The DSDigest class isn't available prior to dnspython 2.0.0. Add
an isctest.compat.DSDigest compatibility hack to support those versions.
(cherry picked from commit 2f2be20547)
Add an isctest.kasp.Key.into_ta() method which converts the key into a DS /
DNSKEY trust anchor for BIND config. Add a shared template
trusted.conf.j2 which can be linked to in tests to create the trust
anchor configuration from trust anchor data returned from bootstrap()
function.
This is basically a Python replacement for keyfile_to_static_ds (and
friends) from the conf.sh shell framework.
(cherry picked from commit f6cb154b65)
Previously, a DNSKEY string from the keyfile was returned. This made the
function brittle for further processing, as the string would have to be
split up, concatenated, and TTL could be missing, making string indices
context-dependent.
Parse the DNSKEY rrset into a proper dnspython object and return it.
This makes the output more predictable and reliable, as all the
necessary parsing is done by dnspython.
(cherry picked from commit 0bf20f8d68)
The dns_resolver mode of operation is to resolve all the domains as it
iterates the DNS tree to fill up the cache as quickly as possible.
This commit reduces the number of outgoing queries by reducing the
number of remote fetches started for the nameserver addresses resolution
via dns_adb_createfind() to a smaller number per depth of the recursion
since the delegation point (3 2 1 0) - where 0 means only create fetch
on demand if we don't have any addresses yet.
(cherry picked from commit 1b90d2ffdb)
If the primary has been updated, but the secondary has not been
notified, the journal will go out of date. An 'rndc retransfer' causes
the zone to force an AXFR, removing and rebuilding zone and journal
files.
This test reproduces a bug where, in such a scenario, an NSEC3-signed zone
falls back to NSEC.
(cherry picked from commit be3e4c83d0)
To check whether the key managing for a zone is done, we check for a log
message. On some machines with many zones, this may take some time.
Increase the timeout to a minute. Note that most zones will continue
their test case much faster, but with many zones there may be some
straggling.
(cherry picked from commit ba211de912)
In order to make the tests run reliably, first make sure that the key
managing for all the zones has finished before running the
reconfig command.
(cherry picked from commit 8cfccb9eac)
When all zones are configured, regardless of whether the test module
actually uses them, it makes debugging the logs needlessly more
complicated, as there is a bunch of stuff going on that is completely
unrelated to the test.
Define a list of tested zones in each test module and only render the
named.conf with those zones defined.
(cherry picked from commit 66e4146a88)
This zone has a specific corner case to be tested during the setup.
Move it to a separate module so it is less convoluted.
(cherry picked from commit 9ee62467a6)
With the nsec and nsec3 test cases being nearly identical for all
modules, these can be unified and moved to common.py.
(cherry picked from commit 7762b2391e)
Convert the final nsec3 system test case that deals with empty
non-terminals. This is a regression test case for GL #5108.
(cherry picked from commit 3f5d295e29)
This converts two test cases:
1. A zone that previously failed to load is now fixed. Make sure the
zone is signed correctly with the right NSEC3 parameters.
2. Test case to ensure the salt is the same after a restart, i.e. no
re-salting takes place. Previously we only tested with salt length
0, this commit adds a test case for salt length 8 as well.
(cherry picked from commit f98f6ee3d6)
This converts the nsec3 system test cases after reconfiguring the
name server.
Two extra tests for nsec3-change.kasp are updated. They depend on the
zone being updated, and a reconfig. This test code is moved to
tests_nsec3_reconfig.py.
Furthermore, an additional 'rndc signing -nsec3param' error test
case has been added.
(cherry picked from commit 2c7190609b)
Since we know the salt after checking the NSEC3PARAM, we might as well
check the NSEC3 records on the NXDOMAIN response that the salt matches.
(cherry picked from commit ba1ffe56e4)
Some constants and test functionality are the same for test cases
prior and after reconfiguration. Move these into a common module.
(cherry picked from commit 85eea3db37)
Change the named.conf templating to make use of jinja template
rendering. The ns2 server is trivial. The ns3 server configuration
structure has changed:
The common configuration is moved out of named-fips.conf.
The main named.conf file is in named.conf.j2. It always includes the
common part, named-common.conf.j2, and the FIPS part,
named-fips.conf.j2.
The named-fips.conf.j2 and named-rsasha1.conf.j2 templates are
rendered differently depending on the reconfigured status. Mainly the
dnssec-policy for zones is different after reconfiguration, but there
are some other changes too; for example, some zones change their
inline-signing setting.
Some zones only exist prior to or after the configuration.
Finally, this is a bit hackish: If RSASHA1 is supported, named.conf
includes "named-rsasha1.conf", otherwise it includes the deliberately
empty "named-rsasha0.conf".
(cherry picked from commit 4a404dd806)
This converts all the nsec3 system test cases prior to reconfiguring the
name server. There are two main classes, one that tests the zone is
correctly signed with NSEC, the other with NSEC3.
Two extra tests for nsec3-dynamic-update-inline.kasp and
nsec3-change.kasp are also rewritten. For the former, we need to
change the 'nsupdate' definition to be able to set the expected RCODE.
(cherry picked from commit e81cc1520a)
Add a utility function to check for EDE options present in the DNS
message. The primary benefit of this helper function is that it
handles the compatibility issues with different dnspython versions
and the actual test code doesn't have to deal with that any more.
Rather than using the convenience .extended_errors() method
introduced in dnspython 2.7.0, iterate over the options and find
EDEOption types, which is supported from 2.2.0 onwards.
To work around the issue of using dns.edns.EDECode to specify EDE codes
in our tests, create an isctest.compat.EDECode wrapper. This can be used
even with dnspython versions prior to 2.2.0 and will simply result in
no-op, since EDE isn't supported in the older dnspython anyway.
(cherry picked from commit 61b3b415d5)
a94aab9440 removed the importorskip call from
isctest.name on which the functionality of this test relied.
Add an explicit importorskip call to the test.
(cherry picked from commit 35923a952e)
Maintaining compatibility with pre-2.0.0 dnspython became cumbersome,
leading to failures in nightly CI jobs, which are the only ones that run
with dnspython this old.
Abort all AsyncServer instances when running with old dnspython. Add an
importorskip for all system tests using isctest.asyncserver.
(cherry picked from commit 072a82a6c5)
They can be used outside of test modules (like ans.py custom servers)
which leads to pytest.outcomes.Skipped being raised in weird places and
skipping of tests which don't need dnspython this new.
Remove pytest.importorskip from the top scope of isctest.name; only run the
check when ZoneAnalyzer is used.
(cherry picked from commit a94aab9440)
The case where there would be one supported algorithm and one already
unsupported (like RSAMD5 or RSASHA1) was missing.
(cherry picked from commit 488d7bfc75f2988c6e461b8677bc0e27e58bd82e)
Check that dig doesn't exit with an assertion failure when an IPv4
source address is defined after defining a server address which has
both IPv4 and IPv6 addresses (in this case, @localhost).
(cherry picked from commit 0e8c547e5b)
Reimplement the custom server using the asyncserver Python module.
Behavior change: The new server doesn't copy CD and DO flags and a
client cookie to responses.
(cherry picked from commit 2ba3726207)
Add a new ResponseHandler subclass, QnameHandler, which enables
conveniently matching specific QNAMEs (without also matching their
subdomains like DomainHandler does).
(cherry picked from commit a556199c7b)
This is mostly for cases where no zone is set up and all response stubs
come to response handler with REFUSED as RCODE.
This commit allows overriding the RCODE before the QueryContext is passed
to response handlers.
(cherry picked from commit 848b721d1d)
Replace the custom DNS servers in the "cookie" system test with new code
based on the isctest.asyncserver module. The convoluted test logic is
split into multiple response handlers which are shared between the two
servers.
Behavior change: returned SOA records have the zone name set properly.
(cherry picked from commit 02c2f76e30)
Reimplement the custom server using isctest.asyncserver. Factor most of
the logic out of the server code to two (identical) zones and only
implement the non-standard behavior.
Behavior changes:
- RRSIG Expiration and Inception are now static and cover the whole
timeline instead of being calculated every time.
- NXDOMAIN is returned where suitable by standard.
- Returned SOA records have properly set zone names.
(cherry picked from commit ade2e995a9)
Replace the custom server with new implementation using the
AsyncDnsServer class.
Behavior changes:
- DNS cookie is not copied to the responses.
- CD, DO flags aren't set on responses.
(cherry picked from commit 1faf5c47a5)
The traffic-json.pl and traffic-xml.pl scripts that were used in the
"statschannel" system test in the past became dead code when commit
1202fd912a rewrote parts of that test to
Python. Remove those scripts.
(cherry picked from commit 5110dbacb9)
Inspecting XML data using sed and grep is error-prone, overly lax in
some ways, overly strict in others, and neither accurate nor expressive.
Use xmllint and XPath expressions for inspecting XML data in the
"statistics", "statschannel", and "synthfromdnssec" system tests to
address these deficiencies.
(cherry picked from commit 5872000d9e)
Detect whether and where the xmllint utility is available at build time,
so that it can be used in system tests. If the tool is not found,
specific checks employing it will be skipped.
(cherry picked from commit 85773d4d21)
Inspecting JSON data using grep is error-prone, overly lax in some ways,
overly strict in others, and neither accurate nor expressive. Use jq
for inspecting JSON data in the "statschannel" and "synthfromdnssec"
system tests to address these deficiencies.
(cherry picked from commit b494e02761)
Detect whether and where the jq utility is available at build time, so
that it can be used in system tests. If the tool is not found, specific
checks employing it will be skipped.
(cherry picked from commit 273b4bbfd7)
Add a TCP connection handler, IgnoreAllConnections, which allows
establishing a TCP connection but not reading anything from it.
This re-uses the horrible hack from the ConnectionReset handler and might
break at any point in the future.
See the comments and e407888507 for more
details.
(cherry picked from commit 4042b805ff)
Unify the names of autouse module-wide fixtures that perform
after_servers_start() setup. The consistent naming doesn't just help
readability, but also makes it simpler for the vulture exception (since
it doesn't properly deal with autouse fixtures).
(cherry picked from commit 377724c26d)
Replace the autouse fixtures which were only used to change the initial
server configuration into proper bootstrap() functions. This gets rid of
an extraneous reconfigure.
In tests_validation_many_anchors.py, split the fixture into a proper
bootstrap() and a separate test for checking the expected log lines for
the ignored keys. Previously, the test was broken - it should check for
all the messages being present in the log, and some of the keys are
actually initial-key rather than static-key. This has been fixed in the
parametrized test.
(cherry picked from commit fb4345afd4)
During the system test execution, allow use of module-specific
bootstrap() function in addition to the setup.sh script which this
function should ultimately replace.
The purpose of bootstrap() is two-fold. First, it can execute any
commands needed to create the initial conditions for the test, such as
creating key materials, manipulating files etc. Second, it should return
any test-specific template values as a dictionary. Those will be used to
render the jinja2 templates.
(cherry picked from commit 7474d38295)
'nextpart file | grep -q' doesn't work as expected. 'grep -q' is not
required to read all of the input and that causes 'nextpart' to fail.
(cherry picked from commit 5beba4d292)
With the collision avoidance on, some of the tests would occasionally
fail. None of the tests using keyfromlabel are revoking the keys so it
should be safe to disable it.
(cherry picked from commit 2ecbe46e0d)
While the extra text field in EDE can be useful debug information, it
doesn't need to be checked in the tests. In some cases, differences in
caching could lead to slightly different messages which would trigger a
false positive test result. Omit these checks, as they're no longer
checked for anyway in 9.21+ where the test has been rewritten to python.
The configuration should also take into account the built-in
DNSSEC policies when verifying the keys in the key-directory match the
given policy. Update the code accordingly and add some good and
failure test cases.
(cherry picked from commit dcd49f2ead)