1. 30 Jul, 2020 1 commit
    • Drop $SYSTEMTESTTOP from bin/tests/system/ · 093af1c0
      Michal Nowak authored
      The $SYSTEMTESTTOP shell variable is often set to .. in various shell
      scripts inside bin/tests/system/, but most of the time it is only
      used one line later, while sourcing conf.sh. This hardly improves
      code readability.
      
      $SYSTEMTESTTOP is also used for the purpose of referencing
      scripts/files living in bin/tests/system/, but given that the
      variable is always set to a short, relative path, we can drop it and
      replace all of its occurrences with the relative path without adversely
      affecting code readability.
  2. 01 Jul, 2020 1 commit
    • further tidying of primary/secondary terminology in system tests · e43b3c1f
      Evan Hunt authored
      this changes most visible uses of master/slave terminology in tests.sh
      and most uses of 'type master' or 'type slave' in named.conf files.
      files in the checkconf test were not updated in order to confirm that
      the old syntax still works. rpzrecurse was also left mostly unchanged
      to avoid interference with DNSRPS.
  3. 25 May, 2020 1 commit
  4. 15 Nov, 2019 2 commits
    • use DS style trust anchors in all system tests · 54a682ea
      Evan Hunt authored
      this adds functions in conf.sh.common to create DS-style trust anchor
      files. those functions are then used to create nearly all of the trust
      anchors in the system tests.
      
      there are a few exceptions:
       - some tests in dnssec and mkeys rely on detection of unsupported
         algorithms, which only works with key-style trust anchors, so those
         are used for those tests in particular.
       - the mirror test had a problem with the use of a CSK without a
         SEP bit, which still needs addressing
      
      in the future, some of these tests should be changed back to using
      traditional trust anchors, so that both types will be exercised going
      forward.
    • refactor create_keydata · 4d3ed3f4
      Evan Hunt authored
      use empty placeholder KEYDATA records for all trust anchors, not just
      DS-style trust anchors.
      
      this revealed a pre-existing bug: keyfetch_done() skips keys without
      the SEP bit when populating the managed-keys zone. consequently, if a
      zone only has a single ZSK which is configured as trust anchor and no
      KSKs, then no KEYDATA record is ever written to the managed-keys zone
      when keys are refreshed.
      
      that was how the root server in the dnssec system test was configured.
      however, previously, the KEYDATA was created when the key was
      initialized; this prevented us from noticing the bug until now.
      
      configuring a ZSK as an RFC 5011 trust anchor is not forbidden by the
      spec, but it is highly unusual and not well defined.  so for the time
      being, I have modified the system test to generate both a KSK and ZSK
      for the root zone, enabling the test to pass.
      
      we should consider adding code to detect this condition and allow keys
      without the SEP bit to be used as trust anchors if no key with the SEP
      bit is available, or at minimum, log a warning.
  5. 09 Aug, 2019 1 commit
  6. 28 Jun, 2019 1 commit
    • Add and use keyfile_to_key_id() helper function · 7d6eaad1
      Michał Kępień authored
      When trying to extract the key ID from a key file name, some test code
      incorrectly attempts to strip all leading zeros.  This breaks tests when
      keys with ID 0 are generated.  Add a new helper shell function,
      keyfile_to_key_id(), which properly handles keys with ID 0 and use it in
      test code whenever a key ID needs to be extracted from a key file name.
  7. 05 Jun, 2019 1 commit
  8. 10 May, 2019 1 commit
    • Make NTAs work with validating forwarders · 5e804882
      Michał Kępień authored
      If named is configured to perform DNSSEC validation and also forwards
      all queries ("forward only;") to validating resolvers, negative trust
      anchors do not work properly because the CD bit is not set in queries
      sent to the forwarders.  As a result, instead of retrieving bogus DNSSEC
      material and making validation decisions based on its configuration,
      named is only receiving SERVFAIL responses to queries for bogus data.
      Fix by ensuring the CD bit is always set in queries sent to forwarders
      if the query name is covered by an NTA.
  9. 19 Mar, 2019 1 commit
  10. 15 Mar, 2019 1 commit
  11. 10 Dec, 2018 3 commits
  12. 13 Jun, 2018 1 commit
  13. 16 May, 2018 1 commit
  14. 11 May, 2018 1 commit
  15. 23 Feb, 2018 2 commits
  16. 22 Feb, 2018 1 commit
  17. 24 Apr, 2017 1 commit
  18. 21 Apr, 2017 1 commit
  19. 19 Oct, 2016 1 commit
  20. 22 Jul, 2016 1 commit
  21. 27 Jun, 2016 1 commit
  22. 22 Aug, 2014 2 commits
  23. 07 Jul, 2014 1 commit
  24. 07 May, 2014 1 commit
  25. 19 Feb, 2014 1 commit
  26. 16 Feb, 2014 2 commits
  27. 21 Jan, 2014 2 commits
  28. 10 Apr, 2013 1 commit
  29. 03 Apr, 2013 1 commit
  30. 10 Jan, 2013 2 commits
  31. 29 Jun, 2012 2 commits