GitLab

"rndc signing -serial <value>" could take longer than a second to
complete.  Loop waiting for update to succeed.

For tests where "rndc signing -serial <value>" is supposed to not
succeed, repeatedly test that we don't get the new serial, then
test that we have the old value.  This should prevent false negatives.

The first step in all existing setup.sh scripts is to call clean.sh.  To
reduce code duplication and ensure all system tests added in the future
behave consistently with existing ones, invoke clean.sh from run.sh
before calling setup.sh.

this adds functions in conf.sh.common to create DS-style trust anchor
files. those functions are then used to create nearly all of the trust
anchors in the system tests.

there are a few exceptions:
 - some tests in dnssec and mkeys rely on detection of unsupported
   algorithms, which only works with key-style trust anchors, so those
   are used for those tests in particular.
 - the mirror test had a problem with the use of a CSK without a
   SEP bit, which still needs addressing

in the future, some of these tests should be changed back to using
traditional trust anchors, so that both types will be exercised going
forward.

- keyfile_to_trusted_keys -> keyfile_to_static_keys
- keyfile_to_managed_keys -> keyfile_to_initial_keys

Temporary files created by a given system test should be removed by its
clean.sh script, not its setup.sh script.  Remove redundant "rm"
invocations from setup.sh scripts.  Move required "rm" invocations from
setup.sh scripts to their corresponding clean.sh scripts.

use regex instead of exact string matching, to deal with CR at end of ine

A short time window exists between logging the addition of an NSEC3PARAM
record to a zone and committing it to the current version of the zone
database.  If a query arrives during such a time window, an unsigned
response will be returned.  One of the checks in the "inline" system
test requires NSEC3 records to be present in an answer - that check
would fail in the case described above.  Use rndc instead of log
watching for checking whether zone signing and NSEC3 chain modifications
are complete in order to prevent intermittent "inline" system test
failures.

While "rndc reload" causes dns_zone_asyncload() to be called for the
signed version of an inline-signed zone, the subsequent zone_load() call
causes the raw version to be reloaded from storage.  This means that
DNS_ZONEFLG_LOADPENDING gets set for the signed version of the zone by
dns_zone_asyncload() before the reload is attempted, but zone_postload()
is only called for the raw version and thus DNS_ZONEFLG_LOADPENDING is
cleared for the raw version, but not for the signed version.  This in
turn prevents zone maintenance from happening for the signed version of
the zone.

Until commit 29b7efdd, this problem
remained dormant because DNS_ZONEFLG_LOADPENDING was previously
immediately, unconditionally cleared after zone loading was started
(whereas it should only be cleared when zone loading is finished or an
error occurs).  This behavior caused other issues [1] and thus had to be
changed.

Fix reloading inline-signed zones by clearing DNS_ZONEFLG_LOADPENDING
for the signed version of the zone once the raw version reload
completes.  Take care not to clear it prematurely during initial zone
load.  Also make sure that DNS_ZONEFLG_LOADPENDING gets cleared when
zone_postload() encounters an error or returns early, to prevent other
scenarios from resulting in the same problem.  Add comments aiming to
help explain code flow.

[1] see RT #47076

When an inline-signed zone is loaded, the master file for its signed
version is loaded and then a rollforward of the journal for the signed
version of the zone is performed.  If DNS_JOURNALOPT_RESIGN is not set
during the latter phase, signatures loaded from the journal for the
signed version of the zone will not be scheduled for refresh.  Fix the
conditional expression determining which flags should be used for the
dns_journal_rollforward() call so that DNS_JOURNALOPT_RESIGN is set when
zone_postload() is called for the signed version of an inline-signed
zone.

Extend bin/tests/system/stop.pl so that it can use "rndc halt" instead
of "rndc stop" as the former allows master file flushing upon shutdown
to be suppressed.

Each zone used in the "inline" system test contains a few dozen records.
Over a dozen of these zones are used in the test.  Most records present
in these zones are not subsequently used in the test itself, but all of
them need to be signed by the named instances launched by the test,
which puts quite a bit of strain on lower-end machines, leading to
intermittent failures of the "inline" system test.  Remove all redundant
records from the zones used in the "inline" system test in order to
stabilize it.

If "rndc signing -nsec3param ..." is ran for a zone which has not yet
been loaded or transferred (i.e. its "db" field is NULL), it will be
silently ignored by named despite rndc logging an "nsec3param request
queued" message, which is misleading.  Prevent this by keeping a
per-zone queue of NSEC3PARAM change requests which arrive before a zone
is loaded or transferred and processing that queue once the raw version
of an inline-signed zone becomes available.

Reduce code duplication by replacing a code snippet repeated throughout
system tests using "trusted-keys" and/or "managed-keys" configuration
sections with calls to keyfile_to_{managed,trusted}_keys() helper
functions.

- all tests with "recursion yes" now also specify "dnssec-validation yes",
  and all tests with "recursion no" also specify "dnssec-validation no".
  this must be maintained in all new tests, or else validation will fail
  when we use local root zones for testing.
- clean.sh has been modified where necessary to remove managed-keys.bind
  and viewname.mkeys files.

When inline signing is enabled for a zone without creating signing keys
for it, changes subsequently applied to the raw zone will not be
reflected in the secure zone due to the dns_update_signaturesinc() call
inside receive_secure_serial() failing.  Given that an inline zone will
be served (without any signatures) even with no associated signing keys
being present, keep applying raw zone deltas to the secure zone until
keys become available in an attempt to follow the principle of least
astonishment.

- add CHANGES note
- update copyrights and license headers
- add -j to the make commands in .gitlab-ci.yml to take
  advantage of parallelization in the gitlab CI process

                        for a inline slave zone. [RT #46875]

                        KSK. [RT #46787]