1. 21 Feb, 2019 2 commits
  2. 18 Feb, 2019 3 commits
  3. 14 Feb, 2019 5 commits
    • Correct path in dnssec-checkds help · 7bd544e7
      Petr Menšík authored
    • Do not check SEP bit for mirror zone trust anchors · 72c20173
      Michał Kępień authored
      When a mirror zone is verified, the 'ignore_kskflag' argument passed to
      dns_zoneverify_dnssec() is set to false.  This means that in order for
      its verification to succeed, a mirror zone needs to have at least one
      key with the SEP bit set configured as a trust anchor.  This brings no
      security benefit and prevents zones signed only using keys without the
      SEP bit set from being mirrored, so change the value of the
      'ignore_kskflag' argument passed to dns_zoneverify_dnssec() to true.
    • Prevent races when waiting for log messages · 9c611dd9
      Michał Kępień authored
      The "mirror" system test checks whether log messages announcing a mirror
      zone coming into effect are emitted properly.  However, the helper
      functions responsible for waiting for zone transfers and zone loading to
      complete do not wait for these exact log messages, but rather for other
      ones preceding them, which introduces a possibility of false positives.
      
      This problem cannot be addressed by just changing the log message to
      look for because the test still needs to discern between transferring a
      zone and loading a zone.
      
      Add two new log messages at debug level 99 (which is what named
      instances used in system tests are configured with) that are to be
      emitted after the log messages announcing a mirror zone coming into
      effect.  Tweak the aforementioned helper functions to only return once
      the log messages they originally looked for are followed by the newly
      added log messages.  This reliably prevents races when looking for
      "mirror zone is now in use" log messages and also enables a workaround
      previously put into place in the "mirror" system test to be reverted.
    • Improve reliability of zone verification checks · 2cbf1028
      Michał Kępień authored
      In the "mirror" system test, ns3 periodically sends trust anchor
      telemetry queries to ns1 and ns2.  It may thus happen that for some
      non-recursive queries for names inside mirror zones which are not yet
      loaded, ns3 will be able to synthesize a negative answer from the cached
      records it obtained from trust anchor telemetry responses.  In such
      cases, NXDOMAIN responses will be sent with the root zone SOA in the
      AUTHORITY section.  Since the root zone used in the "mirror" system test
      has the same serial number as ns2/verify.db.in and zone verification
      checks look for the specified serial numbers anywhere in the answer, the
      test could be broken if different zone names were used.
      
      The +noauth dig option could be used to address this weakness, but that
      would prevent entire responses from being stored for later inspection,
      which in turn would hamper troubleshooting test failures.  Instead, use
      a different serial number for ns2/verify.db.in than for any other zone
      used in the "mirror" system test and check the number of records in the
      ANSWER section of each response.
    • Fix serial number used in zone verification checks · 46480a4b
      Michał Kępień authored
      Due to the way the "mirror" system test is set up, it is impossible for
      the "verify-unsigned" and "verify-untrusted" zones to contain any serial
      number other than the original one present in ns2/verify.db.in.  Thus,
      using presence of a different serial number in the SOA records of these
      zones as an indicator of problems with mirror zone verification is
      wrong.  Look for the original zone serial number instead as that is the
      one that will be returned by ns3 if one of the aforementioned zones is
      successfully verified.
  4. 08 Feb, 2019 4 commits
  5. 07 Feb, 2019 3 commits
  6. 06 Feb, 2019 12 commits
  7. 01 Feb, 2019 1 commit
  8. 31 Jan, 2019 8 commits
    • Add system tests for IXFR statistics · a9a47c79
      Michał Kępień authored
      Ensure IXFR statistics are calculated correctly by dig and named, both
      for incoming and outgoing transfers.  Disable EDNS when using dig to
      request an IXFR so that the same reference file can be used for testing
      statistics calculated by both dig and named (dig uses EDNS by default
      when sending transfer requests, which affects the number of bytes
      transferred).
    • Add system tests for AXFR statistics · a22e24a4
      Michał Kępień authored
      Ensure AXFR statistics are calculated correctly by dig and named, both
      for incoming and outgoing transfers.  Rather than employing a zone which
      is already used in the "xfer" system test, create a new one whose AXFR
      form spans multiple TCP messages.  Disable EDNS when using dig to
      request an AXFR so that the same reference file can be used for testing
      statistics calculated by both dig and named (dig uses EDNS by default
      when sending transfer requests, which affects the number of bytes
      transferred).
    • Add functions for extracting transfer statistics · 6071c6cc
      Michał Kępień authored
      Add two helper shell functions to facilitate extracting transfer
      statistics from dig output and named log files.
    • silence a spurious dnssec-keygen warning in the dnssec system test · 6661db95
      Evan Hunt authored
      the occluded-key test creates both a KEY and a DNSKEY. the second
      call to dnssec-keygen calls dns_dnssec_findmatchingkeys(), which causes
      a spurious warning to be printed when it sees the type KEY record.
      this should be fixed in dnssec.c, but in the meantime this change silences
      the warning by reversing the order in which the keys are created.
    • test logging of key maintenance events · 5c1c2853
      Evan Hunt authored
    • detect crash on shutdown in stop.pl · 9bf37f4e
      Evan Hunt authored
    • Ancient named.conf options are now a fatal configuration error · ff3dace1
      Evan Hunt authored
      - options that were flagged as obsolete or not implemented in 9.0.0
        are now flagged as "ancient", and are a fatal error
      - the ARM has been updated to remove these, along with other
        obsolete descriptions of BIND 8 behavior
      - the log message for obsolete options explicitly recommends removal
    • Add tests for dumpdb stale ttl · a2d115cb
      Matthijs Mekking authored
      This adds a test for rndc dumpdb to ensure the correct "stale
      comment" is printed.  It also adds a test for non-stale data to
      ensure no "stale comment" is printed for active RRsets.
      
      In addition, the serve-stale tests are hardened with more accurate
      grep calls.
  9. 30 Jan, 2019 2 commits