The manykeys test case relies on keys being removed. Make sure the
zone is fully signed with the keys that will stay, so the other keys
may be removed safely.
This means the expected number of signatures generated and refreshed
will change. The CDS and CDNSKEY RRset also need to be signed now.
Configure the test case with sig-signing-signatures 100, large enough
that the entire zone is processed in a single step.
(cherry picked from commit 14a243a81d)
The nsec3 system test has a couple of cases where the configured policy
changes the algorithm, effectively triggering an algorithm rollover. Fix
those cases to start in a valid DNSSEC state. Then fix the expected key
states, no longer should the old algorithm be removed immediately.
(cherry picked from commit a8339be0f8)
When creating keys, set Publish and Activate times so that keys will
be initialized as omnipresent. This way we start with a safe DNSSEC
state. In most cases at least, because some tests depend on special
key timings.
The ttl[1-4].example cases have become incorrect. With dnssec-policy
we require the TTL to match the dnskey-ttl from the policy.
The delzsk.example will have a ZSK removed from the zone. It also
requires that the DNSKEY RRset is already published. This means
that for the existing keys the, no longer "is now published"
messages will be logged.
The nsec-only.example and reconf.example zones are fixed to have a
correct matching policy.
This all means the expected count of log messages changes slightly.
(cherry picked from commit c756b8a505)
This test case enables DNSSEC and has a mismatch in policy. Fix the
policy so that it matches the existing key set, and adjust the
expected answer count because no longer a new key is generated.
(cherry picked from commit 67ea0e656b)
If the keymgr state machine is in an invalid state, it tries to move
it self to a valid state. But when you do key rollovers during an
invalid state, and the next state is also an invalid state, the keymgr
will happily do the transition.
It would be good to not do key rollovers if there is not a KSK and ZSK
fully omnipresent. But also it would be good to safeguard against
unexpected transitions.
This commit does that by not moving things to unretentive (which is
the state where we would remove the corresponding record from the zone)
if the state machine is currently in an invalid state.
(cherry picked from commit b19871f8a2)
Test a manual rollover when zone signatures have not become omnipresent
yet. This should not immediately remove the predecessor key.
(cherry picked from commit 149ca5d46a)
previously, there were over 40 separate definitions of CHECK macros, of which most used "goto cleanup", and the rest "goto failure" or "goto out". there were another 10 definitions of RETERR, of which most were identical to CHECK, but some simply returned a result code instead of jumping to a cleanup label.
this has now been standardized throughout the code base: RETERR is for returning an error code in the case of an error, and CHECK is for jumping to a cleanup tag, which is now always called "cleanup". both macros are defined in isc/util.h.
Backport of MR !10472
Merge branch 'each-check-and-cleanup-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11069
previously, there were over 40 separate definitions of CHECK macros, of
which most used "goto cleanup", and the rest "goto failure" or "goto
out". there were another 10 definitions of RETERR, of which most were
identical to CHECK, but some simply returned a result code instead of
jumping to a cleanup label.
this has now been standardized throughout the code base: RETERR is for
returning an error code in the case of an error, and CHECK is for jumping
to a cleanup tag, which is now always called "cleanup". both macros are
defined in isc/util.h.
(cherry picked from commit 52bba5cc34)
Closes#5648
Backport of MR !11265
Merge branch 'backport-5648-need-dump-instead-of-sending-notifies-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11312
In some cases we wait for the log message "sending notifies" before
proceeding with the test case. Notifies are rate limited. They are not
sent on every change to the zone. The "zone_needdump" messages happen on
every change.
(cherry picked from commit c17ac42608)
Backport of MR !11082
Merge branch 'backport-matthijs-pytestify-multisigner-system-test-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11307
We are not actually retrieving these records from the other provider,
they are available as key files to us and we are using those files
to send a dynamic update to the server.
(cherry picked from commit 11578aa219)
This test is similar to model2.multisigner, but now the two providers
are both secondary, both using the same hidden primary. The DNSKEY,
CDNSKEY, and CDS records need to be published at the hidden primary,
ns5, the zone is transferred to both secondaries, ns3 and ns4.
To avoid intermittent test failures, we wait for the line
"zone {zone}/IN (signed): serial {serial2} (unsigned {serial1})" in
the secondary server logs. This is a signal that the unsigned zone
with serial <serial1> has a signed version ready with serial <serial2>.
To speed up the test, disable 'notify-delay'.
(cherry picked from commit c96f896482)
When testing multi-signer as bump-in-the-wire (upcoming test), we want
to be able to do dynamically updates to a hidden primary. Update the
test functions such that we can set a specific primary server.
(cherry picked from commit fdf8a171c5)
The initial test code only allowed for one additional provider. Update
the test function such that more extra keys can be tested.
(cherry picked from commit 9ae449afd1)
This converts the model2.multisigner tests from the multisigner system
test to pytest based code. Crappy shell test functions such as
'zsks_are_published', 'records_published' and others are replaced with
the standard test code from isctest.kasp and by setting 'private=False'
and 'legacy=True' on the keys from the other providers so we don't do
any key file testing.
(cherry picked from commit 773ce8d99b)
Provide more information about the failure when the memory allocation fails.
Backport of MR !11272
Merge branch 'backport-ondrej/print-helpful-message-on-oom-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11304
Instead of just crashing when memory allocation fails, also print a
message saying "Out of memory!", the size of the allocation that failed,
total allocated memory from all memory contexts and value of errno.
(cherry picked from commit b0194004d9)
Function `named_config_getipandkeylist` could, in case of error in the
early code attempting to get the `port` or `tls-port`, make a pointer
check on a non-initialized value. This is now fixed.
Backport of MR !11303
Merge branch 'backport-colin/getipandkeylist-uinitstate' into 'bind-9.20'
See merge request isc-projects/bind9!11306
Function `named_config_getipandkeylist` could, in case of error in the
early code attempting to get the `port` or `tls-port`, make a pointer
check on a non-initialized value. This is now fixed.
(cherry picked from commit 954503b9f5)
The :any:`remote-servers` clause enable the following pattern using a named ``server-list``:
remote-servers a { 1.2.3.4; ... };
remote-servers b { a key foo; };
However, such configuration was wrongly rejected, with an "unexpected token 'foo'" error. Such configuration is now accepted.
Closes#5646
Backport of MR !11252
Merge branch 'backport-5646-fix-named-remote-servers-key-tls-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11300
Add checkconf system test to cover usage of `remote-servers` with a
named server-list and a `key` and/or a `tls` option.
(cherry picked from commit 4bc435ab10)
If a `key` or `tls` is associated to an IP address inside a server-list,
only the `tls` existence in the configuration was checked. Also, if
`key` or `tls` is associated to a named server-list inside a
server-list, there was no check at all.
Add the check for making sure a `key` is defined in the configuration,
as well as the check for `key` and `tls` when used on a named
server-list.
(cherry picked from commit 2956e4fc45)
`check.c` only checks if `remote-servers`, `primaries`, etc. are not
duplicated inside the configuration file, but does not check the
correctness of its definition. This commit fixes this by calling
`validate_remotes()` for each `remote-servers` (and other aliases),
which validates the correctness of the definition itself (this is the
same call done to validate other cases like `also-notify`, etc.).
(cherry picked from commit 1a732b6b8e)
Function `named_config_getipandkeylist()` processes the nested lists by
overriding the current local variable of the function, jumping back to
the beginning of the list processing. Of course, in order to go back to
the previous state and process the remaining items of the current list,
a "stack" array is used in order to put and get back the next list
element and associated values.
This makes the logic quite complex and error prone. Instead, this commit
changes the logic by recursing into the nested list (while sharing a
state between all the invocations). The processing is fundamentally
identical, but instead of "manually" handling the stack to go back to
the previous state (and process remaining elements of the current list),
takes advantage of recursion.
(cherry picked from commit ccb82ea85d)
The following case
remote-servers foo { 10.53.0.5; };
remote-servers bar { foo key fookey; };
did not work: the `fookey` was silently ignored. No matter how `bar` was
used, the server `10.53.0.5` wouldn't be contacted using the TSIG key
`fookey`. The problem is the same the for `tls` property.
The reason of the problem was that when `named_config_getipandkeylist()`
reached a named server-list (here, `foo`), it modified the current
context in order to immediately process what is inside `foo`, but forgot
to look at the fields `key` and `tls`, to associate those with `foo`
addresses.
Fix the problem by wrapping the `key` and `tls` from the "caller" list
inside the existing `lists` struct which is used to figure out if a
list is already processed or not. That way, the `key` and `tls` values
can be read when adding the addresses of the nested list.
(cherry picked from commit e732a8d25a)
Even though `remote-servers` now allows using named server-list with `key`
(or `tls`), the `key` or `tls` is not used, in the context of a named
server-list, when configuring the server.
For instance,
remote-servers foo { 10.53.0.5; };
also-notify { foo key fookey; };
won't use `fookey`.
Add a system test highlighting the problem.
(cherry picked from commit 32a4aa95ae)
The remote-servers clause enables the following pattern:
remote-servers a { 1.2.3.4; ... };
remote-servers b { a key foo; };
However, `check.c` was explicitly throwing an error if a `key` or `tls`
was provided after a named server-list. Remove this check, as this is a
valid use case.
(cherry picked from commit 046c6819b2)
Python has been required to run the system test suite for quite a while.
Remove the dated checks inside system tests which are no longer needed.
Backport of MR !11292
Merge branch 'backport-nicki/cleanup-python-checks-system-tests-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11301
dnspython has been mandatory to run system test for quite a while.
Remove all extraneous checks for this module from prereq.sh scipts.
(cherry picked from commit b1ffc80f26)
The timeouts test already checks for dnspython>=2.0.0 in
test_tcp_timeouts.py and the prereq.sh file is not needed.
(cherry picked from commit 156b213d62)
Python has been required to run the system test suite for quite a while.
Remove the dated checks inside system tests which are no longer needed.
(cherry picked from commit fe92341fd3)
Sometimes the loops in the resolving (e.g. to resolve or validate ns1.example.com we need to resolve ns1.example.com) were not properly detected leading to spurious 10 seconds delay. This has been fixed and such loops are properly detected.
Closes#3033, #5578
Backport of MR !11138
Merge branch 'backport-5578-tracker-parent-fetch-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11298
Maintain the relationship between the parent and child fetch and when
creating a new child fetch, properly check the resolution loops that
would lead to a new fetch would join one of the parent's fetch contexts.
(cherry picked from commit 4d307ac67a)
:iscman:`named` could terminate unexpectedly when reconfiguring or
reloading, and if client-side TLS transport was in use (for example,
when forwarding queries to a DoT server). This has been fixed.
Closes#5653
Backport of MR !11295
Merge branch 'backport-5653-tlsctx_cache-reference-bug-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11299
When named is being reconfigured, it detaches from the old
'isc_tlsctx_cache_t' TLS context cache object and creates a
new one. This can cause an assertion failure within the
resolver when the object is destroyed while still in use,
because the resolver is using the object without getting
attached to it.
Add an attach/detach so that the 'isc_tlsctx_cache_t' doesn't
get destroyed while still being in use.
(cherry picked from commit ed7b08c0c4)
Add isctest.kasp.Key.into_ta() method which convert the key into DS /
DNSKEY trust anchor for BIND config. Add a shared template
trusted.conf.j2 which can be linked to in tests to create the trust
anchor configuration from trust anchor data returned from bootstrap()
function.
This is basically a python replacement for the keyfile_to_static_ds (and
friends) from the conf.sh shell framework.
Backport of MR !11201
Merge branch 'backport-nicki/pytest-add-trust-anchor-template-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11294
DSDigest class isn't available prior to dnspython 2.0.0 and prior to Add
an isctest.compat.DSDigest compatibility hack to support those versions.
(cherry picked from commit 2f2be20547)
Add isctest.kasp.Key.into_ta() method which convert the key into DS /
DNSKEY trust anchor for BIND config. Add a shared template
trusted.conf.j2 which can be linked to in tests to create the trust
anchor configuration from trust anchor data returned from bootstrap()
function.
This is basically a python replacement for the keyfile_to_static_ds (and
friends) from the conf.sh shell framework.
(cherry picked from commit f6cb154b65)
Previously, a DNSKEY string from keyfile was returned. This made the
function brittle for further processing, as the string would have to be
split up, concatenated, and TTL could be missing, making string indices
context-dependent.
Parse the DNSKEY rrset into a proper dnspython object and return it.
This makes the output more predictable and reliable, as all the
neccessary parsing is done by dnspython.
(cherry picked from commit 0bf20f8d68)
Upstream has removed the atomics implementation of CMM_LOAD_SHARED and
CMM_STORE_SHARED as these can be used also with non-stdatomics types.
As we only use the CMM api with stdatomics types, we can restore the
previous behaviour to prevent ThreadSanitizer warnings.
Closes#5660
Backport of MR !11288
Merge branch 'backport-5660-use-atomics-for-CMM-api-with-thread-sanitizer-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11290
