mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-23 02:28:55 +00:00
Code Issues Releases Wiki Activity
bind/bin/tests/system/fetchlimit/tests.sh

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

223 lines
6.3 KiB
Bash
Raw Normal View History

[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
#!/bin/sh
Update the copyright information in all files in the repository This commit converts the license handling to adhere to the REUSE specification. It specifically: 1. Adds used licnses to LICENSES/ directory 2. Add "isc" template for adding the copyright boilerplate 3. Changes all source files to include copyright and SPDX license header, this includes all the C sources, documentation, zone files, configuration files. There are notes in the doc/dev/copyrights file on how to add correct headers to the new files. 4. Handle the rest that can't be modified via .reuse/dep5 file. The binary (or otherwise unmodifiable) files could have license places next to them in <foo>.license file, but this would lead to cluttered repository and most of the files handled in the .reuse/dep5 file are system test files.
2021-06-03 08:37:05 +02:00
final cleanup - add CHANGES note - update copyrights and license headers - add -j to the make commands in .gitlab-ci.yml to take advantage of parallelization in the gitlab CI process
2018-02-22 15:10:37 -08:00
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
#
# SPDX-License-Identifier: MPL-2.0
Update the copyright information in all files in the repository This commit converts the license handling to adhere to the REUSE specification. It specifically: 1. Adds used licnses to LICENSES/ directory 2. Add "isc" template for adding the copyright boilerplate 3. Changes all source files to include copyright and SPDX license header, this includes all the C sources, documentation, zone files, configuration files. There are notes in the doc/dev/copyrights file on how to add correct headers to the new files. 4. Handle the rest that can't be modified via .reuse/dep5 file. The binary (or otherwise unmodifiable) files could have license places next to them in <foo>.license file, but this would lead to cluttered repository and most of the files handled in the .reuse/dep5 file are system test files.
2021-06-03 08:37:05 +02:00
#
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
Update license headers to not include years in copyright in all applicable files
2018-02-23 09:53:12 +01:00
#
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
Drop $SYSTEMTESTTOP from bin/tests/system/ The $SYSTEMTESTTOP shell variable if often set to .. in various shell scripts inside bin/tests/system/, but most of the time it is only used one line later, while sourcing conf.sh. This hardly improves code readability. $SYSTEMTESTTOP is also used for the purpose of referencing scripts/files living in bin/tests/system/, but given that the variable is always set to a short, relative path, we can drop it and replace all of its occurrences with the relative path without adversely affecting code readability.
2020-07-21 12:12:59 +02:00
. ../conf.sh
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
fix fetchlimit test use TCP for the test queries in between UDP bursts; this avoids congestion issues that interfered with the test on windows
2019-01-23 22:00:00 -08:00
DIGCMD="$DIG @10.53.0.3 -p ${PORT} +tcp +tries=1 +time=1"
parallelize most system tests
2018-02-20 15:43:27 -08:00
RNDCCMD="$RNDC -p ${CONTROLPORT} -s 10.53.0.3 -c ../common/rndc.conf"
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
burst() {
num=${3:-20}
rm -f burst.input.$$
while [ $num -gt 0 ]; do
Add lower bound checks to fetchlimit test Check that the recursing client count is above a reasonable minimum, as well as below a maximum, so that we can detect bugs that cause recursion to fail too early or too often.
2022-05-08 17:17:29 -07:00
num=$((num-1))
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
echo "${num}${1}${2}.lamesub.example A" >> burst.input.$$
done
parallelize most system tests
2018-02-20 15:43:27 -08:00
$PERL ../ditch.pl -p ${PORT} -s 10.53.0.3 burst.input.$$
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
rm -f burst.input.$$
}
stat() {
clients=`$RNDCCMD status | grep "recursive clients" |
sed 's;.*: \([^/][^/]*\)/.*;\1;'`
parallelize most system tests
2018-02-20 15:43:27 -08:00
echo_i "clients: $clients"
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
[ "$clients" = "" ] && return 1
Add lower bound checks to fetchlimit test Check that the recursing client count is above a reasonable minimum, as well as below a maximum, so that we can detect bugs that cause recursion to fail too early or too often.
2022-05-08 17:17:29 -07:00
[ "$clients" -ge $1 ] || return 1
[ "$clients" -le $2 ] || return 1
return 0
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
}
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
n=0
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
status=0
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
n=$((n + 1))
echo_i "checking recursing clients are dropped at the per-server limit ($n)"
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
ret=0
# make the server lame and restart
$RNDCCMD flush
touch ans4/norespond
for try in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
burst a $try
# fetches-per-server is at 400, but at 20qps against a lame server,
# we'll reach 200 at the tenth second, and the quota should have been
Add lower bound checks to fetchlimit test Check that the recursing client count is above a reasonable minimum, as well as below a maximum, so that we can detect bugs that cause recursion to fail too early or too often.
2022-05-08 17:17:29 -07:00
# tuned to less than that by then.
[ $try -le 5 ] && low=$((try*10))
stat 20 200 || ret=1
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
[ $ret -eq 1 ] && break
sleep 1
done
parallelize most system tests
2018-02-20 15:43:27 -08:00
if [ $ret != 0 ]; then echo_i "failed"; fi
Add lower bound checks to fetchlimit test Check that the recursing client count is above a reasonable minimum, as well as below a maximum, so that we can detect bugs that cause recursion to fail too early or too often.
2022-05-08 17:17:29 -07:00
status=$((status+ret))
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
n=$((n + 1))
echo_i "dumping ADB data ($n)"
ret=0
add "rndc fetchlimit" to show fetchlimited servers this command runs dns_adb_dumpquota() to display all servers in the ADB that are being actively fetchlimited by the fetches-per-server controls (i.e, servers with a nonzero average timeout ratio or with the quota having been reduced from the default value). the "fetchlimit" system test has been updated to use the new command to check quota values instead of "rndc dumpdb".
2022-05-26 02:33:52 -07:00
info=$($RNDCCMD fetchlimit | grep 10.53.0.4 | sed 's/.*quota .*(\([0-9]*\).*atr \([.0-9]*\).*/\2 \1/')
parallelize most system tests
2018-02-20 15:43:27 -08:00
echo_i $info
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
set -- $info
add "rndc fetchlimit" to show fetchlimited servers this command runs dns_adb_dumpquota() to display all servers in the ADB that are being actively fetchlimited by the fetches-per-server controls (i.e, servers with a nonzero average timeout ratio or with the quota having been reduced from the default value). the "fetchlimit" system test has been updated to use the new command to check quota values instead of "rndc dumpdb".
2022-05-26 02:33:52 -07:00
quota=$2
[ ${quota:-200} -lt 200 ] || ret=1
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
n=$((n + 1))
echo_i "checking servfail statistics ($n)"
parallelize most system tests
2018-02-20 15:43:27 -08:00
ret=0
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
rm -f ns3/named.stats
$RNDCCMD stats
for try in 1 2 3 4 5; do
[ -f ns3/named.stats ] && break
sleep 1
done
sspill=`grep 'spilled due to server' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/'`
[ -z "$sspill" ] && sspill=0
fails=`grep 'queries resulted in SERVFAIL' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/'`
[ -z "$fails" ] && fails=0
[ "$fails" -ge "$sspill" ] || ret=1
parallelize most system tests
2018-02-20 15:43:27 -08:00
if [ $ret != 0 ]; then echo_i "failed"; fi
Add lower bound checks to fetchlimit test Check that the recursing client count is above a reasonable minimum, as well as below a maximum, so that we can detect bugs that cause recursion to fail too early or too often.
2022-05-08 17:17:29 -07:00
status=$((status+ret))
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
n=$((n + 1))
echo_i "checking lame server recovery ($n)"
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
ret=0
rm -f ans4/norespond
for try in 1 2 3 4 5; do
burst b $try
Add lower bound checks to fetchlimit test Check that the recursing client count is above a reasonable minimum, as well as below a maximum, so that we can detect bugs that cause recursion to fail too early or too often.
2022-05-08 17:17:29 -07:00
stat 0 200 || ret=1
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
[ $ret -eq 1 ] && break
sleep 1
done
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
n=$((n + 1))
echo_i "dumping ADB data ($n)"
ret=0
add "rndc fetchlimit" to show fetchlimited servers this command runs dns_adb_dumpquota() to display all servers in the ADB that are being actively fetchlimited by the fetches-per-server controls (i.e, servers with a nonzero average timeout ratio or with the quota having been reduced from the default value). the "fetchlimit" system test has been updated to use the new command to check quota values instead of "rndc dumpdb".
2022-05-26 02:33:52 -07:00
info=$($RNDCCMD fetchlimit | grep 10.53.0.4 | sed 's/.*quota .*(\([0-9]*\).*atr \([.0-9]*\).*/\2 \1/')
parallelize most system tests
2018-02-20 15:43:27 -08:00
echo_i $info
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
set -- $info
add "rndc fetchlimit" to show fetchlimited servers this command runs dns_adb_dumpquota() to display all servers in the ADB that are being actively fetchlimited by the fetches-per-server controls (i.e, servers with a nonzero average timeout ratio or with the quota having been reduced from the default value). the "fetchlimit" system test has been updated to use the new command to check quota values instead of "rndc dumpdb".
2022-05-26 02:33:52 -07:00
[ ${2:-${quota}} -lt $quota ] || ret=1
quota=$2
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
n=$((n + 1))
echo_i "checking lame server recovery (continued) ($n)"
ret=0
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
for try in 1 2 3 4 5 6 7 8 9 10; do
burst c $try
Add lower bound checks to fetchlimit test Check that the recursing client count is above a reasonable minimum, as well as below a maximum, so that we can detect bugs that cause recursion to fail too early or too often.
2022-05-08 17:17:29 -07:00
stat 0 20 || ret=1
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
[ $ret -eq 1 ] && break
sleep 1
done
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
n=$((n + 1))
echo_i "dumping ADB data ($n)"
ret=0
add "rndc fetchlimit" to show fetchlimited servers this command runs dns_adb_dumpquota() to display all servers in the ADB that are being actively fetchlimited by the fetches-per-server controls (i.e, servers with a nonzero average timeout ratio or with the quota having been reduced from the default value). the "fetchlimit" system test has been updated to use the new command to check quota values instead of "rndc dumpdb".
2022-05-26 02:33:52 -07:00
info=$($RNDCCMD fetchlimit | grep 10.53.0.4 | sed 's/.*quota .*(\([0-9]*\).*atr \([.0-9]*\).*/\2 \1/')
parallelize most system tests
2018-02-20 15:43:27 -08:00
echo_i $info
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
set -- $info
add "rndc fetchlimit" to show fetchlimited servers this command runs dns_adb_dumpquota() to display all servers in the ADB that are being actively fetchlimited by the fetches-per-server controls (i.e, servers with a nonzero average timeout ratio or with the quota having been reduced from the default value). the "fetchlimit" system test has been updated to use the new command to check quota values instead of "rndc dumpdb".
2022-05-26 02:33:52 -07:00
[ ${2:-${quota}} -gt $quota ] || ret=1
quota=$2
parallelize most system tests
2018-02-20 15:43:27 -08:00
if [ $ret != 0 ]; then echo_i "failed"; fi
Add lower bound checks to fetchlimit test Check that the recursing client count is above a reasonable minimum, as well as below a maximum, so that we can detect bugs that cause recursion to fail too early or too often.
2022-05-08 17:17:29 -07:00
status=$((status+ret))
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
parallelize most system tests
2018-02-20 15:43:27 -08:00
copy_setports ns3/named2.conf.in ns3/named.conf
Use rndc_reload in tests, make sure that reload is complete before continuing
2018-12-11 12:59:11 +01:00
rndc_reconfig ns3 10.53.0.3
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
n=$((n + 1))
echo_i "checking lame server clients are dropped at the per-domain limit ($n)"
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
ret=0
fail=0
success=0
touch ans4/norespond
for try in 1 2 3 4 5; do
burst b $try 300
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
$DIGCMD a ${try}.example > dig.out.ns3.$n.$try
grep "status: NOERROR" dig.out.ns3.$n.$try > /dev/null 2>&1 && \
Add lower bound checks to fetchlimit test Check that the recursing client count is above a reasonable minimum, as well as below a maximum, so that we can detect bugs that cause recursion to fail too early or too often.
2022-05-08 17:17:29 -07:00
success=$((success+1))
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
grep "status: SERVFAIL" dig.out.ns3.$n.$try > /dev/null 2>&1 && \
Add lower bound checks to fetchlimit test Check that the recursing client count is above a reasonable minimum, as well as below a maximum, so that we can detect bugs that cause recursion to fail too early or too often.
2022-05-08 17:17:29 -07:00
fail=$(($fail+1))
"rndc fetchlimit" now also lists rate-limited domains "rndc fetchlimit" now also prints a list of domain names that are currently rate-limited by "fetches-per-zone". The "fetchlimit" system test has been updated to use this feature to check that domain limits are applied correctly.
2022-05-26 14:43:23 -07:00
stat 40 40 || ret=1
allowed=$($RNDCCMD fetchlimit | awk '/lamesub/ { print $6 }')
[ "${allowed:-0}" -eq 40 ] || ret=1
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
[ $ret -eq 1 ] && break
sleep 1
done
parallelize most system tests
2018-02-20 15:43:27 -08:00
echo_i "$success successful valid queries, $fail SERVFAIL"
if [ $ret != 0 ]; then echo_i "failed"; fi
Add lower bound checks to fetchlimit test Check that the recursing client count is above a reasonable minimum, as well as below a maximum, so that we can detect bugs that cause recursion to fail too early or too often.
2022-05-08 17:17:29 -07:00
status=$((status+ret))
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
n=$((n + 1))
echo_i "checking drop statistics ($n)"
ret=0
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
rm -f ns3/named.stats
$RNDCCMD stats
for try in 1 2 3 4 5; do
[ -f ns3/named.stats ] && break
sleep 1
done
zspill=`grep 'spilled due to zone' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/'`
[ -z "$zspill" ] && zspill=0
drops=`grep 'queries dropped' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/'`
[ -z "$drops" ] && drops=0
[ "$drops" -ge "$zspill" ] || ret=1
parallelize most system tests
2018-02-20 15:43:27 -08:00
if [ $ret != 0 ]; then echo_i "failed"; fi
Add lower bound checks to fetchlimit test Check that the recursing client count is above a reasonable minimum, as well as below a maximum, so that we can detect bugs that cause recursion to fail too early or too often.
2022-05-08 17:17:29 -07:00
status=$((status+ret))
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
parallelize most system tests
2018-02-20 15:43:27 -08:00
copy_setports ns3/named3.conf.in ns3/named.conf
Use rndc_reload in tests, make sure that reload is complete before continuing
2018-12-11 12:59:11 +01:00
rndc_reconfig ns3 10.53.0.3
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
n=$((n + 1))
echo_i "checking lame server clients are dropped below the hard limit ($n)"
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
ret=0
fail=0
revise soft limit test - don't bail out of the loop if clients are exceeded, just count incidents - verbosely describe expectations and results
2018-02-26 13:10:44 -08:00
exceeded=0
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
success=0
touch ans4/norespond
for try in 1 2 3 4 5; do
burst b $try 400
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
$DIGCMD +time=2 a ${try}.example > dig.out.ns3.$n.$try
Fix 'lame server clients are dropped below the hard limit' test The test was setting a minimum count for recursive clients which was not always being met (e.g. 91 instead of 100) producing a false positive. Lower the lower bound on recursive clients for this test to 1.
2023-02-28 14:10:56 +11:00
stat 1 400 || exceeded=$((exceeded + 1))
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
grep "status: NOERROR" dig.out.ns3.$n.$try > /dev/null 2>&1 && \
Add lower bound checks to fetchlimit test Check that the recursing client count is above a reasonable minimum, as well as below a maximum, so that we can detect bugs that cause recursion to fail too early or too often.
2022-05-08 17:17:29 -07:00
success=$((success+1))
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
grep "status: SERVFAIL" dig.out.ns3.$n.$try > /dev/null 2>&1 && \
Add lower bound checks to fetchlimit test Check that the recursing client count is above a reasonable minimum, as well as below a maximum, so that we can detect bugs that cause recursion to fail too early or too often.
2022-05-08 17:17:29 -07:00
fail=$(($fail+1))
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
sleep 1
done
revise soft limit test - don't bail out of the loop if clients are exceeded, just count incidents - verbosely describe expectations and results
2018-02-26 13:10:44 -08:00
echo_i "$success successful valid queries (expected 5)"
[ "$success" -eq 5 ] || { echo_i "failed"; ret=1; }
echo_i "$fail SERVFAIL responses (expected 0)"
[ "$fail" -eq 0 ] || { echo_i "failed"; ret=1; }
Test for the hard fetchlimit instead of soft fetchlimit Previously, the fetchlimit tested the recursive-clients soft limit that's defined as 90% of the hard limit (the actual configured value). This worked previously because the reaping of the oldest recursive client was put on the same event queue as the current TCP client, thus the cleaning has happened before the new TCP client established a new connection. With the change in BIND 9.14 that added a multiple event queues the cleaning of the oldests clients is no longer synchronous and could happen stochastically making the soft limit testing fail often. The situation became even worse with the new networking manager, thus we change the system test to fail only if the hard limit bound is not honored. Changing the accounting of the already reaped TCP clients so the soft limit testing is possible again is out of the scope for this change.
2019-12-05 00:02:43 +01:00
echo_i "clients count exceeded 400 on $exceeded trials (expected 0)"
revise soft limit test - don't bail out of the loop if clients are exceeded, just count incidents - verbosely describe expectations and results
2018-02-26 13:10:44 -08:00
[ "$exceeded" -eq 0 ] || { echo_i "failed"; ret=1; }
parallelize most system tests
2018-02-20 15:43:27 -08:00
if [ $ret != 0 ]; then echo_i "failed"; fi
Add lower bound checks to fetchlimit test Check that the recursing client count is above a reasonable minimum, as well as below a maximum, so that we can detect bugs that cause recursion to fail too early or too often.
2022-05-08 17:17:29 -07:00
status=$((status+ret))
[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
Fix fetchlimit system test issues 1. Fix the numbering. 2. Fix an artifacts rewriting issue. 3. Add missing checks of 'ret' after some checks.
2023-05-29 14:17:01 +00:00
n=$((n + 1))
echo_i "checking drop statistics ($n)"
ret=0
add a stats counter for clients dropped due to recursive-clients limit
2019-11-25 21:28:10 -08:00
rm -f ns3/named.stats
Fix 'checking drop statistics' test Wait for the desired log message to appear in ns3/named.stats rather than the creation of the file.
2023-02-28 14:24:20 +11:00
touch ns3/named.stats
add a stats counter for clients dropped due to recursive-clients limit
2019-11-25 21:28:10 -08:00
$RNDCCMD stats
Fix 'checking drop statistics' test Wait for the desired log message to appear in ns3/named.stats rather than the creation of the file.
2023-02-28 14:24:20 +11:00
wait_for_log 5 "queries dropped due to recursive client limit" ns3/named.stats || ret=1
add a stats counter for clients dropped due to recursive-clients limit
2019-11-25 21:28:10 -08:00
drops=`grep 'queries dropped due to recursive client limit' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/'`
[ "${drops:-0}" -ne 0 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
Add lower bound checks to fetchlimit test Check that the recursing client count is above a reasonable minimum, as well as below a maximum, so that we can detect bugs that cause recursion to fail too early or too often.
2022-05-08 17:17:29 -07:00
status=$((status+ret))
add a stats counter for clients dropped due to recursive-clients limit
2019-11-25 21:28:10 -08:00
parallelize most system tests
2018-02-20 15:43:27 -08:00
echo_i "exit status: $status"
do not overflow exit status. [RT #42643]
2016-06-14 13:48:39 +10:00
[ $status -eq 0 ] || exit 1
Reference in New Issue Copy Permalink