Since the isctest.name module uses `pytest.importorskip()` to check for
dnspython version, it can't be imported automatically on `import
isctest`, because that is used in conftest.py, causing an error during
test setup.
Note that this behavior only manifested on AlmaLinux 8, so perhaps newer
pytest versions are able to handle this edge case more gracefully.
This doesn't affect 9.20+, as this issue was introduced as an erroneous
conflict resolution during a 9.18 backport.
Merge branch 'nicki/fix-isctest-name-import-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10822
On FreeBSD, the server would not listen on the configured 'localhost'
interfaces immediately, but only after the 'interface-interval' period
has passed. After the fix for default interface-interval was merged in
!10281, this means the server would listen on the localhost after 60
minutes.
Rescan the interfaces immediately after configuring the
interface-interval value to start listening on the 'localhost' interface
immediately.
Merge branch 'ondrej/rescan-the-interface-on-time-0' into 'bind-9.18'
See merge request isc-projects/bind9!10758
Under rare circumstances, validation could fail if multiple clients simultaneously iterated the same set of signatures.
References #3014
Backport of MR !5578
Merge branch 'backport-3014-validator-c-check_signer-fails-to-call-dns_rdataset_clone-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10816
Spurious validation failures were traced back to check_signer looping
over val->event->sigrdataset directly. Cloning val->event->sigrdataset
prevents check_signer from interacting with callers that are also
looping over val->event->sigrdataset.
(cherry picked from commit 8aa130f253)
This reverts commit b4a2674d98.
The --fs-capture-search option is no more. The ability to analyse Python
scripts in Coverity turned out to be questionable anyways.
Closes #5456
Backport of MR !10808
Merge branch 'backport-5456-coverity-scan-drop-fs-capture-search-option-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10811
This reverts commit e1a463e98d.
(cherry picked from commit 310884c259)
added some helper functions in isctest to reduce code repetition
in dnssec-related tests:
- isctest.check.adflag() - checks that a response contains AD=1
- isctest.check.noadflag() - checks that a response contains AD=0
- isctest.check.rdflag() - checks that a response contains RD=1
- isctest.check.nordflag() - checks that a response contains RD=0
- isctest.check.raflag() - checks that a response contains RA=1
- isctest.check.noraflag() - checks that a response contains RA=0
- isctest.check.rr_count_eq() - checks the number of RRsets in a section
- isctest.check.same_data() - checks that two messages have the
same rcode and data
- isctest.check.same_answer() - checks that two messages have the same
rcode and answer
- isctest.query.create() - a wrapper for dns.message.make_query() that
creates a query message similar to dig +dnssec
Backport of MR !10760
Merge branch 'backport-each-isctest-helpers-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10794
Rather than using dnspython's facilities and defaults to create the
queries, use the isctest.query.create function in all the cases that
don't require special handling, to have consistent defaults.
(cherry picked from commit 64143ea077)
Make the query helper function more universal and reusable across our
system tests -- default to using EDNS and sending AD=1.
(cherry picked from commit 989e64b9b0)
Use a common function to count the number of RRs in any section of the
DNS message. For the ADDITIONAL section, stick with the dnspython
convention of not including OPT and TSIG.
(cherry picked from commit efd60348b9)
added some helper functions in isctest to reduce code repetition
in dnssec-related tests:
- isctest.check.adflag() - checks that a response contains AD=1
- isctest.check.noadflag() - checks that a response contains AD=0
- isctest.check.rdflag() - checks that a response contains RD=1
- isctest.check.nordflag() - checks that a response contains RD=0
- isctest.check.answer_count_eq() - checks the answer count is correct
- isctest.check.additional_count_eq() - same for authority count
- isctest.check.authority_count_eq() - same for additional count
- isctest.check.same_data() - check that two messages have the
same rcode and data
- isctest.check.same_answer() - check that two messages have the same
rcode and answer
- isctest.dnssec.msg() - a wrapper for dns.message.make_query() that
creates a query message similar to dig +dnssec:
use_edns=True, want_dnssec=True,
and flags are set to (RD|AD) by default, but
options exist to disable AD or enable CD.
(to generate non-DNSSEC queries, use
message.make_query() directly.)
(cherry picked from commit b69097f139)
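As an added illustration of what the helpers listed above (isctest.query.create / isctest.dnssec.msg and the isctest.check flag and count helpers) actually inspect, the block below builds and parses the same kind of message by hand in pure Python instead of through dnspython. It is not isctest's code and not BIND's: a "dig +dnssec"-style query with RD|AD and an EDNS0 OPT record carrying the DO bit, the AD/RD/RA flag checks, and a per-section RR count that leaves OPT and TSIG out of ADDITIONAL the way dnspython does. The function names, the constructed 192.0.2.1 reply and the 1232-byte EDNS payload size are this example's own choices.

```python
import struct

# Header flag bits (RFC 1035, RFC 4035) and the EDNS DO bit (RFC 3225,
# carried in the TTL field of the OPT pseudo-RR).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
DO = 0x8000
TYPE_A, TYPE_OPT, TYPE_TSIG = 1, 41, 250


def encode_name(name):
    """Uncompressed wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_query(qname, qtype=TYPE_A, msgid=0x1234, use_edns=True,
               want_dnssec=True, ad=True, cd=False):
    """Query shaped like 'dig +dnssec': RD|AD set (AD can be dropped, CD
    added), plus an EDNS0 OPT record with the DO bit when requested."""
    flags = RD | (AD if ad else 0) | (CD if cd else 0)
    msg = struct.pack("!HHHHHH", msgid, flags, 1, 0, 0, 1 if use_edns else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if use_edns:
        # OPT: root owner, type 41, class = UDP payload size, TTL = ext flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232,
                                     DO if want_dnssec else 0, 0)
    return msg


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:       # a compression pointer ends the name
            return off + 2
        off += 1 + ln


def parse(msg):
    """Header flags plus per-section RR counts. ADDITIONAL excludes OPT and
    TSIG, the same convention dnspython uses for len(msg.additional)."""
    msgid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    info = {"id": msgid, "flags": flags, "rcode": flags & 0xF, "do": False,
            "answer": 0, "authority": 0, "additional": 0}
    for sect, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                info["do"] = bool(ttl & DO)
            if sect == "additional" and rtype in (TYPE_OPT, TYPE_TSIG):
                continue
            info[sect] += 1
    return info


def make_response(query, a_rdata=b"\xc0\x00\x02\x01", authenticated=True):
    """Constructed reply (example data): echoes the question, answers with
    one A record whose owner is compressed to the question name, adds OPT."""
    msgid, qflags, _, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = QR | RA | (qflags & (RD | CD)) | (AD if authenticated else 0)
    qend = _skip_name(query, 12) + 4
    msg = struct.pack("!HHHHHH", msgid, flags, 1, 1, 0, 1) + query[12:qend]
    msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, len(a_rdata))
    msg += a_rdata + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO, 0)
    return msg


# Predicates in the spirit of isctest.check.*; wrap them in assert in a test.
def adflag(msg):
    return bool(parse(msg)["flags"] & AD)


def noadflag(msg):
    return not adflag(msg)


def rdflag(msg):
    return bool(parse(msg)["flags"] & RD)


def raflag(msg):
    return bool(parse(msg)["flags"] & RA)


def rr_count_eq(msg, section, expected):
    return parse(msg)[section] == expected


if __name__ == "__main__":
    q = make_query("www.example.")
    assert rdflag(q) and adflag(q) and parse(q)["do"]
    r = make_response(q)
    assert rr_count_eq(r, "answer", 1) and rr_count_eq(r, "additional", 0)
    print("ok")
```

The ADDITIONAL count is the part worth keeping in mind when porting dig-based checks: ARCOUNT in the header includes the OPT (and TSIG) record, so a header-only count would be off by one compared with the dnspython convention the helpers follow.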
Add missing type hints in the tests_nsec3.py module. Tweak the syntax
used for type hints for better consistency with other Python code in
bin/tests/system/.
(cherry picked from commit adb931f700)
This should prevent the case where we are unlucky enough that static
values hash 'just right' for the test to pass, but only accidentally.
(cherry picked from commit 46781845ea)
Currently this test is limited to auth only, because the BIND resolver
currently does not send a DS proof of nonexistence for RD=0 queries.
(cherry picked from commit 548632b18a)
Simplistic test. Ignores the possibility of a DNAME chain going through
multiple zones and/or wildcard expansions.
(cherry picked from commit 73e4201331)
Simplistic test. Ignores the possibility of a CNAME chain going through
multiple zones and/or wildcard expansions.
(cherry picked from commit d0e413dd57)
The test actually needs just two servers - auth and resolver. The rest
was not needed and made test setup only slower and harder to debug.
(cherry picked from commit ac58b58002)
Basic sanity checks - limited to responses from a single zone:
- NSEC3 type cannot be present in the type bitmap:
By definition, the type bitmap describes the state of the unhashed name,
but the NSEC3 RR is present at a different owner name. RFC 7129 section 5
- NSEC3 owner names cannot be duplicated:
Unless the response crosses a zone boundary, the parent zone has an insecure
delegation for the child, but the child is signed ... don't do that.
- All parameters are consistent across all RRs present in the answer:
RFC 5155 section 7.2, last paragraph - at least when we don't cross a
zone boundary.
(cherry picked from commit cfaf5c997f)
Untangling individual cases allows for clearer documentation and makes
it easier to build similar but slightly different test cases. Wildcard
NODATA answer was added.
(cherry picked from commit 9ca2077274)
As a side-effect, we now have a set of all existing names in a zone with a
test, too. These parts should be shared with new NSEC tests.
(cherry picked from commit f0592de608)
A side-effect of importing from isctest.hypothesis first is a version
check and a clean Pytest skip if the version is too old.
(cherry picked from commit 9cea2af25c)
Test all combinations of wildcard, ENT, DNAME, NS, and ordinary
TXT records.
Test zone and expected outputs are generated by another script which
encodes node content into the node name. This encoding removes the 'node
content' level of indirection and thus enables a simpler implementation of
the same logic, which needs to be in ZoneAnalyzer itself.
For humans, the generated zone file also lists the expected 'categories' a
name belongs to as a dot-separated list on the right-hand side of a generated
RR.
(cherry picked from commit 42b60a3819)
I've considered writing hypothesis test for this but I would have to
reimplement the same thing, which would probably have the same logic
bugs, so I will leave it as an exercise for someone else.
(cherry picked from commit cad48e56ab)
dns.name all over the place does not make it easier to read the code at
all, and I'm going to add a lot more code here.
(cherry picked from commit 3fb6b990af)
Check the correctness of NSEC3 hash generation by generating random
combinations of name, salt, and iterations and comparing the outputs
of the nsec3hash tool against the dnspython nsec3_hash function
for the same inputs.
(cherry picked from commit e263df8848)
For any given NSEC3 signed zone, when doing queries for non-existent
names, the response must contain:
- NSEC3 RR that matches the closest encloser,
- NSEC3 RR that covers the next closer name,
- NSEC3 RR that covers the wildcard.
(cherry picked from commit 955e3ccf3e)
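The two commits above (the nsec3hash-vs-dnspython comparison and the three-record Name Error proof) are small enough to show end to end. The block below is an added example, not BIND's or dnspython's code: it computes the RFC 5155 SHA-1 NSEC3 hash from the standard library, builds a complete NSEC3 chain over a constructed set of existing names, and checks that a nonexistent name gets a closest-encloser match plus covering records for the next closer name and the wildcard. The toy zone, the function names and the single-zone simplification (no delegation, DNAME or opt-out handling) are this example's own; the "example"/aabbccdd/12 test vector is the one from RFC 5155 Appendix A.

```python
import base64
import hashlib

# base32hex (RFC 4648 s7) as a translation of the standard base32 alphabet.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form of a domain name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 s5 with SHA-1: H0 = SHA1(wire|salt), Hi = SHA1(H(i-1)|salt),
    rendered as lowercase base32hex (32 characters, no padding)."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode().lower()


def nsec3_covers(owner, nxt, h):
    """True when h lies strictly between owner and next in hash order.
    base32hex preserves byte order, so plain string comparison is enough;
    the last record of the chain wraps around to the first."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt


def build_chain(existing_names, salt_hex, iterations):
    """Complete NSEC3 chain for a set of existing names, as (owner, next) pairs."""
    hashes = sorted({nsec3_hash(n, salt_hex, iterations) for n in existing_names})
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]


def check_nxdomain_proof(qname, zone, chain, salt_hex, iterations):
    """Name Error proof per RFC 5155 s8.4: an NSEC3 matching the closest
    encloser, one covering the next closer name and one covering the
    wildcard at the closest encloser. Returns the records used, or None.
    Single zone only; delegation, DNAME and opt-out checks are omitted."""
    by_owner = dict(chain)

    def covering(name):
        h = nsec3_hash(name, salt_hex, iterations)
        return next(((o, n) for o, n in chain if nsec3_covers(o, n, h)), None)

    labels = qname.lower().rstrip(".").split(".")
    depth = len(zone.rstrip(".").split("."))
    if len(labels) <= depth:
        return None                     # the apex itself always exists
    # Climb from the parent of qname towards the apex; the first ancestor
    # with a matching NSEC3 is the closest encloser (s8.3).
    for i in range(1, len(labels) - depth + 1):
        candidate = ".".join(labels[i:])
        h = nsec3_hash(candidate, salt_hex, iterations)
        if h not in by_owner:
            continue
        next_closer = covering(".".join(labels[i - 1:]))
        wildcard = covering("*." + candidate)
        if next_closer is None or wildcard is None:
            return None                 # next closer exists, or proof incomplete
        return {"closest_encloser": candidate, "ce": (h, by_owner[h]),
                "next_closer": next_closer, "wildcard": wildcard}
    return None


# Constructed toy zone (names loosely modelled on RFC 5155 Appendix A);
# every ENT (y.w.example) is listed because NSEC3 gives ENTs a record too.
SALT, ITERATIONS = "aabbccdd", 12
EXAMPLE_NAMES = ["example", "a.example", "ai.example", "ns1.example",
                 "w.example", "*.w.example", "x.w.example", "y.w.example",
                 "x.y.w.example", "xx.example"]
CHAIN = build_chain(EXAMPLE_NAMES, SALT, ITERATIONS)

if __name__ == "__main__":
    print(nsec3_hash("example", SALT, ITERATIONS))
    print(check_nxdomain_proof("b.example", "example", CHAIN, SALT, ITERATIONS))
```

When comparing against BIND's nsec3hash tool (`nsec3hash aabbccdd 1 12 example`), note that it prints the digest in uppercase base32hex, so normalise case before comparing strings.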
The LSP server (using clangd) was always complaining about:
Suspicious string literal, probably missing a comma
for the two Local IPv6 Unicast Addresses strings that spanned
across multiple lines. Disable clang-format for these two lines.
Backport of MR !10764
Merge branch 'backport-ondrej/fix-suspicious-string-literal-probably-missing-comma-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10766