When migrating to dnssec-policy, keys that do not match will not have
a lifetime set. Adjust the test code to allow for that. Setting '-'
in a key properties string signals lifetime is expected not to be set.
(cherry picked from commit 89e90c30f8)
If we are migrating keys, we should take the existing key timing
metadata to initialise the state values. These tests will only set up
keys with Publish/Activate/SyncPublish times, because the Retire and
Remove timings will still need to be adjusted to the DNSSEC policy.
(cherry picked from commit 1a8cbf11fe)
Add and apply InsertBraces statement to add missing curly braces around one-line statements and use ControlStatementsExceptControlMacros for SpaceBeforeParens to remove space between foreach macro and the brace, e.g. `FOREACH (x) {` becomes `FOREACH(x) {`.
Backport of MR !10863
Merge branch 'backport-ondrej/update-clang-format-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10864
> Put a space before opening parentheses only after control statement
> keywords (for/if/while...) except this option doesn’t apply to ForEach
> and If macros. This is useful in projects where ForEach/If macros are
> treated as function calls instead of control statements.
(cherry picked from commit 42496f3f4a)
> Insert braces after control statements (if, else, for, do, and while)
> in C++ unless the control statements are inside macro definitions or
> the braces would enclose preprocessor directives.
(cherry picked from commit d051e1e8f8)
We've switched to an updated dataset for shotgun jobs. The change in
underlying traffic caused the more sensitive doh-get (and partially dot)
jobs to overload the resolver, making the jobs unstable and unreliable,
due to an increased number of timeouts.
Readjust the load parameters slightly to avoid exceeding ~2 % of
timeouts in the cold cache scenario to stabilize the job results.
Backport of MR !10841
Merge branch 'backport-nicki/ci-shotgun-load-new-dataset-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10856
We've switched to an updated dataset for shotgun jobs. The change in
underlying traffic caused the more sensitive doh-get (and partially dot)
jobs to overload the resolver, making the jobs unstable and unreliable,
due to an increased number of timeouts.
Readjust the load parameters slightly to avoid exceeding ~2 % of
timeouts in the cold cache scenario to stabilize the job results.
(cherry picked from commit 338389b3eb)
Initialization of the common members of rdata type structures varies across branches. Standardize it by using the `DNS_RDATACOMMON_INIT` macro for all types, so that new types are more likely to use it, and hence backport more cleanly.
Closes #5467
Merge branch '5467-use-dns_rdatacommon_init-to-hide-branch-differences-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10834
Initialization of the common members of rdata type structures varies
across branches. Standardize it by using the DNS_RDATACOMMON_INIT
macro for all types, so that new types are more likely to use it,
and hence backport more cleanly.
After !9950, respdiff's maximal disagreement percentage needs to be
adjusted as target disagreements between the tested version of the
"main" branch and the reference one jumped for the respdiff,
respdiff:asan, and respdiff:tsan jobs from on average 0.07% to 0.16% and
from 0.12% to 0.17% for the respdiff-third-party job.
In !9950, we concluded setting MAX_DISAGREEMENTS_PERCENTAGE to double
the average disagreement percentage works fine in the CI.
(cherry picked from commit 9acc0c8543)
Backport of MR !10293
Merge branch 'backport-mnowak/more-lenient-respdiff-limits-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10847
After !9950, respdiff's maximal disagreement percentage needs to be
adjusted as target disagreements between the tested version of the
"main" branch and the reference one jumped for the respdiff,
respdiff:asan, and respdiff:tsan jobs from on average 0.07% to 0.16% and
from 0.12% to 0.17% for the respdiff-third-party job.
In !9950, we concluded setting MAX_DISAGREEMENTS_PERCENTAGE to double
the average disagreement percentage works fine in the CI.
(cherry picked from commit 9acc0c8543)
Previously the location of the .hypothesis directory would depend on the
current working directory when running pytest.
Set the HYPOTHESIS_STORAGE_DIRECTORY explicitly.
Closes #5424
Backport of MR !10825
Merge branch 'backport-5424-hypothesis-artifacts-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10828
Previously the location of the .hypothesis directory would depend on the
current working directory when running pytest.
Set the HYPOTHESIS_STORAGE_DIRECTORY explicitly.
(cherry picked from commit a4e74ab8cd)
Renamed the `filter-aaaa` system test to `filters`, converted it to python, and added test cases to exercise the `filter-a` plugin as well.
Backport of MR !10730
Merge branch 'backport-each-test-filter-a-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10832
Previously, symlinks and relative directory imports were used in test
modules. This caused a name clash when a shared code module "common.py"
was introduced for a different test. To avoid the issue, use full paths
in imports.
(cherry picked from commit e49c467efb)
Move tests which use different configuration to dedicated modules to
avoid possible interference with other tests.
Parametrize the test cases to have a dedicated test for each server
configuration.
Turn the check_filter() comments into log messages to help with
debugging.
(cherry picked from commit cbebeacec1)
cut down the number of identical lines in the filter-aaaa test:
- replace identical test cases with small check functions
  (check_aaaa_only, check_any, check_nodata, etc).
- group those together into large check functions (check_filter,
  check_filter_other_family) that have options for recursive and
  break_dnssec, then run those for each combination of options
  on servers configured with filter-aaaa-on-v4 and filter-aaaa-on-v6.
(cherry picked from commit 58fe984c95)
use pytest for the filter-aaaa test.
In order to implement this, isctest.mark can now test whether IPv6 is
configured by calling testsock6.pl.
(cherry picked from commit b234c6d954)
qp-tries allocate their nodes (twigs) in chunks to reduce allocator pressure and improve memory locality. The choice of chunk size presents a tradeoff: larger chunks benefit qp-tries with many values (as seen in large zones and resolvers) but waste memory in smaller use cases.
Previously, our fixed chunk size of 2^10 twigs meant that even an empty qp-trie would consume 12KB of memory, while reducing this size would negatively impact resolver performance.
This MR implements an adaptive chunking strategy that tracks the size of the most recently allocated chunk and doubles the chunk size for each new allocation until reaching a predefined maximum.
This approach effectively balances memory efficiency for small tries while maintaining the performance benefits of larger chunk sizes for bigger data structures.
Backport of MR !10245
Closes #5445
Merge branch '5445-qp-small-alloc' into 'bind-9.20'
See merge request isc-projects/bind9!10804
Before implementing adaptive chunk sizing, it was necessary to ensure
that a chunk could hold up to 48 twigs, but the new logic will size-up
new chunks to ensure that the current allocation can succeed.
We exploit the new logic in two ways:
- We make the minimum chunk size smaller than the old limit of 2^6,
  reducing memory consumption.
- We make the maximum chunk size larger, as it has been observed that
  it improves resolver performance.
(cherry picked from commit d7064c9b88)
qp-tries allocate their nodes (twigs) in chunks to reduce allocator
pressure and improve memory locality. The choice of chunk size presents
a tradeoff: larger chunks benefit qp-tries with many values (as seen
in large zones and resolvers) but waste memory in smaller use cases.
Previously, our fixed chunk size of 2^10 twigs meant that even an
empty qp-trie would consume 12KB of memory, while reducing this size
would negatively impact resolver performance.
This commit implements an adaptive chunking strategy that:
- Tracks the size of the most recently allocated chunk.
- Doubles the chunk size for each new allocation until reaching a
  predefined maximum.
This approach effectively balances memory efficiency for small tries
while maintaining the performance benefits of larger chunk sizes for
bigger data structures.
This commit also splits the callback freeing qpmultis into two
phases, one that frees the underlying qptree, and one that reclaims
the qpmulti memory. In order to prevent races between the qpmulti
destructor and chunk garbage collection jobs, the second phase is
protected by reference counting.
(cherry picked from commit 70b1777d8a)
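The chunk-sizing rule described in the two commit messages above, as an added sketch (not code from BIND 9). `toy_alloc_t`, `next_chunk_size`, `reserved_bytes` and the `MIN_CHUNK`/`MAX_CHUNK` values are hypothetical; only the 2^10 fixed size and the 12 bytes per twig implied by "12KB" come from the text.

```c
#include <stddef.h>
#include <stdio.h>

/* Only the 2^10 fixed size and 12 KB per chunk (12 bytes per twig) come
 * from the text above; MIN_CHUNK and MAX_CHUNK are assumed values. */
#define TWIG_BYTES  12u
#define FIXED_CHUNK (1u << 10)
#define MIN_CHUNK   (1u << 3)
#define MAX_CHUNK   (1u << 12)

typedef struct {
	unsigned last_chunk; /* size of the most recent chunk, 0 = none yet */
	unsigned free_twigs; /* unused twigs left in the current chunk */
	size_t   reserved;   /* twigs reserved across all chunks */
} toy_alloc_t;

/* Double the previous size, cap it at MAX_CHUNK, then size up so a
 * request for `need` twigs (assumed <= MAX_CHUNK) always fits. */
static unsigned
next_chunk_size(unsigned last, unsigned need) {
	unsigned size = (last == 0) ? MIN_CHUNK : last * 2;
	if (size > MAX_CHUNK) {
		size = MAX_CHUNK;
	}
	while (size < need) {
		size *= 2;
	}
	return size;
}

/* Bytes reserved after `count` allocations of `need` twigs each;
 * fixed != 0 models the old fixed-size behaviour. */
static size_t
reserved_bytes(unsigned count, unsigned need, int fixed) {
	toy_alloc_t a = { 0, 0, 0 };
	for (unsigned i = 0; i < count; i++) {
		if (a.free_twigs < need) { /* current chunk exhausted */
			a.last_chunk = fixed ? FIXED_CHUNK : next_chunk_size(a.last_chunk, need);
			a.free_twigs = a.last_chunk;
			a.reserved += a.last_chunk;
		}
		a.free_twigs -= need;
	}
	return a.reserved * TWIG_BYTES;
}

int
main(void) {
	printf("small trie: fixed=%zu adaptive=%zu bytes\n", reserved_bytes(1, 1, 1), reserved_bytes(1, 1, 0));
	printf("10000 twigs: fixed=%zu adaptive=%zu bytes\n", reserved_bytes(10000, 1, 1), reserved_bytes(10000, 1, 0));
	return 0;
}
```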
When the zone is configured with a CNAME override policy, or the response policy zone contains a wildcard CNAME, the extended DNS error code was not added. This has been fixed.
Closes #5342
Backport of MR !10777
Merge branch 'backport-5342-rpz-cname-override-ede-not-added-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10819
When the zone is configured with a CNAME override policy, also add the
configured EDE code.
When the zone contains a wildcard CNAME, also add the configured
EDE code.
(cherry picked from commit 2f70a0ef12)
When the zone is configured with a CNAME override policy, the EDE code
is not added as expected. Add a test case based on the issue in GitLab
(#5342).
When the zone contains a wildcard CNAME, the EDE code is not added as
expected. Also add a test case for this.
(cherry picked from commit 4ef00f97d6)
Under rare circumstances, validation could fail if multiple clients simultaneously iterated the same set of signatures.
References #3014
Backport of MR !5578
Merge branch 'backport-3014-validator-c-check_signer-fails-to-call-dns_rdataset_clone-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10815
Spurious validation failures were traced back to check_signer looping
over val->sigrdataset directly. Cloning val->sigrdataset prevents
check_signer from interacting with callers that are also looping
over val->sigrdataset.
(cherry picked from commit 8aa130f253)
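Why iterating a shared signature set directly can cut a caller's loop short, and how a clone avoids it, as an added single-threaded model (not code from BIND 9). `toy_rdataset_t`, the `rds_*` helpers and the key tags are hypothetical and constructed; only the names `check_signer` and the clone idea come from the commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for an rdataset: the iteration cursor lives in
 * the object itself, so everyone using the same object shares it. */
typedef struct {
	const int *keytags; /* constructed sample: one key tag per signature */
	size_t     count;
	size_t     cursor;
} toy_rdataset_t;

static bool rds_first(toy_rdataset_t *r) { r->cursor = 0; return r->count > 0; }
static bool rds_next(toy_rdataset_t *r) { return ++r->cursor < r->count; }
static int  rds_current(const toy_rdataset_t *r) { return r->keytags[r->cursor]; }
static toy_rdataset_t rds_clone(const toy_rdataset_t *r) {
	toy_rdataset_t c = *r; /* same data, private cursor */
	c.cursor = 0;
	return c;
}

/* Looks for a signature made by `tag`. With clone == false it walks the
 * caller's object directly, which moves the caller's cursor. */
static bool
check_signer(toy_rdataset_t *sigs, int tag, bool clone) {
	toy_rdataset_t copy = rds_clone(sigs);
	toy_rdataset_t *it = clone ? &copy : sigs;
	for (bool ok = rds_first(it); ok; ok = rds_next(it)) {
		if (rds_current(it) == tag) {
			return true;
		}
	}
	return false;
}

/* A caller that is itself looping over the signatures and calls
 * check_signer() for each one; returns how many signatures it visited. */
static size_t
signatures_visited(bool clone) {
	static const int tags[] = { 1111, 2222, 3333 }; /* constructed */
	toy_rdataset_t sigs = { tags, 3, 0 };
	size_t visited = 0;
	for (bool ok = rds_first(&sigs); ok; ok = rds_next(&sigs)) {
		visited++;
		(void)check_signer(&sigs, 9999, clone); /* no match: full scan */
	}
	return visited;
}

int
main(void) {
	printf("direct: %zu of 3, cloned: %zu of 3\n", signatures_visited(false), signatures_visited(true));
	return 0;
}
```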
This reverts commit b4a2674d98.
The --fs-capture-search option is no more. The ability to analyse Python
scripts in Coverity turned out to be questionable anyways.
Closes #5456
Backport of MR !10808
Merge branch 'backport-5456-coverity-scan-drop-fs-capture-search-option-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10810
This reverts commit b4a2674d98.
The --fs-capture-search option is no more. The ability to analyse Python
scripts in Coverity turned out to be questionable anyways.
(cherry picked from commit 310884c259)
added some helper functions in isctest to reduce code repetition
in dnssec-related tests:
- isctest.check.adflag() - checks that a response contains AD=1
- isctest.check.noadflag() - checks that a response contains AD=0
- isctest.check.rdflag() - checks that a response contains RD=1
- isctest.check.nordflag() - checks that a response contains RD=0
- isctest.check.raflag() - checks that a response contains RA=1
- isctest.check.noraflag() - checks that a response contains RA=0
- isctest.check.rr_count_eq() - checks the number of RRsets in a section
- isctest.check.same_data() - checks that two messages have the
  same rcode and data
- isctest.check.same_answer() - checks that two messages have the same
  rcode and answer
- isctest.query.create() - a wrapper for dns.message.make_query() that
  creates a query message similar to dig +dnssec
Backport of MR !10760
Merge branch 'backport-each-isctest-helpers-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10793
Rather than using the dnspython's facilities and defaults to create the
queries, use the isctest.query.create function in all the cases that
don't require special handling to have consistent defaults.
(cherry picked from commit 64143ea077)
Make the query helper function more universal and reusable across our
system tests -- default to using EDNS and sending AD=1.
(cherry picked from commit 989e64b9b0)
Use a common function to count the number of RRs in any section of the
DNS message. For the ADDITIONAL section, stick with the dnspython
convention of not including OPT and TSIG.
(cherry picked from commit efd60348b9)
added some helper functions in isctest to reduce code repetition
in dnssec-related tests:
- isctest.check.adflag() - checks that a response contains AD=1
- isctest.check.noadflag() - checks that a response contains AD=0
- isctest.check.rdflag() - checks that a response contains RD=1
- isctest.check.nordflag() - checks that a response contains RD=0
- isctest.check.answer_count_eq() - checks the answer count is correct
- isctest.check.additional_count_eq() - same for authority count
- isctest.check.authority_count_eq() - same for additional count
- isctest.check.same_data() - check that two messages have the
  same rcode and data
- isctest.check.same_answer() - check that two messages have the same
  rcode and answer
- isctest.dnssec.msg() - a wrapper for dns.message.make_query() that
  creates a query message similar to dig +dnssec:
  use_edns=True, want_dnssec=True,
  and flags are set to (RD|AD) by default, but
  options exist to disable AD or enable CD.
  (to generate non-DNSSEC queries, use
  message.make_query() directly.)
(cherry picked from commit b69097f139)