Add missing type hints in the tests_nsec3.py module. Tweak the syntax
used for type hints for better consistency with other Python code in
bin/tests/system/.
(cherry picked from commit adb931f700)
This should prevent the case where are are unlucky enough that static
values hash 'just right' for the test to pass, but only accidentally.
(cherry picked from commit 46781845ea)
Currently this test is limited only to auth because currently BIND
resolver does not send DS proof of nonexistence for RD=0 queries.
(cherry picked from commit 548632b18a)
Simplistic test. Ignores the possibility of DNAME chain going through
multiple zones and/or wildcard expansions.
(cherry picked from commit 73e4201331)
Simplistic test. Ignores the possibility of CNAME chain going through
multiple zones and/or wildcard expansions.
(cherry picked from commit d0e413dd57)
The test actually needs just two servers - auth and resolver. The rest
was not needed and made test setup only slower and harder to debug.
(cherry picked from commit ac58b58002)
Basic sanity checks - limited to responses from a single zone:
- NSEC3 type cannot be present in type bitmap:
By definition, the type bitmap describes state of the unhashed name
but NSEC3 RR is present at a different owner name. RFC 7129 section 5
- NSEC3 owner names cannot be duplicated:
Unless the response crosses zone boundary, parent zone has insecure
delegation for child, but child is signed ... don't do that.
- All parameters are consistent across all RRs present in answer:
RFC 5155 section 7.2, last paragraph - at least when we don't cross
zone boundary.
(cherry picked from commit cfaf5c997f)
Untangling individual cases allows for clearer documentation and makes
it easier to build similar but slightly different test cases. Wildcard
NODATA answer was added.
(cherry picked from commit 9ca2077274)
As a side-effect, we now have set of all existing names in a zone with a
test, too. These parts should be shared with new NSEC tests.
(cherry picked from commit f0592de608)
Side-effect of importing from isctest.hypothesis first is a version
check and clean Pytest skip if version is too old.
(cherry picked from commit 9cea2af25c)
Test all combinations of wildcard, ENT, DNAME, NS, and ordinary
TXT records.
Test zone and expected outputs are generated by another script which
encodes node content into node name. This encoding removes 'node
content' level of indirection and thus enables simpler implementation of
same logic which needs to be in ZoneAnalyzer itself.
For humans the generated zone file also lists expected 'categories' a
name belongs to as dot-separated list on right hand side of a generated
RR.
(cherry picked from commit 42b60a3819)
I've considered writing hypothesis test for this but I would have to
reimplement the same thing, which would probably have the same logic
bugs, so I will leave it as an exercise for someone else.
(cherry picked from commit cad48e56ab)
dns.name all over the place does not make it easier to read the code at
all, and I'm going to add lot more code here.
(cherry picked from commit 3fb6b990af)
Check the correctness of NSEC3 hash generation by generating random
combinations of name, salt, and iterations and comparing the outputs
of the nsec3hash tool against the dnspython nsec3_hash function
for the same inputs.
(cherry picked from commit e263df8848)
For any given NSEC3 signed zone, when doing queries for non-existent
names, the response must contain:
- NSEC3 RR that matches the closest encloser,
- NSEC3 RR that covers the next closer name,
- NSEC3 RR that covers the wildcard.
(cherry picked from commit 955e3ccf3e)
Replace the custom DNS server used in the "dispatch" system test with
new code based on the isctest.asyncserver module.
Backport of MR !10689
Merge branch 'backport-stepan/dispatch-asyncserver-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10773
When the tests-connreset.py module was initially implemented in commit
5c17919019, the dispatch code did not
properly apply the idle timeout to TCP connections. This allowed the
check in that test module to reset the TCP connection after 5 seconds as
named did not attempt to tear the connection down earlier than that.
However, as the dispatch code was improved, the idle timeout started
being enforced for TCP dispatches; the exact value it is set to in the
current code depends on a given server's SRTT, but it defaults to about
1.2 seconds for responsive servers. This means that the code paths
triggered by the "dispatch" system test are now different than the ones
it was originally supposed to trigger because it is now named itself
that shuts the TCP connection down cleanly before the ans3 server gets a
chance to reset it.
Account for the above by lowering the amount of time after which the
ans3 server in the "dispatch" system test resets TCP connections to just
1 second, so that the test actually does what its name implies.
(cherry picked from commit 48e705d738)
Replace the custom DNS server used in the "dispatch" system test with
new code based on the isctest.asyncserver module.
(cherry picked from commit 316b7d5590)
Add a TCP connection handler, ConnectionReset, which enables closing TCP
connections without emptying the client socket buffer, causing the
kernel to send an RST segment to the client. This relies on a horrible
asyncio hack that can break at any point in the future due to abusing
implementation details in the Python Standard Library. Despite the eye
bleeding this code may cause, the approach it takes was still deemed
preferable to implementing an asyncio transport from scratch just to
enable triggering connection resets.
(cherry picked from commit e407888507)
Add a new abstract class, ConnectionHandler, instances of which can be
installed on AsyncDnsServer to manipulate TCP connections upon
accepting.
(cherry picked from commit b4d53e7287)
In response to client queries, AsyncDnsServer users can currently only
make the server either send a reply or silently ignore the query. In
the case of TCP queries, neither of these actions causes the client's
connection to be closed - the onus of doing that is on the client.
However, in some cases the server may be required to close the
connection on its own, so AsyncDnsServer users need to have some way of
requesting such an action.
Add a new ResponseAction subclass, ResponseDropAndCloseConnection, which
enables AsyncDnsServer users to conveniently request TCP connections to
be closed. Instead of returning the response to send,
ResponseDropAndCloseConnection raises a custom exception that
AsyncDnsServer._handle_tcp() handles accordingly.
(cherry picked from commit 06b0800df8)
With serve-stale enabled, a CNAME chain that contains a stale RRset, the refresh query doesn't always properly refresh the stale RRsets. This has been fixed.
Closes#5243
Backport of MR !10720
Merge branch 'backport-5243-stale-refresh-as-prefetch-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10767
A serve-stale refresh is similar to a prefetch, the only difference
is when it triggers. Where a prefetch is done when an RRset is about
to expire, a serve-stale refresh is done when the RRset is already
stale.
This means that the check for the stale-refresh window needs to
move into query_stale_refresh(). We need to clear the
DNS_DBFIND_STALEENABLED option at the same places as where we clear
DNS_DBFIND_STALETIMEOUT.
Now that serve-stale refresh acts the same as prefetch, there is no
worry that the same rdataset is added to the message twice. This makes
some code obsolete, specifically where we need to clear rdatasets from
the message.
(cherry picked from commit a66b04c8d4)
The original `ans.pl` server was a copy of the one in `fetchlimit`, so
there are some changes:
- The server now only responds with A replies (which is the only thing
needed).
- The incrementing of the IP address goes beyond the least significant
octet (so, after 192.0.2.255 it will yield 192.0.3.0).
Backport of MR !10597
Merge branch 'backport-stepan/zero-asyncserver-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10768
The original `ans.pl` server was based on a copy of the one in
`fetchlimit`, so there are some changes:
- The server now only responds with A replies (which is the only thing
needed).
- The incrementing of the IP address goes beyond the least significant
octet (so, after 192.0.2.255 it will yield 192.0.3.0).
(cherry picked from commit ec5729bee3)
The LSP server (using clangd) was always complaining about:
Suspicious string literal, probably missing a comma
for the two Local IPv6 Unicast Addresses strings that spanned
across multiple lines. Disable clang-format for these two lines.
Backport of MR !10764
Merge branch 'backport-ondrej/fix-suspicious-string-literal-probably-missing-comma-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10765
The LSP server (using clangd) was always complaining about:
Suspicious string literal, probably missing a comma
for the two Local IPv6 Unicast Addresses strings that spanned
across multiple lines. Disable clang-format for these two lines.
(cherry picked from commit 6b7c99027d)
The beauty and horrors of the C - the compiler properly detects variable
shadowing, but you can freely shadow a standard function 'free()' with
variable called 'free'. And if you reference 'free()' just as 'free'
you get the function pointer which means you can do also pointer
arithmetics, so 'free > 0' is always valid even when you delete the
local variable.
Replace the local variables 'free' with a name that doesn't shadow the
'free()' function to prevent future hard to detect bugs.
(cherry picked from commit 855960ce46)
Replace the custom DNS server used in the "fetchlimit" system test
with new code based on the isctest.asyncserver module.
Backport of MR !10614
Merge branch 'backport-stepan/fetchlimit-asyncserver-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10755
Replace the custom DNS server used in the "fetchlimit" system test
with new code based on the isctest.asyncserver module.
(cherry picked from commit 9ffc833919)
Aggressive use of DNSSEC-Validated cache with NSEC was not working in scenarios when no parent NSEC was not in cache. This has been fixed.
Closes#5422
Backport of MR !10736
Merge branch 'backport-5422-aggressive-nsec-not-working-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10754
Add \007.no-apex-covering as an owner name so that the cache does
not get primed with a parent NSEC RRset to test the case where
dns_qp_lookup returns ISC_R_NOTFOUND.
(cherry picked from commit df04924209)