA answers with NSEC3
(cherry picked from commit a92391f60f)
2025-07-29 11:31:56 +02:00
Petr Špaček
827258fb37 Detect extraneous NSEC3 RRs in responses
We expect minimal possible answers which prove what they have to
according to DNSSEC protocol.

(cherry picked from commit b854d5a3f5)
2025-07-29 11:31:56 +02:00
Petr Špaček
a76fa47bda Move proof checking into a NSEC3Checker class
(cherry picked from commit c45ad51860)
2025-07-29 11:31:56 +02:00
Petr Špaček
f05b396193 Add consistency checks to responses with NSEC3
Basic sanity checks - limited to responses from a single zone:
- NSEC3 type cannot be present in type bitmap:
  By definition, the type bitmap describes state of the unhashed name
  but NSEC3 RR is present at a different owner name. RFC 7129 section 5
- NSEC3 owner names cannot be duplicated:
  Unless the response crosses zone boundary, parent zone has insecure
  delegation for child, but child is signed ... don't do that.
- All parameters are consistent across all RRs present in answer:
  RFC 5155 section 7.2, last paragraph - at least when we don't cross
  zone boundary.

(cherry picked from commit cfaf5c997f)
2025-07-29 11:31:56 +02:00
Petr Špaček
1c906025e8 Split NXDOMAIN/NOERROR/NODATA test cases
Untangling individual cases allows for clearer documentation and makes
it easier to build similar but slightly different test cases.  Wildcard
NODATA answer was added.

(cherry picked from commit 9ca2077274)
2025-07-29 11:31:56 +02:00
Petr Špaček
c45c748d50 Extract closest encloser and source of synthesis logic into ZoneAnalyzer
As a side-effect, we now have set of all existing names in a zone with a
test, too. These parts should be shared with new NSEC tests.

(cherry picked from commit f0592de608)
2025-07-29 11:31:56 +02:00
Petr Špaček
27fc20bfeb Use isctest library to check hypothesis version
Side-effect of importing from isctest.hypothesis first is a version
check and clean Pytest skip if version is too old.

(cherry picked from commit 9cea2af25c)
2025-07-29 11:31:56 +02:00
Petr Špaček
15126a6315 Generate comprehensive tests for ZoneAnalyzer utility class
Test all combinations of wildcard, ENT, DNAME, NS, and ordinary
TXT records.

Test zone and expected outputs are generated by another script which
encodes node content into node name. This encoding removes 'node
content' level of indirection and thus enables simpler implementation of
same logic which needs to be in ZoneAnalyzer itself.

For humans the generated zone file also lists expected 'categories' a
name belongs to as dot-separated list on right hand side of a generated
RR.

(cherry picked from commit 42b60a3819)
2025-07-29 11:31:56 +02:00
Petr Špaček
47bea54971 Test ZoneAnalyzer utility class
I've considered writing hypothesis test for this but I would have to
reimplement the same thing, which would probably have the same logic
bugs, so I will leave it as an exercise for someone else.

(cherry picked from commit cad48e56ab)
2025-07-29 11:31:56 +02:00
Petr Špaček
26bd3f2019 Separate zone analyzer from NSEC3 test
Code to generate ENTs, detect wildcards, occlusion etc. is generic
enough to be in an utility module.

(cherry picked from commit dbba59f48b)
2025-07-29 11:31:56 +02:00
Petr Špaček
b6b6b6f45b Shorten syntax to access Name object
dns.name all over the place does not make it easier to read the code at
all, and I'm going to add lot more code here.

(cherry picked from commit 3fb6b990af)
2025-07-29 11:31:56 +02:00
Petr Špaček
fa9ca7f3ee Move multi-subdomain name generator into shared utilities
(cherry picked from commit bd8be10329)
2025-07-29 11:31:56 +02:00
Evan Hunt
6931586fad Add property based test for nsec3hash utility
Check the correctness of NSEC3 hash generation by generating random
combinations of name, salt, and iterations and comparing the outputs
of the nsec3hash tool against the dnspython nsec3_hash function
for the same inputs.

(cherry picked from commit e263df8848)
2025-07-29 11:31:56 +02:00
Petr Špaček
0472b39835 Test also with subdomains of existing names
Composite strategy makes sure we always test with a subdomain of an
existing name.

(cherry picked from commit 84ad35e7af)
2025-07-29 11:31:56 +02:00
Petr Špaček
09856ee296 Dedup NSEC3 get_next_name function
(cherry picked from commit f9e12a840d)
2025-07-29 11:31:56 +02:00
Matthijs Mekking
0b9a129990 Add a property based test for NSEC3 proofs for non-existent QNAMEs
For any given NSEC3 signed zone, when doing queries for non-existent
names, the response must contain:
- NSEC3 RR that matches the closest encloser,
- NSEC3 RR that covers the next closer name,
- NSEC3 RR that covers the wildcard.

(cherry picked from commit 955e3ccf3e)
2025-07-29 11:31:56 +02:00
Mark Andrews
4b2eeca477 Check that correct NSEC3 proofs are returned
(cherry picked from commit 132e68fddb)
2025-07-29 11:31:52 +02:00
Michal Nowak
848262808e [9.20] new: ci: Add AlmaLinux 10 FIPS
Backport of MR !10722

Merge branch 'backport-mnowak/add-almalinux-10-fips-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10781
2025-07-28 20:55:16 +02:00
Michal Nowak
b0949d960b
Add AlmaLinux 10 FIPS
(cherry picked from commit 1f45947088)
2025-07-28 19:38:24 +02:00
Michal Nowak
b35b501f8d Do not add AlmaLinux 8 FIPS unit and system test in MR pipelines
(cherry picked from commit 3b274e5993)
2025-07-28 17:30:32 +00:00
Štěpán Balážik
3c80f205ae [9.20] chg: test: Use isctest.asyncserver in the "dispatch" test
Replace the custom DNS server used in the "dispatch" system test with
new code based on the isctest.asyncserver module.

Backport of MR !10689

Merge branch 'backport-stepan/dispatch-asyncserver-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10773
2025-07-24 13:52:19 +00:00
Michał Kępień
576e41a853 Account for idle timeouts in the "dispatch" test
When the tests-connreset.py module was initially implemented in commit
5c17919019, the dispatch code did not
properly apply the idle timeout to TCP connections.  This allowed the
check in that test module to reset the TCP connection after 5 seconds as
named did not attempt to tear the connection down earlier than that.
However, as the dispatch code was improved, the idle timeout started
being enforced for TCP dispatches; the exact value it is set to in the
current code depends on a given server's SRTT, but it defaults to about
1.2 seconds for responsive servers.  This means that the code paths
triggered by the "dispatch" system test are now different than the ones
it was originally supposed to trigger because it is now named itself
that shuts the TCP connection down cleanly before the ans3 server gets a
chance to reset it.

Account for the above by lowering the amount of time after which the
ans3 server in the "dispatch" system test resets TCP connections to just
1 second, so that the test actually does what its name implies.

(cherry picked from commit 48e705d738)
2025-07-24 13:17:07 +00:00
Štěpán Balážik
c6c149f0b6 Use isctest.asyncserver in the "dispatch" test
Replace the custom DNS server used in the "dispatch" system test with
new code based on the isctest.asyncserver module.

(cherry picked from commit 316b7d5590)
2025-07-24 13:17:07 +00:00
Michał Kępień
746fc9701c Enable resetting TCP connections
Add a TCP connection handler, ConnectionReset, which enables closing TCP
connections without emptying the client socket buffer, causing the
kernel to send an RST segment to the client.  This relies on a horrible
asyncio hack that can break at any point in the future due to abusing
implementation details in the Python Standard Library.  Despite the eye
bleeding this code may cause, the approach it takes was still deemed
preferable to implementing an asyncio transport from scratch just to
enable triggering connection resets.

(cherry picked from commit e407888507)
2025-07-24 13:17:07 +00:00
Štěpán Balážik
a7be55a3f0 Add support for TCP connection handlers
Add a new abstract class, ConnectionHandler, instances of which can be
installed on AsyncDnsServer to manipulate TCP connections upon
accepting.

(cherry picked from commit b4d53e7287)
2025-07-24 13:17:07 +00:00
Michał Kępień
74805453ee Enable requesting TCP connections to be closed
In response to client queries, AsyncDnsServer users can currently only
make the server either send a reply or silently ignore the query.  In
the case of TCP queries, neither of these actions causes the client's
connection to be closed - the onus of doing that is on the client.
However, in some cases the server may be required to close the
connection on its own, so AsyncDnsServer users need to have some way of
requesting such an action.

Add a new ResponseAction subclass, ResponseDropAndCloseConnection, which
enables AsyncDnsServer users to conveniently request TCP connections to
be closed.  Instead of returning the response to send,
ResponseDropAndCloseConnection raises a custom exception that
AsyncDnsServer._handle_tcp() handles accordingly.

(cherry picked from commit 06b0800df8)
2025-07-24 13:17:07 +00:00
Matthijs Mekking
ed37c7825e [9.20] fix: usr: Stale RRsets in a CNAME chain were not always refreshed
With serve-stale enabled, a CNAME chain that contains a stale RRset, the refresh query doesn't always properly refresh the stale RRsets. This has been fixed.

Closes #5243

Backport of MR !10720

Merge branch 'backport-5243-stale-refresh-as-prefetch-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10767
2025-07-23 12:46:58 +00:00
Matthijs Mekking
c8ed25560b Add reproducer as test case
The issue provided a reproducer that can be easily converted into a
test case.

(cherry picked from commit dc649735ad)
2025-07-23 12:12:51 +00:00
Matthijs Mekking
03eb9aabe1 Special case refresh stale ncache data
When refreshing stale ncache data, the qctx->rdataset is NULL and
requires special processing.

(cherry picked from commit 7774f16ed5)
2025-07-23 12:12:51 +00:00
Matthijs Mekking
667d81b52b Make serve-stale refresh behave as prefetch
A serve-stale refresh is similar to a prefetch, the only difference
is when it triggers. Where a prefetch is done when an RRset is about
to expire, a serve-stale refresh is done when the RRset is already
stale.

This means that the check for the stale-refresh window needs to
move into query_stale_refresh(). We need to clear the
DNS_DBFIND_STALEENABLED option at the same places as where we clear
DNS_DBFIND_STALETIMEOUT.

Now that serve-stale refresh acts the same as prefetch, there is no
worry that the same rdataset is added to the message twice. This makes
some code obsolete, specifically where we need to clear rdatasets from
the message.

(cherry picked from commit a66b04c8d4)
2025-07-23 12:12:51 +00:00
Michał Kępień
9e57035eda [9.20] chg: test: Use isctest.asyncserver in the "zero" test
The original `ans.pl` server was a copy of the one in `fetchlimit`, so
there are some changes:

- The server now only responds with A replies (which is the only thing
  needed).
- The incrementing of the IP address goes beyond the least significant
  octet (so, after 192.0.2.255 it will yield 192.0.3.0).

Backport of MR !10597

Merge branch 'backport-stepan/zero-asyncserver-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10768
2025-07-23 14:06:42 +02:00
Štěpán Balážik
a208e17a8d Use isctest.asyncserver in the "zero" test
The original `ans.pl` server was based on a copy of the one in
`fetchlimit`, so there are some changes:

- The server now only responds with A replies (which is the only thing
  needed).
- The incrementing of the IP address goes beyond the least significant
  octet (so, after 192.0.2.255 it will yield 192.0.3.0).

(cherry picked from commit ec5729bee3)
2025-07-23 11:24:00 +00:00
Ondřej Surý
e016242c24 [9.20] fix: nil: Disable clang-format for Local IPv6 Unicast Addresses strings
The LSP server (using clangd) was always complaining about:

    Suspicious string literal, probably missing a comma

for the two Local IPv6 Unicast Addresses strings that spanned
across multiple lines.  Disable clang-format for these two lines.

Backport of MR !10764

Merge branch 'backport-ondrej/fix-suspicious-string-literal-probably-missing-comma-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10765
2025-07-23 09:09:29 +02:00
Ondřej Surý
63c5083039 Disable clang-format for Local IPv6 Unicast Addresses strings
The LSP server (using clangd) was always complaining about:

    Suspicious string literal, probably missing a comma

for the two Local IPv6 Unicast Addresses strings that spanned
across multiple lines.  Disable clang-format for these two lines.

(cherry picked from commit 6b7c99027d)
2025-07-23 09:09:18 +02:00
Ondřej Surý
7f25d92c5d [9.20] fix: dev: Rename variable called 'free' to prevent the clash with free()
Backport of MR !10756

Merge branch 'backport-ondrej/rename-variable-called-free-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10757
2025-07-23 07:48:08 +02:00
Ondřej Surý
485aac9213
Rename 'free' variable to 'nfree' to not clash with free()
The beauty and horrors of the C - the compiler properly detects variable
shadowing, but you can freely shadow a standard function 'free()' with
variable called 'free'.  And if you reference 'free()' just as 'free'
you get the function pointer which means you can do also pointer
arithmetics, so 'free > 0' is always valid even when you delete the
local variable.

Replace the local variables 'free' with a name that doesn't shadow the
'free()' function to prevent future hard to detect bugs.

(cherry picked from commit 855960ce46)
2025-07-22 14:28:15 +02:00
Štěpán Balážik
920874ea58 [9.20] chg: test: Use isctest.asyncserver in the "fetchlimit" test
Replace the custom DNS server used in the "fetchlimit" system test
with new code based on the isctest.asyncserver module.

Backport of MR !10614

Merge branch 'backport-stepan/fetchlimit-asyncserver-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10755
2025-07-22 10:16:17 +00:00
Štěpán Balážik
87a0dfde67 Use isctest.asyncserver in the "fetchlimit" test
Replace the custom DNS server used in the "fetchlimit" system test
with new code based on the isctest.asyncserver module.

(cherry picked from commit 9ffc833919)
2025-07-22 07:09:52 +00:00
Mark Andrews
bc54f059e0 [9.20] fix: usr: synth-from-dnssec was not working in some scenarios
Aggressive use of DNSSEC-Validated cache with NSEC was not working in scenarios when no parent NSEC was not in cache.  This has been fixed.

Closes #5422

Backport of MR !10736

Merge branch 'backport-5422-aggressive-nsec-not-working-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10754
2025-07-22 02:22:07 +10:00
Mark Andrews
15031f32e6 test synth-from-dnssec with no cached parent NSECs
Add \007.no-apex-covering as an owner name so that the cache does
not get primed with a parent NSEC RRset to test the case where
dns_qp_lookup returns ISC_R_NOTFOUND.

(cherry picked from commit df04924209)
2025-07-21 17:46:02 +02:00