Matthijs Mekking [Mon, 11 May 2020 13:12:32 +0000 (15:12 +0200)]
Test keytimes on CSK rollover
This improves keytime testing on CSK rollover. It now
tests for specific times, and also tests for SyncPublish and
Removed keytimes.
Since an "active key" for ZSK and KSK means something
different, this makes it tricky to decide when a CSK is
active. An "active key" intuitively means the key is signing
so we say a CSK is active when it is creating zone signatures.
This change means a lot of timings for the CSK rollover tests
need to be adjusted.
The keymgr code needs a slight change on calculating the
prepublication time: For a KSK we need to include the parent
registration delay, but for CSK we look at the zone signing
property and stick with the ZSK prepublication calculation.
This commit adds testing keytiming metadata. In order to facilitate
this, the kasp system test undergoes a few changes:
1. When finding a key file, rather than only saving the key ID,
also save the base filename and creation date with `key_save`.
These can be used later to set expected key times.
2. Add a test function `set_addkeytime` that takes a key, which
keytiming to update, a datetime in keytiming format, and a number
(seconds) to add, and sets the new time in the given keytime
parameter of the given key. This is used to set the expected key
times.
3. Split `check_keys` in `check_keys` and `check_keytimes`. First we
need to find the keyfile before we can check the keytimes.
We need to retrieve the creation date (and sometimes other
keytimes) to determine the other expected key times.
4. Add helper functions to set the expected key times per policy.
This avoids lots of duplication.
Check for keytimes for the first test cases (all that do not cover
rollovers).
Using dnssec-setttime after dnssec-keygen in the kasp system test
can lead to off by one second failures, so reduce the usage of
dnssec-settime in the setup scripts. This commit deals with
setting the key rollover relationship (predecessor/successor).
In the kasp system test, we are going to set the keytimes on
dnssec-keygen so we can test them against the key creation time.
This prevents off by one second in the test, something that can
happen if you set those times with dnssec-settime after
dnssec-keygen.
While kasp relies on key states to determine when a key needs to
be published or be used for signing, the keytimes are used by
operators to get some expectation of key publication and usage.
Update the code such that these keytimes are set appropriately.
That means:
- Print "PublishCDS" and "DeleteCDS" times in the state files.
- The keymgr sets the "Removed" and "PublishCDS" times and derives
those from the dnssec-policy.
- Tweak setting of the "Retired" time, when retiring keys, only
update the time to now when the retire time is not yet set, or is
in the future.
This also fixes a bug in "keymgr_transition_time" where we may wait
too long before zone signatrues become omnipresent or hidden. Not
only can we skip waiting the sign delay Dsgn if there is no
predecessor, we can also skip it if there is no successor.
Finally, this commit moves setting the lifetime, reducing two calls
to one.
For testing purposes mainly, we want to allow set keytimings on
generated keys, such that we don't have to "keygen/settime" which
can result in one second off times.
Michał Kępień [Mon, 25 May 2020 10:49:36 +0000 (12:49 +0200)]
Add Danger Python to GitLab CI
Certain rules of the BIND development process are not codified anywhere
and/or are used inconsistently. In an attempt to improve this
situation, add a GitLab CI job which uses Danger Python to add comments
to merge requests when certain expectations are not met. Two categories
of feedback are used, only one of which - fail() - causes the GitLab CI
job to fail. Exclude dangerfile.py from Python QA checks as the way the
contents of that file are evaluated triggers a lot of Flake8 and PyLint
warnings.
Evan Hunt [Tue, 19 May 2020 01:09:08 +0000 (18:09 -0700)]
pass the nodename to add32() instead of calling dns_rbt_fullnamefromnode()
in addition to being more efficient, this prevents a possible crash by
looking up the node name before the tree sructure can be changed when
cleaning up dead nodes in addrdataset().
Ondřej Surý [Thu, 21 May 2020 09:50:56 +0000 (11:50 +0200)]
Update how we build bind.keys.h (both POSIX and Windows)
The code in util/bindkeys.pl was overly complicated and it could not be
reused on Windows because redirecting stdin and stdout at the same time
from perl is overly complicated.
Now the util/bindkeys.pl accepts the input file as the first and only
argument and prints the header file to stdout. This allows the same
utility to be used from automake and win32/Configure script.
Evan Hunt [Fri, 15 May 2020 23:37:44 +0000 (16:37 -0700)]
add a quick-and-dirty method of debugging a single query
when built with "configure --enable-singletrace", named will produce
detailed query logging at the highest debug level for any query with
query ID zero.
this enables monitoring of the progress of a single query by specifying
the QID using "dig +qid=0". the "client" logging category should be set
to a low severity level to suppress logging of other queries. (the
chance of another query using QID=0 at the same time is only 1 in 2^16.)
"--enable-singletrace" turns on "--enable-querytrace" as well, so if the
logging severity is not lowered, all other queries will be logged
verbosely as well. compiling with either of these options will impair
query performance; they should only be turned on when testing or
troubleshooting.
Michał Kępień [Mon, 25 May 2020 12:34:56 +0000 (14:34 +0200)]
Improve the "hint" variable comment
Replace an existing comment with a more verbose explanation of when the
"hint" variable is set in resquery_send() and how its value affects the
advertised UDP buffer size in outgoing queries.
Michał Kępień [Mon, 25 May 2020 12:34:56 +0000 (14:34 +0200)]
Ensure server-specific "edns-udp-size" is obeyed
If "edns-udp-size" is set in a "server" block matching the queried
server, it is accounted for in the process of determining the advertised
UDP buffer size, but its value may still be overridden before the query
is sent. This behavior contradicts the ARM which claims that when set,
the server-specific "edns-udp-size" value is used for all EDNS queries
sent to a given server.
Furthermore, calling dns_peer_getudpsize() with the "udpsize" variable
as an argument makes the code hard to follow as that call may either
update the value of "udpsize" or leave it untouched.
Ensure the code matches the documentation by moving the
dns_peer_getudpsize() call below all other blocks of code potentially
affecting the advertised UDP buffer size, which is where it was located
when server-specific "edns-udp-size" support was first implemented [1].
Improve code readability by calling dns_peer_getudpsize() with a helper
variable instead of "udpsize".
Michał Kępień [Mon, 25 May 2020 12:34:56 +0000 (14:34 +0200)]
Restore semantic meaning of DNS_FETCHOPT_EDNS512
When the DNS_FETCHOPT_EDNS512 flag was first introduced [1], it enforced
advertising a 512-byte UDP buffer size in an outgoing query. Ever since
EDNS processing code got updated [2], that flag has still been set upon
detection of certain query timeout patterns, but it has no longer been
affecting the calculations of the advertised UDP buffer size in outgoing
queries. Restore original semantic meaning of DNS_FETCHOPT_EDNS512 by
ensuring the advertised UDP buffer size is set to 512 bytes when that
flag is set. Update existing comments and add new ones to improve code
readability.
Michał Kępień [Mon, 25 May 2020 12:34:56 +0000 (14:34 +0200)]
Remove fctx->reason and a misleading log message
The following message:
success resolving '<name>' (in '<domain>'?) after reducing the advertised EDNS UDP packet size to 512 octets
can currently be logged even if the EDNS UDP buffer size advertised in
queries sent to a given server had already been set to 512 octets before
the fetch context was created (e.g. due to the server responding
intermittently). In other words, this log message may be misleading as
lowering the advertised EDNS UDP buffer size may not be the actual cause
of <name> being successfully resolved. Remove the log message in
question to prevent confusion.
As this log message is the only existing user of the "reason" field in
struct fetchctx, remove that field as well, along with all the code
related to it.
Michal Nowak [Fri, 3 Apr 2020 09:26:02 +0000 (11:26 +0200)]
Provide unit test driver
This adds a unit test driver for BIND with Automake. It runs the unit
test program provided as its sole command line argument and then looks
for a core dump generated by that test program. If one is found, the
driver prints the backtrace into the test log.
Michał Kępień [Thu, 21 May 2020 09:33:11 +0000 (11:33 +0200)]
Add py.test-3 to the list of tested pytest names
Some operating systems (e.g. CentOS, OpenBSD) install the main pytest
script as "py.test-3". Add that name to the list of names passed to
AC_PATH_PROGS() in order for pytest to be properly detected on a broader
range of operating systems.
Michał Kępień [Thu, 21 May 2020 09:33:11 +0000 (11:33 +0200)]
Do not use f-strings in Python system tests
Use str.format() instead of f-strings in Python system tests to enable
them to work on Python 3 versions older than 3.6 as the latter is not
available on some operating systems used in GitLab CI that are still
actively supported (CentOS 6, Debian 9, Ubuntu 16.04).
Michał Kępień [Thu, 21 May 2020 09:33:11 +0000 (11:33 +0200)]
Do not install doc build tools in GitLab CI jobs
As documentation building utilities are now all included in operating
system images used in GitLab CI, do not install them in each "docs" CI
job any more.
Michał Kępień [Thu, 21 May 2020 09:33:11 +0000 (11:33 +0200)]
Do not install Python packages in GitLab CI jobs
As Python QA tools, BIND system test prerequisites, and documentation
building utilities are now all included in operating system images used
in GitLab CI, do not use pip for installing them in each CI job any
more.
Michał Kępień [Thu, 21 May 2020 07:14:27 +0000 (09:14 +0200)]
Update release checklist
- First merge release branches to maintenance branches, then push
tags. If tags are pushed first and a given set of releases contains
security fixes, the push will be rejected by a server-side Git hook.
- Update ABI check job name.
- Add an item for updating QA tools used in GitLab CI after each
public release.
projects / thirdparty / bind9.git / log
