- Replace named-altX.conf.in with namedX.conf.j2 to stick with the same
naming convention across the entire code base. Note than due to
named1.conf being the first (default) config, the numbers for the altX
are incremented.
- Turn alt9 into named7 to stick with the same number sequence. Adjust
the related file names accordingly.
(cherry picked from commit 7f3b0afb09)
Render the bad-tsig.db file using jinja2 template to get rid of
copy_setports.
Since the zone is using @ character, use the raw directive to avoid
interpreting it as a variable start.
(cherry picked from commit b23301ec55)
- Replace named*.conf.in files with jinja2 templates.
- When applying the files use plain cp command to copy the rendered
files.
(cherry picked from commit 0f37603b1a)
The following tests use multiple named configs. Previously, these have
been rendered with copy_setports in tests.sh when needed. Transform
these into jinja2 templates and render them during setup. In the tests,
the copy_setports invocations can be then replaced with a simple cp.
(cherry picked from commit 9d3279a542)
Use jinja2 templates instead of *.in templates for named.conf and remove
the copy_setports invocations from setup.sh which are no longer needed.
(cherry picked from commit fc10cb686d)
This allows rendering multiple named*.conf files using the jinja2
template engine at test start and then simply copying the required
config to named.conf as needed.
(cherry picked from commit d6d6db52e3)
Pytest sets the test names as `test_foo` and the old test runner spits
out `bin/tests/system/foo`.
Normalize this to match the new test runner.
Merge branch 'stepan/match-pytest-junit-names' into 'bind-9.20'
See merge request isc-projects/bind9!11085
This is a fixup for MR !11345. The variable for --extended-ds-digest was
accidentally backported - 9.20 doesn't have this feature check.
Merge branch 'nicki/featuretest-env-backport-fixup' into 'bind-9.20'
See merge request isc-projects/bind9!11357
A catalog zone's member zone could fail to load in some rare cases, when
the internally generated zone configuration string was exceeding 512
bytes. That condition only was not enough for the issue to arise, but it
was a necessary condition. This could happen, for example, if the catalog
zone's default primary servers list contained a large number of items.
This has been fixed.
Closes#5658
Backport of MR !11281
Merge branch 'backport-5658-dns_catz_generate_zonecfg-bug-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11349
Use a member zone with a long list of primaries with long key
names to trigger the issue that was fixed by the previous commit.
(cherry picked from commit 2622140482)
The dns_catz_generate_zonecfg() function generates a zone configuration
string to use with a new catalog zone member zone. The buffer for the
string is 512 bytes initially (ISC_BUFFER_INCR), but can be reallocated
when required, when using corresponding isc_buffer functions like
isc_buffer_reserve(), isc_buffer_putstr(), isc_buffer_copyregion(), etc.
However, the dns_name_totext() function, which expects the buffer as an
argument, doesn't automatically resize it if the name doesn't fit there,
but instead just returns ISC_R_NOSPACE.
The chance of this occurring increases when the configuration string is
large due to, for example, long zone name, long list of primary servers
which have keys configured and/or TLS configured.
Use dns_name_format() accompanied with isc_buffer_putstr() instead of
dns_name_totext().
(cherry picked from commit 684d7e008a)
The dns module does have it.
Backport of MR !11348
Merge branch 'backport-mnowak/enable-selftest-system-test-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11350
The purpose of these variables is to be able to detect feature support
without calling feature-test. This becomes useful when detecting feature
support in jinja2 templates.
Backport of MR !11316
Merge branch 'backport-nicki/featurest-system-test-env-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11345
The purpose of these variables is to be able to detect feature support
without calling feature-test. This becomes useful when detecting feature
support in jinja2 templates.
(cherry picked from commit 19af19b31c)
Improve and unify the handling of regular expressions when searching in logs, files and command output in system tests.
- Use `Re()` for constructing regular expressions, which is an imported shorthand for `re.compile()` (imported as `from re import compile as Re`
- Add new `isctest.text.Text` interface which is a text wrapper that supports the `in` operator for line matching operation for both strings and regular expressions, e.g.:
- `assert "running" in ns1.log`
- `assert Re("a.example..*10.0.0.1") in response.out`
- Use the new `isctest.text.Text` for:
- `isctest.run.cmd()` output, where `.out` and `.err` can be used for stdout and stderr contents
- `NamedInstance.log` rather than the previous log interface (`.expect()` and `.prohibit()` is no longer available or needed. The `in` operator along with an `assert` statement can be used now instead.)
- `NamedInstance.rndc()` output, which returns identical output as `isctest.run.cmd()`
Backport of MR !11054
Merge branch 'backport-nicki/pytest-grep-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11342
To unify the command handling, utilize EnvCmd() to handle rndc commands:
1. Remove isctest.rndc abstractions. They were intended for an upcoming
python-only implementation. A couple of years later, it doesn't seem
to be coming any time soon, so let's stick with the interface that
makes sense today, i.e. use the same command handling interface
everywhere.
2. Remove the specialized rndc.log in favor of the generic logging
already implemented by isctest.run.cmd(). I believe the cause of the
many rndc(log=False) invocations was that nobody wanted this extra
file. Yet, logging everything by default makes sense for debugging,
unless there's a good reason not to. In almost all cases, logging was
switched to the default (enabled).
3. With the NamedInstance.rndc() call now returning CmdResult rather
than combined stdout+stderr string, adjust all the invocations to use
`.out` or `.err` as necessary.
4. Replace some manual rndc invocation and its base argument
construction with the standardized nsX.rndc() call.
5. In cases where rndc is expected to fail, utilize
raise_on_exception=False and check the `.rc` from the result, rather
than handling an exception.
6. In addzone/tests_rndc_deadlock.py, refactor the test slightly to
avoid using EnvCmd() entirely to avoid spamming the logs. This test
calls rndc in a loop from multiple threads and such test case is an
exception which doesn't warrant changing the `isctest.run.cmd()`
implementation.
(cherry picked from commit f33e2b6d87)
A generic helper that calls the environment-specified binaries in a
developer-friendly manner, i.e. passing arguments as strings rather than
having to split them first.
The isctest.run.cmd() remains as the basis which provides a clean and
robust interface, while the isctest.run.EnvCmd() can be used as a
convenient wrapper for tests, or when there are some shared default
parameters.
The isctest.run.Dig() is superseded with the isctest.run.EnvCmd(). In
the future, we might revisit adding Dig() or command-specific helpers
again, but it probably only makes sense if they offer command-aware
attributes / methods, rather than just being shortcuts to
isctest.run.EnvCmd().
(cherry picked from commit ff613a72d7)
Refactor the file handling to write to a file directly when calling
isctest.run.cmd().
Refactor the existing code to use CmdResult rather than out and err
separately.
(cherry picked from commit 9bad9491a1)
When commands are executed using the isctest.run.cmd() command, allow
the output to be Grep-able like logs and text files.
(cherry picked from commit 4b6a86b029)
Add a new Grep-like interface which can be used for searching for
regular expressions in files. Replace the prior LogFile used for named
logs with the new TextFile interface.
(cherry picked from commit 7743bab5fc)
Add a new module for working with text and keep the isctest.log.watchlog
module focused on its purpose. Move LogFile and LineReader into the new
module. Add compile_pattern() helper which will be useful in subsequent
commits.
(cherry picked from commit be6bae2a75)
It's a fairly common pattern to use regular expression in our tests.
Instead of using the fairly verbose re.compile(), import that function
as Re() instead to allow for more brevity in the test syntax.
(cherry picked from commit ac7127d620)
Avoid repeating the .decode("utf-8") snippet when processing command
output and provide a helper instead, which leads to more concise code.
(cherry picked from commit ac998da3f6)
When creating an NSEC3 opt-out chain, a node in the chain could be removed too soon, causing the previous NSEC3 being unable to be found, resulting in invalid NSEC3 records to be left in the zone. This has been fixed.
Closes#5671
Backport of MR !11328
Merge branch 'backport-5671-fix-dbiterator-prev-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11340
dns_rbtnodechain_prev requires the current node to still be valid
which was not always the case after dereference_iter_node was called.
Move the call to dereference_iter_node to after the dns_rbtnodechain_prev
to preserve the node.
dns_qpiter_{prev,next} requires the current iterator node to still be
valid which might not always the case after dereference_iter_node was
called. Currently, this is ensured via closeversion() mechanism, but it
is not guaranteed to be true in the future.
Move the call to dereference_iter_node to after the dns_qpiter_prev()
and dns_qpiter_next() to prevent a possible use-after-free of the
current iterator node.
(cherry picked from commit 9914bd383e)
`padding` is incompatible with TSIG and SIG(0), not with "no" TSIG
and SIG(0).
Backport of MR !11333
Merge branch 'backport-each-fix-padding-doc-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11335
A manual rollover when the zone is in an invalid DNSSEC state causes predecessor keys to be removed too quickly. Additional safeguards to prevent this have been added. DNSSEC records will not be removed from the zone until the underlying state machine has moved back into a valid DNSSEC state.
Closes#5458
Backport of MR !10813
Merge branch 'backport-5458-safeguard-against-key-rollovers-when-in-invalid-state-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11329
The manykeys test case relies on keys being removed. Make sure the
zone is fully signed with the keys that will stay, so the other keys
may be removed safely.
This means the expected number of signatures generated and refreshed
will change. The CDS and CDNSKEY RRset also need to be signed now.
Configure the test case with sig-signing-signatures 100, large enough
that the entire zone is processed in a single step.
(cherry picked from commit 14a243a81d)
The nsec3 system test has a couple of cases where the configured policy
changes the algorithm, effectively triggering an algorithm rollover. Fix
those cases to start in a valid DNSSEC state. Then fix the expected key
states, no longer should the old algorithm be removed immediately.
(cherry picked from commit a8339be0f8)
When creating keys, set Publish and Activate times so that keys will
be initialized as omnipresent. This way we start with a safe DNSSEC
state. In most cases at least, because some tests depend on special
key timings.
The ttl[1-4].example cases have become incorrect. With dnssec-policy
we require the TTL to match the dnskey-ttl from the policy.
The delzsk.example will have a ZSK removed from the zone. It also
requires that the DNSKEY RRset is already published. This means
that for the existing keys the, no longer "is now published"
messages will be logged.
The nsec-only.example and reconf.example zones are fixed to have a
correct matching policy.
This all means the expected count of log messages changes slightly.
(cherry picked from commit c756b8a505)
This test case enables DNSSEC and has a mismatch in policy. Fix the
policy so that it matches the existing key set, and adjust the
expected answer count because no longer a new key is generated.
(cherry picked from commit 67ea0e656b)
If the keymgr state machine is in an invalid state, it tries to move
it self to a valid state. But when you do key rollovers during an
invalid state, and the next state is also an invalid state, the keymgr
will happily do the transition.
It would be good to not do key rollovers if there is not a KSK and ZSK
fully omnipresent. But also it would be good to safeguard against
unexpected transitions.
This commit does that by not moving things to unretentive (which is
the state where we would remove the corresponding record from the zone)
if the state machine is currently in an invalid state.
(cherry picked from commit b19871f8a2)
Test a manual rollover when zone signatures have not become omnipresent
yet. This should not immediately remove the predecessor key.
(cherry picked from commit 149ca5d46a)