Various test cases where legacy keys exist and are used to migrate to 'dnssec-policy'. These once existed as a shell script but were removed because 'auto-dnssec' was removed. But the test cases are still useful if one wants to migrate to 'dnssec-policy' with such legacy keys, so it would be good to resurrect these tests.
Closes #3769
Backport of MR !10787
Merge branch 'backport-3769-migrate-zsk-ksk-plit-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10868
This is a follow-up from the test cases that were added a long time ago
that cover migrating to dnssec-policy.
The test covers legacy keys that do not have the SyncPublish timing
metadata set.
(cherry picked from commit dfdac550d823861edcf447899dc4957404e473e4)
Various test cases where legacy keys exist and are used to migrate to
dnssec-policy. These once existed as a shell script but were removed
because auto-dnssec was removed. But the test cases are still useful
if one wants to migrate to dnssec-policy with such legacy keys.
The tests were previously removed in commit
906dd57b68dab3526af82ec266f413e11391394d as part of MR !8085.
(cherry picked from commit 649981483575e3ddea26b9044c3cf4fa2502d2fa)
When migrating to dnssec-policy, keys that do not match will not have
a lifetime set. Adjust the test code to allow for that. Setting '-'
in a key properties string signals lifetime is expected not to be set.
(cherry picked from commit 89e90c30f89fc129b31b76768881f266087bf08a)
If we are migrating keys, we should take the existing key timing
metadata to initialise the state values. These tests will only set up
keys with Publish/Activate/SyncPublish times, because the Retire and
Remove timings will still need to be adjusted to the DNSSEC policy.
(cherry picked from commit 1a8cbf11fe03cf88a0e17095fe13a8e3bdb424fd)
Add and apply InsertBraces statement to add missing curly braces around one-line statements and use ControlStatementsExceptControlMacros for SpaceBeforeParens to remove space between foreach macro and the brace, e.g. `FOREACH (x) {` becomes `FOREACH(x) {`.
Backport of MR !10863
Merge branch 'backport-ondrej/update-clang-format-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10864
> Put a space before opening parentheses only after control statement
> keywords (for/if/while...) except this option doesn’t apply to ForEach
> and If macros. This is useful in projects where ForEach/If macros are
> treated as function calls instead of control statements.
(cherry picked from commit 42496f3f4a8802c0ba8033a1bcabc8bebf5b0087)
> Insert braces after control statements (if, else, for, do, and while)
> in C++ unless the control statements are inside macro definitions or
> the braces would enclose preprocessor directives.
(cherry picked from commit d051e1e8f8eea1400191e0fd20641394b7d438be)
We've switched to an updated dataset for shotgun jobs. The change in
underlying traffic caused the more sensitive doh-get (and partially dot)
jobs to overload the resolver, making the jobs unstable and unreliable,
due to an increased number of timeouts.
Readjust the load parameters slightly to avoid exceeding ~2 % of
timeouts in the cold cache scenario to stabilize the job results.
Backport of MR !10841
Merge branch 'backport-nicki/ci-shotgun-load-new-dataset-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10856
We've switched to an updated dataset for shotgun jobs. The change in
underlying traffic caused the more sensitive doh-get (and partially dot)
jobs to overload the resolver, making the jobs unstable and unreliable,
due to an increased number of timeouts.
Readjust the load parameters slightly to avoid exceeding ~2 % of
timeouts in the cold cache scenario to stabilize the job results.
(cherry picked from commit 338389b3eb410d347dc337fa27371cf808888854)
Initialization of the common members of rdata type structures varies across branches. Standardize it by using the `DNS_RDATACOMMON_INIT` macro for all types, so that new types are more likely to use it, and hence backport more cleanly.
Closes #5467
Merge branch '5467-use-dns_rdatacommon_init-to-hide-branch-differences-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10834
Initialization of the common members of rdata type structures varies
across branches. Standardize it by using the DNS_RDATACOMMON_INIT
macro for all types, so that new types are more likely to use it,
and hence backport more cleanly.
After !9950, respdiff's maximal disagreement percentage needs to be
adjusted as target disagreements between the tested version of the
"main" branch and the reference one jumped for the respdiff,
respdiff:asan, and respdiff:tsan jobs from on average 0.07% to 0.16% and
from 0.12% to 0.17% for the respdiff-third-party job.
In !9950, we concluded setting MAX_DISAGREEMENTS_PERCENTAGE to double
the average disagreement percentage works fine in the CI.
(cherry picked from commit 9acc0c8543b6173c35019982bd6677a421204bff)
Backport of MR !10293
Merge branch 'backport-mnowak/more-lenient-respdiff-limits-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10847
Previously the location of the .hypothesis directory would depend on the
current working directory when running pytest.
Set the HYPOTHESIS_STORAGE_DIRECTORY explicitly.
Closes #5424
Backport of MR !10825
Merge branch 'backport-5424-hypothesis-artifacts-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10828
Previously the location of the .hypothesis directory would depend on the
current working directory when running pytest.
Set the HYPOTHESIS_STORAGE_DIRECTORY explicitly.
(cherry picked from commit a4e74ab8cd51a514424aa01fa96344f0f9f918c2)
Renamed the `filter-aaaa` system test to `filters`, converted it to python, and added test cases to exercise the `filter-a` plugin as well.
Backport of MR !10730
Merge branch 'backport-each-test-filter-a-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10832
Previously, symlinks and relative directory imports were used in test
modules. This caused a name clash when a shared code module "common.py"
was introduced for a different test. To avoid the issue, use full paths
in imports.
(cherry picked from commit e49c467efb64229f536f2f116f402da176656ee7)
Move tests which use different configuration to dedicated modules to
avoid possible interference with other tests.
Parametrize the test cases to have a dedicated test for each server
configuration.
Turn the check_filter() comments into log messages to help with
debugging.
(cherry picked from commit cbebeacec15a2716cce74f4a3f8544abd62b398f)
cut down the number of identical lines in the filter-aaaa test:
- replace identical test cases with small check functions
(check_aaaa_only, check_any, check_nodata, etc).
- group those together into large check functions (check_filter,
check_filter_other_family) that have options for recursive and
break_dnssec, then run those for each combination of options
on servers configured with filter-aaaa-on-v4 and filter-aaaa-on-v6.
(cherry picked from commit 58fe984c9505a2052dfd572cdde836686f710bd1)
use pytest for the filter-aaaa test.
In order to implement this, isctest.mark can now test whether IPv6 is
configured by calling testsock6.pl.
(cherry picked from commit b234c6d954ef76d9e9ac226ae164bfe31dadc3d3)
Adds dns_dsyncscheme_fromtext, dns_dsyncscheme_totext and
dns_dsyncscheme_format. Adds type dns_dsyncscheme_t.
(cherry picked from commit 6e1311c624d15e6c4d0184deea3bb670e8a5785d)
qp-tries allocate their nodes (twigs) in chunks to reduce allocator pressure and improve memory locality. The choice of chunk size presents a tradeoff: larger chunks benefit qp-tries with many values (as seen in large zones and resolvers) but waste memory in smaller use cases.
Previously, our fixed chunk size of 2^10 twigs meant that even an empty qp-trie would consume 12KB of memory, while reducing this size would negatively impact resolver performance.
This MR implements an adaptive chunking strategy that tracks the size of the most recently allocated chunk and doubles the chunk size for each new allocation until reaching a predefined maximum.
This approach effectively balances memory efficiency for small tries while maintaining the performance benefits of larger chunk sizes for bigger data structures.
Closes #5445
Backport of MR !10245
Merge branch '5445-qp-small-alloc' into 'bind-9.20'
See merge request isc-projects/bind9!10804
Before implementing adaptive chunk sizing, it was necessary to ensure
that a chunk could hold up to 48 twigs, but the new logic will size-up
new chunks to ensure that the current allocation can succeed.
We exploit the new logic in two ways:
- We make the minimum chunk size smaller than the old limit of 2^6,
reducing memory consumption.
- We make the maximum chunk size larger, as it has been observed that
it improves resolver performance.
(cherry picked from commit d7064c9b88555918778822881a156e6f8864ea98)
qp-tries allocate their nodes (twigs) in chunks to reduce allocator
pressure and improve memory locality. The choice of chunk size presents
a tradeoff: larger chunks benefit qp-tries with many values (as seen
in large zones and resolvers) but waste memory in smaller use cases.
Previously, our fixed chunk size of 2^10 twigs meant that even an
empty qp-trie would consume 12KB of memory, while reducing this size
would negatively impact resolver performance.
This commit implements an adaptive chunking strategy that:
- Tracks the size of the most recently allocated chunk.
- Doubles the chunk size for each new allocation until reaching a
predefined maximum.
This approach effectively balances memory efficiency for small tries
while maintaining the performance benefits of larger chunk sizes for
bigger data structures.
This commit also splits the callback freeing qpmultis into two
phases, one that frees the underlying qptree, and one that reclaims
the qpmulti memory. In order to prevent races between the qpmulti
destructor and chunk garbage collection jobs, the second phase is
protected by reference counting.
(cherry picked from commit 70b1777d8aef75da1b184fe8155dc818ce66628a)
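An added sketch of the doubling strategy described in the two commits above; it is not BIND's code. The function names and the 2^5 / 2^12 bounds are assumptions (the messages only say the minimum is below 2^6 and the maximum is larger than before), and the 12 bytes per twig is derived from the quoted 12KB for a 2^10-twig chunk.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed bounds: the page only says the minimum is below 2^6 and the
 * maximum is above the old fixed size of 2^10 twigs. */
#define CHUNK_MIN ((size_t)1 << 5)
#define CHUNK_MAX ((size_t)1 << 12)
#define CHUNK_OLD ((size_t)1 << 10)
/* 12KB per 2^10-twig chunk (figure from the page) is 12 bytes per twig. */
#define TWIG_BYTES ((size_t)12)

/* Twigs in the next chunk, given the previous chunk size (0 = none yet)
 * and the number of twigs the pending allocation needs. */
static size_t next_chunk(size_t prev, size_t need) {
	size_t size = (prev == 0) ? CHUNK_MIN : prev * 2;
	if (size > CHUNK_MAX) {
		size = CHUNK_MAX;
	}
	while (size < need) { /* size up so this allocation can succeed */
		size *= 2;
	}
	return size;
}

/* Bytes reserved for a trie of `twigs` twigs, allocated one by one;
 * assumes even an empty trie owns one chunk, as in the old scheme. */
static size_t adaptive_bytes(size_t twigs) {
	size_t prev = 0, capacity = 0;
	do {
		prev = next_chunk(prev, 1);
		capacity += prev;
	} while (capacity < twigs);
	return capacity * TWIG_BYTES;
}

static size_t fixed_bytes(size_t twigs) {
	size_t chunks = (twigs == 0) ? 1 : (twigs + CHUNK_OLD - 1) / CHUNK_OLD;
	return chunks * CHUNK_OLD * TWIG_BYTES;
}

int main(void) {
	size_t sizes[] = { 0, 100, 5000, 100000 };
	for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		printf("%6zu twigs: fixed %7zu B, adaptive %7zu B\n", sizes[i],
		       fixed_bytes(sizes[i]), adaptive_bytes(sizes[i]));
	}
	return 0;
}
```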
When the zone is configured with a CNAME override policy, or the response policy zone contains a wildcard CNAME, the extended DNS error code was not added. This has been fixed.
Closes #5342
Backport of MR !10777
Merge branch 'backport-5342-rpz-cname-override-ede-not-added-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10819
When the zone is configured with a CNAME override policy, also add the
configured EDE code.
When the zone contains a wildcard CNAME, also add the configured
EDE code.
(cherry picked from commit 2f70a0ef12a4aea58098bd0ca9003c46146770fc)
When the zone is configured with a CNAME override policy, the EDE code
is not added as expected. Add a test case based on the issue in GitLab
(#5342).
When the zone contains a wildcard CNAME, the EDE code is not added as
expected. Also add a test case for this.
(cherry picked from commit 4ef00f97d6806622a833a9c7b9e414a5ddaa19f0)
Under rare circumstances, validation could fail if multiple clients simultaneously iterated the same set of signatures.
References #3014
Backport of MR !5578
Merge branch 'backport-3014-validator-c-check_signer-fails-to-call-dns_rdataset_clone-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10815
Spurious validation failures were traced back to check_signer looping
over val->sigrdataset directly. Cloning val->sigrdataset prevents
check_signer from interacting with callers that are also looping
over val->sigrdataset.
(cherry picked from commit 8aa130f253b11e61d87dadea576e2c1430ce8dcc)
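An added toy model of the failure mode described in the commit above; it is not BIND's code. The toyset type and its helpers are hypothetical, the key tags are constructed, and the interaction between two users of the set is modelled as a nested loop in one thread, assuming the iteration cursor is stored in the set object itself.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model, not BIND's dns_rdataset_t: the cursor lives in the set. */
typedef struct toyset {
	const int *keytags; /* signer key tags of the signatures */
	size_t count;
	size_t cursor; /* iteration state shared by every user of the set */
} toyset;

static int toyset_first(toyset *s) { s->cursor = 0; return s->count > 0; }
static int toyset_next(toyset *s) { return ++s->cursor < s->count; }
static int toyset_current(const toyset *s) { return s->keytags[s->cursor]; }

/* A clone shares the data but has a private cursor. */
static toyset toyset_clone(const toyset *s) {
	toyset c = *s;
	c.cursor = 0;
	return c;
}

/* Inner scan standing in for check_signer: search for a key tag. */
static int has_signer(toyset *s, int keytag, int use_clone) {
	toyset copy = toyset_clone(s);
	toyset *it = use_clone ? &copy : s;
	for (int ok = toyset_first(it); ok; ok = toyset_next(it)) {
		if (toyset_current(it) == keytag) {
			return 1;
		}
	}
	return 0;
}

/* Outer caller looping over the same set; returns signatures visited. */
static size_t outer_visits(int use_clone) {
	static const int tags[] = { 11, 22, 33 }; /* constructed sample */
	toyset s = { tags, 3, 0 };
	size_t visited = 0;
	for (int ok = toyset_first(&s); ok; ok = toyset_next(&s)) {
		visited++;
		(void)has_signer(&s, 9999, use_clone); /* miss: scans to end */
	}
	return visited;
}

int main(void) {
	printf("shared cursor: %zu of 3 visited\n", outer_visits(0));
	printf("cloned cursor: %zu of 3 visited\n", outer_visits(1));
	return 0;
}
```

With the shared cursor the outer loop stops after the first signature because the inner scan left the cursor at the end of the set, which is how a valid signature can go unchecked.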