1. 10 May, 2019 1 commit
    • Michał Kępień's avatar
      Make NTAs work with validating forwarders · 5e804882
      Michał Kępień authored
      If named is configured to perform DNSSEC validation and also forwards
      all queries ("forward only;") to validating resolvers, negative trust
      anchors do not work properly because the CD bit is not set in queries
      sent to the forwarders.  As a result, instead of retrieving bogus DNSSEC
      material and making validation decisions based on its configuration,
      named is only receiving SERVFAIL responses to queries for bogus data.
      Fix by ensuring the CD bit is always set in queries sent to forwarders
      if the query name is covered by an NTA.
  2. 09 May, 2019 5 commits
  3. 08 May, 2019 1 commit
  4. 07 May, 2019 3 commits
  5. 06 May, 2019 2 commits
    • Evan Hunt's avatar
      move the test lists into conf.sh.common · a33237f0
      Evan Hunt authored
      there is now a common list of tests in conf.sh.common, with the
      tests that are either unique to windows or to unix, or which are
      enabled or disabled by configure or Configure, being listed in
      separate variables in conf.sh.in and conf.sh.win32.
    • Evan Hunt's avatar
      enable parallel system tests on windows · bbae24c1
      Evan Hunt authored
      this moves the creation of "parallel.mk" into a separate shell script
      instead of bin/tests/system/Makefile. that shell script can now be
      executed by runall.sh, allowing us to make use of the cygwin "make"
      command, which supports parallel execution.
  6. 26 Apr, 2019 2 commits
    • Michał Kępień's avatar
      Simplify trailing period handling in system tests · da2c1b74
      Michał Kępień authored
      Windows systems do not allow a trailing period in file names while Unix
      systems do.  When BIND system tests are run, the $TP environment
      variable is set to an empty string on Windows systems and to "." on Unix
      systems.  This environment variable is then used by system test scripts
      for handling this discrepancy properly.
      In multiple system test scripts, a variable holding a zone name is set
      to a string with a trailing period while the names of the zone's
      corresponding dlvset-* and/or dsset-* files are determined using
      numerous sed invocations like the following one:
          dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
      In order to improve code readability, use zone names without trailing
      periods and replace sed invocations with variable substitutions.
      To retain local consistency, also remove the trailing period from
      certain other zone names used in system tests that are not subsequently
      processed using sed.
    • Michał Kępień's avatar
      Make root zone data match root hints · 978a0d25
      Michał Kępień authored
      In the "allow-query" system test, ns3 uses a root hints file which
      contains a single entry for a.root-servers.nil (  This name
      is not present in the root zone served by ns1, which means querying it
      for that name and any type will yield an NXDOMAIN response.  When
      combined with unfavorable thread scheduling, this can lead to ns3
      caching an NXDOMAIN response for the only root server it is aware of and
      thus to false positives for the "allow-query" system test caused by ns3
      returning unexpected SERVFAIL responses.  Fix by modifying the root zone
      served by ns1 so that authoritative responses to a.root-servers.nil
      queries match the root hints file used by ns3.
  7. 25 Apr, 2019 1 commit
  8. 23 Apr, 2019 4 commits
    • Matthijs Mekking's avatar
      Harden grep key ID calls · 83473b97
      Matthijs Mekking authored
      Key IDs may accidentally match dig output that is not the key ID (for
      example the RRSIG inception or expiration time, the query ID, ...).
      Search for key ID + signer name should prevent that, as that is what
      only should occur in the RRSIG record, and signer name always follows
      the key ID.
    • Matthijs Mekking's avatar
      Remove sleeps · 67f0635f
      Matthijs Mekking authored
      Remove sleep calls from test, rely on wait_for_log().  Make
      wait_for_log() and dnssec_loadkeys_on() fail the test if the
      appropriate log line is not found.
      Slightly adjust the echo_i() lines to print only the key ID (not the
      key name).
    • Michał Kępień's avatar
      Wait more than 1 second for NSEC3 chain changes · f8746cdd
      Michał Kępień authored
      One second may not be enough for an NSEC3 chain change triggered by an
      UPDATE message to complete.  Wait up to 10 seconds when checking whether
      a given NSEC3 chain change is complete in the "nsupdate" system test.
    • Michał Kępień's avatar
      Remove redundant sleeps · 1c8e5ea3
      Michał Kępień authored
      In the "nsupdate" system test, do not sleep before checking results of
      changes which are expected to be processed synchronously, i.e. before
      nsupdate returns.
  9. 19 Apr, 2019 3 commits
    • Michał Kępień's avatar
      Update interface lists in ifconfig scripts · b6c1cdff
      Michał Kępień authored
      Make bin/tests/system/ifconfig.bat also configure addresses ending with
      9 and 10, so that the script is in sync with its Unix counterpart.
      Update comments listing the interfaces created by ifconfig.{bat,sh} so
      that they do not include addresses whose last octet is zero (since an
      address like is not a valid host address and thus the
      aforementioned scripts do not even attempt configuring them).
    • Michał Kępień's avatar
      Fix the "dnssec" system test on Windows · e4280ed9
      Michał Kępień authored
      On Windows, the bin/tests/system/dnssec/signer/example.db.signed file
      contains carriage return characters at the end of each line.  Remove
      them before passing the aforementioned file to the awk script extracting
      key IDs so that the latter can work properly.
    • Michał Kępień's avatar
      Do not wait for lock file cleanup on Windows · 761ba451
      Michał Kępień authored
      As signals are currently not handled by named on Windows, instances
      terminated using signals are not able to perform a clean shutdown, which
      involves e.g. removing the lock file.  Thus, waiting for a given
      instance's lock file to be removed beforing assuming it is shut down
      is pointless on Windows, so do not even attempt it.
  10. 15 Apr, 2019 1 commit
  11. 11 Apr, 2019 3 commits
    • Evan Hunt's avatar
    • Matthijs Mekking's avatar
    • Matthijs Mekking's avatar
      Add test for ZSK rollover while KSK offline · 8bc10bcf
      Matthijs Mekking authored
      This commit adds a lengthy test where the ZSK is rolled but the
      KSK is offline (except for when the DNSKEY RRset is changed).  The
      specific scenario has the `dnskey-kskonly` configuration option set
      meaning the DNSKEY RRset should only be signed with the KSK.
      A new zone `updatecheck-kskonly.secure` is added to test against,
      that can be dynamically updated, and that can be controlled with rndc
      to load the DNSSEC keys.
      There are some pre-checks for this test to make sure everything is
      fine before the ZSK roll, after the new ZSK is published, and after
      the old ZSK is deleted.  Note there are actually two ZSK rolls in
      quick succession.
      When the latest added ZSK becomes active and its predecessor becomes
      inactive, the KSK is offline.  However, the DNSKEY RRset did not
      change and it has a good signature that is valid for long enough.
      The expected behavior is that the DNSKEY RRset stays signed with
      the KSK only (signature does not need to change).  However, the
      test will fail because after reconfiguring the keys for the zone,
      it wants to add re-sign tasks for the new active keys (in sign_apex).
      Because the KSK is offline, named determines that the only other
      active key, the latest ZSK, will be used to resign the DNSKEY RRset,
      in addition to keeping the RRSIG of the KSK.
      The question is: Why do we need to resign the DNSKEY RRset
      immediately when a new key becomes active?  This is not required,
      only once the next resign task is triggered the new active key
      should replace signatures that are in need of refreshing.
  12. 10 Apr, 2019 2 commits
  13. 09 Apr, 2019 1 commit
  14. 03 Apr, 2019 1 commit
    • Michał Kępień's avatar
      Do not rely on default dig options in system tests · b6cce0fb
      Michał Kępień authored
      Some system tests assume dig's default setings are in effect.  While
      these defaults may only be silently overridden (because of specific
      options set in /etc/resolv.conf) for BIND releases using liblwres for
      parsing /etc/resolv.conf (i.e. BIND 9.11 and older), it is arguably
      prudent to make sure that tests relying on specific +timeout and +tries
      settings specify these explicitly in their dig invocations, in order to
      prevent test failures from being triggered by any potential changes to
      current defaults.
  15. 22 Mar, 2019 1 commit
  16. 20 Mar, 2019 4 commits
    • Michał Kępień's avatar
      Fix key ID extraction in the "dnssec" system test · a40c60e4
      Michał Kępień authored
      Simply looking for the key ID surrounded by spaces in the tested
      dnssec-signzone output file is not a precise enough method of checking
      for signatures prepared using a given key ID: it can be tripped up by
      cross-algorithm key ID collisions and certain low key IDs (e.g. 60, the
      TTL specified in bin/tests/system/dnssec/signer/example.db.in), which
      triggers false positives for the "dnssec" system test.  Make key ID
      extraction precise by using an awk script which operates on specific
    • Michał Kępień's avatar
      Increase dig query timeout to 2 seconds · 73afbdc5
      Michał Kępień authored
      The "mirror" system test expects all dig queries (including recursive
      ones) to be responded to within 1 second, which turns out to be overly
      optimistic in certain cases and leads to false positives being
      triggered.  Increase dig query timeout used throughout the "mirror"
      system test to 2 seconds in order to alleviate the issue.
    • Michał Kępień's avatar
      Increase TAT query interval · 6847a29b
      Michał Kępień authored
      Currently, ns3 in the "mirror" system test sends trust anchor telemetry
      queries every second as it is started with "-T tat=1".  Given the number
      of trust anchors configured on ns3 (9), TAT-related traffic clutters up
      log files, hindering troubleshooting efforts.  Increase TAT query
      interval to 3 seconds in order to alleviate the issue.
      Note that the interval chosen cannot be much higher if intermittent test
      failures are to be avoided: TAT queries are only sent after the
      configured number of seconds passes since resolver startup.  Quick
      experiments show that even on contemporary hardware, ns3 should be
      running for at least 5 seconds before it is first shut down, so a
      3-second TAT query interval seems to be a reasonable, future-proof
      compromise.  Ensure the relevant check is performed before ns3 is first
      shut down to emphasize this trade-off and make it more clear by what
      time TAT queries are expected to be sent.
    • Michał Kępień's avatar
      Wait until "rndc dumpdb" completes · 6e3f812a
      Michał Kępień authored
      "rndc dumpdb" works asynchronously, i.e. the requested dump may not yet
      be fully written to disk by the time "rndc" returns.  Prevent false
      positives for the "serve-stale" system test by only checking dump
      contents after the line indicating that it is complete is written.
  17. 19 Mar, 2019 5 commits