mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 05:28:00 +00:00

43024 Commits

Author SHA1 Message Date
Michał Kępień
74805453ee Enable requesting TCP connections to be closed
In response to client queries, AsyncDnsServer users can currently only
make the server either send a reply or silently ignore the query.  In
the case of TCP queries, neither of these actions causes the client's
connection to be closed - the onus of doing that is on the client.
However, in some cases the server may be required to close the
connection on its own, so AsyncDnsServer users need to have some way of
requesting such an action.

Add a new ResponseAction subclass, ResponseDropAndCloseConnection, which
enables AsyncDnsServer users to conveniently request TCP connections to
be closed.  Instead of returning the response to send,
ResponseDropAndCloseConnection raises a custom exception that
AsyncDnsServer._handle_tcp() handles accordingly.

(cherry picked from commit 06b0800df88d3575efff64f30104db3a053fb02c)
2025-07-24 13:17:07 +00:00
Matthijs Mekking
ed37c7825e [9.20] fix: usr: Stale RRsets in a CNAME chain were not always refreshed
With serve-stale enabled, a CNAME chain that contains a stale RRset, the refresh query doesn't always properly refresh the stale RRsets. This has been fixed.

Closes #5243

Backport of MR !10720

Merge branch 'backport-5243-stale-refresh-as-prefetch-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10767
2025-07-23 12:46:58 +00:00
Matthijs Mekking
c8ed25560b Add reproducer as test case
The issue provided a reproducer that can be easily converted into a
test case.

(cherry picked from commit dc649735ad4ae544172280ee3891f632d98d4026)
2025-07-23 12:12:51 +00:00
Matthijs Mekking
03eb9aabe1 Special case refresh stale ncache data
When refreshing stale ncache data, the qctx->rdataset is NULL and
requires special processing.

(cherry picked from commit 7774f16ed5b1675d3bafc479c59ff7fbf1491084)
2025-07-23 12:12:51 +00:00
Matthijs Mekking
667d81b52b Make serve-stale refresh behave as prefetch
A serve-stale refresh is similar to a prefetch, the only difference
is when it triggers. Where a prefetch is done when an RRset is about
to expire, a serve-stale refresh is done when the RRset is already
stale.

This means that the check for the stale-refresh window needs to
move into query_stale_refresh(). We need to clear the
DNS_DBFIND_STALEENABLED option at the same places as where we clear
DNS_DBFIND_STALETIMEOUT.

Now that serve-stale refresh acts the same as prefetch, there is no
worry that the same rdataset is added to the message twice. This makes
some code obsolete, specifically where we need to clear rdatasets from
the message.

(cherry picked from commit a66b04c8d46505fc3a9918dd8b7f589ef6b89ff3)
2025-07-23 12:12:51 +00:00
Michał Kępień
9e57035eda [9.20] chg: test: Use isctest.asyncserver in the "zero" test
The original `ans.pl` server was a copy of the one in `fetchlimit`, so
there are some changes:

- The server now only responds with A replies (which is the only thing
  needed).
- The incrementing of the IP address goes beyond the least significant
  octet (so, after 192.0.2.255 it will yield 192.0.3.0).

Backport of MR !10597

Merge branch 'backport-stepan/zero-asyncserver-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10768
2025-07-23 14:06:42 +02:00
Štěpán Balážik
a208e17a8d Use isctest.asyncserver in the "zero" test
The original `ans.pl` server was based on a copy of the one in
`fetchlimit`, so there are some changes:

- The server now only responds with A replies (which is the only thing
  needed).
- The incrementing of the IP address goes beyond the least significant
  octet (so, after 192.0.2.255 it will yield 192.0.3.0).

(cherry picked from commit ec5729bee3d1aca84ed6136ffdf3d842feeee6c1)
2025-07-23 11:24:00 +00:00
Ondřej Surý
e016242c24 [9.20] fix: nil: Disable clang-format for Local IPv6 Unicast Addresses strings
The LSP server (using clangd) was always complaining about:

    Suspicious string literal, probably missing a comma

for the two Local IPv6 Unicast Addresses strings that spanned
across multiple lines.  Disable clang-format for these two lines.

Backport of MR !10764

Merge branch 'backport-ondrej/fix-suspicious-string-literal-probably-missing-comma-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10765
2025-07-23 09:09:29 +02:00
Ondřej Surý
63c5083039 Disable clang-format for Local IPv6 Unicast Addresses strings
The LSP server (using clangd) was always complaining about:

    Suspicious string literal, probably missing a comma

for the two Local IPv6 Unicast Addresses strings that spanned
across multiple lines.  Disable clang-format for these two lines.

(cherry picked from commit 6b7c99027d0253ac7e4b7ec83aa96dbcc70fb3ba)
2025-07-23 09:09:18 +02:00
Ondřej Surý
7f25d92c5d [9.20] fix: dev: Rename variable called 'free' to prevent the clash with free()
Backport of MR !10756

Merge branch 'backport-ondrej/rename-variable-called-free-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10757
2025-07-23 07:48:08 +02:00
Ondřej Surý
485aac9213 Rename 'free' variable to 'nfree' to not clash with free()
The beauty and horrors of the C - the compiler properly detects variable
shadowing, but you can freely shadow a standard function 'free()' with
variable called 'free'.  And if you reference 'free()' just as 'free'
you get the function pointer which means you can do also pointer
arithmetics, so 'free > 0' is always valid even when you delete the
local variable.

Replace the local variables 'free' with a name that doesn't shadow the
'free()' function to prevent future hard to detect bugs.

(cherry picked from commit 855960ce461ebe88342cce3105b9bdff8347c83c)
2025-07-22 14:28:15 +02:00
Štěpán Balážik
920874ea58 [9.20] chg: test: Use isctest.asyncserver in the "fetchlimit" test
Replace the custom DNS server used in the "fetchlimit" system test
with new code based on the isctest.asyncserver module.

Backport of MR !10614

Merge branch 'backport-stepan/fetchlimit-asyncserver-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10755
2025-07-22 10:16:17 +00:00
Štěpán Balážik
87a0dfde67 Use isctest.asyncserver in the "fetchlimit" test
Replace the custom DNS server used in the "fetchlimit" system test
with new code based on the isctest.asyncserver module.

(cherry picked from commit 9ffc833919165289daed7a45e8a6cf81b6c13302)
2025-07-22 07:09:52 +00:00
Mark Andrews
bc54f059e0 [9.20] fix: usr: synth-from-dnssec was not working in some scenarios
Aggressive use of DNSSEC-Validated cache with NSEC was not working in scenarios when no parent NSEC was not in cache.  This has been fixed.

Closes #5422

Backport of MR !10736

Merge branch 'backport-5422-aggressive-nsec-not-working-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10754
2025-07-22 02:22:07 +10:00
Mark Andrews
15031f32e6 test synth-from-dnssec with no cached parent NSECs
Add \007.no-apex-covering as an owner name so that the cache does
not get primed with a parent NSEC RRset to test the case where
dns_qp_lookup returns ISC_R_NOTFOUND.

(cherry picked from commit df0492420915dc48407da7855b35b73b0d9852ae)
2025-07-21 17:46:02 +02:00
Mark Andrews
e4d64a0c33 Fix find_coveringnsec in qpcache.c
dns_qp_lookup was returning ISC_R_NOTFOUND rather than DNS_R_PARTIALMATCH
when there wasn't a parent with a NSEC record in the cache.  This was
causing find_coveringnsec to fail rather than returning the covering NSEC.

(cherry picked from commit 7de4207cb6dc9c65a4405a1710d15a723a6d2bf1)
2025-07-21 17:46:00 +02:00
Nicki Křížek
d4fb3a060b [9.20] fix: test: Add wait_for_keymgr_done() util function to tests
The kasp test cases assume that keymgr operations on the zone under test
have been completed before the test is executed. These are typically
quite fast, but the logs need to be explicitly checked for the messages,
otherwise there's a possibility of race conditions causing the
kasp/rollover tests to become unstable.
    
Call the wait function in all the kasp/rollover tests where it is
expected (which is generally in each test, unless we're dealing with
unsigned zones).

Closes #5371

Backport of MR !10717

Merge branch 'backport-5371-wait-keymgr-done-rollover-kasp-tests-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10752
2025-07-18 16:54:58 +02:00
Nicki Křížek
3446e70b6a Add wait_for_keymgr_done() util function to tests
The kasp test cases assume that keymgr operations on the zone under test
have been completed before the test is executed. These are typically
quite fast, but the logs need to be explicitly checked for the messages,
otherwise there's a possibility of race conditions causing the
kasp/rollover tests to become unstable.

Call the wait function in all the kasp/rollover tests where it is
expected (which is generally in each test, unless we're dealing with
unsigned zones).

(cherry picked from commit 467b826162170334fe1c81cfde02b2fcb77c7725)
2025-07-18 16:20:06 +02:00
Nicki Křížek
7718baa363 Add nsX fixtures to system tests
Many of our test cases only use a single NamedInstance from the
`servers` fixture. Introduce `nsX` helper fixtures to simplify these
tests and reduce boilerplate code further.

Specifically, the test no longer has to either define its own variable
to extract a single server from the list, or use the longer
servers["nsX"] syntax. While this may seem minor, the amount of times it
is repeated across the tests justifies the change. It also promotes
using more explicit server identification, i.e. `nsX`, rather than
generic `server`. This also improves the clarity of the tests and may be
helpful in traceback during debugging as well.

(cherry picked from commit fe5534291699572e67ad4a854b412e40c524307a)
2025-07-18 16:20:06 +02:00
Nicki Křížek
0e1a793416 [9.20] chg: test: Split up rollover test cases
Prior to this change, there was a single `rollover` test directory, containing 8 tests. These contained even more test scenarios, that were mostly unrelated to each other. This made debugging or even comprehending the tests difficult, as you'd often have to grasp the importance (or rather lack of it) of thousands of lines of setup, configuration and test code, and debug logs.

Now the tests were split up into 14 different test directories, containing 67 tests in total. This makes it much more comprehensible to understand what's going on in any single of these test cases, as there is no unrelated code. It also allows better parallelization and debugging of individual test cases, because of the improved granularity.

Backport of MR !10581

Merge branch 'backport-nicki/split-rollover-test-cases-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10751
2025-07-18 15:28:07 +02:00
Nicki Křížek
0b1aa69fb7 Clean up rollover test case
(cherry picked from commit 42b034460f176dae018a6290b5dc186617611b09)
2025-07-18 14:50:39 +02:00
Nicki Křížek
d898162d4a Isolate rollover-multisigner test case
(cherry picked from commit 86c3c1da77019a5803d356d26a31023f92c62e91)
2025-07-18 14:50:39 +02:00
Nicki Křížek
7f6789e300 Isolate rollover-enable-dnssec test case
(cherry picked from commit e29417731204f7d7e8d5ca5ffe0c149d4c041028)
2025-07-18 14:50:39 +02:00
Nicki Křížek
e90f93fc68 Isolate rollover-zsk-prepub test case
(cherry picked from commit 64199e062d6579e5a63bcaa67a9fab7008e916fa)
2025-07-18 14:48:35 +02:00
Nicki Křížek
4cb75dead9 Isolate rollover-ksk-3crowd test case
(cherry picked from commit bc7be041e198b2fbe731f3875a1e7e62886a332a)
2025-07-18 14:48:16 +02:00
Nicki Křížek
3d5c90aa44 Use common test functions for three-is-a-crowd test
Previously, a lot of the checking was re-implemented and duplicated from
check_rollover_step(). Use that function where possible and only
override the needed checks.

(cherry picked from commit d6dffe660352875e7cce6c4a5a201420775b5501)
2025-07-18 14:48:00 +02:00
Nicki Křížek
ead775e2a9 Isolate rollover-ksk-doubleksk test case
(cherry picked from commit bd5a55c5b705b267f91903a467154466ee313b03)
2025-07-18 14:47:58 +02:00
Nicki Křížek
89c2afda43 Isolate rollover-csk-roll1 test case
(cherry picked from commit 296cfc836364abfff81c2579bb2eea8f43e98194)
2025-07-18 14:47:38 +02:00
Nicki Křížek
05d143e5f0 Isolate rollover-csk-roll2 test case
(cherry picked from commit 9d2bd1b6460aab51dfcd9cabe4f389f6cc1cb392)
2025-07-18 14:47:22 +02:00
Nicki Křížek
a0afdbd668 Isolate rollover-algo-csk test
(cherry picked from commit fdecef5378654204295bbee0410657b337e49c43)
2025-07-18 14:47:04 +02:00
Nicki Křížek
6dc96a18b8 Isolate rollover-algo-ksk-zsk test
(cherry picked from commit 8be9a8b52a5012fb8014b47a4a7dd515fd7210d9)
2025-07-18 14:46:46 +02:00
Nicki Křížek
0e75a38201 Isolate rollover-straight2none test
(cherry picked from commit 519f9082dfc31884a40ed46c883a4738cc17632c)
2025-07-18 14:46:27 +02:00
Nicki Křížek
a225f35b95 Isolate rollover-lifetime test
(cherry picked from commit a9c70c3e260952acdd9a6a5d628649b0de647e4c)
2025-07-18 14:46:07 +02:00
Nicki Křížek
cd78c5ed51 Isolate rollover-going-insecure test case
(cherry picked from commit 7001056eabdee147ab51d5a8ca99aa6904e17c7f)
2025-07-18 14:45:45 +02:00
Nicki Křížek
5d315d94fe Isolate rollover-dynamic2inline test
(cherry picked from commit 8503a218c303c05d93f9b4a91516c7aab933c227)
2025-07-18 14:45:19 +02:00
Nicki Křížek
a38f0b5cde Separate common templates and test code for rollover tests
This is a preparation to split up and further isolate the various
rollover tests in subsequent commits.

(cherry picked from commit 44dd5b3240895154b95dd73f5a649fc08790ff1d)
2025-07-18 12:39:39 +00:00
Nicki Křížek
48762ffab7 Move shared test code into isctest.kasp module
Move key calculations and rollover step checks into the shared
isctest.kasp module. Deduplicate the key interval calculations.

(cherry picked from commit b4107103549868c5eeb228278cfe6d010d6d5e8c)
2025-07-18 12:39:39 +00:00
Nicki Křížek
e89df7b69f Use a single named.conf template in rollover test
Rather than using multiple slightly modified named.conf files, use a
single template which can be rendered differently based on an input
argument -- in this case, csk_roll.

(cherry picked from commit 784a252425fdbea436ecb48b9992253623ac4f68)
2025-07-18 12:39:39 +00:00
Nicki Křížek
fc58c00464 [9.20] chg: test: Improve WatchLog API for pytest
- Refactor and extend the `WatchLog.wait_for_line()` API:
    1. To allow for usage of one or more FlexPatterns, i.e. either plain
       strings to be matched verbatim, or regular expressions. Both can be
       used interchangeably to provide the caller to write simple and
       readable test code, while allowing for increased complexity to allow
       special cases.
    2. Always return the regex match, which allows the caller to identify
       which line was matched, as well as to extract any additional
       information, such as individual regex groups.
- Add `WatchLog.wait_for_sequence()` and `WatchLog.wait_for_all()` helper functions

Backport of MR !10618

Merge branch 'backport-nicki/watchlog-improvements-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10749
2025-07-18 14:36:22 +02:00
Nicki Křížek
1abc6bd3fc Turn on doctest in CI
Run doctests for the isctest module in a dedicated CI job.

(cherry picked from commit d737986ea24bdcb344a91a491816766b80120c15)
2025-07-18 13:09:21 +02:00
Nicki Křížek
0a2d539f6f Change NamedInstance.rndc() doctest into doc example
The test is troublesome, because NamedInstance(identifier) expects that
a directory with such a name exists. While it'd be possible to mock
those directories as well, it'd make the doctest overly long and
complex, which isn't justified, given that it's only testing a couple of
options. Turn it into regular documentation instead.

(cherry picked from commit dcfb6c23da975427e73a21a77636b6f5afcfe5ac)
2025-07-18 13:09:21 +02:00
Nicki Křížek
275e7520b2 Separate LineReader functionality from WatchLog
The buffered reading of finished lines deserves its own class to make
its function clearer, rather than bundling it within the WatchLog class.

Co-Authored-By: Michał Kępień <michal@isc.org>
(cherry picked from commit ee782fb4b1ea17f3b01dc6d549481116409141bc)
2025-07-18 13:09:21 +02:00
Nicki Křížek
df50dcc300 Refactor WatchLog for better readability
Various improvements for typing, naming, code deduplication and better
code organization to make the code easier to read.

(cherry picked from commit 3c8432d19645d4cf1549f9ec5a3a776ab4213e2d)
2025-07-18 13:09:21 +02:00
Nicki Křížek
dda6c1fbd8 Use custom WatchLog timeout exception
The TimeoutError is raised when system functions time out. Define a
custom WatchLogTimeout to improve clarity.

(cherry picked from commit 628b47dd308a99fe1ea5bde5f1f4c1d88e0dadcf)
2025-07-18 13:09:20 +02:00
Nicki Křížek
c978abc61d Add wait_for_all() and wait_for_sequence() to WatchLog
Extend the WatchLog API with a couple of new matching options.

wait_for_sequence() can be used to check a specific sequence of lines
appears in the log file in the given order.

wait_for_all() ensures that all the provided patterns appear in the log
at least once.

Co-authored-by: Colin Vidal <colin@isc.org>
(cherry picked from commit 0a839cd0bdd0256db68cbe85508a17bde6cb4595)
2025-07-18 13:09:20 +02:00
Nicki Křížek
75bf69fea0 Split up waiting for match to a separate WatchLog method
To allow re-use in upcoming functions, isolate the line matching logic
into a separate function. Use an instance-wide deadline attribute, which
is set by the calling function.

(cherry picked from commit 365f8b6af6e213398ad7d9084b0ebf9140b0933b)
2025-07-18 13:09:20 +02:00
Nicki Křížek
180d182d5f Allow WatchLog.wait_for_line() to be called more than once
In some cases, it can be useful to be able to re-use the same WatchLog
to wait for another line.

(cherry picked from commit 2afb3755b2ceb7066ce112e8f01c39cee27c02d5)
2025-07-18 13:09:20 +02:00
Nicki Křížek
d6c27c4606 Unify the WatchLog.wait_for_line/s() API
Rather than using two distinct functions for matching either one pattern
(wait_for_line()), or any of multiple patterns (wait_for_lines()), use a
single function that handles both in the same way.

Extend the wait_for_line() API:
1. To allow for usage of one or more FlexPatterns, i.e. either plain
   strings to be matched verbatim, or regular expressions. Both can be
   used interchangeably to provide the caller to write simple and
   readable test code, while allowing for increased complexity to allow
   special cases.
2. Always return the regex match, which allows the caller to identify
   which line was matched, as well as to extract any additional
   information, such as individual regex groups.

(cherry picked from commit 5840908ead3a1f1775bda6690c820bbcbfd9d849)
2025-07-18 13:09:20 +02:00
Nicki Křížek
652e8ac4d3 Set timeout for WatchLog per-instance rather than per-call
To simplify usage of multiple wait_for_*() calls, configure the timeout
value for the WatchLog instance, rather than specifying it for each
call.

This is a preparation/cleanup for implementing multiple wait_for_*()
calls in subsequent commits.

(cherry picked from commit f2679bff194e1bb00b3b0f25264f056e5ba60af5)
2025-07-18 13:09:20 +02:00
Nicki Křížek
644ab9d28c Abstract WatchLog line buffering to a separate function
Move the line buffering functionality into _readline() to improve the
readability of code. This also allows reading the file contents from
other functions, since the line buffer is now an attribute of the class.

(cherry picked from commit 67896ddde2cc9058fc965eb50b263ca7909d24d7)
2025-07-18 10:16:06 +00:00