Mark Andrews [Tue, 9 Jan 2024 01:22:21 +0000 (12:22 +1100)]
Add regression test data for [GL #4517]
An obscured DNSKEY RRset at a delegation was incorrectly added to
the NSEC/NSEC3 type bit map leading to zone verification failures.
This adds such a RRset to the test zone.
Mark Andrews [Tue, 9 Jan 2024 06:01:07 +0000 (17:01 +1100)]
Fail if there are non apex DNSKEYs
DNSSEC only works when DNSKEYs are self signed. This only occurs
when the DNSKEY RRset is at the apex. Cause dnssec-signzone to
fail if it attempts to sign an non-apex DNSKEY RRset.
Ondřej Surý [Fri, 19 Jan 2024 09:27:41 +0000 (10:27 +0100)]
Properly attach/detach isc_httpd in case read ends earlier than send
An assertion failure would be triggered when sending the TCP data ends
after the TCP reading gets closed. Implement proper reference counting
for the isc_httpd object.
Evan Hunt [Mon, 13 May 2024 22:56:15 +0000 (15:56 -0700)]
Fix QP chain on partial match
When searching for a requested name in dns_qp_lookup(), we may add
a leaf node to the QP chain, then subsequently determine that the
branch we were on was a dead end. When that happens, the chain can be
left holding a pointer to a node that is *not* an ancestor of the
requested name.
We correct for this by unwinding any chain links with an offset
value greater or equal to that of the node we found.
Matthijs Mekking [Fri, 10 May 2024 15:19:15 +0000 (17:19 +0200)]
Refactor fix_iterator
The code below the if/else construction could only be run if the 'if'
code path was taken. Move the code into the 'if' code block so that
it is more easier to read.
Aydın Mercan [Fri, 10 May 2024 20:37:52 +0000 (23:37 +0300)]
Expand list in chaos authors response
The list isn't exactly maintained but it helped with some BIND history
tracking and is basically harmless so it might be worth holding onto it.
I have adapted the name to ASCII so IDN support won't be necessary.
Aydın Mercan [Mon, 22 Apr 2024 14:01:16 +0000 (17:01 +0300)]
Keep track of the recursive clients highwater
The high-water allows administrators to better tune the recursive
clients limit without having to to poll the statistics channel in high
rates to get this number.
Aydın Mercan [Tue, 30 Apr 2024 11:37:26 +0000 (14:37 +0300)]
Return the old counter value in `isc_stats_increment`
Returning the value allows for better high-water tracking without
running into edge cases like the following:
0. The counter is at value X
1. Increment the value (X+1)
2. The value is decreased multiple times in another threads (X+1-Y)
3. Get the value (X+1-Y)
4. Update-if-greater misses the X+1 value which should have been the
high-water
Tom Krizek [Mon, 25 Mar 2024 13:56:08 +0000 (14:56 +0100)]
Use a dedicated file for each autoconf variable
To avoid any escaping issues or messing with a language-specific format
when the variable has to be parsed, create a dedicated file for each
variable that is obtained from autoconf.
Tom Krizek [Wed, 28 Feb 2024 16:04:40 +0000 (17:04 +0100)]
Move env var initialization to isctest.vars
Make sure all initialization takes place in isctest.vars.__init__ and
export the initial env vars there. Remove the no longer needed env
fixture and use os.environ instead.
Tom Krizek [Wed, 28 Feb 2024 09:44:58 +0000 (10:44 +0100)]
Don't export openssl-related env vars unless set
If OPENSSL_CONF is exported as an empty string, it will cause issues on
rhel9fips. Allow the environment variables to be set and exported, but
make sure to only export them if they have been set by the user.
Tom Krizek [Mon, 26 Feb 2024 12:52:55 +0000 (13:52 +0100)]
Parse openssl-related vars in pytest
The openssl config needs to be parsed for some tests that use SoftHSM2.
Rewrite the parsing to python and ensure the required variables are
properly set test-wide.
Tom Krizek [Thu, 4 Jan 2024 13:48:04 +0000 (14:48 +0100)]
Coalesce system test variables
Provide a single point of access to all the variables used by tests. Use
a custom dict-like structure to access the underlying data without
making a copy. This allows the individual modules to update the contents
at runtime, which is used for some variables.
Tom Krizek [Thu, 29 Feb 2024 13:49:38 +0000 (14:49 +0100)]
Load env vars in shell-only processing of conf.sh
While this isn't required for pytest operation and execution of the
system test suite, it can be handy to allow test script development and
debugging. Especially setup scripts often source conf.sh and expect
environment variables to be loaded. If these scripts are executed
stand-alone, the environment variables need to be loaded from the python
package.
Tom Krizek [Thu, 29 Feb 2024 13:51:54 +0000 (14:51 +0100)]
Move environment variables from conf.sh to pytest
Remove conf.sh.in and move the environment variables into isctest/vars
python package. This enabled the removal of an ugly pytest hack which
loaded and parsed these variables from the environment.
Mark Andrews [Thu, 2 May 2024 05:31:18 +0000 (15:31 +1000)]
Address qp/rbtdb backup file style differences
qp and rbtdb produce stylistically different backup files. This
was causing the xferquota system test to fail. This has been
addressed by making the test independent of the stylistic differences.
Petr Špaček [Tue, 7 May 2024 11:24:43 +0000 (13:24 +0200)]
Update KSK root sentinel references
The mechanism was published as RFC 8509. I've briefly looked at diff
between versions -08 and the RFC and did not find significant protocol
change. Quick manual check confirms what we seem to comply with the
published protocol.
Petr Špaček [Tue, 7 May 2024 11:11:03 +0000 (13:11 +0200)]
Mention RFC 9276 Guidance for NSEC3 Parameter Settings
Draft was eventually published as RFC 9276 but we did not update our
docs. Also add couple mentions in relevant places in the ARM and
dnssec-signzone man page, mainly around "do not touch" places.
Mark Andrews [Thu, 18 Jan 2024 07:54:09 +0000 (18:54 +1100)]
Remove infinite loop on ISC_R_NOFILE
When parsing a zonefile named-checkzone (and others) could loop
infinitely if a directory was $INCLUDED. Record the error and treat
as EOF when looking for multiple errors.
Mark Andrews [Fri, 19 Jan 2024 01:37:10 +0000 (12:37 +1100)]
Address infinite loop when processing $GENERATE
In nibble mode if the value to be converted was negative the parser
would loop forever. Process the value as an unsigned int instead
of as an int to prevent sign extension when shifting.
Matthijs Mekking [Wed, 31 Jan 2024 12:55:29 +0000 (13:55 +0100)]
Update hours-vs-days test
This test is outdated because it tested the 'sig-validity-interval'
option that has been replaced by dnssec-policy's 'signatures-validity',
'signatures-refresh', and 'signatures-jitter' options.
Nevertheless, it tests if the jitter is spread correctly.
Update the test to make use of 'signatures-jitter', set the value
to 1 day (meaning resign in 499 days since 'signatures-validity' is
set to 500 days).
Note that this previously changed erroneously the refresh value to
449 days (should have been 499 days, but that is not allowed by
checkconf, since it is above 90% of 'signatures-validity').
Matthijs Mekking [Tue, 30 Jan 2024 16:21:34 +0000 (17:21 +0100)]
Fix dnssec system test iterations too high
After we have changed the maximum allowed iterations to 51 for signing,
the NSEC3 chain has changed and requires one more NSEC to be returned
in the answer (plus corresponding RRSIG). So the expected number or
records in the authority section is now 8.
Matthijs Mekking [Tue, 30 Jan 2024 16:10:28 +0000 (17:10 +0100)]
Offline KSK and dnssec-policy not yet supported
If the key is offline and the keymgr runs, it will treat it as a missing key,
and generate a new key (according to the policy). Fix the test by putting
back the KSK temporarily when we run 'rndc loadkeys'.
Matthijs Mekking [Tue, 30 Jan 2024 15:16:47 +0000 (16:16 +0100)]
Fix ZSK rollovers in dnssec system test
1. When generating keys, don't set timing metadata. Otherwise keys
are considered to be in use and won't be selected when dnssec-policy
starts a new key rollover.
2. Add an extra check to make sure the new ZSK (zsk2) is prepublished.
Also add a check to make sure it has become active.
3. When using dnssec-settime, add -s to also write to key state files.
Tom Krizek [Fri, 19 Jan 2024 15:01:47 +0000 (16:01 +0100)]
Ensure dnssec test doesn't leak queries to root servers
The config was recently modified to ensure ns4 won't leak any queries to
root servers. However, the test wasn't executed and it turns out the way
this was handled actually broke the test case. Add our custom root hint
to both of the views to ensure the test can still pass without leaking
any queries.
An RPZ response's SOA record TTL is set to 1 instead of the SOA TTL,
a boolean value is passed on to query_addsoa, which is supposed to be
a TTL value. I don't see what value is appropriate to be used for
overriding, so we will pass UINT32_MAX.
Now that this function also creates the DNSKEY record for the KSKs,
as well as other associated records such as CDS and CDNSKEY, rename
the function to something slightly better.
Creating the KSR happens on the "ZSK side". The KSK is offline and while
the public key and state file may be present, draft-icann-dnssec-keymgmt-01.txt
suggest that the KSR only contains ZSKs.
This is also what knot dns does, so it would also be in the spirit of
interoperability.
projects / thirdparty / bind9.git / log
