When the zone is initially signed, the CDNSKEY/CDS RRset is not
immediately published. The DNSKEY and signatures must propagate first.
Adjust the test to allow for this case.
(cherry picked from commit 708927e03d)
Add an option to dnssec-ksr keygen, -o, to create KSKs instead of ZSKs.
This way, we can create a set of KSKs for a given period too.
For KSKs we also need to set timing metadata, including "SyncPublish"
and "SyncDelete". This functionality already exists in keymgr.c so
let's make the function accessible.
Replace dnssec-keygen calls with dnssec-ksr keygen for KSK in the
ksr system test and check keys for created KSKs as well. This requires
a slight modification of the check_keys function to take into account
KSK timings and metadata.
(cherry picked from commit 680aedb595)
Add missing checks for `$FEATURETEST --have-fips-dh` in notify system test to match those in setup.sh.
Closes #5015
Backport of MR !9707
Merge branch 'backport-5015-tls-notify-checks-fail-on-ol-8-fips-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9712
In the ksr system test, the 'test_ksr_twotone' case may fail if there are two keys with the same keytag (but different algorithms), because one key is expected to be signing and the other is not.
Switch to regular expression matching and include the algorithm in the search string.
Closes #5017
Backport of MR !9701
Merge branch 'backport-5017-unexpected-match-ksr-twotone-again-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9710
In the ksr system test, the test_ksr_twotone case may fail if there
are two keys with the same keytag (but different algorithms), because
one key is expected to be signing and the other is not.
Switch to regular expression matching and include the algorithm in the
search string.
(cherry picked from commit 795fcc9f80)
With the introduction of the generated changelog, the CHANGES file
became a symlink to doc/arm/changelog.rst. After the changes made in
!9549, the changelog file transitioned from being a wholly generated
file to one that includes versioned changelog files, which are
themselves generated. However, while implementing !9549, we overlooked
that the CHANGES file is copied to a release directory on an FTP server
and contains just "include" directives, not the changelog itself.
Therefore, in the same fashion as the "RELEASE-NOTES*.html" file, create
a "CHANGELOG*.html" file that redirects to the Changelog appendix of the
ARM.
Closes #5000
Backport of MR !9690
Merge branch 'backport-5000-provide-correct-changelog-on-ftp-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9703
With the introduction of the generated changelog, the CHANGES file
became a symlink to doc/arm/changelog.rst. After the changes made in
!9549, the changelog file transitioned from being a wholly generated
file to one that includes versioned changelog files, which are
themselves generated. However, while implementing !9549, we overlooked
that the CHANGES file is copied to a release directory on an FTP server
and contains just "include" directives, not the changelog itself.
Therefore, in the same fashion as the "RELEASE-NOTES*.html" file, create
a "CHANGELOG*.html" file that redirects to the Changelog appendix of the
ARM.
(cherry picked from commit e40bd273e4)
Configuration files in system tests which require some variables (e.g.
port numbers) filled in during test setup can now use jinja2 templates
when the `jinja2` python package is available.
Any `*.j2` file found within the system test directory will be
automatically rendered with the environment variables into a file
without the `.j2` extension by the pytest runner. E.g.
`ns1/named.conf.j2` will become `ns1/named.conf` during test setup. To
avoid automatic rendering, use the `.j2.manual` extension and render the
files manually at test time.
A new `templates` pytest fixture has been added. Its `render()` function
can be used to render a template with custom test variables. This can be
useful to fill in different config options during the test. With
advanced jinja2 template syntax, it can also be used to include/omit
entire sections of the config file rather than using `named1.conf.in`,
`named2.conf.in`, etc.
Closes #4938
Backport of MR !9587
Merge branch 'backport-4938-use-jinja2-templates-in-system-tests-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9699
Configuration files in system tests which require some variables (e.g.
port numbers) filled in during test setup can now use jinja2 templates
when the `jinja2` python package is available.
Any `*.j2` file found within the system test directory will be
automatically rendered with the environment variables into a file
without the `.j2` extension by the pytest runner. E.g.
`ns1/named.conf.j2` will become `ns1/named.conf` during test setup. To
avoid automatic rendering, use the `.j2.manual` extension and render the
files manually at test time.
A new `templates` pytest fixture has been added. Its `render()` function
can be used to render a template with custom test variables. This can be
useful to fill in different config options during the test. With
advanced jinja2 template syntax, it can also be used to include/omit
entire sections of the config file rather than using `named1.conf.in`,
`named2.conf.in`, etc.
(cherry picked from commit 60e118c4fb)
Emphasize more that the `inline-signing` default value has changed in 9.20.0.
Merge branch 'matthijs-improve-release-notes-wrt-inline-signing-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9647
Use a stricter hazard check which ensures the audience tag is present in
the MR title and is one of the known values. This prevents situations
where an incorrect audience is accidentally used, resulting in a missing
changelog entry or release note.
(cherry picked from commit cdb93bcbd4)
Coverity Scan reported a new issue for the ksr system test. There is allegedly a null pointer dereference (FORWARD_NULL) in check_keys().
This popped up because previously we set 'retired' to 0 in case of unlimited lifetime, but we changed it to None.
It is actually a false positive, because if lifetime is unlimited there will be only one key in 'keys'.
However, the code would be better if we always initialized 'active' and if it is not the first key and retired is set, set the successor key's active time to the retire time of the predecessor key.
Closes #5004
Backport of MR !9687
Merge branch 'backport-5004-cid-510858-ksr-check-keys-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9693
Coverity Scan reported a new issue for the ksr system test. There
is allegedly a null pointer dereference (FORWARD_NULL) in check_keys().
This popped up because previously we set 'retired' to 0 in case of
unlimited lifetime, but we changed it to None.
It is actually a false positive, because if lifetime is unlimited
there will be only one key in 'keys'.
However, the code would be better if we always initialized 'active'
and if it is not the first key and retired is set, set the successor
key's active time to the retire time of the predecessor key.
(cherry picked from commit e777efb576)
A test may fail if the key id is shorter than 5 digits. Add a leading space to the expected strings which start with the key tag to avoid the issue.
Closes #5002
Backport of MR !9688
Merge branch 'backport-5002-unexpected-match-ksr-twotwone-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9692
The test_ksr_twotone case may fail if the key id is shorter than 5 digits.
Add a leading space to the expected strings which start with the key
tag to avoid the issue.
(cherry picked from commit d5f32f6990)
Make system tests symlinks and logged test names consistent across pytest versions.
Backport of MR !9071
Merge branch 'backport-nicki/pytest-v8-compat-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9685
While this file is no longer created / used in the main branch, it may
linger around when switching from maintenance branches.
(cherry picked from commit 6262d002bf)
The pytest collection mechanism has been overhauled in pytest 8.0.0,
resulting in a different node tree when collecting the tests. Ensure the
paths / names we're using that are derived from the node tree are
consistent across different pytest versions.
Particularly, this has affected the convenience symlink name (which is
supposed to be in the form of e.g. dns64_sh_dns64 for the dns64 module
and tests_sh_dns64.py module) and the test name that's logged at the
start of the test, which is supposed to include the system test
directory relative to the root system test directory as well as the
module name (e.g. dns64/tests_sh_dns64.py).
Related https://github.com/pytest-dev/pytest/issues/7777
(cherry picked from commit 7118cbed98)
Notifies configured to use TLS will now be sent over TLS, instead of plaintext UDP or TCP.
Failing to load the TLS configuration for notify now also results in an error.
Closes #4821
Backport of MR !9407
Merge branch 'backport-4821-notify-over-tls-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9684
Use tls-forward-secrecy instead of tls-expired for tls-x2 and regenerate
the expired certificate for tls-x6 to reflect the swap of ns2 and ns3.
(cherry picked from commit bbdc6b26aa)
This allows for dispatch to use existing TCP/HTTPS/TLS etc. streams without accidentally using an unexpected transport.
Closes #4989
Backport of MR !9633
Merge branch 'backport-4989-fix-transport-use-with-dispatch-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9682
Dispatch needs to know the transport that is being used over the
TCP connection to correctly allow for it to be reused. Add a
transport parameter to dns_dispatch_createtcp and dns_dispatch_gettcp
and use it when selecting a TCP socket for reuse.
(cherry picked from commit baab8a5d75)
When working with key timestamps, ensure we correctly set the UTC
timezone in order for the tests to work consistently regardless of the
local time setting.
Closes #4999
Backport of MR !9673
Merge branch 'backport-4999-pytest-kasp-use-utc-timezone-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9679
Use a different timezone via the TZ variable in at least one of the
system test jobs in order to detect possible issues with timezone
handling in python.
(cherry picked from commit 46810be809)
When working with key timestamps, ensure we correctly set the UTC
timezone in order for the tests to work consistently regardless of the
local time setting.
(cherry picked from commit f840deba33)
Backport of MR !9626
Merge branch 'backport-nicki/pylint-disable-too-few-too-many-checks-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9656
Enforcing pylint standards and defaults for our test code seems
counter-productive. Since most of the newly added code is tests or
test-related, encountering these checks rarely makes us refactor the code
in other ways, and we just disable these checks individually. Code that
is too complex or convoluted will be pointed out in reviews anyway.
(cherry picked from commit 7639c58c48)
It is possible that the zone is not yet fully signed because it is
signed in batches. Retry the AXFR and verify command a couple of times.
(cherry picked from commit b8b3df0676)
If a function is expected to assert / raise on failure (rather than
return boolean), its name should start with "check_".
(cherry picked from commit 67957d1f54)
Move all test cases from tests.sh to tests_ksr.py. The only test that
is not moved is the check that key IDs match expected keys. The
shell-based system test checks two earlier-set environment variables
against each other, which has become redundant in the pytest variant,
because we now check the signed key response against a list of keys
and for each key we take into account the timing metadata. So we
already ensure that each published key is in the correct key bundle.
(cherry picked from commit a15bf6704b)
Write initial pytest kasp library. This contains everything that is
required for testing Offline KSK functionality with pytest.
This includes:
- addtime: adding a value to a timing metadata
- get_timing_metadata: retrieve timing metadata from keyfile
- get_metadata/get_keystate: retrieve metadata from statefile
- get_keytag: retrieve keytag from base keyfile string
- get_keyrole: get key role from statefile
- dnskey_equals: compare DNSKEY record from file against a string
- cds_equals: compare CDS derived from file against a string
- zone_is_signed: wait until a zone is completely signed
- dnssec_verify: verify a DNSSEC signed zone with dnssec-verify
- check_dnssecstatus: check rndc dnssec -status output
- check_signatures: check that signatures for a given RRset are correct
- check_dnskeys: check that the published DNSKEY RRset is correct
- check_cds: check that the published CDS RRset is correct
- check_apex: check SOA, DNSKEY, CDNSKEY, and CDS RRset
- check_subdomain: check an RRset below the apex
(cherry picked from commit a3829990fd)
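The kasp helpers listed above (get_timing_metadata, addtime, check_keys), the UTC handling from the timezone commit and the successor-key rule from the check_keys commit, as one added Python example that is not BIND's own test library: the key file contents are constructed samples, and the `check_keys(keyfiles, lifetime)` signature is an assumption made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed samples of the timing comments dnssec-keygen writes into a key
# file (YYYYMMDDHHMMSS, UTC).  Not real keys; no key material is included.
KEY1 = """\
; This is a key-signing key, keyid 11111, for example.
; Publish: 20231201000000 (Fri Dec  1 00:00:00 2023)
; Activate: 20240101000000 (Mon Jan  1 00:00:00 2024)
; Inactive: 20240331000000 (Sun Mar 31 00:00:00 2024)
"""
KEY2 = """\
; Activate: 20240331000000 (Sun Mar 31 00:00:00 2024)
; Inactive: 20240629000000 (Sat Jun 29 00:00:00 2024)
"""
KEY_UNLIMITED = """\
; Activate: 20240101000000 (Mon Jan  1 00:00:00 2024)
"""

def get_timing_metadata(keyfile_text, field):
    """Return a timing field ("Activate", "Inactive", ...) as an aware UTC
    datetime, or None when absent (an unlimited-lifetime key has no Inactive)."""
    m = re.search(r"^; %s: (\d{14})" % re.escape(field), keyfile_text, re.M)
    if m is None:
        return None
    # strptime yields a naive datetime; pin it to UTC so comparisons and
    # .timestamp() do not drift with the host's local TZ setting.
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def addtime(when, seconds):
    """Add a number of seconds to a timing value."""
    return when + timedelta(seconds=seconds)

def check_keys(keyfiles, lifetime):
    """Check a chain of key files (oldest first) against a lifetime in seconds
    (None = unlimited): a successor's expected active time is its predecessor's
    retire time.  Returns the (active, retired) pairs; asserts on mismatch."""
    expected = []
    retired = None
    for i, text in enumerate(keyfiles):
        if i == 0:
            active = get_timing_metadata(text, "Activate")
        else:
            assert retired is not None, "key %d follows an unlimited-lifetime key" % i
            active = retired
        retired = None if lifetime is None else addtime(active, lifetime)
        assert get_timing_metadata(text, "Activate") == active, "key %d: Activate" % i
        assert get_timing_metadata(text, "Inactive") == retired, "key %d: Inactive" % i
        expected.append((active, retired))
    return expected
```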