2
0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 21:47:59 +00:00

43636 Commits

Author SHA1 Message Date
Michal Nowak
310884c259
Revert "Capture scripts for Coverity Scan analysis"
This reverts commit b4a2674d98902983e8096c99b747343482d30673.

The --fs-capture-search option is no more. The ability to analyse Python
scripts in Coverity turned out to be questionable anyways.
2025-07-31 11:51:34 +02:00
Petr Špaček
dee6464cee chg: ci: Log packages, test AlmaLinux 9
Merge branch 'pspacek/ci-platforms-and-logging' into 'main'

See merge request isc-projects/bind9!10799
2025-07-31 08:39:27 +00:00
Petr Špaček
e702e09143 Log all installed system packages and Python libraries before build 2025-07-31 10:37:46 +02:00
Petr Špaček
8c71989a45 Run MR pipelines also on AlmaLinux 9
Turns out Python version there is older than elsewhere.
2025-07-31 10:37:46 +02:00
Michał Kępień
a91e362bb7 chg: dev: Check meson.build formatting in CI
Add a new CI job that checks whether all meson.build files in the
repository are formatted in the exact same way as "muon fmt" would
format them.  This enforces formatting consistency across all
meson.build files in the repository and enables updating their contents
using dedicated tools, e.g. "meson rewrite".

See #5379

Merge branch '5379-check-meson.build-formatting-in-ci' into 'main'

See merge request isc-projects/bind9!10770
2025-07-30 17:41:13 +02:00
Michał Kępień
e2c6603cb5
Check meson.build formatting in CI
Add a new CI job that checks whether all meson.build files in the
repository are formatted in the exact same way as "muon fmt" would
format them.  This enforces formatting consistency across all
meson.build files in the repository and enables updating their contents
using dedicated tools, e.g. "meson rewrite".
2025-07-30 17:37:38 +02:00
Petr Špaček
48f8b14192 Fix system test compatibility with old Python
Merge branch 'pspacek/test-compatibility' into 'main'

See merge request isc-projects/bind9!10797
2025-07-30 14:35:45 +00:00
Petr Špaček
b0c7f8b598 Fix compatibility with Python < 3.10
Dataclass kw_only argument was added only in Python 3.10 but EL9 image
has only 3.9.21.
2025-07-30 14:35:32 +00:00
Petr Špaček
6ae224fc9c Fix minimal dnspython version test
Wrong version number was uncovered by Ubuntu 22.04 Jammy which actually
has dnspython 2.1.0.
2025-07-30 14:35:32 +00:00
Colin Vidal
7d138108ce fix: test: fix macOS build for plugin unit test
MR !10753 breaks macOS build for plugin unit test as its linker doesn't
supports `--wrap` option, which is used in in order to mock the function
`isc_file_exits()`.

To work around the problem, a mocked `isc_file_exits()` is implemented
inside the plugin test as a static function before inlining the file
using it, which effectively links to this version rather than the isclib
one.

Closes #5455

Merge branch '5455-fix-macos-build-plugintest' into 'main'

See merge request isc-projects/bind9!10796
2025-07-30 12:11:46 +02:00
Colin Vidal
32909254f5 fix ns_plugin_expandpath tests with no extension
Parts of ns_plugin_expandpath() test expected the plugin extension to be
appened automatically (the plugin name/path is provided without the
extension), this enable to test the logic which adds the correct
extension based on the platfrom.

But the expected expanded paths from the test were hard coded with the
`.so` extension, so the test can't pass on macOS platform. This fixes
the test by using the macro providing the current-platform extension.
2025-07-30 10:35:26 +02:00
Colin Vidal
1b6347483e fix macOS build for plugin unit test
MR !10753 breaks macOS build for plugin unit test as its linker doesn't
supports `--wrap` option, which is used in in order to mock the function
`isc_file_exits()`.

To work around the problem, a mocked `isc_file_exits()` is implemented
inside the plugin test as a static function before inlining the file
using it, which effectively links to this version rather than the isclib
one.
2025-07-30 09:58:47 +02:00
Evan Hunt
c28b1436b9 new: test: add helper functions to isctest
added some helper functions in isctest to reduce code repetition
in dnssec-related tests:

- isctest.check.adflag() - checks that a response contains AD=1
- isctest.check.noadflag() - checks that a response contains AD=0

- isctest.check.rdflag() - checks that a response contains RD=1
- isctest.check.nordflag() - checks that a response contains RD=0

- isctest.check.raflag() - checks that a response contains RA=1
- isctest.check.noraflag() - checks that a response contains RA=0

- isctest.check.rr_count_eq() - checks the number of RRsset in a section

- isctest.check.same_data() - checks that two message have the
                              same rcode and data
- isctest.check.same_answer() - checks that two message have the same
                                rcode and answer

- isctest.query.create() - a wrapper for dns.message.make_query() that
                           creates a query message similar to dig +dnssec

Merge branch 'each-isctest-helpers' into 'main'

See merge request isc-projects/bind9!10760
2025-07-29 22:56:53 +00:00
Nicki Křížek
64143ea077 Use isctest.query.create across system tests
Rather than using the dnspython's facilities and defaults to create the
queries, use the isctest.query.create function in all the cases that
don't require special handling to have consistent defaults.
2025-07-29 12:13:11 -07:00
Nicki Křížek
f2a4c5dcb0 Add RA flag checks to isctest.check 2025-07-29 12:12:44 -07:00
Nicki Křížek
989e64b9b0 Refactor and move query helper to isctest.query.create
Make the query helper function more universal and reusable across our
system tests -- default to using EDNS and sending AD=1.
2025-07-29 12:12:44 -07:00
Nicki Křížek
efd60348b9 Unify RR counting in isctest.check helper
Use a common function to count the number of RRs in any section of the
DNS message. For the ADDITIONAL section, stick with the dnspython
convention of not including OPT and TSIG.
2025-07-29 12:12:44 -07:00
Nicki Křížek
b24dd20e5a Refactor isctest.check.section_equal comparison
Use the same logic as dnspython uses in dns.message.Message.
2025-07-29 12:12:44 -07:00
Evan Hunt
b69097f139 add helper functions to isctest
added some helper functions in isctest to reduce code repetition
in dnssec-related tests:

- isctest.check.adflag() - checks that a response contains AD=1
- isctest.check.noadflag() - checks that a response contains AD=0

- isctest.check.rdflag() - checks that a response contains RD=1
- isctest.check.nordflag() - checks that a response contains RD=0

- isctest.check.answer_count_eq() - checks the answer count is correct
- isctest.check.additional_count_eq() - same for authority count
- isctest.check.authority_count_eq() - same for additional count

- isctest.check.same_data() - check that two message have the
                              same rcode and data
- isctest.check.same_answer() - check that two message have the same
                                rcode and answer

- isctest.dnssec.msg() - a wrapper for dns.message.make_query() that
                         creates a query message similar to dig +dnssec:
                         use_edns=True, want_dnssec=True,
                         and flags are set to (RD|AD) by default, but
                         options exist to disable AD or enable CD.
                         (to generate non-DNSSEC queries, use
                         message.make_query() directly.)
2025-07-29 12:12:44 -07:00
Matthijs Mekking
6f679231da fix: test: Improve key collision detection in ksr system test
MR !10238 added key collision detection in the ksr system test but it was flawed because for every "collide" in the output we also log
"Generating an new key" and for each "Generating" we add the counter by one, nullifying the subtract by one.

Fix by splitting the output on ':' rather than on the default whitespace. Also make the substring matching more strict.

Closes #5229 (again)

Merge branch '5229-ksr-key-collision' into 'main'

See merge request isc-projects/bind9!10775
2025-07-29 12:46:20 +00:00
Matthijs Mekking
abdb9a1334 Improve key collision detection in ksr system test
MR !10238 added key collision detection in the ksr system test but it
was flawed because for every "collide" in the output we also log
"Generating an new key" and for each "Generating" we add the counter
by one, nullifying the subtract by one.

Use regular expressions to search in the output and make the string
expression more strict.
2025-07-29 13:57:06 +02:00
Petr Špaček
c9dcc8c485 new: test: Robust tests for NSEC3 nonexistent QNAME proof
Related to #5292

Merge branch '5292-wrong' into 'main'

See merge request isc-projects/bind9!10416
2025-07-29 08:54:27 +00:00
Michał Kępień
adb931f700 Adjust type hints for the "nsec3-answer" test
Add missing type hints in the tests_nsec3.py module.  Tweak the syntax
used for type hints for better consistency with other Python code in
bin/tests/system/.
2025-07-29 10:00:46 +02:00
Petr Špaček
fc3d5e5918 Add more empty non-terminals to test zone
I don't know exactly why, I just have a feeling there might be
interesting corner cases somewhere.
2025-07-29 10:00:46 +02:00
Petr Špaček
46781845ea Randomize NSEC3 salt
This should prevent the case where are are unlucky enough that static
values hash 'just right' for the test to pass, but only accidentally.
2025-07-29 10:00:46 +02:00
Petr Špaček
548632b18a Test proof of nonexistance of DS in insecure referrals
Currently this test is limited only to auth because currently BIND
resolver does not send DS proof of nonexistence for RD=0 queries.
2025-07-29 10:00:46 +02:00
Petr Špaček
73e4201331 Test dangling DNAME answers come with NXDOMAIN proofs
Simplistic test. Ignores the possibility of DNAME chain going through
multiple zones and/or wildcard expansions.
2025-07-29 10:00:46 +02:00
Petr Špaček
d0e413dd57 Test dangling CNAMEs come with NXDOMAIN proofs
Simplistic test. Ignores the possibility of CNAME chain going through
multiple zones and/or wildcard expansions.
2025-07-29 10:00:46 +02:00
Petr Špaček
cc6544b417 Move query outside of check_() functions
This allows better check() code reuse.
2025-07-29 10:00:46 +02:00
Petr Špaček
ac58b58002 Separate test into a new directory
The test actually needs just two servers - auth and resolver. The rest
was not needed and made test setup only slower and harder to debug.
2025-07-29 10:00:46 +02:00
Petr Špaček
a92391f60f Test simple NODATA answers with NSEC3 2025-07-29 10:00:46 +02:00
Petr Špaček
b854d5a3f5 Detect extraneous NSEC3 RRs in responses
We expect minimal possible answers which prove what they have to
according to DNSSEC protocol.
2025-07-29 10:00:46 +02:00
Petr Špaček
c45ad51860 Move proof checking into a NSEC3Checker class 2025-07-29 10:00:46 +02:00
Petr Špaček
cfaf5c997f Add consistency checks to responses with NSEC3
Basic sanity checks - limited to responses from a single zone:
- NSEC3 type cannot be present in type bitmap:
  By definition, the type bitmap describes state of the unhashed name
  but NSEC3 RR is present at a different owner name. RFC 7129 section 5
- NSEC3 owner names cannot be duplicated:
  Unless the response crosses zone boundary, parent zone has insecure
  delegation for child, but child is signed ... don't do that.
- All parameters are consistent across all RRs present in answer:
  RFC 5155 section 7.2, last paragraph - at least when we don't cross
  zone boundary.
2025-07-29 10:00:46 +02:00
Petr Špaček
9ca2077274 Split NXDOMAIN/NOERROR/NODATA test cases
Untangling individual cases allows for clearer documentation and makes
it easier to build similar but slightly different test cases.  Wildcard
NODATA answer was added.
2025-07-29 10:00:45 +02:00
Petr Špaček
f0592de608 Extract closest encloser and source of synthesis logic into ZoneAnalyzer
As a side-effect, we now have set of all existing names in a zone with a
test, too. These parts should be shared with new NSEC tests.
2025-07-29 10:00:45 +02:00
Petr Špaček
9cea2af25c Use isctest library to check hypothesis version
Side-effect of importing from isctest.hypothesis first is a version
check and clean Pytest skip if version is too old.
2025-07-29 10:00:45 +02:00
Petr Špaček
42b60a3819 Generate comprehensive tests for ZoneAnalyzer utility class
Test all combinations of wildcard, ENT, DNAME, NS, and ordinary
TXT records.

Test zone and expected outputs are generated by another script which
encodes node content into node name. This encoding removes 'node
content' level of indirection and thus enables simpler implementation of
same logic which needs to be in ZoneAnalyzer itself.

For humans the generated zone file also lists expected 'categories' a
name belongs to as dot-separated list on right hand side of a generated
RR.
2025-07-29 10:00:45 +02:00
Petr Špaček
cad48e56ab Test ZoneAnalyzer utility class
I've considered writing hypothesis test for this but I would have to
reimplement the same thing, which would probably have the same logic
bugs, so I will leave it as an exercise for someone else.
2025-07-29 10:00:37 +02:00
Petr Špaček
dbba59f48b Separate zone analyzer from NSEC3 test
Code to generate ENTs, detect wildcards, occlusion etc. is generic
enough to be in an utility module.
2025-07-29 10:00:37 +02:00
Petr Špaček
3fb6b990af Shorten syntax to access Name object
dns.name all over the place does not make it easier to read the code at
all, and I'm going to add lot more code here.
2025-07-29 10:00:36 +02:00
Petr Špaček
bd8be10329 Move multi-subdomain name generator into shared utilities 2025-07-29 10:00:36 +02:00
Evan Hunt
e263df8848 Add property based test for nsec3hash utility
Check the correctness of NSEC3 hash generation by generating random
combinations of name, salt, and iterations and comparing the outputs
of the nsec3hash tool against the dnspython nsec3_hash function
for the same inputs.
2025-07-29 10:00:36 +02:00
Petr Špaček
84ad35e7af Test also with subdomains of existing names
Composite strategy makes sure we always test with a subdomain of an
existing name.
2025-07-29 10:00:36 +02:00
Petr Špaček
f9e12a840d Dedup NSEC3 get_next_name function 2025-07-29 10:00:36 +02:00
Matthijs Mekking
955e3ccf3e Add a property based test for NSEC3 proofs for non-existent QNAMEs
For any given NSEC3 signed zone, when doing queries for non-existent
names, the response must contain:
- NSEC3 RR that matches the closest encloser,
- NSEC3 RR that covers the next closer name,
- NSEC3 RR that covers the wildcard.
2025-07-29 10:00:36 +02:00
Mark Andrews
132e68fddb Check that correct NSEC3 proofs are returned 2025-07-29 10:00:36 +02:00
Colin Vidal
13807cf853 chg: usr: plugin extension in plugin path is now optional
Plugin configuration no longer requires the library file extension, so it is now possible to invoke a plugin using the syntax `plugin query "library"` instead of `plugin query "libary.so"`.

Closes #5377

Merge branch '5377-implicit-plugin-ext' into 'main'

See merge request isc-projects/bind9!10753
2025-07-28 23:43:11 +02:00
Colin Vidal
284806029a update ARM plugin documentation
Update the ARM documentation of plugin usage as the extension in the
plugin library path is now optional.
2025-07-28 23:08:04 +02:00
Colin Vidal
b0061843b7 update test_hooks system tests
Add the case where the plugin name is provided without the extension in
the test_hooks system tests.
2025-07-28 23:08:04 +02:00