Commit graph

43422 commits

Author SHA1 Message Date
Nicki Křížek
ce00f2d059 Use jinja2 templates in runtime test
- Replace named-altX.conf.in with namedX.conf.j2 to stick with the same
  naming convention across the entire code base. Note than due to
  named1.conf being the first (default) config, the numbers for the altX
  are incremented.
- Turn alt9 into named7 to stick with the same number sequence. Adjust
  the related file names accordingly.

(cherry picked from commit 7f3b0afb09)
2025-12-10 13:43:52 +01:00
Nicki Křížek
f16c679360 Use jinja2 templates in checkzone test
Render the bad-tsig.db file using jinja2 template to get rid of
copy_setports.

Since the zone is using @ character, use the raw directive to avoid
interpreting it as a variable start.

(cherry picked from commit b23301ec55)
2025-12-10 13:43:52 +01:00
Nicki Křížek
a6d9804ad8 Use jinja2 templates in autosign test
- Include ns3/nsec-only.conf conditionally and always render it.

(cherry picked from commit 13bd0d689a)
2025-12-10 13:43:52 +01:00
Nicki Křížek
425af8d0b1 Use jinja2 templates in tsiggss
- The ns1/named.conf.j2 contains "@" which is a special jinja character,
  use the raw directive to escape it.

(cherry picked from commit 1aa2f7249a)
2025-12-10 13:43:52 +01:00
Nicki Křížek
38c779740f Use jinja2 templates in transport-change test
- Replace named*.conf.in files with jinja2 templates.
- When applying the files use plain cp command to copy the rendered
  files.

(cherry picked from commit 0f37603b1a)
2025-12-10 13:43:52 +01:00
Nicki Křížek
8dde4093aa Replace .in with .j2 templates for cases with namedX.conf
The following tests use multiple named configs. Previously, these have
been rendered with copy_setports in tests.sh when needed. Transform
these into jinja2 templates and render them during setup. In the tests,
the copy_setports invocations can be then replaced with a simple cp.

(cherry picked from commit 9d3279a542)
2025-12-10 13:43:52 +01:00
Nicki Křížek
ea10064b95 Replace .in with .j2 templates for simple copy_setports cases
Use jinja2 templates instead of *.in templates for named.conf and remove
the copy_setports invocations from setup.sh which are no longer needed.

(cherry picked from commit fc10cb686d)
2025-12-10 13:43:52 +01:00
Nicki Křížek
d92b1fa169 Allow any named*.conf file as a system test artifact
This allows rendering multiple named*.conf files using the jinja2
template engine at test start and then simply copying the required
config to named.conf as needed.

(cherry picked from commit d6d6db52e3)
2025-12-10 13:43:52 +01:00
Štěpán Balážik
2c076fff0e fix: test: Match JUnit test names of system tests in the legacy test runner
Pytest sets the test names as `test_foo` and the old test runner spits
out `bin/tests/system/foo`.

Normalize this to match the new test runner.

Merge branch 'stepan/match-pytest-junit-names' into 'bind-9.20'

See merge request isc-projects/bind9!11085
2025-12-10 12:43:08 +00:00
Štěpán Balážik
9d402aa100 Match JUnit test names of system tests in the legacy test runner
Pytest sets the test names as `test_foo` and the old test runner spits
out `bin/tests/system/foo`.

Normalize this to match the new test runner.
2025-12-10 12:04:02 +00:00
Nicki Křížek
e192a81c3d [9.20] chg: nil: Remove system test env var for nonexistent feature
This is a fixup for MR !11345. The variable for --extended-ds-digest was
accidentally backported - 9.20 doesn't have this feature check.

Merge branch 'nicki/featuretest-env-backport-fixup' into 'bind-9.20'

See merge request isc-projects/bind9!11357
2025-12-09 17:26:10 +01:00
Nicki Křížek
13205c8a56 Remove system test env var for nonexistent feature
This is a fixup for MR!11345. The variable for --extended-ds-digest was
accidentally backported - 9.20 doesn't have this feature check.
2025-12-09 16:30:36 +01:00
Michal Nowak
6c5e5238c4 [9.20] new: ci: Add Alpine Linux 3.23
Backport of MR !11321

Merge branch 'backport-mnowak/alpine-3.23-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11351
2025-12-09 13:31:24 +01:00
Michal Nowak
2a5863af5a Add Alpine Linux 3.23
(cherry picked from commit 492256643d)
2025-12-09 13:30:54 +01:00
Arаm Sаrgsyаn
95cbc2c327 [9.20] fix: usr: Fix a catalog zones issue when a member zone could fail to load
A catalog zone's member zone could fail to load in some rare cases, when
the internally generated zone configuration string was exceeding 512
bytes. That condition only was not enough for the issue to arise, but it
was a necessary condition. This could happen, for example, if the catalog
zone's default primary servers list contained a large number of items.
This has been fixed.

Closes #5658

Backport of MR !11281

Merge branch 'backport-5658-dns_catz_generate_zonecfg-bug-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11349
2025-12-09 11:12:32 +00:00
Mark Andrews
89d4d90244 log failing buffer
(cherry picked from commit 066847af25)
2025-12-09 11:12:24 +00:00
Aram Sargsyan
b21b698405 Add a check to the catz test to confirm that the issue is fixed
Use a member zone with a long list of primaries with long key
names to trigger the issue that was fixed by the previous commit.

(cherry picked from commit 2622140482)
2025-12-09 11:12:24 +00:00
Aram Sargsyan
59e9dfc5b4 Fix a bug in dns_catz_generate_zonecfg()
The dns_catz_generate_zonecfg() function generates a zone configuration
string to use with a new catalog zone member zone. The buffer for the
string is 512 bytes initially (ISC_BUFFER_INCR), but can be reallocated
when required, when using corresponding isc_buffer functions like
isc_buffer_reserve(), isc_buffer_putstr(), isc_buffer_copyregion(), etc.

However, the dns_name_totext() function, which expects the buffer as an
argument, doesn't automatically resize it if the name doesn't fit there,
but instead just returns ISC_R_NOSPACE.

The chance of this occurring increases when the configuration string is
large due to, for example, long zone name, long list of primary servers
which have keys configured and/or TLS configured.

Use dns_name_format() accompanied with isc_buffer_putstr() instead of
dns_name_totext().

(cherry picked from commit 684d7e008a)
2025-12-09 11:12:24 +00:00
Michal Nowak
e471eb02ff [9.20] fix: test: dns.name module does not have minversion attribute
The dns module does have it.

Backport of MR !11348

Merge branch 'backport-mnowak/enable-selftest-system-test-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11350
2025-12-09 12:10:27 +01:00
Michal Nowak
acd6d5f954 dns.name module does not have minversion attribute
The dns module does have it.

(cherry picked from commit ed33f44829)
2025-12-09 10:22:03 +00:00
Nicki Křížek
1987a84de4 [9.20] new: test: Add FEATURE_* environment variables to system tests
The purpose of these variables is to be able to detect feature support
without calling feature-test. This becomes useful when detecting feature
support in jinja2 templates.

Backport of MR !11316

Merge branch 'backport-nicki/featurest-system-test-env-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11345
2025-12-08 21:58:34 +01:00
Nicki Křížek
b612786d5f Add FEATURE_* environment variables to system tests
The purpose of these variables is to be able to detect feature support
without calling feature-test. This becomes useful when detecting feature
support in jinja2 templates.

(cherry picked from commit 19af19b31c)
2025-12-08 20:14:36 +01:00
Nicki Křížek
46189a254b Remove unused dlz-filesystem feature check
There isn't any system test that uses this feature check.

(cherry picked from commit 2bb840bbc7)
2025-12-08 18:54:30 +01:00
Nicki Křížek
69851297ad Remove unused ipv6only feature check
There isn't any system test that uses this feature check.

(cherry picked from commit 789e40bd4c)
2025-12-08 18:54:29 +01:00
Nicki Křížek
50900e2490 [9.20] new: test: Regex support for logs and cmd output in pytest
Improve and unify the handling of regular expressions when searching in logs, files and command output in system tests.
- Use `Re()` for constructing regular expressions, which is an imported shorthand for `re.compile()` (imported as `from re import compile as Re`
- Add new `isctest.text.Text` interface which is a text wrapper that supports the `in` operator for line matching operation for both strings and regular expressions, e.g.:
  - `assert "running" in ns1.log`
  - `assert Re("a.example..*10.0.0.1") in response.out`
- Use the new `isctest.text.Text` for:
  - `isctest.run.cmd()` output, where `.out` and `.err` can be used for stdout and stderr contents
  - `NamedInstance.log` rather than the previous log interface (`.expect()` and `.prohibit()` is no longer available or needed. The `in` operator along with an `assert` statement can be used now instead.)
  - `NamedInstance.rndc()` output, which returns identical output as `isctest.run.cmd()`

Backport of MR !11054

Merge branch 'backport-nicki/pytest-grep-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11342
2025-12-08 17:55:54 +01:00
Nicki Křížek
6f51eeb8ef Refactor NamedInstance.rndc() to use EnvCmd() interface
To unify the command handling, utilize EnvCmd() to handle rndc commands:

1. Remove isctest.rndc abstractions. They were intended for an upcoming
   python-only implementation. A couple of years later, it doesn't seem
   to be coming any time soon, so let's stick with the interface that
   makes sense today, i.e. use the same command handling interface
   everywhere.
2. Remove the specialized rndc.log in favor of the generic logging
   already implemented by isctest.run.cmd(). I believe the cause of the
   many rndc(log=False) invocations was that nobody wanted this extra
   file. Yet, logging everything by default makes sense for debugging,
   unless there's a good reason not to. In almost all cases, logging was
   switched to the default (enabled).
3. With the NamedInstance.rndc() call now returning CmdResult rather
   than combined stdout+stderr string, adjust all the invocations to use
   `.out` or `.err` as necessary.
4. Replace some manual rndc invocation and its base argument
   construction with the standardized nsX.rndc() call.
5. In cases where rndc is expected to fail, utilize
   raise_on_exception=False and check the `.rc` from the result, rather
   than handling an exception.
6. In addzone/tests_rndc_deadlock.py, refactor the test slightly to
   avoid using EnvCmd() entirely to avoid spamming the logs. This test
   calls rndc in a loop from multiple threads and such test case is an
   exception which doesn't warrant changing the `isctest.run.cmd()`
   implementation.

(cherry picked from commit f33e2b6d87)
2025-12-08 17:07:57 +01:00
Nicki Křížek
0f64e490bb Add generic isctest.run.EnvCmd helper to pytest
A generic helper that calls the environment-specified binaries in a
developer-friendly manner, i.e. passing arguments as strings rather than
having to split them first.

The isctest.run.cmd() remains as the basis which provides a clean and
robust interface, while the isctest.run.EnvCmd() can be used as a
convenient wrapper for tests, or when there are some shared default
parameters.

The isctest.run.Dig() is superseded with the isctest.run.EnvCmd(). In
the future, we might revisit adding Dig() or command-specific helpers
again, but it probably only makes sense if they offer command-aware
attributes / methods, rather than just being shortcuts to
isctest.run.EnvCmd().

(cherry picked from commit ff613a72d7)
2025-12-08 17:05:46 +01:00
Nicki Křížek
1b3e2f004f Add pylint check for re.compile() alias
Ensure that Re() is used consistently across our code base.

(cherry picked from commit a8bf53411d)
2025-12-08 17:05:38 +01:00
Nicki Křížek
b7a0aedd54 Improve file handling in ksr test
Refactor the file handling to write to a file directly when calling
isctest.run.cmd().

Refactor the existing code to use CmdResult rather than out and err
separately.

(cherry picked from commit 9bad9491a1)
2025-12-08 17:05:30 +01:00
Nicki Křížek
634b1a56a8 Use Text with Grep support in isctest.run.cmd()
When commands are executed using the isctest.run.cmd() command, allow
the output to be Grep-able like logs and text files.

(cherry picked from commit 4b6a86b029)
2025-12-08 17:05:08 +01:00
Nicki Křížek
249dbeddf8 Refactor LogFile into TextFile with Grep support
Add a new Grep-like interface which can be used for searching for
regular expressions in files. Replace the prior LogFile used for named
logs with the new TextFile interface.

(cherry picked from commit 7743bab5fc)
2025-12-08 17:04:39 +01:00
Nicki Křížek
98f5c5774d Move text-related operations into isctest.text module
Add a new module for working with text and keep the isctest.log.watchlog
module focused on its purpose. Move LogFile and LineReader into the new
module. Add compile_pattern() helper which will be useful in subsequent
commits.

(cherry picked from commit be6bae2a75)
2025-12-08 17:03:43 +01:00
Nicki Křížek
631e366dcf Use Re() for creating regular expressions
It's a fairly common pattern to use regular expression in our tests.
Instead of using the fairly verbose re.compile(), import that function
as Re() instead to allow for more brevity in the test syntax.

(cherry picked from commit ac7127d620)
2025-12-08 17:03:29 +01:00
Nicki Křížek
182c7c83a8 Use CmdResult to decode stdout/stderr from isctest.run.cmd()
Avoid repeating the .decode("utf-8") snippet when processing command
output and provide a helper instead, which leads to more concise code.

(cherry picked from commit ac998da3f6)
2025-12-08 16:58:13 +01:00
Nicki Křížek
e34e744bb7 Utilize nsX.rndc() helper
Remove the duplicated code and replace it with nsX.rndc() call.

(cherry picked from commit ac2be27f8f)
2025-12-08 16:51:06 +01:00
Ondřej Surý
1b90296e1f [9.20] fix: usr: Adding NSEC3 opt-out records could leave invalid records in chain
When creating an NSEC3 opt-out chain, a node in the chain could be removed too soon, causing the previous NSEC3 being unable to be found, resulting in invalid NSEC3 records to be left in the zone. This has been fixed.

Closes #5671

Backport of MR !11328

Merge branch 'backport-5671-fix-dbiterator-prev-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11340
2025-12-08 11:04:37 +01:00
Mark Andrews
b677d31fca
In dbiterator_prev, dereference_iter_node was being called too soon
dns_rbtnodechain_prev requires the current node to still be valid
which was not always the case after dereference_iter_node was called.
Move the call to dereference_iter_node to after the dns_rbtnodechain_prev
to preserve the node.
2025-12-08 10:25:17 +01:00
Ondřej Surý
89478d95c3
In dns_qpiter_{prev,next}, defer dereference_iter_node call
dns_qpiter_{prev,next} requires the current iterator node to still be
valid which might not always the case after dereference_iter_node was
called.  Currently, this is ensured via closeversion() mechanism, but it
is not guaranteed to be true in the future.

Move the call to dereference_iter_node to after the dns_qpiter_prev()
and dns_qpiter_next() to prevent a possible use-after-free of the
current iterator node.

(cherry picked from commit 9914bd383e)
2025-12-08 10:25:05 +01:00
Evan Hunt
b23a364be9 [9.20] fix: doc: correct a double negative in the padding doc
`padding` is incompatible with TSIG and SIG(0), not with "no" TSIG
and SIG(0).

Backport of MR !11333

Merge branch 'backport-each-fix-padding-doc-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11335
2025-12-05 23:09:20 +00:00
Evan Hunt
2d18b0da46 correct a double negative in the padding doc
`padding` is incompatible with TSIG and SIG(0), not with "no" TSIG
and SIG(0).

(cherry picked from commit d054741d92)
2025-12-05 22:32:07 +00:00
Matthijs Mekking
7a70d05b5d [9.20] fix: usr: Make key rollovers more robust
A manual rollover when the zone is in an invalid DNSSEC state causes predecessor keys to be removed too quickly. Additional safeguards to prevent this have been added. DNSSEC records will not be removed from the zone until the underlying state machine has moved back into a valid DNSSEC state.

Closes #5458

Backport of MR !10813

Merge branch 'backport-5458-safeguard-against-key-rollovers-when-in-invalid-state-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11329
2025-12-05 13:07:22 +00:00
Matthijs Mekking
da8cef5ade Fix statschannel system test
The manykeys test case relies on keys being removed. Make sure the
zone is fully signed with the keys that will stay, so the other keys
may be removed safely.

This means the expected number of signatures generated and refreshed
will change. The CDS and CDNSKEY RRset also need to be signed now.

Configure the test case with sig-signing-signatures 100, large enough
that the entire zone is processed in a single step.

(cherry picked from commit 14a243a81d)
2025-12-05 13:22:30 +01:00
Matthijs Mekking
5b85b93847 Fix nsec3 system test
The nsec3 system test has a couple of cases where the configured policy
changes the algorithm, effectively triggering an algorithm rollover. Fix
those cases to start in a valid DNSSEC state. Then fix the expected key
states, no longer should the old algorithm be removed immediately.

(cherry picked from commit a8339be0f8)
2025-12-05 13:22:23 +01:00
Matthijs Mekking
fe84bb6056 Fix autosign system test
When creating keys, set Publish and Activate times so that keys will
be initialized as omnipresent. This way we start with a safe DNSSEC
state. In most cases at least, because some tests depend on special
key timings.

The ttl[1-4].example cases have become incorrect. With dnssec-policy
we require the TTL to match the dnskey-ttl from the policy.

The delzsk.example will have a ZSK removed from the zone. It also
requires that the DNSKEY RRset is already published. This means
that for the existing keys the, no longer "is now published"
messages will be logged.

The nsec-only.example and reconf.example zones are fixed to have a
correct matching policy.

This all means the expected count of log messages changes slightly.

(cherry picked from commit c756b8a505)
2025-12-05 13:22:16 +01:00
Matthijs Mekking
21c99687a6 Fix views system test
This test case enables DNSSEC and has a mismatch in policy. Fix the
policy so that it matches the existing key set, and adjust the
expected answer count because no longer a new key is generated.

(cherry picked from commit 67ea0e656b)
2025-12-05 13:22:09 +01:00
Matthijs Mekking
45448fc383 Make keymgr state machine more robust
If the keymgr state machine is in an invalid state, it tries to move
it self to a valid state. But when you do key rollovers during an
invalid state, and the next state is also an invalid state, the keymgr
will happily do the transition.

It would be good to not do key rollovers if there is not a KSK and ZSK
fully omnipresent. But also it would be good to safeguard against
unexpected transitions.

This commit does that by not moving things to unretentive (which is
the state where we would remove the corresponding record from the zone)
if the state machine is currently in an invalid state.

(cherry picked from commit b19871f8a2)
2025-12-05 13:22:00 +01:00
Matthijs Mekking
aeaa5f12c1 Rollover test case for rumoured zone signatures
Test a manual rollover when zone signatures have not become omnipresent
yet. This should not immediately remove the predecessor key.

(cherry picked from commit 149ca5d46a)
2025-12-05 12:08:22 +00:00
Matthijs Mekking
5124cd115e [9.20] fix: doc: Fix sig-signing-* duplicate documentation
Backport of MR !11324

Merge branch 'backport-matthijs-doc-sig-signing-options-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11326
2025-12-05 11:28:51 +00:00
Matthijs Mekking
1d2d23549d Fix sig-signing-* duplicate documentation
(cherry picked from commit c3951cdec0)
2025-12-05 10:53:31 +00:00
Andoni Duarte
4cd0c93dc2 chg: doc: Set up version for BIND 9.20.18
Merge branch 'andoni/set-up-version-for-bind-9.20.18' into 'bind-9.20'

See merge request isc-projects/bind9!11318
2025-12-04 08:56:37 +00:00