GitLab

EID and NIMLOC totext is broken.

See merge request !1571

Fix key ID extraction in the "dnssec" system test

See merge request !1732

Simply looking for the key ID surrounded by spaces in the tested
dnssec-signzone output file is not a precise enough method of checking
for signatures prepared using a given key ID: it can be tripped up by
cross-algorithm key ID collisions and certain low key IDs (e.g. 60, the
TTL specified in bin/tests/system/dnssec/signer/example.db.in), which
triggers false positives for the "dnssec" system test.  Make key ID
extraction precise by using an awk script which operates on specific
fields.

Minor "mirror" system test tweaks

See merge request !1713

The "mirror" system test expects all dig queries (including recursive
ones) to be responded to within 1 second, which turns out to be overly
optimistic in certain cases and leads to false positives being
triggered.  Increase dig query timeout used throughout the "mirror"
system test to 2 seconds in order to alleviate the issue.

Currently, ns3 in the "mirror" system test sends trust anchor telemetry
queries every second as it is started with "-T tat=1".  Given the number
of trust anchors configured on ns3 (9), TAT-related traffic clutters up
log files, hindering troubleshooting efforts.  Increase TAT query
interval to 3 seconds in order to alleviate the issue.

Note that the interval chosen cannot be much higher if intermittent test
failures are to be avoided: TAT queries are only sent after the
configured number of seconds passes since resolver startup.  Quick
experiments show that even on contemporary hardware, ns3 should be
running for at least 5 seconds before it is first shut down, so a
3-second TAT query interval seems to be a reasonable, future-proof
compromise.  Ensure the relevant check is performed before ns3 is first
shut down to emphasize this trade-off and make it more clear by what
time TAT queries are expected to be sent.

Update and sort the top level .gitignore to ignore automake files

See merge request !1727

"serve-stale" system test: wait until "rndc dumpdb" completes

See merge request !1712

"rndc dumpdb" works asynchronously, i.e. the requested dump may not yet
be fully written to disk by the time "rndc" returns.  Prevent false
positives for the "serve-stale" system test by only checking dump
contents after the line indicating that it is complete is written.

placeholder

See merge request !1724

Regen configure

See merge request !1721

Cleanup util/copyrights after virtual-time removal

See merge request !1719

Make builtin test use dynamic version from named -V

See merge request !1717

Reduce the software entropy in the BIND source code by removing unused...

See merge request !1718

Reduce the software entropy in the BIND source code by removing unused bin/tests/virtual-time/ directory.

Limit spatch to bin, lib and fuzz directories

See merge request !1716

Resolve "Investigate and fix what happens when managed-key algorithm is not supported"

Closes #806 and #757

See merge request !1350

This tests both the cases when the DLV trust anchor is of an
unsupported or disabled algorithm, as well as if the DLV zone
contains a key with an unsupported or disabled algorithm.

Michał Kępień authored Jan 24, 2019 and Matthijs Mekking committed Mar 19, 2019

Some values returned by dstkey_fromconfig() indicate that key loading
should be interrupted, others do not.  There are also certain subsequent
checks to be made after parsing a key from configuration and the results
of these checks also affect the key loading process.  All of this
complicates the key loading logic.

In order to make the relevant parts of the code easier to follow, reduce
the body of the inner for loop in load_view_keys() to a single call to a
new function, process_key().  Move dstkey_fromconfig() error handling to
process_key() as well and add comments to clearly describe the effects
of various key loading errors.

More specifically: ignore configured trusted and managed keys that
match a disabled algorithm.  The behavioral change is that
associated responses no longer SERVFAIL, but return insecure.

Move from conf.sh.in to conf.sh.common as they will also need to be
added to conf.sh.win32.  Add variables for testing disabled
algorithms.

Make ifconfig.sh resilient to the directory where it is run

See merge request !1715