version: 2.1
commands:
+ checkout-shallow:
+ description: "Do a shallow checkout of the repository"
+ steps:
+ - run:
+ name: Install git and openssh
+ command: apt-get update && apt-get -qq -y install openssh-client git
+ - run:
+ name: Store the keyid for the git repo
+ command: mkdir -p $HOME/.ssh && ssh-keyscan $(echo ${CIRCLE_REPOSITORY_URL} | sed 's,.*@\([^:]*\):.*,\1,') > $HOME/.ssh/known_hosts
+ - run:
+ name: Clone the repo
+ command: |
+ if [ -n "$CIRCLE_PR_NUMBER" ]
+ then
+ echo === Checking out PR "$CIRCLE_PR_NUMBER" from "$CIRCLE_REPOSITORY_URL"
+ git clone --depth 1 $CIRCLE_REPOSITORY_URL ~/project
+ cd ~/project
+ git fetch --depth 1 origin +refs/pull/${CIRCLE_PR_NUMBER}/merge
+ git checkout -qf FETCH_HEAD
+ else
+ echo === Checking out branch "${CIRCLE_BRANCH}" from "$CIRCLE_REPOSITORY_URL"
+ git clone --depth 1 --branch $CIRCLE_BRANCH $CIRCLE_REPOSITORY_URL ~/project
+ fi
+ git show -s
+
+ auth-regress-setup:
+ description: Prepare the environment for auth regression tests
+ steps:
+ - run:
+ name: ensure ca-certificates is installed
+ command: apt-get update && apt-get -qq -y install ca-certificates
+ - attach_workspace:
+ at: /opt
+ - install-auth-deps
+ - run:
+ name: Install test dependencies
+ command: |
+ apt-get -y -qq install \
+ bc \
+ bind9utils \
+ default-jre-headless \
+ dnsutils \
+ ldnsutils \
+ libnet-dns-perl \
+ unbound-host
+ - run:
+ name: Install jdnssectools
+ command: |
+ if [ ! -e /usr/bin/jdnssec-verifyzone ]; then
+ apt-get install -qq -y wget
+ wget https://github.com/dblacka/jdnssec-tools/releases/download/0.14/jdnssec-tools-0.14.tar.gz
+ tar xfz jdnssec-tools-0.14.tar.gz --strip-components=1 -C /
+ rm jdnssec-tools-0.14.tar.gz
+ fi
+ - checkout-shallow
+ - run:
+ name: Allow missing tools in verify-dnssec-zone
+ command: touch regression-tests/tests/verify-dnssec-zone/allow-missing
+
auth-regress:
- description: "run one auth regression context"
+ description: Run one auth regression context
parameters:
skip:
type: string
default: ""
+ rootskip:
+ type: string
+ default: ""
+ doroot:
+ type: boolean
+ default: true
context:
type: string
default: ""
+ prefix:
+ type: string
+ default: "/opt/pdns-auth/"
+ steps:
+ - run:
+ workdir: ~/project/regression-tests
+ name: Run << parameters.context >> tests
+ command: |
+ [ -e ./vars ] && . ./vars
+ rm -rf tests/*/skip
+ for t in << parameters.skip >>
+ do
+ touch tests/$t/skip
+ done
+ PDNS=<< parameters.prefix >>sbin/pdns_server \
+ PDNS2=<< parameters.prefix >>sbin/pdns_server \
+ SDIG=<< parameters.prefix >>bin/sdig \
+ NOTIFY=<< parameters.prefix >>bin/pdns_notify \
+ NSEC3DIG=<< parameters.prefix >>bin/nsec3dig \
+ SAXFR=<< parameters.prefix >>bin/saxfr \
+ ZONE2SQL=<< parameters.prefix >>bin/zone2sql \
+ ZONE2LDAP=<< parameters.prefix >>bin/zone2ldap \
+ PDNSUTIL=<< parameters.prefix >>bin/pdnsutil \
+ PDNSCONTROL=<< parameters.prefix >>bin/pdns_control \
+ ./start-test-stop 5300 << parameters.context >>
+ - when:
+ condition: << parameters.doroot >>
+ steps:
+ - run:
+ workdir: ~/project/regression-tests.rootzone
+ name: Run << parameters.context >> tests for the root zone
+ command: |
+ [ -e ../regression-tests/vars ] && . ../regression-tests/vars
+ rm -rf tests/*/skip
+ for t in << parameters.rootskip >>
+ do
+ touch tests/$t/skip
+ done
+ PDNS=<< parameters.prefix >>sbin/pdns_server \
+ PDNS2=<< parameters.prefix >>sbin/pdns_server \
+ SDIG=<< parameters.prefix >>bin/sdig \
+ NOTIFY=<< parameters.prefix >>bin/pdns_notify \
+ NSEC3DIG=<< parameters.prefix >>bin/nsec3dig \
+ SAXFR=<< parameters.prefix >>bin/saxfr \
+ ZONE2SQL=<< parameters.prefix >>bin/zone2sql \
+ ZONE2LDAP=<< parameters.prefix >>bin/zone2ldap \
+ PDNSUTIL=<< parameters.prefix >>bin/pdnsutil \
+ PDNSCONTROL=<< parameters.prefix >>bin/pdns_control \
+ ./start-test-stop 5300 << parameters.context >>
+
+ install-recursor-deps:
+ description: "Install all libraries needed for the recursor"
+ steps:
+ - run: apt-get update
+ - run:
+ command: |
+ apt-get install -qq -y \
+ libluajit-5.1 \
+ libboost-all-dev \
+ libcap2 \
+ libssl1.1 \
+ libsystemd0 \
+ libsodium18 \
+ libprotobuf10
+
+ install-auth-deps:
+ description: Install all libraries needed to run the auth
steps:
- run: |
- cd regression-tests
- [ -e ./vars ] && . ./vars
- rm -rf tests/*/skip
- for t in << parameters.skip >>
- do
- touch tests/$t/skip
- done
- ./start-test-stop 5300 << parameters.context >>
+ apt-get install -qq -y --no-install-recommends \
+ libboost-all-dev \
+ libcdb1 \
+ libkrb5-3 \
+ libldap-2.4-2 \
+ liblmdb0 \
+ libpq5 \
+ libssl1.1 \
+ libsodium18 \
+ libsystemd0 \
+ default-libmysqlclient-dev \
+ unixodbc
-jobs:
- build:
- docker:
- - image: debian:stretch
- - image: mcr.microsoft.com/mssql/server:2019-CTP2.2-ubuntu
- environment:
- - ACCEPT_EULA: Y
- - SA_PASSWORD: 'SAsa12%%'
+ install-auth-dev-deps:
+ description: Install all packages needed to build the auth
+ steps:
+ - run: apt-get update
+ - run:
+ command: |
+ apt-get install -qq -y --no-install-recommends \
+ autoconf \
+ automake \
+ bison \
+ default-libmysqlclient-dev \
+ flex \
+ g++ \
+ git \
+ libboost-all-dev \
+ libcdb-dev \
+ libkrb5-dev \
+ libldap2-dev \
+ liblmdb-dev \
+ libpq-dev \
+ libsodium-dev \
+ libsqlite3-dev \
+ libssl-dev \
+ libtool \
+ make \
+ pkg-config \
+ ragel \
+ sqlite3 \
+ unixodbc-dev \
+ virtualenv \
+ wget
+
+ add-auth-repo:
+ description: "Add the debian repo for the auth"
+ parameters:
+ version:
+ type: string
+ default: "42"
+ distro:
+ type: string
+ default: "debian"
+ release:
+ type: string
+ default: "stretch"
+ steps:
+ - run:
+ name: "Install dependencies"
+ command: "apt-get update && apt-get install -qq -y curl gnupg2"
+ - run:
+ name: "Install apt-keys"
+ command: |
+ if [ "<< parameters.version >>" = "master" ]; then
+ curl https://repo.powerdns.com/CBC8B383-pub.asc | apt-key add -
+ else
+ curl https://repo.powerdns.com/FD380FBB-pub.asc | apt-key add -
+ fi
+ - run:
+ name: "Add repository"
+ command: |
+ echo 'deb [arch=amd64] http://repo.powerdns.com/<< parameters.distro >> << parameters.release >>-auth-<< parameters.version>> main' >> /etc/apt/sources.list.d/pdns.list
+ - run:
+ name: "add pinning"
+ command: |
+ echo 'Package: pdns-*' > /etc/apt/preferences.d/pdns
+ echo 'Pin: origin repo.powerdns.com' >> /etc/apt/preferences.d/pdns
+ echo 'Pin-Priority: 600' >> /etc/apt/preferences.d/pdns
+ - run:
+ name: update apt cache
+ command: apt-get update
+ setup-ccache:
+ description: Install .ccache and set $PATH
+ steps:
+ - run:
+ name: Install ccache
+ command: apt-get update && apt-get -qq -y install ccache
+ - run:
+ name: Setup ccache in $PATH
+ command: echo 'export PATH=/usr/lib/ccache:$PATH' >> $BASH_ENV
+
+ save-ccache-cache:
+ description: Store the .ccache directory
+ parameters:
+ product:
+ type: string
+ default: ""
steps:
- - checkout
+ - save_cache:
+ key: ccache-cache-{{ arch }}-<< parameters.product >>-{{ .Branch }}
+ paths:
+ - ~/.ccache
+ restore-cache-ccache:
+ description: Restore the .ccache directory
+ parameters:
+ product:
+ type: string
+ default: ""
+ steps:
+ - setup-ccache
- run:
- name: install dependencies
- command: ./build-scripts/circleci.sh debian-stretch-deps
+ name: ensure ca-certificates is installed
+ command: apt-get update && apt-get -qq -y install ca-certificates
+ - restore_cache:
+ keys:
+ - ccache-cache-{{ arch }}-<< parameters.product >>-{{ .Branch }}
+ - ccache-cache-{{ arch }}-<< parameters.product >>-
+
+jobs:
+ build-auth:
+ docker:
+ - image: debian:stretch
+ steps:
+ - checkout-shallow
+ - install-auth-dev-deps
+ - restore-cache-ccache:
+ product: auth
- run:
name: autoconf
- command: autoreconf -vfi
-
+ command: BUILDER_VERSION=0.0.0-git1 autoreconf -vfi
- run:
name: configure
- command: ./configure --disable-lua-records --with-modules='bind gmysql godbc random'
-
+ command: |
+ CFLAGS="-O1 -Werror=vla" \
+ CXXFLAGS="-O1 -Werror=vla" \
+ ./configure \
+ --disable-lua-records \
+ --with-modules='bind lmdb ldap gmysql gsqlite3 gpgsql godbc mydns random tinydns' \
+ --enable-tools \
+ --with-lmdb=/usr \
+ --with-libsodium \
+ --prefix=/opt/pdns-auth
- run:
name: build
command: make -j3 -k
-
+ - save-ccache-cache:
+ product: auth
- run:
- name: test gsqlite3 odbc
- command: ./build-scripts/circleci.sh configure-odbc-sqlite; cd regression-tests ; touch tests/verify-dnssec-zone/allow-missing ; GODBC_SQLITE3_DSN=pdns-sqlite3-1 ./start-test-stop 5300 godbc_sqlite3-nsec3
+ name: Install the binaries
+ command: make install
+ - persist_to_workspace:
+ root: /opt
+ paths:
+ - pdns-auth
+ test-auth-regress-odbc-sqlite3:
+ docker:
+ - image: debian:stretch
+ steps:
+ - auth-regress-setup
- run:
- name: set up mssql odbc
- command: ./build-scripts/circleci.sh configure-odbc-mssql ; echo 'create database pdns' | isql -v pdns-mssql-docker-nodb sa SAsa12%%
-
+ name: Configure ODBC for sqlite
+ command: |
+ cat >> ~/.odbc.ini \<<- __EOF__
+ [pdns-sqlite3-1]
+ Driver = SQLite3
+ Database = ${PWD}/regression-tests/pdns.sqlite3
+ [pdns-sqlite3-2]
+ Driver = SQLite3
+ Database = ${PWD}/regression-tests/pdns.sqlite32
+ __EOF__
- run:
- name: set up mssql odbc testing
+ name: Install ODBC deps
command: |
- cd regression-tests
- echo 'export GODBC_MSSQL_PASSWORD=SAsa12%% GODBC_MSSQL_USERNAME=sa GODBC_MSSQL_DSN=pdns-mssql-docker' > ./vars
+ apt-get install -qq -y \
+ unixodbc \
+ libsqliteodbc \
+ sqlite3
+ - run:
+ name: Set up sqlite3 odbc testing
+ command: echo 'export GODBC_SQLITE3_DSN=pdns-sqlite3-1' > ./vars
+ workdir: ~/project/regression-tests
+ - auth-regress:
+ context: godbc_sqlite3-nsec3
+ doroot: false # Broken at the moment
+ test-auth-regress-odbc-mssql:
+ docker:
+ - image: debian:stretch
+ - image: mcr.microsoft.com/mssql/server:2019-CTP2.2-ubuntu
+ environment:
+ - ACCEPT_EULA: Y
+ - SA_PASSWORD: 'SAsa12%%'
+ steps:
+ - auth-regress-setup
+ - run:
+ name: Install ODBC deps
+ command: |
+ apt-get install -qq -y \
+ freetds-bin \
+ tdsodbc \
+ unixodbc
+ - run:
+ name: set up mssql odbc
+ command: |
+ cat >> ~/.odbc.ini \<<- __EOF__
+ [pdns-mssql-docker]
+ Driver=FreeTDS
+ Trace=No
+ Server=127.0.0.1
+ Port=1433
+ Database=pdns
+ TDS_Version=7.1
+ [pdns-mssql-docker-nodb]
+ Driver=FreeTDS
+ Trace=No
+ Server=127.0.0.1
+ Port=1433
+ TDS_Version=7.1
+ __EOF__
+ - run:
+ command: cat /usr/share/tdsodbc/odbcinst.ini >> /etc/odbcinst.ini
+ - run:
+ name: create database
+ command: echo 'create database pdns' | isql -v pdns-mssql-docker-nodb sa SAsa12%%
+ - run:
+ name: Set up mssql odbc testing
+ command: echo 'export GODBC_MSSQL_PASSWORD=SAsa12%% GODBC_MSSQL_USERNAME=sa GODBC_MSSQL_DSN=pdns-mssql-docker' > ./vars
+ workdir: ~/project/regression-tests
- auth-regress:
context: godbc_mssql-nodnssec
skip: 8bit-txt-unescaped
skip: 8bit-txt-unescaped
- auth-regress:
context: godbc_mssql-nsec3-optout
- skip: 8bit-txt-unescaped verify-dnssec-zone
+ skip: 8bit-txt-unescaped
- auth-regress:
context: godbc_mssql-nsec3-narrow
skip: 8bit-txt-unescaped
+
+ test-auth-regress-gsqlite3:
+ docker:
+ - image: debian:stretch
+ steps:
+ - auth-regress-setup
+ - run:
+ command: apt-get install -qq -y sqlite3
+ - auth-regress:
+ context: gsqlite3-nodnssec-both
+ - auth-regress:
+ context: gsqlite3-both
+ - auth-regress:
+ context: gsqlite3-nsec3-both
+ - auth-regress:
+ context: gsqlite3-nsec3-optout-both
+ - auth-regress:
+ context: gsqlite3-nsec3-narrow
+
+ test-auth-regress-bind:
+ docker:
+ - image: debian:stretch
+ - image: circleci/mysql:5 # for the hybrid test
+ steps:
+ - auth-regress-setup
+ - run:
+ command: apt-get install -qq -y sqlite3
+ - auth-regress:
+ context: bind-both
+ - auth-regress:
+ context: bind-dnssec-both
+ - auth-regress:
+ context: bind-dnssec-nsec3-both
+ - auth-regress:
+ context: bind-dnssec-nsec3-optout-both
+ - auth-regress:
+ context: bind-dnssec-nsec3-narrow
+ - run:
+ command: apt-get install -qq -y default-mysql-client
+ - run:
+ command: |
+ cat >> ~/.my.cnf \<<- __EOF__
+ [client]
+ protocol=TCP
+ __EOF__
+ - auth-regress:
+ context: bind-hybrid-nsec3
+
+ test-auth-regress-mydns:
+ docker:
+ - image: debian:stretch
+ - image: circleci/mysql:5
+ steps:
+ - auth-regress-setup
+ - run:
+ command: apt-get install -qq -y default-mysql-client
+ - run:
+ command: |
+ cat >> ~/.my.cnf \<<- __EOF__
+ [client]
+ protocol=TCP
+ __EOF__
+ - auth-regress:
+ context: mydns
+ doroot: false
+
+ test-auth-regress-gmysql:
+ docker:
+ - image: debian:stretch
+ - image: circleci/mysql:5
+ steps:
+ - auth-regress-setup
+ - run:
+ command: apt-get install -qq -y default-mysql-client
+ - run:
+ command: |
+ cat >> ~/.my.cnf \<<- __EOF__
+ [client]
+ protocol=TCP
+ __EOF__
+ - auth-regress:
+ context: gmysql-nodnssec-both
+ - auth-regress:
+ context: gmysql-both
+ - auth-regress:
+ context: gmysql-nsec3-both
+ - auth-regress:
+ context: gmysql-nsec3-optout-both
+ - auth-regress:
+ context: gmysql-nsec3-narrow
+
+ test-auth-regress-gpgsql:
+ docker:
+ - image: debian:stretch
+ - image: circleci/postgres:9
+ environment:
+ POSTGRES_USER: root
+ steps:
+ - auth-regress-setup
+ - run:
+ command: apt-get install -qq -y postgresql-client
+ - run:
+ name: Use TCP for Postgresql connections
+ command: |
+ cat >> ./vars \<<- __EOF__
+ export PGHOST=127.0.0.1
+ export PGPORT=5432
+ __EOF__
+ workdir: ~/project/regression-tests
+ - auth-regress:
+ context: gpgsql-nodnssec-both
+ - auth-regress:
+ context: gpgsql-both
+ - auth-regress:
+ context: gpgsql-nsec3-both
+ - auth-regress:
+ context: gpgsql-nsec3-optout-both
+ - auth-regress:
+ context: gpgsql-nsec3-narrow
+
+ test-auth-regress-ldap:
+ docker:
+ - image: debian:stretch
+ environment:
+ LDAPHOST: ldap://ldapserver/
+ - image: powerdns/ldap-regress:1.2.4-0 # OpenLDAP 2.4.47
+ name: ldapserver
+ command: '--loglevel debug'
+ environment:
+ LDAP_LOG_LEVEL: 0
+ steps:
+ - auth-regress-setup
+ - run: DEBIAN_FRONTEND=noninteractive apt-get install -qq -y ldap-utils
+ - auth-regress:
+ context: ldap-tree
+ doroot: false
+ - auth-regress:
+ context: ldap-simple
+ doroot: false
+ - auth-regress:
+ context: ldap-strict
+ doroot: false
+
+ test-auth-regress-tinydns:
+ docker:
+ - image: debian:stretch
+ steps:
+ - auth-regress-setup
+ - auth-regress:
+ context: tinydns
+ doroot: false
+
+ test-auth-regress-lmdb:
+ docker:
+ - image: debian:stretch
+ steps:
+ - auth-regress-setup
+ - run: apt-get install -y -qq jq curl
+ - auth-regress:
+ context: lmdb-nodnssec-both
+ - auth-regress:
+ context: lmdb-both
+ - auth-regress:
+ context: lmdb-nsec3-both
+ - auth-regress:
+ context: lmdb-nsec3-optout-both
+ - auth-regress:
+ context: lmdb-nsec3-narrow
+
+ test-auth-algorithms:
+ docker:
+ - image: debian:stretch
+ steps:
+ - auth-regress-setup
+ - run:
+ name: Test all algorithms
+ command: /opt/pdns-auth/bin/pdnsutil test-algorithms
+
+ test-auth-api:
+ docker:
+ - image: debian:stretch
+ steps:
+ - auth-regress-setup
+ - run: apt-get -y -qq install virtualenv sqlite3
+ - run:
+ name: Run API tests
+ workdir: ~/project/regression-tests.api
+ command: |
+ PDNSSERVER="/opt/pdns-auth/sbin/pdns_server" \
+ PDNSUTIL="/opt/pdns-auth/bin/pdnsutil" \
+ SDIG="/opt/pdns-auth/bin/sdig" \
+ ZONE2SQL="/opt/pdns-auth/bin/zone2sql" \
+ ./runtests authoritative
+
+ build-recursor:
+ docker:
+ - image: debian:stretch
+ steps:
+ - restore-cache-ccache:
+ product: recursor
+ - run:
+ name: Install dependencies
+ command: |
+ apt-get update && apt-get -qq --no-install-recommends install \
+ autoconf \
+ automake \
+ ca-certificates \
+ curl \
+ bison \
+ flex \
+ g++ \
+ git \
+ libboost-all-dev \
+ libcap-dev \
+ libluajit-5.1-dev \
+ libprotobuf-dev \
+ libsodium-dev \
+ libssl-dev \
+ libsystemd-dev \
+ libtool \
+ make \
+ pkg-config \
+ protobuf-compiler \
+ ragel \
+ virtualenv
+ - checkout-shallow
+ - run:
+ name: autoconf
+ command: BUILDER_VERSION=0.0.0-git1 autoreconf -vfi
+ working_directory: ~/project/pdns/recursordist
+ - run:
+ name: configure
+ command: |
+ CFLAGS="-O1 -Werror=vla" \
+ CXXFLAGS="-O1 -Werror=vla" \
+ ./configure \
+ --enable-unit-tests \
+ --prefix=/opt/pdns-recursor \
+ --with-libsodium \
+ --with-lua=luajit \
+ --with-libcap \
+ --with-protobuf=yes \
+ --without-net-snmp
+ working_directory: ~/project/pdns/recursordist
+ - run:
+ name: build
+ command: make -j3 -k
+ working_directory: ~/project/pdns/recursordist
+ - save-ccache-cache:
+ product: recursor
+ - run:
+ name: Run unit tests
+ command: make check || (cat test-suite.log; false)
+ working_directory: ~/project/pdns/recursordist
+ - run:
+ name: Install resulting binaries
+ command: make install
+ working_directory: ~/project/pdns/recursordist
+ - persist_to_workspace:
+ root: /opt
+ paths:
+ - pdns-recursor
+
+ test-recursor-regression:
+ docker:
+ - image: debian:stretch
+ steps:
+ - add-auth-repo
+ - run: apt-get --no-install-recommends install -qq -y pdns-server pdns-backend-bind pdns-tools daemontools authbind jq libfaketime lua-posix moreutils bc virtualenv protobuf-compiler
+ - install-recursor-deps
+ - run:
+ name: Set up authbind
+ command: |
+ touch /etc/authbind/byport/53
+ chmod 755 /etc/authbind/byport/53
+ - checkout-shallow
+ - attach_workspace:
+ at: /opt
+ - run:
+ name: Run regression tests
+ workdir: ~/project
+ command: |
+ PDNSRECURSOR=/opt/pdns-recursor/sbin/pdns_recursor \
+ RECCONTROL=/opt/pdns-recursor/bin/rec_control \
+ ./build-scripts/test-recursor
+
+ test-recursor-bulk:
+ docker:
+ - image: debian:stretch
+ steps:
+ - add-auth-repo
+ - run: apt-get --no-install-recommends install -qq -y pdns-tools moreutils time
+ - install-recursor-deps
+ - checkout-shallow
+ - attach_workspace:
+ at: /opt
+ - run:
+ name: Get the majestic million list
+ workdir: ~/project/regression-tests
+ command: |
+ apt-get install -qq -y unzip && \
+ curl -LO http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip && \
+ unzip top-1m.csv.zip -d .
+ - run:
+ name: Run bulktests
+ command: |
+ DNSBULKTEST=/usr/bin/dnsbulktest \
+ RECURSOR=/opt/pdns-recursor/sbin/pdns_recursor \
+ THRESHOLD=95 \
+ TRACE=no \
+ ./timestamp ./recursor-test 5300 50000 || \
+ (cat recursor.log; false)
+ workdir: ~/project/regression-tests
+
+ test-recursor-api:
+ docker:
+ - image: debian:stretch
+ steps:
+ - add-auth-repo
+ - run: apt-get --no-install-recommends install -qq -y virtualenv pdns-tools
+ - install-recursor-deps
+ - checkout-shallow
+ - attach_workspace:
+ at: /opt
+ - run:
+ name: Run API tests
+ workdir: ~/project/regression-tests.api
+ command: |
+ PDNSRECURSOR="/opt/pdns-recursor/sbin/pdns_recursor" \
+ ./runtests recursor
+
+workflows:
+ version: 2
+ build-and-test-all:
+ jobs:
+ - build-auth
+ - test-auth-api:
+ requires:
+ - build-auth
+ - test-auth-algorithms:
+ requires:
+ - build-auth
+ - test-auth-regress-odbc-sqlite3:
+ requires:
+ - build-auth
+ - test-auth-regress-odbc-mssql:
+ requires:
+ - build-auth
+ - test-auth-regress-gmysql:
+ requires:
+ - build-auth
+ - test-auth-regress-mydns:
+ requires:
+ - build-auth
+ - test-auth-regress-bind:
+ requires:
+ - build-auth
+ - test-auth-regress-gsqlite3:
+ requires:
+ - build-auth
+ - test-auth-regress-gpgsql:
+ requires:
+ - build-auth
+ - test-auth-regress-lmdb:
+ requires:
+ - build-auth
+ - test-auth-regress-ldap:
+ requires:
+ - build-auth
+ - test-auth-regress-tinydns:
+ requires:
+ - build-auth
+ - build-recursor
+ - test-recursor-regression:
+ requires:
+ - build-recursor
+ - test-recursor-bulk:
+ requires:
+ - build-recursor
+ - test-recursor-api:
+ requires:
+ - build-recursor
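Review bot: The `Install jdnssectools` step in `auth-regress-setup` (`wget ... jdnssec-tools-0.14.tar.gz` followed by `tar ... --strip-components=1 -C /`) fetches a release tarball and unpacks it as root straight over `/` without verifying a checksum, so whatever is served at that URL lands in the image's `/usr/bin` and `/usr/lib`, and the `verify-dnssec-zone` result presumably depends on that unpinned artifact. Pin the tarball with `sha256sum -c` before extracting (assuming the default `-eo pipefail` step shell, a mismatch aborts the job) and use `--https-only` now that `ca-certificates` is installed two steps earlier. The same caveat applies to `add-auth-repo`, which pipes `curl` into `apt-key add -` without `--fail` or a fingerprint check, and to `checkout-shallow`, whose `ssh-keyscan` into `known_hosts` is trust-on-first-use on every job rather than a pinned host key.
```yaml
      - run:
          name: Install jdnssectools
          command: |
            if [ ! -e /usr/bin/jdnssec-verifyzone ]; then
              apt-get install -qq -y wget
              wget -q --https-only https://github.com/dblacka/jdnssec-tools/releases/download/0.14/jdnssec-tools-0.14.tar.gz
              # Pin the release artifact: fill in the digest recorded when the
              # tarball was first vetted; a mismatch fails this step.
              echo "<sha256-of-jdnssec-tools-0.14.tar.gz>  jdnssec-tools-0.14.tar.gz" | sha256sum -c -
              tar xfz jdnssec-tools-0.14.tar.gz --strip-components=1 -C /
              rm jdnssec-tools-0.14.tar.gz
            fi
```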
+++ /dev/null
-#!/bin/sh
-set -e
-
-case $1 in
- debian-stretch-deps)
- apt-get update && apt-get -qq --no-install-recommends install \
- autoconf \
- automake \
- bc \
- bind9utils \
- bison \
- default-jre-headless \
- default-libmysqlclient-dev \
- dnsutils \
- flex \
- freetds-bin \
- g++ \
- git \
- ldnsutils \
- libboost-all-dev \
- libsqliteodbc \
- libssl-dev \
- libtool \
- make \
- pkg-config \
- ragel \
- sqlite3 \
- tdsodbc \
- unbound-host \
- unixodbc \
- unixodbc-dev \
- virtualenv \
- wget
-
- wget https://github.com/dblacka/jdnssec-tools/releases/download/0.14/jdnssec-tools-0.14.tar.gz
- tar xfz jdnssec-tools-0.14.tar.gz --strip-components=1 -C /
- rm jdnssec-tools-0.14.tar.gz
-
- ;;
- configure-odbc-sqlite)
- cat >> ~/.odbc.ini << __EOF__
-[pdns-sqlite3-1]
-Driver = SQLite3
-Database = ${PWD}/regression-tests/pdns.sqlite3
-
-[pdns-sqlite3-2]
-Driver = SQLite3
-Database = ${PWD}/regression-tests/pdns.sqlite32
-
-__EOF__
- ;;
- configure-odbc-mssql)
- cat >> ~/.odbc.ini << __EOF__
-[pdns-mssql-docker]
-Driver=FreeTDS
-Trace=No
-Server=127.0.0.1
-Port=1433
-Database=pdns
-TDS_Version=7.1
-
-[pdns-mssql-docker-nodb]
-Driver=FreeTDS
-Trace=No
-Server=127.0.0.1
-Port=1433
-TDS_Version=7.1
-
-__EOF__
-
- cat /usr/share/tdsodbc/odbcinst.ini >> /etc/odbcinst.ini
- ;;
- *)
- echo unknown command "$1"
- exit 1
- ;;
-esac
\ No newline at end of file
--- /dev/null
+ARG VERSION
+FROM osixia/openldap:$VERSION
+ADD bootstrap /container/service/slapd/assets/config/bootstrap
+RUN rm -rf /container/service/slapd/assets/config/bootstrap/schema/mmc
+RUN mkdir -p /var/lib/ldap-powerdns
+RUN chown openldap:openldap /var/lib/ldap-powerdns
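Review bot: `ADD bootstrap /container/service/slapd/assets/config/bootstrap` should be `COPY bootstrap /container/service/slapd/assets/config/bootstrap`; `ADD` additionally auto-extracts archives and fetches remote URLs, neither of which is wanted for a local directory of schema and LDIF files, and `COPY` is the least-surprise form. The base image is selected only by the mutable `$VERSION` tag and the result is pushed and then consumed by CI as `powerdns/ldap-regress:1.2.4-0`, so a later rebuild can silently pick up a different upstream `osixia/openldap` image; consider pinning the base by digest (`FROM osixia/openldap:$VERSION@sha256:<digest>`) or recording the digest next to `VERSION` in the Makefile.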
--- /dev/null
+NAME = powerdns/ldap-regress
+VERSION = 1.2.4
+REVISION = 0
+
+.PHONY: all build build-nocache dep
+
+all: build
+
+dep:
+ mkdir -p bootstrap/schema
+ cp ../../../modules/ldapbackend/*.schema bootstrap/schema
+
+build: dep
+ docker build --build-arg VERSION=$(VERSION) -t $(NAME):$(VERSION)-$(REVISION) --rm .
+
+build-nocache: dep
+ docker build --build-arg VERSION=$(VERSION) -t $(NAME):$(VERSION)-$(REVISION) --no-cache --rm .
+
+push: build
+ docker push powerdns/ldap-regress:$(VERSION)-$(REVISION)
\ No newline at end of file
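Review bot: The `push` target spells out `powerdns/ldap-regress` instead of `$(NAME)`, so changing `NAME` would build one tag and push another; use `docker push $(NAME):$(VERSION)-$(REVISION)`. `push` is also missing from the `.PHONY` list, so a file named `push` in this directory would silently turn the target into a no-op.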
-dn: olcDatabase=hdb,cn=config
+dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
-objectClass: olcHdbConfig
-olcDatabase: hdb
-olcDbDirectory: /var/lib/ldap/powerdns
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcDbDirectory: /var/lib/ldap-powerdns
olcSuffix: o=power
olcLastMod: TRUE
olcRootDN: uid=testuser,o=power
olcDbCheckpoint: 512 30
-olcDbConfig: {0}set_cachesize 0 2097152 0
-olcDbConfig: {1}set_lk_max_objects 1500
-olcDbConfig: {2}set_lk_max_locks 1500
-olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: associatedDomain eq
olcRootPW: secret
+olcDbMaxSize: 1073741824
dn: o=power
objectClass: organization
libyaml-cpp-dev \
libmaxminddb-dev"
- # ldap-backend
- run "sudo apt-get -qq --no-install-recommends install \
- libldap-dev"
-
# lmdb-backend
run "sudo apt-get -qq --no-install-recommends install \
liblmdb-dev"
run 'echo ${HOME}/.odbc.ini'
run 'cat ${HOME}/.odbc.ini'
- # ldap-backend test setup
- run "sudo apt-get -qq --no-install-recommends install \
- slapd \
- ldap-utils"
- run "mkdir /tmp/ldap-dns"
- run "pushd /tmp/ldap-dns"
- run 'for schema in /etc/ldap/schema/{core,cosine}.schema ${TRAVIS_BUILD_DIR}/modules/ldapbackend/{dnsdomain2,pdns-domaininfo}.schema ; do echo include $schema ; done > ldap.conf'
- run "mkdir slapd.d"
- run "slaptest -f ldap.conf -F slapd.d"
- run "sudo cp slapd.d/cn=config/cn=schema/cn={*dns*.ldif /etc/ldap/slapd.d/cn=config/cn=schema/"
- run "sudo chown -R openldap:openldap /etc/ldap/slapd.d/"
- run "sudo service slapd restart"
- run "popd"
- run "sudo -u openldap mkdir -p /var/lib/ldap/powerdns"
- run "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ./modules/ldapbackend/testfiles/add.ldif"
-
# remote-backend tests requirements
run "sudo apt-get -qq --no-install-recommends install \
ruby-json \
run "autoreconf -vi"
run "./configure \
${sanitizerflags} \
- --with-dynmodules='bind gmysql geoip gpgsql gsqlite3 ldap lmdb lua mydns opendbx pipe random remote tinydns godbc lua2' \
+ --with-dynmodules='bind gmysql geoip gpgsql gsqlite3 lmdb lua mydns opendbx pipe random remote tinydns godbc lua2' \
--with-modules='' \
--with-sqlite3 \
--with-libsodium \
#travis unbound is too old for this test (unbound 1.6.0 required)
run "touch tests/ent-asterisk/fail.nsec"
- run "./timestamp ./start-test-stop 5300 ldap-tree"
- run "./timestamp ./start-test-stop 5300 ldap-simple"
- run "./timestamp ./start-test-stop 5300 ldap-strict"
-
run "./timestamp ./start-test-stop 5300 bind-both"
run "./timestamp ./start-test-stop 5300 bind-dnssec-both"
run "./timestamp ./start-test-stop 5300 bind-dnssec-nsec3-both"
- run "./timestamp ./start-test-stop 5300 bind-dnssec-nsec3-optout-both"
+ # run "./timestamp ./start-test-stop 5300 bind-dnssec-nsec3-optout-both"
run "./timestamp ./start-test-stop 5300 bind-dnssec-nsec3-narrow"
run "./timestamp ./start-test-stop 5300 bind-hybrid-nsec3"
#ecdsa - ./timestamp ./start-test-stop 5300 bind-dnssec-pkcs11
run "./timestamp ./start-test-stop 5300 gmysql-nodnssec-both"
run "./timestamp ./start-test-stop 5300 gmysql-both"
run "./timestamp ./start-test-stop 5300 gmysql-nsec3-both"
- run "./timestamp ./start-test-stop 5300 gmysql-nsec3-optout-both"
+ # run "./timestamp ./start-test-stop 5300 gmysql-nsec3-optout-both"
run "./timestamp ./start-test-stop 5300 gmysql-nsec3-narrow"
run "export GODBC_SQLITE3_DSN=pdns-sqlite3-1"
run "./timestamp ./start-test-stop 5300 gsqlite3-nodnssec-both"
run "./timestamp ./start-test-stop 5300 gsqlite3-both"
run "./timestamp ./start-test-stop 5300 gsqlite3-nsec3-both"
- run "./timestamp ./start-test-stop 5300 gsqlite3-nsec3-optout-both"
+ # run "./timestamp ./start-test-stop 5300 gsqlite3-nsec3-optout-both"
run "./timestamp ./start-test-stop 5300 gsqlite3-nsec3-narrow"
run "./timestamp ./start-test-stop 5300 mydns"
run "./timestamp ./start-test-stop 5300 lmdb-nodnssec-both"
run "./timestamp ./start-test-stop 5300 lmdb-both"
run "./timestamp ./start-test-stop 5300 lmdb-nsec3-both"
- run "./timestamp ./start-test-stop 5300 lmdb-nsec3-optout-both"
+ # run "./timestamp ./start-test-stop 5300 lmdb-nsec3-optout-both"
run "rm tests/ent-asterisk/fail.nsec"
run "./timestamp ./start-test-stop 5300 bind-both"
run "./timestamp ./start-test-stop 5300 bind-dnssec-both"
run "./timestamp ./start-test-stop 5300 bind-dnssec-nsec3-both"
- run "./timestamp ./start-test-stop 5300 bind-dnssec-nsec3-optout-both"
+ # run "./timestamp ./start-test-stop 5300 bind-dnssec-nsec3-optout-both"
run "./timestamp ./start-test-stop 5300 bind-dnssec-nsec3-narrow"
run "./timestamp ./start-test-stop 5300 bind-hybrid-nsec3"
run "./timestamp ./start-test-stop 5300 gmysql-nodnssec-both"
run "./timestamp ./start-test-stop 5300 gmysql-both"
run "./timestamp ./start-test-stop 5300 gmysql-nsec3-both"
- run "./timestamp ./start-test-stop 5300 gmysql-nsec3-optout-both"
+ # run "./timestamp ./start-test-stop 5300 gmysql-nsec3-optout-both"
run "./timestamp ./start-test-stop 5300 gmysql-nsec3-narrow"
run "./timestamp ./start-test-stop 5300 gpgsql-nodnssec-both"
run "./timestamp ./start-test-stop 5300 gpgsql-both"
run "./timestamp ./start-test-stop 5300 gpgsql-nsec3-both"
- run "./timestamp ./start-test-stop 5300 gpgsql-nsec3-optout-both"
+ # run "./timestamp ./start-test-stop 5300 gpgsql-nsec3-optout-both"
run "./timestamp ./start-test-stop 5300 gpgsql-nsec3-narrow"
run "./timestamp ./start-test-stop 5300 gsqlite3-nodnssec-both"
run "./timestamp ./start-test-stop 5300 gsqlite3-both"
run "./timestamp ./start-test-stop 5300 gsqlite3-nsec3-both"
- run "./timestamp ./start-test-stop 5300 gsqlite3-nsec3-optout-both"
+ # run "./timestamp ./start-test-stop 5300 gsqlite3-nsec3-optout-both"
run "./timestamp ./start-test-stop 5300 gsqlite3-nsec3-narrow"
run "./timestamp ./start-test-stop 5300 lua2"
run "./timestamp ./start-test-stop 5300 lmdb-both"
run "./timestamp ./start-test-stop 5300 lmdb-nodnssec-both"
run "./timestamp ./start-test-stop 5300 lmdb-nsec3-both"
- run "./timestamp ./start-test-stop 5300 lmdb-nsec3-optout-both"
+ # run "./timestamp ./start-test-stop 5300 lmdb-nsec3-optout-both"
run "cd .."
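Review bot: The `-nsec3-optout-both` contexts are commented out for every backend with no note of why, while this same commit keeps running them on CircleCI, so a reader of `.travis.yml` cannot tell whether this is a known failure, a Travis environment limitation, or an accident; the nearby `#travis unbound is too old for this test` line shows the file's convention for recording such reasons. Add one comment above the first disabled line, e.g. `# nsec3-optout contexts disabled on Travis: <reason>`, and if it is temporary, state what condition re-enables them.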
Package: pdns-recursor
Architecture: any
Depends: adduser,
- dns-root-data,
${misc:Depends},
${shlibs:Depends}
Description: PowerDNS Recursor
-e 's!# quiet=.*!quiet=yes!' \
-e 's!# setgid=.*!setgid=pdns!' \
-e 's!# setuid=.*!setuid=pdns!' \
- -e 's!# hint-file=.*!&\nhint-file=/usr/share/dns/root.hints!' \
> debian/tmp/etc/powerdns/recursor.conf
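Review bot: Dropping the `hint-file=/usr/share/dns/root.hints` seed here (together with the `dns-root-data` dependency removed in `debian/control`) presumably leaves the packaged recursor on whatever root hints are compiled into the binary, which are frozen at build time, whereas `dns-root-data` is refreshed by the distribution when root server addresses change. If that trade-off is intended, record it in the package changelog or as a comment next to this `sed` invocation so the next root-server renumbering is not debugged from scratch; otherwise keep the `hint-file` substitution. The `sed` command this line belongs to starts outside the hunk.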
override_dh_strip:
# See: https://github.com/moby/moby/issues/33733
#RUN mv /root/rpmbuild/RPMS/* /dist/
RUN cp -R /root/rpmbuild/RPMS/* /dist/
+RUN cp -R /root/rpmbuild/SRPMS/* /dist/
+------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
| :doc:`LDAP <ldap>` | Yes | No | No | No | No | No | ``ldap`` |
+------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| :doc:`LMDB <lmdb>` | Yes | Yes | Yes | No | Yes | Yes | ``lmdb`` |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
| :doc:`Lua <lua>` | Yes | Yes | No | No | Yes | Yes | ``lua`` |
+------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
| :doc:`Lua2 <lua2>` | Yes | Yes | No | No | Yes | Yes | ``lua2`` |
--- /dev/null
+LMDB backend
+============
+
+* Native: Yes
+* Master: Yes
+* Slave: Yes
+* Superslave: No
+* Case: All lower
+* DNSSEC: Yes
+* Disabled data: No
+* Comments: No
+* Module name: lmdb
+* Launch name: ``lmdb``
+
+Enabling the backend
+--------------------
+
+When building PowerDNS yourself, append ``lmdb`` to ``--with-modules`` or ``--with-dynmodules``. It is expected that most pre-built packages contain this backend or be separately installable.
+
+
+Settings
+--------
+
+.. _setting-lmdb-filename:
+
+``lmdb-filename``
+^^^^^^^^^^^^^^^^^
+
+Path to the LMDB file (e.g. */var/spool/powerdns/pdns.lmdb*)
+
+.. warning::
+ On systemd systems,
+ When running PowerDNS via the provided systemd service file, `ProtectSystem <http://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=>`_ is set to ``full``, this means PowerDNS is unable to write to e.g. ``/etc`` and ``/home``, possibly being unable to write to the LMDB database.
+
+.. _setting-lmdb-shards:
+
+``lmdb-shards``
+^^^^^^^^^^^^^^^^^
+
+Records database will be split into this number of shards e.g. lmdb-shards=64
+Default is 2 on 32 bits systems, and 64 on 64 bits systems.
+
+.. _setting-lmdb-sync-mode:
+
+``lmdb-sync-mode``
+^^^^^^^^^^^^^^^^^
+
+Synchronisation mode: sync, nosync, nometasync, mapasync
+Default: mapasync
+
+* ``sync``: LMDB synchronous mode. Safest option, but also slightly slower. Can also be enabled with ``lmdb-sync-mode=``
+* ``nosync``: don't flush systems buffers to disk when committing a transation.
+ This means a system crash can corrupt the database or lose the last transactions if buffers are not yet flushed to disk.
+* ``nometasync``: flush system buffers to disk only once per transaction, omit the metadata flush. This maintains database integrity, but can potentially lose the last committed transaction if the operating system crashes.
+* ``mapasync``: (default). Use asynchronous flushes to disk. As with nosync, a system crash can then corrupt the database or lose the last transactions.
+
+
+LMDB Structure
+--------------
+
+PowerDNS will create the database structure, no need to manually create the database schema.
+Also, it is not possible to directly query the LMDB DB, so recommendation is to use either the API, or pdnsutil.
:property string content: The content of this record
:property bool disabled: Whether or not this record is disabled
:property bool set-ptr: If set to true, the server will find the matching reverse zone and create a PTR there. Existing PTR records are replaced. If no matching reverse :json:object:`Zone`, an error is thrown. Only valid in client bodies, only valid for A and AAAA types. Not returned by the server.
+ This feature (set-ptr) is deprecated and will be removed in 4.3.0.
Comment
description: 'Whether or not this record is disabled'
set-ptr:
type: boolean
- description: 'If set to true, the server will find the matching reverse zone and create a PTR there. Existing PTR records are replaced. If no matching reverse Zone, an error is thrown. Only valid in client bodies, only valid for A and AAAA types. Not returned by the server.'
+ description: 'If set to true, the server will find the matching reverse zone and create a PTR there. Existing PTR records are replaced. If no matching reverse Zone, an error is thrown. Only valid in client bodies, only valid for A and AAAA types. Not returned by the server. This feature is deprecated and will be removed in 4.3.0.'
Comment:
title: Comment
-@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019042601 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019050701 10800 3600 604800 10800
@ 3600 IN NS pdns-public-ns1.powerdns.com.
@ 3600 IN NS pdns-public-ns2.powerdns.com.
; Auth
recursor-4.1.11.security-status 60 IN TXT "1 OK"
recursor-4.1.12.security-status 60 IN TXT "1 OK"
recursor-4.2.0-alpha1.security-status 60 IN TXT "1 OK"
+recursor-4.2.0-beta1.security-status 60 IN TXT "1 OK"
; Recursor Debian
recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
AS_IF([test "x$with_net_snmp" != "xno"], [
AS_IF([test "x$with_net_snmp" = "xyes" -o "x$with_net_snmp" = "xauto"], [
AC_CHECK_PROG([NET_SNMP_CFLAGS], [net-snmp-config], [`net-snmp-config --cflags`])
- AC_CHECK_PROG([NET_SNMP_LIBS], [net-snmp-config], [`net-snmp-config --agent-libs`])
+ AC_CHECK_PROG([NET_SNMP_LIBS], [net-snmp-config], [`net-snmp-config --netsnmp-agent-libs`])
AC_CHECK_DECLS([snmp_select_info2], [ : ], [ : ],
[AC_INCLUDES_DEFAULT
#include <net-snmp/net-snmp-config.h>
+toomuchinfo-b.example.com:192.168.99.90:120
+usa-ns1.usa.example.com:192.168.4.1:120
+usa-ns2.usa.example.com:192.168.4.2:120
-3ipv6.example.com:200106a80000000102104bfffe4b4c61:120
:_imap._tcp.example.com:33:\000\000\000\001\000\217\004blah\004test\003com\000:120
:dsdelegation.example.com:43:m\341\010\001\312\361\352\256\315\253\347afpx\217\220\042EK\365\375\237\332:120
:escapedtext.example.com:16:\005begin\022the\040\042middle\042\040p\134art\007the\040end:120
:hightype.example.com:65534:\007\355\046\000\001:120
:host-0.example.com:108:\000PV\233\000\347:120
:host-1.example.com:109:\000PV\233\000\347\176W:120
-:hostmaster.mb.example.com:8:\004phil\303\231:120
-:hostmaster.mb.example.com:8:\006sheila\303\231:120
+:hostmaster.mb.example.com:8:\004phil\303\263:120
+:hostmaster.mb.example.com:8:\006sheila\303\263:120
:hwinfo.example.com:13:\003abc\003def:120
+:ipv6.example.com:28:\040\001\006\250\000\000\000\001\002\020K\377\376KLa:120
:location.example.com:29:\0002\026\023\213\044\323e\176\273\347\100\000\230\230\020:120
:location.example.com:29:\000B\026\023t\333\053\274\176\273\347\100\000\230\230\020:120
:location.example.com:29:\000\022\026\023\213\044\310\373\201D\030\300\000\230\230\020:120
:location.example.com:29:\000\042\026\023t\3331\320\201D\030\300\000\230\230\020:120
:multitext.example.com:16:\015text\040part\040one\015text\040part\040two\017text\040part\040three:120
-:phil.mb.example.com:7:\002pc\303\231:120
-:philip.mb.example.com:9:\303\250:120
-:sheila.mb.example.com:7:\004bill\303\231:120
+:phil.mb.example.com:7:\002pc\303\263:120
+:philip.mb.example.com:9:\303\302:120
+:sheila.mb.example.com:7:\004bill\303\263:120
:text.example.com:16:\025Hi\054\040this\040is\040some\040text:120
:text0.example.com:16:\014k\075rsa\073\040p\075one:120
:text1.example.com:16:\014k\075rsa\073\040p\075one:120
C\052.w2.example.com:x.y.z.w3.example.com.:120
C\052.w3.example.com:x.y.z.w4.example.com.:120
C\052.w4.example.com:x.y.z.w5.example.com.:120
+Ccname-to-insecure.example.com:www.insecure.dnssec-parent.com.:120
Cexternal.example.com:somewhere.else.net.:120
Cloop1.example.com:loop2.example.com.:120
Cloop2.example.com:loop3.example.com.:120
&dnssec-parent.com::ns1.dnssec-parent.com.:3600
&dnssec-parent.com::ns2.dnssec-parent.com.:3600
&insecure-delegated.ent.ent.auth-ent.dnssec-parent.com::ns.example.com.:3600
+&insecure.dnssec-parent.com::ns.example.com.:3600
&secure-delegated.dnssec-parent.com::ns1.secure-delegated.dnssec-parent.com.:3600
&secure-delegated.dnssec-parent.com::ns2.secure-delegated.dnssec-parent.com.:3600
+dnssec-parent.com:9.9.9.9:3600
+ns2.secure-delegated.dnssec-parent.com:5.6.7.8:3600
+something1.auth-ent.dnssec-parent.com:1.1.2.3:3600
:secure-delegated.dnssec-parent.com:43:\324\057\010\002\240\271\303\214\323\044\030\052\360\357f\203\015\012\016\205\241\325\211y\311\203N\030\310qw\236\004\010W\267:3600
+Cwww.dnssec-parent.com:www.insecure.dnssec-parent.com.:3600
Zdnssec-parent.com:ns1.dnssec-parent.com.:ahu.example.com.:2005092501:28800:7200:604800:86400:3600
+#2000081501 auto axfr-get
+&insecure.dnssec-parent.com::ns1.example.com.:120
+&insecure.dnssec-parent.com::ns2.example.com.:120
++www.insecure.dnssec-parent.com:192.0.2.88:120
+Zinsecure.dnssec-parent.com:ns1.example.com.:ahu.example.com.:2000081501:28800:7200:604800:86400:120
#2005092501 auto axfr-get
&delegated.dnssec-parent.com::ns1.delegated.dnssec-parent.com.:3600
&delegated.dnssec-parent.com::ns2.delegated.dnssec-parent.com.:3600
Carbon export
=============
-.. function:: carbonServer(serverIP [, ourname], [interval])
+.. function:: carbonServer(serverIP [, ourname[, interval[, namespace,[ instance]]]])
Exort statistics to a Carbon / Graphite / Metronome server.
:param string serverIP: Indicates the IP address where the statistics should be sent
:param string ourname: An optional string specifying the hostname that should be used
:param int interval: An optional unsigned integer indicating the interval in seconds between exports
+ :param string namespace: An optional string specifying the namespace name that should be used
+ :param string instance: An optional string specifying the instance name that should be used
PacketCache
~~~~~~~~~~~
-A Pool can have a packet cache to answer queries directly in stead of going to the backend.
+A Pool can have a packet cache to answer queries directly instead of going to the backend.
See :doc:`../guides/cache` for a how to.
.. function:: newPacketCache(maxEntries[, maxTTL=86400[, minTTL=0[, temporaryFailureTTL=60[, staleTTL=60[, dontAge=false[, numberOfShards=1[, deferrableInsertLock=true[, maxNegativeTTL=3600[, parseECS=false]]]]]]]) -> PacketCache
Return a string describing the rules and range exclusions of this DynBlockRulesGroup.
+SuffixMatchNode
+~~~~~~~~~~~~~~~
+
+A SuffixMatchNode can be used to quickly check whether a given name belongs to a set or not. This is achieved
+using an efficient tree structure based on DNS labels, making lookups cheap.
+Be careful that Suffix Node matching will match for any sub-domain, regardless of the depth, under the name added to the set. For example,
+if 'example.com.' is added to the set, 'www.example.com.' and 'sub.www.example.com.' will match as well.
+If you are looking for exact name matching, your might want to consider using a :class:`DNSNameSet` instead.
+
+.. function:: newSuffixMatchNode()
+
+ Creates a new :class:`SuffixMatchNode`.
+
+.. class:: SuffixMatchNode
+
+ Represent a set of DNS suffixes for quick matching.
+
+ .. method:: SuffixMatchNode:add(name)
+
+ Add a suffix to the current set.
+
+ :param DNSName name: The suffix to add to the set.
+
+ .. method:: SuffixMatchNode:check(name) -> bool
+
+ Return true if the given name is a sub-domain of one of those in the set, and false otherwise.
+
+ :param DNSName name: The name to test against the set.
+
Other functions
---------------
static void doh_dispatch_query(DOHServerConfig* dsc, h2o_handler_t* self, h2o_req_t* req, std::string&& query, const ComboAddress& local, const ComboAddress& remote)
{
try {
- auto du = std::unique_ptr<DOHUnit>(new DOHUnit);
- du->self = reinterpret_cast<DOHUnit**>(h2o_mem_alloc_shared(&req->pool, sizeof(*self), on_generator_dispose));
uint16_t qtype;
DNSName qname(query.c_str(), query.size(), sizeof(dnsheader), false, &qtype);
+
+ auto du = std::unique_ptr<DOHUnit>(new DOHUnit);
du->req = req;
- du->query = std::move(query);
du->dest = local;
du->remote = remote;
du->rsock = dsc->dohresponsepair[0];
+ du->query = std::move(query);
du->qtype = qtype;
+ du->self = reinterpret_cast<DOHUnit**>(h2o_mem_alloc_shared(&req->pool, sizeof(*self), on_generator_dispose));
auto ptr = du.release();
*(ptr->self) = ptr;
try {
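Review bot: The pool slot for the back-pointer is still sized with `sizeof(*self)` on the re-added `du->self` line, which is the size of the `h2o_handler_t` that `self` points to rather than of the `DOHUnit*` the slot actually stores; `sizeof(DOHUnit*)` states the intent and stops a reader from assuming a handler object lives there. The new ordering also deserves a why-comment so the next tidy-up does not undo it, e.g. `// parse the qname first: DNSName can throw, and once the pool slot exists its dispose callback presumably expects a valid DOHUnit back-pointer` — on_generator_dispose is outside the hunk, so check that wording against it. Whether `query.size()` is compared with `sizeof(dnsheader)` before this point is not visible here either; if it is not, the DNSName constructor is the only check between a short body and an out-of-range offset. doh_dispatch_query continues outside the hunk.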
else
stop_at = d_recordlen;
+ /* think unsigned overflow */
+ if (stop_at < d_pos) {
+ throw std::out_of_range("getUnquotedText out of record range");
+ }
+
if(stop_at == d_pos)
return "";
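Review bot: The new guard catches `stop_at` wrapping below `d_pos`, but not a `stop_at` that landed past `d_recordlen` without wrapping, and the branch that computes the non-default `stop_at` sits above the hunk, so I cannot tell whether that bound is enforced there. A combined check keeps the function safe regardless of the caller: `if (stop_at < d_pos || stop_at > d_recordlen) { throw std::out_of_range("getUnquotedText out of record range"); }`. The comment `/* think unsigned overflow */` would read better as a sentence, e.g. `/* a length read from the record can wrap the unsigned sum; never read before d_pos */`. getUnquotedText starts and ends outside the hunk.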
boilerplate_conv(RKEY, 57,
conv.xfr16BitInt(d_flags);
conv.xfr8BitInt(d_protocol);
+ conv.xfr8BitInt(d_algorithm);
conv.xfrBlob(d_key);
)
RKEYRecordContent::RKEYRecordContent() {}
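Review bot: Inserting `d_algorithm` between the protocol and the key changes the RKEY layout that `boilerplate_conv` generates — presumably both the wire form and the zone-file text form — so RKEY records stored by an earlier version as `flags protocol key` will no longer round-trip and may fail to load after an upgrade; that deserves a line in the upgrade notes. `d_algorithm` must also be declared in the RKEYRecordContent header, which is outside the hunk, and a short comment on the new line (`// algorithm, as in DNSKEY`) would make the field order self-explanatory.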
set<DNSName> authSet;
vector<DNSZoneRecord> rrset;
- bool weDone=0, weRedirected=0, weHaveUnauth=0;
+ bool weDone=0, weRedirected=0, weHaveUnauth=0, doSigs=0;
DNSName haveAlias;
uint8_t aliasScopeMask;
}
DLOG(g_log<<Logger::Error<<"We have authority, zone='"<<sd.qname<<"', id="<<sd.domain_id<<endl);
+ authSet.insert(sd.qname);
d_dnssec=(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname));
- if(d_dnssec) {
- authSet.insert(sd.qname);
- }
+ doSigs |= d_dnssec;
if(!retargetcount) r->qdomainzone=sd.qname;
break;
}
}
- if(authSet.size())
+ if(doSigs)
addRRSigs(d_dk, B, authSet, r->getRRS());
r->wrapup(); // needed for inserting in cache
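Review bot: `d_dnssec` on the `d_dnssec=(p->d_dnssecOk && ...)` line is still a member that is overwritten on every pass through the retarget loop, so after a CNAME from a signed zone into an unsigned one it ends up `false` while `doSigs` is `true`; signing is now driven by `doSigs`, but anything after the loop that keys on `d_dnssec` (negative proofs or NSEC/NSEC3 handling, outside the hunk) will see only the last zone's status. Either that is intended and should say so, e.g. `// d_dnssec reflects the last zone visited; doSigs remembers whether any visited zone needs RRSIGs`, or those consumers need the same treatment. Minor: initialise the new flag as `bool doSigs = false;` rather than `0`, matching its use with `|=`. The enclosing method starts and ends outside the hunk.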
Changelogs for 4.2.x
====================
+.. changelog::
+ :version: 4.2.0-beta1
+ :released: 7th of May 2019
+
+ .. change::
+ :tags: Bug Fixes, Internals
+ :pullreq: 7730
+
+ Move replaced negcache entries to the back of the expunge queue.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7571
+
+ Add a ``distribution-pipe-buffer-size`` setting.
+
+ .. change::
+ :tags: Bug Fixes, DNSSEC
+ :pullreq: 7714
+
+ Fix DNSSEC validation of non-expanded wildcards.
+
+ .. change::
+ :tags: Bug Fixes, DNSSEC
+ :pullreq: 6341
+ :tickets: 6318
+
+ Add DNAME support.
+
+ .. change::
+ :tags: New Features, Internals
+ :pullreq: 7480
+
+ Implement a way to disallow throttling of auths.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7508
+
+ Add ``protobuf-use-kernel-timestamp`` for sharper latencies.
+
+ .. change::
+ :tags: Improvements, Internals
+ :pullreq: 7410
+
+ Ignore path MTU discovery on UDP server socket.
+
+ .. change::
+ :tags: Bug Fixes, Internals
+ :pullreq: 7731
+
+ Fix the cache cleaning code being only run once for workers.
+
+ .. change::
+ :tags: Improvements, Internals
+ :pullreq: 7669
+ :tickets: 7671
+
+ Set ``--enable-option-checking=fatal`` on all package builds, enable SNMP in RPMS.
+
+ .. change::
+ :tags: Bug Fixes, Internals
+ :pullreq: 7708
+
+ Alternative solution to the unaligned accesses.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7649
+
+ This provides cpu usage statistics per thread (worker & distributor).
+
+ .. change::
+ :tags: Bug Fixes, Lua
+ :pullreq: 7652
+
+ ``ednsoptionview`` improvements.
+
+ .. change::
+ :tags: New Features
+ :pullreq: 7631
+
+ ECS cache limit with TTL.
+
+ .. change::
+ :tags: New Features, Internals
+ :pullreq: 7507
+
+ Use a bounded load balancing algo to distribute queries.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7574
+
+ Add a new ``ecs-minimum-ttl-override`` setting.
+
+ .. change::
+ :tags: Improvements, Internals
+ :pullreq: 7484
+
+ ``Utility::random()`` and ``srandom()`` are not used anymore.
+
+ .. change::
+ :tags: Improvements, API
+ :pullreq: 7504
+ :tickets: 7498
+
+ Add rec statistics about ECS response sizes, API endpoint to get a specific stat.
+
+ .. change::
+ :tags: Bug Fixes, Lua
+ :pullreq: 7589
+
+ Add missing ``getregisteredname`` Lua function. (Aki Tuomi)
+
+ .. change::
+ :tags: Improvements, Internals
+ :pullreq: 7583
+
+ Move back to malloc on !openbsd. Doing mmap/munmap all the time hurts…
+
+ .. change::
+ :tags: Improvements, Internals
+ :pullreq: 7540
+
+ Set ``ip(v6)_recverr`` socket option to get notified of more than just port unreachable errors on Linux.
+
+ .. change::
+ :tags: Improvements, Internals
+ :pullreq: 7502
+
+ Change the way ``getRealMemUsage()`` works on Linux (using ``statm``).
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 7494
+
+ Correctly interpret an empty AXFR response to an IXFR query.
+
+ .. change::
+ :tags: New Features, DNSSEC
+ :pullreq: 7478
+ :tickets: 7445
+
+ Add a new ``max-cache-bogus-ttl`` option.
+
+ .. change::
+ :tags: Improvements, Lua
+ :pullreq: 7492
+ :tickets: 6853
+
+ Lua: expose ``dns_random`` as ``pdnsrandom``.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7476
+
+ Add an option to not override custom RPZ types with the default policy.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7433
+
+ Resync YaHTTP code to cmouse/yahttp@11be77a1fc4032. (Chris Hofstaedtler)
+
.. changelog::
:version: 4.2.0-alpha1
:released: 1st of February 2019
}
}
-static void gatherRecords(const Json container, const DNSName& qname, const QType qtype, const int ttl, vector<DNSResourceRecord>& new_records, vector<DNSResourceRecord>& new_ptrs) {
+static void gatherRecords(const string& logprefix, const Json container, const DNSName& qname, const QType qtype, const int ttl, vector<DNSResourceRecord>& new_records, vector<DNSResourceRecord>& new_ptrs) {
UeberBackend B;
DNSResourceRecord rr;
rr.qname = qname;
if ((rr.qtype.getCode() == QType::A || rr.qtype.getCode() == QType::AAAA) &&
boolFromJson(record, "set-ptr", false) == true) {
+
+ g_log<<Logger::Warning<<logprefix<<"API call uses deprecated set-ptr feature, please remove it"<<endl;
+
DNSResourceRecord ptr;
makePtr(rr, &ptr);
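Review bot: The deprecation warning says only that some API call used set-ptr, which an operator cannot act on without knowing which record triggered it; `rr.qname` is already populated earlier in gatherRecords, so `g_log<<Logger::Warning<<logprefix<<"API call uses deprecated set-ptr feature for "<<rr.qname<<", please remove it"<<endl;` makes the line actionable. The warning fires once per A/AAAA record carrying set-ptr, so a bulk PATCH may emit many lines — acceptable for a deprecation notice, but worth a comment. The new `logprefix` parameter also deserves a mention in a header comment on gatherRecords (none is visible): it is the request-scoped prefix passed from `req->logprefix` and is used only for logging. gatherRecords' body continues outside the hunk.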
}
if (rrset["records"].is_array()) {
int ttl = intFromJson(rrset, "ttl");
- gatherRecords(rrset, qname, qtype, ttl, new_records, new_ptrs);
+ gatherRecords(req->logprefix, rrset, qname, qtype, ttl, new_records, new_ptrs);
}
if (rrset["comments"].is_array()) {
gatherComments(rrset, qname, qtype, new_comments);
// ttl shouldn't be part of DELETE, and it shouldn't be required if we don't get new records.
int ttl = intFromJson(rrset, "ttl");
// new_ptrs is merged.
- gatherRecords(rrset, qname, qtype, ttl, new_records, new_ptrs);
+ gatherRecords(req->logprefix, rrset, qname, qtype, ttl, new_records, new_ptrs);
for(DNSResourceRecord& rr : new_records) {
rr.domain_id = di.id;
python -V
pip install -r requirements.txt
-export SDIG=$(type -P sdig)
+if [ -z "${SDIG}" ]; then
+ export SDIG=$(type -P sdig)
+fi
set -e
if [ "${PDNS_DEBUG}" = "YES" ]; then
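Review bot: When `SDIG` is unset and `type -P sdig` finds nothing, the new fallback leaves `SDIG` exported but empty, and because it runs before `set -e` the failure only surfaces later as a confusing `command not found` from whichever test first calls it. Fail early instead: `export SDIG=$(type -P sdig); [ -n "$SDIG" ] || { echo "sdig not found; set SDIG" >&2; exit 1; }`.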
WEBPORT = 5556
DNSPORT = 5300
APIKEY = '1234567890abcdefghijklmnopq-key'
-PDNSUTIL_CMD = ["../pdns/pdnsutil", "--config-dir=."]
+PDNSUTIL_CMD = [os.environ.get("PDNSUTIL", "../pdns/pdnsutil"), "--config-dir=."]
NAMED_CONF_TPL = """
# Generated by runtests.py
if daemon == 'authoritative':
+ zone2sql = os.environ.get("ZONE2SQL", "../pdns/zone2sql")
# Prepare sqlite DB with some zones.
run_check_call(["rm", "-f", SQLITE_DB])
- run_check_call(["make", "-C", "../pdns", "zone2sql"])
+ if zone2sql == "../pdns/zone2sql":
+ run_check_call(["make", "-C", "../pdns", "zone2sql"])
with open('../modules/gsqlite3backend/schema.sqlite3.sql', 'r') as schema_file:
run_check_call(["sqlite3", SQLITE_DB], stdin=schema_file)
with open('named.conf', 'w') as named_conf:
named_conf.write(NAMED_CONF_TPL)
with tempfile.TemporaryFile() as tf:
- p = subprocess.Popen(["../pdns/zone2sql", "--transactions", "--gsqlite", "--named-conf=named.conf"], stdout=tf)
+ p = subprocess.Popen([zone2sql, "--transactions", "--gsqlite", "--named-conf=named.conf"], stdout=tf)
p.communicate()
if p.returncode != 0:
raise Exception("zone2sql failed")
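Review bot: The `make` guard compares the resolved path with the literal default, so the decision to build really means "the caller did not override ZONE2SQL", which is clearer and avoids repeating the literal if written as `if "ZONE2SQL" not in os.environ:`. The `PDNSUTIL` override on the `PDNSUTIL_CMD` line has no equivalent guard, so a missing `../pdns/pdnsutil` is still only detected when first invoked; that matches the previous behaviour but deserves a one-line comment. `os` must already be imported above the hunk.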
class DNSDistDOHTest(DNSDistTest):
@classmethod
- def getDOHGetURL(cls, baseurl, query):
- wire = query.to_wire()
+ def getDOHGetURL(cls, baseurl, query, rawQuery=False):
+ if rawQuery:
+ wire = query
+ else:
+ wire = query.to_wire()
param = base64.urlsafe_b64encode(wire).decode('UTF8').rstrip('=')
return baseurl + "?dns=" + param
return conn
@classmethod
- def sendDOHQuery(cls, port, servername, baseurl, query, response=None, timeout=2.0, caFile=None, useQueue=True):
- url = cls.getDOHGetURL(baseurl, query)
+ def sendDOHQuery(cls, port, servername, baseurl, query, response=None, timeout=2.0, caFile=None, useQueue=True, rawQuery=False):
+ url = cls.getDOHGetURL(baseurl, query, rawQuery)
conn = cls.openDOHConnection(port, caFile=caFile, timeout=timeout)
#conn.setopt(pycurl.VERBOSE, True)
conn.setopt(pycurl.URL, url)
(_, receivedResponse) = self.sendDOHQuery(self._dohServerPort, self._serverName, self._dohBaseURL, caFile=self._caCert, query=query, response=None, useQueue=False)
self.assertEquals(receivedResponse, expectedResponse)
+ def testDOHInvalid(self):
+ """
+ DOH: Invalid query
+ """
+ name = 'invalid.doh.tests.powerdns.com.'
+ invalidQuery = dns.message.make_query(name, 'A', 'IN', use_edns=False)
+ invalidQuery.id = 0
+ # first an invalid query
+ invalidQuery = invalidQuery.to_wire()
+ invalidQuery = invalidQuery[:-5]
+ (_, receivedResponse) = self.sendDOHQuery(self._dohServerPort, self._serverName, self._dohBaseURL, caFile=self._caCert, query=invalidQuery, response=None, useQueue=False, rawQuery=True)
+ self.assertEquals(receivedResponse, None)
+
+ # and now a valid one
+ query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
+ query.id = 0
+ expectedQuery = dns.message.make_query(name, 'A', 'IN', use_edns=True, payload=4096)
+ expectedQuery.id = 0
+ response = dns.message.make_response(query)
+ rrset = dns.rrset.from_text(name,
+ 3600,
+ dns.rdataclass.IN,
+ dns.rdatatype.A,
+ '127.0.0.1')
+ response.answer.append(rrset)
+ (receivedQuery, receivedResponse) = self.sendDOHQuery(self._dohServerPort, self._serverName, self._dohBaseURL, query, response=response, caFile=self._caCert)
+ self.assertTrue(receivedQuery)
+ self.assertTrue(receivedResponse)
+ receivedQuery.id = expectedQuery.id
+ self.assertEquals(expectedQuery, receivedQuery)
+ self.checkQueryEDNSWithoutECS(expectedQuery, receivedQuery)
+ self.assertEquals(response, receivedResponse)
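Review bot: `testDOHInvalid` only asserts that no DNS response came back for the truncated query, which would equally hold if dnsdist timed out or dropped the connection; asserting the HTTP status (a 400 is what one would expect for an unparsable body) would pin the behaviour actually under test. sendDOHQuery's status handling is outside the hunk, so if it does not expose the code, `conn.getinfo(pycurl.RESPONSE_CODE)` after the request is the place to capture it. A one-line comment on the slicing also helps the next reader: `# drop qclass, qtype and the root label so the qname is unterminated` — that is what removing the final 5 bytes of a non-EDNS query does.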
class TestDOHAddingECS(DNSDistDOHTest):
-16f36b572fcb576e465f061e417626f8 ../regression-tests/zones/example.com
+db93ba72fcc30da0f775183ee9126edf ../regression-tests/zones/example.com
fe49d2784b1bcc3b91ddd5619f0b6cc1 ../regression-tests/zones/test.com
f0df67fa656d33fd85098cbe43893395 ../regression-tests/zones/test.dyndns
dee3e8b568549d9450134b555ca73990 ../regression-tests/zones/sub.test.dyndns
e7c0fd528e8aaedb1ea3b6daaead4de2 ../regression-tests/zones/wtest.com
42b442de632686e94bde75acf66cf524 ../regression-tests/zones/nztest.com
-aeff58ea1eb6e63096e6da18337be312 ../regression-tests/zones/dnssec-parent.com
+b06133eb32c5bdf346223563501ba8f8 ../regression-tests/zones/dnssec-parent.com
+e9be89b6e5e0da8910c69e46f35d20ab ../regression-tests/zones/insecure.dnssec-parent.com
6510bf48aa3ca3501b73a1f510852a34 ../regression-tests/zones/delegated.dnssec-parent.com
a63dc120391d9df0003f2ec4f461a6af ../regression-tests/zones/secure-delegated.dnssec-parent.com
24514dc104b22206daeb973ff9303545 ../regression-tests/zones/minimal.com
b1f775045fa2cf0a3b91aa834af06e49 ../regression-tests/zones/stest.com
a98864b315f16bcf49ce577426063c42 ../regression-tests/zones/cdnskey-cds-test.com
9aeed2c26d0c3ba3baf22dfa9568c451 ../regression-tests/zones/2.0.192.in-addr.arpa
-dcf9536d23ecffbdb706aa7d95bfb725 ../modules/tinydnsbackend/data.cdb
+8fa20d959485419535d0406fd4df2a56 ../modules/tinydnsbackend/data.cdb
mysql --user="$GMYSQLUSER" --password="$GMYSQLPASSWD" --host="$GMYSQLHOST" \
"$GMYSQLDB" -e "INSERT INTO domains (name, type, master) VALUES('$zone','SLAVE','127.0.0.1:$port')"
fi
- securezone $zone bind
- if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-dnssec-nsec3-optout ] || [ $context = bind-hybrid-nsec3 ]
+ if [ $zone != insecure.dnssec-parent.com ]
then
- $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone "1 $optout 1 abcd" 2>&1
- elif [ $context = bind-dnssec-nsec3-narrow ]
- then
- $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
+ securezone $zone bind
+ if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-dnssec-nsec3-optout ] || [ $context = bind-hybrid-nsec3 ]
+ then
+ $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone "1 $optout 1 abcd" 2>&1
+ elif [ $context = bind-dnssec-nsec3-narrow ]
+ then
+ $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
+ fi
fi
if [ "$zone" = "tsig.com" ]; then
$PDNSUTIL --config-dir=. --config-name=bind import-tsig-key test $ALGORITHM $KEY
for zone in $(grep 'zone ' named.conf | cut -f2 -d\")
do
- if [ $context != ${backend}-nodnssec ]
+ if [ $context != ${backend}-nodnssec ] && [ $zone != insecure.dnssec-parent.com ]
then
if [ $context = ${backend}-nsec3 ] || [ $context = ${backend}-nsec3-optout ]
then
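Review bot: The exclusion `[ $zone != insecure.dnssec-parent.com ]` is now spelled out in the bind, gsql and lmdb contexts, so the next unsigned test zone has to be added in three places; a helper defined once near the top, e.g. `is_unsigned_zone() { [ "$1" = insecure.dnssec-parent.com ]; }`, keeps them in step. `$zone` and `$context` are unquoted in every test; safe for the names used here, but `"$zone"` costs nothing.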
[ -z "$LDAPPASSWD" ] && LDAPPASSWD='secret'
[ -z "$LDAPBASEDN" ] && LDAPBASEDN='ou=dns,o=power'
[ -z "$LDAPRELATTR" ] && LDAPRELATTR='ou: dns'
+ [ -z "$LDAPHOST" ] && LDAPHOST='ldap://127.0.0.1:389/'
layout=${context:5}
- ldapdelete -D $LDAPUSER -w $LDAPPASSWD -r $LDAPBASEDN || true
- ldapadd -D $LDAPUSER -w $LDAPPASSWD << __EOF__
+ ldapdelete -D $LDAPUSER -w $LDAPPASSWD -r $LDAPBASEDN -H $LDAPHOST || true
+ ldapadd -D $LDAPUSER -w $LDAPPASSWD -H $LDAPHOST << __EOF__
dn: $LDAPBASEDN
objectClass: organizationalUnit
$LDAPRELATTR
__EOF__
- $ZONE2LDAP --dnsttl=yes --basedn=$LDAPBASEDN --layout=$layout --named-conf=named.conf | ldapmodify -D $LDAPUSER -w $LDAPPASSWD -c > /dev/null || true
+ $ZONE2LDAP --dnsttl=yes --basedn=$LDAPBASEDN --layout=$layout --named-conf=named.conf | ldapmodify -D $LDAPUSER -w $LDAPPASSWD -H $LDAPHOST -c > /dev/null || true
cat > pdns-ldap.conf << __EOF__
module-dir=./modules
ldap-binddn=$LDAPUSER
ldap-secret=$LDAPPASSWD
ldap-method=$layout
+ldap-host=$LDAPHOST
__EOF__
$RUNWRAPPER $PDNS --daemon=no --local-address=$address --local-port=$port --config-dir=. \
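Review bot: The bind password is still passed as `-w $LDAPPASSWD` on the three ldap* command lines and then written to `pdns-ldap.conf` in the working directory, so it is visible in the process list and on disk for the whole run; tolerable for a harness whose default is `secret`, but anyone pointing `LDAPHOST`/`LDAPPASSWD` at a shared directory should use the `-y <passwordfile>` form, and the new plaintext `ldap://127.0.0.1:389/` default is worth a comment saying it is local-only. None of the expanded variables are quoted, so a `LDAPHOST` or `LDAPBASEDN` containing spaces splits into several arguments: `-H "$LDAPHOST"`, `-r "$LDAPBASEDN"`.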
lmdb-filename=./pdns.lmdb
__EOF__
- skipreasons="$skipreasons lmdb nodyndns"
rm -f pdns.lmdb*
for zone in $(grep 'zone ' named.conf | cut -f2 -d\" | grep -v '^nztest.com$')
do
fi
if [ $context != lmdb-nodnssec ]
then
- extracontexts="dnssec lmdb"
- skipreasons="$skipreasons nodyndns"
- if [ $context = lmdb-nsec3 ]
+ if [ $zone != insecure.dnssec-parent.com ]
then
- extracontexts="dnssec nsec3 lmdb"
- $PDNSUTIL --config-dir=. --config-name=lmdb set-nsec3 $zone "1 0 1 abcd" 2>&1
- elif [ $context = lmdb-nsec3-optout ]
- then
- extracontexts="dnssec nsec3 nsec3-optout lmdb"
- skipreasons="$skipreasons optout"
- $PDNSUTIL --config-dir=. --config-name=lmdb set-nsec3 $zone "1 1 1 abcd" 2>&1
- elif [ $context = lmdb-nsec3-narrow ]
- then
- $PDNSUTIL --config-dir=. --config-name=lmdb set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
- extracontexts="dnssec narrow lmdb"
- skipreasons="$skipreasons narrow"
- else
- skipreasons="$skipreasons nsec"
+ if [ $context = lmdb-nsec3 ]
+ then
+ $PDNSUTIL --config-dir=. --config-name=lmdb set-nsec3 $zone "1 0 1 abcd" 2>&1
+ elif [ $context = lmdb-nsec3-optout ]
+ then
+ $PDNSUTIL --config-dir=. --config-name=lmdb set-nsec3 $zone "1 1 1 abcd" 2>&1
+ elif [ $context = lmdb-nsec3-narrow ]
+ then
+ $PDNSUTIL --config-dir=. --config-name=lmdb set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
+ fi
+ securezone $zone lmdb
fi
- securezone $zone lmdb
else
- skipreasons="$skipreasons nodnssec nodyndns"
$PDNSUTIL --config-dir=. --config-name=lmdb rectify-zone $zone 2>&1
fi
if [ "$zone" = "tsig.com" ]; then
--disable-axfr-rectify=yes --outgoing-axfr-expand-alias=yes \
--cache-ttl=$cachettl --dname-processing $lua_prequery &
+ extracontexts="lmdb"
+ skipreasons="lmdb nodyndns"
+
+ if [ $context = lmdb-nsec3 ]
+ then
+ extracontexts="$extracontexts dnssec nsec3"
+ skipreasons="$skipreasons nsec3"
+ elif [ $context = lmdb-nsec3-optout ]
+ then
+ extracontexts="$extracontexts dnssec nsec3 nsec3-optout"
+ skipreasons="$skipreasons optout"
+ elif [ $context = lmdb-nsec3-narrow ]
+ then
+ extracontexts="$extracontexts dnssec narrow"
+ skipreasons="$skipreasons narrow"
+ elif [ $context = lmdb-nodnssec ]
+ then
+ skipreasons="$skipreasons nodnssec"
+ else
+ extracontexts="$extracontexts dnssec"
+ skipreasons="$skipreasons nsec"
+ fi
+
;;
+
*)
nocontext=yes
esac
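Review bot: `skipreasons="lmdb nodyndns"` in the new block replaces the variable instead of appending to it as the removed `skipreasons="$skipreasons lmdb nodyndns"` line did, so any reason accumulated before the lmdb case (not visible in the hunk) is now discarded; if nothing precedes it the assignment is fine but deserves a comment, otherwise restore `skipreasons="$skipreasons lmdb nodyndns"`. The `set-nsec3` calls and `securezone` are now only reached when `$zone` is not the unsigned test zone, which is the point of the change, but the per-zone loop and the context-wide `extracontexts` bookkeeping have been separated by a long stretch of unrelated lines; a comment at the top of the new block such as `# extracontexts/skipreasons are per context, not per zone, so they are set once here` would explain why it moved.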
tosql ()
{
- if echo $ZONE2SQL | grep -q '../pdns'; then
+ if echo $ZONE2SQL | grep -q '\.\./pdns'; then
${MAKE} -C ../pdns zone2sql > /dev/null
fi
$ZONE2SQL --transactions --$1 --named-conf=./named.conf
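Review bot: `echo $ZONE2SQL | grep -q` still word-splits an unquoted variable and needs the regex escaping the commit just had to add; `case "$ZONE2SQL" in *../pdns*) ${MAKE} -C ../pdns zone2sql > /dev/null ;; esac` does the same substring test with neither an external process nor a regex.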
file "dnssec-parent.com";
};
+zone "insecure.dnssec-parent.com"{
+ type master;
+ file "insecure.dnssec-parent.com";
+};
+
zone "delegated.dnssec-parent.com"{
type master;
file "delegated.dnssec-parent.com";
echo " do-not-query-address: 192.168.0.0/16" >> unbound-host.conf
echo ' trust-anchor-file: "trustedkeys"' >> unbound-host.conf
-if [ -e trustedkeys ]
-then
- cat trustedkeys | grep -c '.' # because wc -l is not portable enough!
-fi
+#if [ -e trustedkeys ]
+#then
+# cat trustedkeys | grep -c '.' # because wc -l is not portable enough!
+#fi
ldns-key2ds -n trustedkeys | awk -F '\t' '{print "addTA(\""$1"\", \""$5"\")"}' > recursor.trustedkeys.lua
\ No newline at end of file
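Review bot: The trustedkeys line count is kept as four commented-out lines (`#if [ -e trustedkeys ]` through `#fi`) rather than removed, and nothing records why it was disabled. Delete the block — version history keeps it — or, if it is expected to come back, replace it with a single comment stating the reason, e.g. `# trustedkeys count not printed: <reason>` with the reason filled in. If it is ever reinstated, `grep -c '.' trustedkeys` does the job without the `cat` pipe.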
dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com.
+insecure.dnssec-parent.com. 3600 IN NS ns.example.com.
ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7
ns1.dnssec-parent.com. 3600 IN A 1.2.3.4
ns1.secure-delegated.dnssec-parent.com. 3600 IN A 1.2.3.4
secure-delegated.dnssec-parent.com. 3600 IN NS ns1.secure-delegated.dnssec-parent.com.
secure-delegated.dnssec-parent.com. 3600 IN NS ns2.secure-delegated.dnssec-parent.com.
something1.auth-ent.dnssec-parent.com. 3600 IN A 1.1.2.3
+www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com.
delegated.dnssec-parent.com. 3600 IN NS ns1.delegated.dnssec-parent.com.
delegated.dnssec-parent.com. 3600 IN NS ns2.delegated.dnssec-parent.com.
-delegated.dnssec-parent.com. 86400 IN NSEC ns1.dnssec-parent.com. NS RRSIG NSEC
+delegated.dnssec-parent.com. 86400 IN NSEC insecure.dnssec-parent.com. NS RRSIG NSEC
delegated.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
dnssec-parent.com. 3600 IN A 9.9.9.9
dnssec-parent.com. 3600 IN NS ns1.dnssec-parent.com.
insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com.
insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN NSEC something1.auth-ent.dnssec-parent.com. NS RRSIG NSEC
insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC 13 6 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+insecure.dnssec-parent.com. 3600 IN NS ns.example.com.
+insecure.dnssec-parent.com. 86400 IN NSEC ns1.dnssec-parent.com. NS RRSIG NSEC
+insecure.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7
ns1.dnssec-parent.com. 3600 IN A 1.2.3.4
ns1.dnssec-parent.com. 3600 IN RRSIG A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
secure-delegated.dnssec-parent.com. 3600 IN NS ns1.secure-delegated.dnssec-parent.com.
secure-delegated.dnssec-parent.com. 3600 IN NS ns2.secure-delegated.dnssec-parent.com.
secure-delegated.dnssec-parent.com. 3600 IN RRSIG DS 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
-secure-delegated.dnssec-parent.com. 86400 IN NSEC dnssec-parent.com. NS DS RRSIG NSEC
+secure-delegated.dnssec-parent.com. 86400 IN NSEC www.dnssec-parent.com. NS DS RRSIG NSEC
secure-delegated.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
something1.auth-ent.dnssec-parent.com. 3600 IN A 1.1.2.3
something1.auth-ent.dnssec-parent.com. 3600 IN RRSIG A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
something1.auth-ent.dnssec-parent.com. 86400 IN NSEC delegated.dnssec-parent.com. A RRSIG NSEC
something1.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC 13 4 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com.
+www.dnssec-parent.com. 3600 IN RRSIG CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com. 86400 IN NSEC dnssec-parent.com. CNAME RRSIG NSEC
+www.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com.
insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] NS
insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+insecure.dnssec-parent.com. 3600 IN NS ns.example.com.
+insecure.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] NS
+insecure.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7
ns1.dnssec-parent.com. 3600 IN A 1.2.3.4
ns1.dnssec-parent.com. 3600 IN RRSIG A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
something1.auth-ent.dnssec-parent.com. 3600 IN RRSIG A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
something1.auth-ent.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] A RRSIG
something1.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com.
+www.dnssec-parent.com. 3600 IN RRSIG CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] CNAME RRSIG
+www.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
dnssec-parent.com. 86400 IN RRSIG NSEC3PARAM 13 2 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com.
+insecure.dnssec-parent.com. 3600 IN NS ns.example.com.
ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7
ns1.dnssec-parent.com. 3600 IN A 1.2.3.4
ns1.dnssec-parent.com. 3600 IN RRSIG A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
something1.auth-ent.dnssec-parent.com. 3600 IN RRSIG A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
something1.auth-ent.dnssec-parent.com. 86400 IN NSEC3 1 1 1 abcd [next owner] A RRSIG
something1.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com.
+www.dnssec-parent.com. 3600 IN RRSIG CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com. 86400 IN NSEC3 1 1 1 abcd [next owner] CNAME RRSIG
+www.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
-1 delegated.dnssec-parent.com. IN NSEC 86400 ns1.dnssec-parent.com. NS RRSIG NSEC
+1 delegated.dnssec-parent.com. IN NSEC 86400 insecure.dnssec-parent.com. NS RRSIG NSEC
1 delegated.dnssec-parent.com. IN RRSIG 86400 NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
1 dnssec-parent.com. IN RRSIG 3600 SOA 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
1 dnssec-parent.com. IN SOA 3600 ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
--- /dev/null
+#!/bin/sh
+cleandig www.dnssec-parent.com A dnssec
+
--- /dev/null
+Signed CNAME to an A record in an unsigned child zone.
--- /dev/null
+0 www.dnssec-parent.com. IN CNAME 3600 www.insecure.dnssec-parent.com.
+0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='www.dnssec-parent.com.', qtype=A
--- /dev/null
+0 www.dnssec-parent.com. IN CNAME 3600 www.insecure.dnssec-parent.com.
+0 www.dnssec-parent.com. IN RRSIG 3600 CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='www.dnssec-parent.com.', qtype=A
--- /dev/null
+#!/bin/sh
+cleandig cname-to-insecure.example.com A dnssec
+
--- /dev/null
+Signed CNAME to an unsigned A.
--- /dev/null
+0 cname-to-insecure.example.com. IN CNAME 120 www.insecure.dnssec-parent.com.
+0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='cname-to-insecure.example.com.', qtype=A
--- /dev/null
+0 cname-to-insecure.example.com. IN CNAME 120 www.insecure.dnssec-parent.com.
+0 cname-to-insecure.example.com. IN RRSIG 120 CNAME 13 3 120 [expiry] [inception] [keytag] example.com. ...
+0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='cname-to-insecure.example.com.', qtype=A
#!/usr/bin/env bash
-for zone in $(grep 'zone ' named.conf | cut -f2 -d\" | grep -v '^\(example.com\|nztest.com\)$')
+for zone in $(grep 'zone ' named.conf | cut -f2 -d\" | grep -v '^\(example.com\|nztest.com\|insecure.dnssec-parent.com\)$')
do
TFILE=$(mktemp tmp.XXXXXXXXXX)
drill -p $port axfr $zone @$nameserver | ldns-read-zone -z -u CDS -u CDNSKEY > $TFILE
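Review bot: The extended exclusion pattern leaves the dots in `insecure.dnssec-parent.com` (and in the two existing names) as unescaped basic-regex metacharacters, so the `grep -v` also drops any zone name that differs from these only in those positions. The names are fixed literals, so match them as such: `grep -v -x -F -e example.com -e nztest.com -e insecure.dnssec-parent.com`, which also removes the hand-written `^\(...\)$` anchoring. Skipping the unsigned child zone from DNSSEC verification itself looks right given the new `insecure.dnssec-parent.com` zone file.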
RETVAL: 0
--- ldns-verify-zone -V2 dnssec-parent.com
-Error: there is no NSEC(3) for ent.auth-ent.dnssec-parent.com.
-Error: there is no NSEC(3) for ent.ent.auth-ent.dnssec-parent.com.
-There were errors in the zone
-RETVAL: 11
+RETVAL: 0
--- validns dnssec-parent.com
RETVAL: 0
ns2.secure-delegated IN A 5.6.7.8
insecure-delegated.ent.ent.auth-ent IN NS ns.example.com.
something1.auth-ent IN A 1.1.2.3
+insecure IN NS ns.example.com.
+www IN CNAME www.insecure
; Test that no out of zone data is sent
_imap._tcp IN SRV 0 1 143 blah.test.com.
+
+;
+cname-to-insecure IN CNAME www.insecure.dnssec-parent.com.
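Review bot: The `;` on the line above `cname-to-insecure` is an empty comment that explains nothing; either drop it or give it the explanation a reader needs, e.g. `; CNAME from this signed zone into the unsigned insecure.dnssec-parent.com zone (cname-to-insecure test)`. The only nearby comment, "Test that no out of zone data is sent", belongs to the `_imap._tcp` SRV record, so without its own note the new record is easy to mistake for part of that test.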
--- /dev/null
+$TTL 120
+$ORIGIN insecure.dnssec-parent.com.
+@ IN SOA ns1.example.com. ahu.example.com. (
+ 2000081501
+ 8H ; refresh
+ 2H ; retry
+ 1W ; expire
+ 1D ; default_ttl
+ )
+
+@ IN NS ns1.example.com.
+@ IN NS ns2.example.com.
+www IN A 192.0.2.88
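Review bot: The child's apex NS RRset (`@ IN NS ns1.example.com.` / `ns2.example.com.`) does not match the delegation the parent zone adds for it (`insecure IN NS ns.example.com.`), so the delegation is inconsistent as test data. This is probably harmless here because the same server serves both zones, but an inconsistent delegation can confuse validators or future tests; either align the child to `@ IN NS ns.example.com.` or add a comment stating the mismatch is deliberate. Separately, the SOA field commented `1D ; default_ttl` is the minimum field, which since RFC 2308 is the negative-caching TTL rather than a default TTL (the default comes from `$TTL 120` above); `1D ; minimum / negative caching TTL` would describe it correctly.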