From: Evan Hunt Date: Wed, 2 Jul 2025 04:37:58 +0000 (-0700) Subject: convert TAT tests to python X-Git-Tag: v9.21.11~13^2~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0fabb0fbb66285d956233aa021aabafd16098d7c;p=thirdparty%2Fbind9.git convert TAT tests to python the trust-anchor-telemetry tests have been moved to a new python subtest, dnssec/tests_tat.py.
---
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 6bfd910da73..dc5f77bb742 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -2510,54 +2510,6 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
-echo_i "check that trust-anchor-telemetry queries are logged ($n)"
-ret=0
-grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns6/named.run >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that _ta-XXXX trust-anchor-telemetry queries are logged ($n)"
-ret=0
-grep "trust-anchor-telemetry '_ta-[0-9a-f]*/IN' from" ns1/named.run >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that _ta-AAAA trust-anchor-telemetry are not sent when disabled ($n)"
-ret=0
-grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/IN" ns1/named.run >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)"
-ret=0
-dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 >dig.out.ns1.test$n || ret=1
-grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)"
-ret=0
-dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 >dig.out.ns1.test$n || ret=1
-grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run >/dev/null || ret=1
-grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run >/dev/null && ret=1
-stop_server ns1 || ret=1
-nextpart ns1/named.run >/dev/null
-start_server --noclean --restart --port ${PORT} ns1 || ret=1
-n=$(($n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "waiting for root server to finish reloading ($n)"
-ret=0
-wait_for_log 20 "all zones loaded" ns1/named.run || ret=1
-n=$(($n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 echo_i "check that the view is logged in messages from the validator when using views ($n)"
 ret=0
 grep "view rec: *validat" ns4/named.run >/dev/null || ret=1
diff --git a/bin/tests/system/dnssec/tests_tat.py b/bin/tests/system/dnssec/tests_tat.py
new file mode 100644
index 00000000000..5f527d0964c
--- /dev/null
+++ b/bin/tests/system/dnssec/tests_tat.py
@@ -0,0 +1,61 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import re
+
+from dns import edns
+
+import isctest
+
+
+def test_tat_queries(servers):
+ ns1 = servers["ns1"]
+ ns6 = servers["ns6"]
+
+ # check that trust-anchor-telemetry queries are logged
+ with ns6.watch_log_from_start() as watcher:
+ watcher.wait_for_line("sending trust-anchor-telemetry query '_ta-")
+
+ # check that _ta-XXXX trust-anchor-telemetry queries are logged
+ with ns1.watch_log_from_start() as watcher:
+ watcher.wait_for_line("trust-anchor-telemetry '_ta-")
+
+ # check that _ta-AAAA trust-anchor-telemetry are not sent when disabled
+ ns1.log.prohibit("sending trust-anchor-telemetry query '_ta")
+
+ # check that KEY-TAG (ednsopt 14) trust-anchor-telemetry queries are
+ # logged. this matches "dig . dnskey +ednsopt=KEY-TAG:ffff":
+ msg = isctest.query.create(".", "DNSKEY")
+ opt = edns.GenericOption(14, b"\xff\xff")
+ msg.use_edns(edns=True, options=[opt])
+ pattern = re.compile("trust-anchor-telemetry './IN' from .* 65535")
+ with ns1.watch_log_from_here() as watcher:
+ res = isctest.query.tcp(msg, "10.53.0.1")
+ watcher.wait_for_line(pattern)
+
+ # check that multiple KEY-TAG trust-anchor-telemetry options don't
+ # leak memory, by stopping and restarting the server (a memory leak
+ # would trigger a core dump).
+ msg = isctest.query.create(".", "DNSKEY")
+ opt1 = edns.GenericOption(14, b"\xff\xff")
+ opt2 = edns.GenericOption(14, b"\xff\xfe")
+ msg.use_edns(edns=True, options=[opt2, opt1])
+ pattern = re.compile("trust-anchor-telemetry './IN' from .* 65534")
+ with ns1.watch_log_from_here() as watcher:
+ res = isctest.query.tcp(msg, "10.53.0.1")
+ isctest.check.noerror(res)
+ watcher.wait_for_line(pattern)
+
+ ns1.stop()
+ with ns1.watch_log_from_here() as watcher:
+ ns1.start(["--noclean", "--restart", "--port", os.environ["PORT"]])
+ watcher.wait_for_line("all zones loaded")
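Review bot: The multiple-KEY-TAG block at the end of test_tat_queries waits for the 65534 line but drops the negative half of the removed shell test, which also required that the second option's tag (65533 there) was not logged by ns1. Without it the test no longer shows that a client-supplied OPT record with repeated KEY-TAG options has only its first option logged. The second option here reuses `b"\xff\xff"`, and a 65535 line is already in the ns1 log from the previous query, so a whole-log check could not tell the two apart. Giving it a distinct tag as the shell test did, `opt1 = edns.GenericOption(14, b"\xff\xfd")`, and adding a prohibit check for the 65533 line after `watcher.wait_for_line(pattern)` would restore the coverage; whether `ns1.log.prohibit` accepts a regular expression is not visible here and should be confirmed. The first KEY-TAG query also assigns `res` without checking it, so `isctest.check.noerror(res)` there would match the second block.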