This reverts commit b4a2674d98902983e8096c99b747343482d30673.
The --fs-capture-search option is no more. The ability to analyse Python
scripts in Coverity turned out to be questionable anyways.
Closes #5456
Backport of MR !10808
Merge branch 'backport-5456-coverity-scan-drop-fs-capture-search-option-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10810
This reverts commit b4a2674d98902983e8096c99b747343482d30673.
The --fs-capture-search option is no more. The ability to analyse Python
scripts in Coverity turned out to be questionable anyways.
(cherry picked from commit 310884c259fff325e9051ad123fe96600b848903)
Dataclass kw_only argument was added only in Python 3.10 but EL9 image
has only 3.9.21.
(cherry picked from commit b0c7f8b598d8a37fa7560d0d1b6c87e429b2446a)
Wrong version number was uncovered by Ubuntu 22.04 Jammy which actually
has dnspython 2.1.0.
(cherry picked from commit 6ae224fc9c7ed96f1e06ad8f929b20ea6ce32f25)
added some helper functions in isctest to reduce code repetition
in dnssec-related tests:
- isctest.check.adflag() - checks that a response contains AD=1
- isctest.check.noadflag() - checks that a response contains AD=0
- isctest.check.rdflag() - checks that a response contains RD=1
- isctest.check.nordflag() - checks that a response contains RD=0
- isctest.check.raflag() - checks that a response contains RA=1
- isctest.check.noraflag() - checks that a response contains RA=0
- isctest.check.rr_count_eq() - checks the number of RRsset in a section
- isctest.check.same_data() - checks that two messages have the
same rcode and data
- isctest.check.same_answer() - checks that two messages have the same
rcode and answer
- isctest.query.create() - a wrapper for dns.message.make_query() that
creates a query message similar to dig +dnssec
Backport of MR !10760
Merge branch 'backport-each-isctest-helpers-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10793
Rather than using the dnspython's facilities and defaults to create the
queries, use the isctest.query.create function in all the cases that
don't require special handling to have consistent defaults.
(cherry picked from commit 64143ea077c3ddb48f808af2d0b05e21209cd268)
Make the query helper function more universal and reusable across our
system tests -- default to using EDNS and sending AD=1.
(cherry picked from commit 989e64b9b0e2a65b8b4b0f2bc75b1f2e2a327272)
Use a common function to count the number of RRs in any section of the
DNS message. For the ADDITIONAL section, stick with the dnspython
convention of not including OPT and TSIG.
(cherry picked from commit efd60348b9280383fe5d50042a94ea363390356d)
added some helper functions in isctest to reduce code repetition
in dnssec-related tests:
- isctest.check.adflag() - checks that a response contains AD=1
- isctest.check.noadflag() - checks that a response contains AD=0
- isctest.check.rdflag() - checks that a response contains RD=1
- isctest.check.nordflag() - checks that a response contains RD=0
- isctest.check.answer_count_eq() - checks the answer count is correct
- isctest.check.additional_count_eq() - same for authority count
- isctest.check.authority_count_eq() - same for additional count
- isctest.check.same_data() - check that two messages have the
same rcode and data
- isctest.check.same_answer() - check that two messages have the same
rcode and answer
- isctest.dnssec.msg() - a wrapper for dns.message.make_query() that
creates a query message similar to dig +dnssec:
use_edns=True, want_dnssec=True,
and flags are set to (RD|AD) by default, but
options exist to disable AD or enable CD.
(to generate non-DNSSEC queries, use
message.make_query() directly.)
(cherry picked from commit b69097f139154ca0d2177f35632400200d220bdc)
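The two helper commits above describe queries "similar to dig +dnssec" (EDNS, DO=1, flags RD|AD, CD off by default) and flag/count checks layered on dnspython. The following is an added example, not code from BIND's isctest package: it builds such a query on the wire with the standard library only, parses the header bits behind adflag()/rdflag()/raflag(), and counts RRs per section while leaving OPT and TSIG out of ADDITIONAL as the "common function to count RRs" commit says. The sample response is constructed here; function names (make_query, parse_message, check_flags) are this example's own, not isctest's.

```python
# Added example, not code from BIND's isctest package: the wire form of the
# "dig +dnssec"-style query the commits describe (EDNS, DO=1, RD|AD set,
# CD clear), a parser for the header bits behind adflag()/rdflag()/raflag(),
# and per-section RR counts that leave OPT and TSIG out of ADDITIONAL.
# Stdlib only, so it runs without dnspython; isctest itself wraps
# dns.message.make_query(). The response below is constructed.
import struct
from typing import Dict

# Header flag bits (RFC 1035 sec 4.1.1; AD/CD from RFC 4035 sec 3.2).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
DO = 0x8000  # EDNS "DNSSEC OK" bit; it lives in the OPT RR's TTL field
TYPE_A, TYPE_OPT, TYPE_TSIG = 1, 41, 250


def encode_name(name: str) -> bytes:
    """Uncompressed wire form of a plain ASCII name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_query(qname: str, qtype: int, *, msg_id: int = 0, rd: bool = True,
               ad: bool = True, cd: bool = False, use_edns: bool = True,
               want_dnssec: bool = True, payload: int = 1232) -> bytes:
    """Query with the defaults the commits give isctest.query.create()."""
    flags = (RD if rd else 0) | (AD if ad else 0) | (CD if cd else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1 if use_edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b""
    if use_edns:
        # OPT RR: root owner, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode(8) | version(8) | DO + Z(16), empty RDATA.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, payload, DO if want_dnssec else 0, 0)
    return header + question + opt


def _skip_name(wire: bytes, off: int) -> int:
    """Offset just past a name; a compression pointer (0xC0xx) ends it."""
    while True:
        length = wire[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_message(wire: bytes) -> Dict[str, object]:
    """Header flags, rcode, EDNS/DO state and RR counts per section."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    info: Dict[str, object] = {
        "id": msg_id, "rcode": flags & 0x000F, "edns": False, "DO": False,
        "QR": bool(flags & QR), "AA": bool(flags & AA), "TC": bool(flags & TC),
        "RD": bool(flags & RD), "RA": bool(flags & RA),
        "AD": bool(flags & AD), "CD": bool(flags & CD),
    }
    off = 12
    for _ in range(qd):
        off = _skip_name(wire, off) + 4
    counts: Dict[str, int] = {}
    for section, n in (("answer", an), ("authority", ns), ("additional", ar)):
        counts[section] = 0
        for _ in range(n):
            off = _skip_name(wire, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
            off += 10 + rdlen
            if section == "additional" and rtype == TYPE_OPT:
                info["edns"], info["DO"] = True, bool(ttl & DO)
                info["rcode"] = (flags & 0x000F) | ((ttl >> 24) << 4)  # extended RCODE
                continue
            if section == "additional" and rtype == TYPE_TSIG:
                continue  # dnspython convention: OPT and TSIG are not counted
            counts[section] += 1
    info["counts"] = counts
    return info


def check_flags(info: Dict[str, object], **expected: bool) -> bool:
    """adflag()/noadflag()-style check, e.g. check_flags(info, AD=True, CD=False)."""
    return all(info[name] is value for name, value in expected.items())


def make_sample_response(query: bytes) -> bytes:
    """Constructed authoritative reply to `query`: QR|AA|RA added to the
    query flags, one A record whose owner is a pointer to the question
    name (offset 12), and an OPT RR with DO=1 in ADDITIONAL."""
    msg_id, flags = struct.unpack("!HH", query[:4])
    header = struct.pack("!HHHHHH", msg_id, flags | QR | AA | RA, 1, 1, 0, 1)
    question = query[12:_skip_name(query, 12) + 4]
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO, 0)
    return header + question + answer + opt


if __name__ == "__main__":
    q = make_query("example.", TYPE_A)
    print(parse_message(q))
    print(parse_message(make_sample_response(q)))
```

The point worth keeping in mind when reading the isctest helpers: AD in a query is only a request for the AD bit in the reply (RFC 6840 sec 5.7), it proves nothing by itself, and DO is not a header flag at all but sits in the OPT RR, which is why a query without EDNS cannot ask for DNSSEC data.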
MR !10238 added key collision detection in the ksr system test but it was flawed because for every "collide" in the output we also log
"Generating an new key" and for each "Generating" we add the counter by one, nullifying the subtract by one.
Fix by splitting the output on ':' rather than on the default whitespace. Also make the substring matching more strict.
Closes #5229 (again)
Backport of MR !10775
Merge branch 'backport-5229-ksr-key-collision-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10791
MR !10238 added key collision detection in the ksr system test but it
was flawed because for every "collide" in the output we also log
"Generating an new key" and for each "Generating" we add the counter
by one, nullifying the subtract by one.
Use regular expressions to search in the output and make the string
expression more strict.
(cherry picked from commit abdb9a133483f3a1968646289ae355e3cdddbf72)
Add missing type hints in the tests_nsec3.py module. Tweak the syntax
used for type hints for better consistency with other Python code in
bin/tests/system/.
(cherry picked from commit adb931f70005f900437dc121097db54cd608de94)
I don't know exactly why, I just have a feeling there might be
interesting corner cases somewhere.
(cherry picked from commit fc3d5e5918dde168290d97ad122d0948bdc61db1)
This should prevent the case where we are unlucky enough that static
values hash 'just right' for the test to pass, but only accidentally.
(cherry picked from commit 46781845ea96f5e1e6052141b1ac844c5483a8ca)
Currently this test is limited only to auth because currently the BIND
resolver does not send DS proof of nonexistence for RD=0 queries.
(cherry picked from commit 548632b18aee8fa05c67a0284522a1e19183310c)
Simplistic test. Ignores the possibility of DNAME chain going through
multiple zones and/or wildcard expansions.
(cherry picked from commit 73e4201331fb468664aa72faa785acabe97fc820)
Simplistic test. Ignores the possibility of CNAME chain going through
multiple zones and/or wildcard expansions.
(cherry picked from commit d0e413dd5763fbe81ba37abeec650f26a9248feb)
The test actually needs just two servers - auth and resolver. The rest
was not needed and made test setup only slower and harder to debug.
(cherry picked from commit ac58b580021902a52291583fecc13a76ee5f2db2)
We expect minimal possible answers which prove what they have to
according to DNSSEC protocol.
(cherry picked from commit b854d5a3f5d60ceb275a4d1813e56bc9f5b5c4ea)
Basic sanity checks - limited to responses from a single zone:
- NSEC3 type cannot be present in type bitmap:
By definition, the type bitmap describes state of the unhashed name
but NSEC3 RR is present at a different owner name. RFC 7129 section 5
- NSEC3 owner names cannot be duplicated:
Unless the response crosses zone boundary, parent zone has insecure
delegation for child, but child is signed ... don't do that.
- All parameters are consistent across all RRs present in answer:
RFC 5155 section 7.2, last paragraph - at least when we don't cross
zone boundary.
(cherry picked from commit cfaf5c997f73e1d91735d6c87a2a21cab391eabd)
Untangling individual cases allows for clearer documentation and makes
it easier to build similar but slightly different test cases. Wildcard
NODATA answer was added.
(cherry picked from commit 9ca2077274908d86599e0161cf2c0ccc140b224f)
As a side-effect, we now have a set of all existing names in a zone with a
test, too. These parts should be shared with new NSEC tests.
(cherry picked from commit f0592de608af06792dbc14829a0ac3671b9ed868)
Side-effect of importing from isctest.hypothesis first is a version
check and clean Pytest skip if version is too old.
(cherry picked from commit 9cea2af25ca90b206c1a8a9255883b15097a9973)
Test all combinations of wildcard, ENT, DNAME, NS, and ordinary
TXT records.
Test zone and expected outputs are generated by another script which
encodes node content into node name. This encoding removes the 'node
content' level of indirection and thus enables a simpler implementation of
the same logic which needs to be in ZoneAnalyzer itself.
For humans, the generated zone file also lists the expected 'categories' a
name belongs to as a dot-separated list on the right-hand side of a generated
RR.
(cherry picked from commit 42b60a3819ea48ad38fe9bcf5ff1ccfb752315ef)
I've considered writing hypothesis test for this but I would have to
reimplement the same thing, which would probably have the same logic
bugs, so I will leave it as an exercise for someone else.
(cherry picked from commit cad48e56ab5e08ccb7bde55948a511538cef2649)
Code to generate ENTs, detect wildcards, occlusion etc. is generic
enough to be in a utility module.
(cherry picked from commit dbba59f48b8ec0fa12e7519fda206272c2893011)
dns.name all over the place does not make it easier to read the code at
all, and I'm going to add a lot more code here.
(cherry picked from commit 3fb6b990af3ec44e0b0d4e14d76d8c4bfba9692b)
Check the correctness of NSEC3 hash generation by generating random
combinations of name, salt, and iterations and comparing the outputs
of the nsec3hash tool against the dnspython nsec3_hash function
for the same inputs.
(cherry picked from commit e263df8848b9998d0578d03ffb48a6235f60aada)
Composite strategy makes sure we always test with a subdomain of an
existing name.
(cherry picked from commit 84ad35e7affd1c17e29721a3d84e283642cf6af2)
For any given NSEC3 signed zone, when doing queries for non-existent
names, the response must contain:
- NSEC3 RR that matches the closest encloser,
- NSEC3 RR that covers the next closer name,
- NSEC3 RR that covers the wildcard.
(cherry picked from commit 955e3ccf3e3cfb7f622733a6966d292856b062ae)
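Two of the commits above (the nsec3hash-versus-dnspython hash check, and the closest encloser / next closer / wildcard triple that an NSEC3 NXDOMAIN answer must carry) describe logic that is easier to follow in code. The following is an added example, not BIND's isctest code and not the nsec3hash tool: an RFC 5155 hash implemented with the standard library, a chain built from a zone's name set, and a lookup of the three NSEC3 RRs a denial-of-existence proof needs. The names and parameters are those of the RFC 5155 Appendix A example zone (salt aabbccdd, 12 iterations); the chain is computed here rather than copied from the RFC, and the helper names are this example's own.

```python
# Added example, not code from BIND's isctest package or the nsec3hash tool:
# an RFC 5155 NSEC3 hash in pure Python (stdlib only, no dnspython), a chain
# built from a zone's name set, and the three hashed names that an NXDOMAIN
# answer from an NSEC3-signed zone has to match or cover. Names and
# parameters follow the RFC 5155 Appendix A example zone (salt aabbccdd,
# 12 iterations); the chain is computed here, not copied from the RFC.
import base64
import hashlib
from typing import Dict, List, Set, Tuple

# base32 (RFC 4648 sec 6) -> base32hex (sec 7) is a pure alphabet swap, so
# the stdlib encoder works on Python 3.9 too (no b32hexencode needed).
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789abcdefghijklmnopqrstuv")


def wire_name(name: str) -> bytes:
    """Canonical wire form (lowercase, uncompressed) of a plain ASCII name.
    Escaped labels such as '\\.' are not handled; the names here need none."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = bytearray()
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 sec 5: SHA-1(name || salt), then `iterations` more rounds of
    SHA-1(prev || salt); the 20-byte digest is exactly 32 base32hex chars."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX)


def build_chain(zone_names: Set[str], salt_hex: str,
                iterations: int) -> List[Tuple[str, str]]:
    """(owner_hash, next_hash) pairs in hash order, last wrapping to first.
    Hashed owner names must be unique (the duplicate-owner sanity check)."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in zone_names)
    if len(set(hashes)) != len(hashes):
        raise ValueError("NSEC3 hash collision in zone")
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def covers(owner: str, nxt: str, target: str) -> bool:
    """True if target lies strictly between owner and next; the last record
    (owner > next) wraps around the end of the hash space."""
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt


def nxdomain_proof_names(qname: str, zone_names: Set[str]) -> Dict[str, str]:
    """Closest encloser (longest existing ancestor, ENTs count), next closer
    name (one label below it towards qname) and the wildcard at the closest
    encloser: RFC 5155 sec 7.2.2, RFC 7129 sec 5."""
    qname = qname.lower().rstrip(".") + "."
    if qname in zone_names:
        raise ValueError("name exists; that is NODATA, not NXDOMAIN")
    labels = qname[:-1].split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:]) + "."
        if ancestor in zone_names:
            return {"closest_encloser": ancestor,
                    "next_closer": ".".join(labels[i - 1:]) + ".",
                    "wildcard": "*." + ancestor}
    raise ValueError("qname is not below the zone apex")


def find_proof(qname: str, zone_names: Set[str], chain: List[Tuple[str, str]],
               salt_hex: str, iterations: int) -> Dict[str, str]:
    """Owner hash of the NSEC3 RR matching the closest encloser and of the
    RRs covering the next closer name and the wildcard (may be the same RR)."""
    names = nxdomain_proof_names(qname, zone_names)
    h = {k: nsec3_hash(v, salt_hex, iterations) for k, v in names.items()}
    out: Dict[str, str] = {}
    for owner, nxt in chain:
        if owner == h["closest_encloser"]:
            out["closest_encloser"] = owner
        if covers(owner, nxt, h["next_closer"]):
            out["next_closer"] = owner
        if covers(owner, nxt, h["wildcard"]):
            out["wildcard"] = owner
    missing = set(names) - set(out)
    if missing:
        raise ValueError(f"proof incomplete: {sorted(missing)}")
    return out


# Names that exist in the RFC 5155 Appendix A zone, ENTs w and y.w included;
# the opt-out delegation c.example and the glue below a.example are left out.
SALT, ITERATIONS = "aabbccdd", 12
ZONE_NAMES = {"example.", "a.example.", "ai.example.", "ns1.example.",
              "ns2.example.", "w.example.", "*.w.example.", "x.w.example.",
              "y.w.example.", "x.y.w.example.", "xx.example."}
CHAIN = build_chain(ZONE_NAMES, SALT, ITERATIONS)

if __name__ == "__main__":
    print(nsec3_hash("example.", SALT, ITERATIONS))  # apex owner from RFC 5155 App. A
    print(find_proof("a.c.x.w.example.", ZONE_NAMES, CHAIN, SALT, ITERATIONS))
```

The commit's test cross-checks BIND's nsec3hash tool against dnspython's nsec3_hash; this code is a third, independent reference, so `nsec3hash aabbccdd 1 12 example.` should agree with nsec3_hash("example.", "aabbccdd", 12) when compared case-insensitively. Note that covers() compares base32hex strings directly, which is valid only because that alphabet preserves the byte order of the digest; a comparison on the standard base32 alphabet would give wrong chain order.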
Replace the custom DNS server used in the "dispatch" system test with
new code based on the isctest.asyncserver module.
Backport of MR !10689
Merge branch 'backport-stepan/dispatch-asyncserver-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10773
When the tests-connreset.py module was initially implemented in commit
5c17919019ef0af8226e5bb61214b805bb3e2451, the dispatch code did not
properly apply the idle timeout to TCP connections. This allowed the
check in that test module to reset the TCP connection after 5 seconds as
named did not attempt to tear the connection down earlier than that.
However, as the dispatch code was improved, the idle timeout started
being enforced for TCP dispatches; the exact value it is set to in the
current code depends on a given server's SRTT, but it defaults to about
1.2 seconds for responsive servers. This means that the code paths
triggered by the "dispatch" system test are now different than the ones
it was originally supposed to trigger because it is now named itself
that shuts the TCP connection down cleanly before the ans3 server gets a
chance to reset it.
Account for the above by lowering the amount of time after which the
ans3 server in the "dispatch" system test resets TCP connections to just
1 second, so that the test actually does what its name implies.
(cherry picked from commit 48e705d738bcd34f6f868810503af4236504afcb)
Replace the custom DNS server used in the "dispatch" system test with
new code based on the isctest.asyncserver module.
(cherry picked from commit 316b7d55900229e7e16304603dde23fb55d45424)
Add a TCP connection handler, ConnectionReset, which enables closing TCP
connections without emptying the client socket buffer, causing the
kernel to send an RST segment to the client. This relies on a horrible
asyncio hack that can break at any point in the future due to abusing
implementation details in the Python Standard Library. Despite the eye
bleeding this code may cause, the approach it takes was still deemed
preferable to implementing an asyncio transport from scratch just to
enable triggering connection resets.
(cherry picked from commit e4078885073a6c5b59729f4313108e3e7637efdb)
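The ConnectionReset handler described above leans on one kernel behaviour: closing a TCP socket whose receive buffer still holds unread bytes makes the kernel send RST instead of FIN (RFC 1122 sec 4.2.2.13; Linux and the BSDs do this), which is why the asyncio transport has to be prevented from draining the socket first. The following is an added example, not the isctest.asyncserver code, that demonstrates that behaviour with plain blocking sockets on 127.0.0.1 in a constructed scenario (no DNS involved) and contrasts it with a close after the data has been read; the function name is this example's own.

```python
# Added example, not the isctest.asyncserver ConnectionReset handler from
# the commit: the kernel behaviour that handler relies on, shown with plain
# blocking sockets on 127.0.0.1 (constructed scenario, no DNS involved).
# Closing a TCP socket that still has unread bytes in its receive buffer
# makes the kernel answer with RST instead of FIN (RFC 1122 sec 4.2.2.13;
# Linux and the BSDs behave this way), so the peer gets ECONNRESET rather
# than a clean end-of-stream.
import select
import socket
import threading


def close_after_client_sends(drain: bool) -> str:
    """One accept/close cycle; returns what the client observed:
    'reset' (ECONNRESET) or 'eof' (orderly FIN, recv() returned b'').
    drain=True reads the client's bytes before closing, drain=False leaves
    them unread, which is what turns the close into an RST."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def server() -> None:
        conn, _ = listener.accept()
        # Wait until the client's bytes have actually landed in our receive
        # buffer, so the close below behaves deterministically.
        select.select([conn], [], [], 5)
        if drain:
            conn.recv(4096)  # empty the buffer: close() now sends FIN
        conn.close()         # unread data left behind: close() sends RST

    t = threading.Thread(target=server, daemon=True)
    t.start()
    client = socket.create_connection(("127.0.0.1", port), timeout=5)
    try:
        # Constructed payload: a DNS-over-TCP style 2-byte length prefix
        # followed by five junk bytes; the content does not matter.
        client.sendall(b"\x00\x05hello")
        try:
            data = client.recv(4096)
        except ConnectionResetError:
            return "reset"
        return "eof" if data == b"" else "data"
    finally:
        client.close()
        listener.close()
        t.join(5)


if __name__ == "__main__":
    print("unread data on close ->", close_after_client_sends(drain=False))
    print("drained before close ->", close_after_client_sends(drain=True))
```

With blocking sockets the trick is simply not to read; the commit needs a hack because asyncio's transport reads eagerly into its own buffer, leaving the kernel buffer empty by the time the handler closes. The same RST can also be forced regardless of buffer state by setting SO_LINGER with a zero timeout before close(), which is the more conventional way to reset a connection on demand.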
Add a new abstract class, ConnectionHandler, instances of which can be
installed on AsyncDnsServer to manipulate TCP connections upon
accepting.
(cherry picked from commit b4d53e7287436be8510b8d280428a8cb6c8b628f)