- 06 Nov, 2019 9 commits
Matthijs Mekking authored
Add more tests for kasp:

- Add tests for different algorithms.
- Add a test to ensure that an edit in an unsigned zone is picked up and properly signed.
- Add two tests that ensure that a zone gets signed when it is configured as so-called 'inline-signing'. In other words, a secondary zone that is configured with a 'dnssec-policy'. A zone that is transferred over AXFR or IXFR will get signed.
- Add a test to ensure signatures are reused if they are still fresh enough.
- Add two more tests to verify that expired and unfresh signatures will be regenerated.
- Add tests for various cases with keys already available in the key-directory.
Matthijs Mekking authored
Add a key manager to named.

If a 'dnssec-policy' is set, 'named' will run a key manager on the matching keys. This will do a couple of things:

1. Create keys when needed (in case of rollover for example) according to the set policy.
2. Retire keys that are in excess of the policy.
3. Maintain key states according to "Flexible and Robust Key Rollover" [1].

After the key manager has run, key files will be saved to disk.

[1] https://matthijsmekking.nl/static/pdf/satin2012-Schaeffer.pdf

KEY GENERATION

Create keys according to DNSSEC policy. Zones configured with 'dnssec-policy' will allow 'named' to create DNSSEC keys (similar to dnssec-keymgr) if not available.

KEY ROLLOVER

Rather than determining the desired state from timing metadata, add a key state goal. Any key that is created or picked from the key ring and selected to be a successor has its key state goal set to OMNIPRESENT (this key wants to be signing!). At the same time, a key that is being retired has its key state goal set to HIDDEN. The keymgr state machine with the three rules will make sure no introduction or withdrawal of DNSSEC records happens too soon.

KEY TIMINGS

All timings are based on RFC 7583. The keymgr will return when the next action is happening so that the zone can set the proper rekey event. Prior to this change the rekey event would run every hour by default (configurable), but with kasp we can determine exactly when we need to run again. The prepublication time is derived from policy.
Matthijs Mekking authored
This commit adds code for generating keys with dnssec-keygen given a specific dnssec-policy. The dnssec-policy can be set with a new option '-k'. The '-l' option can be used to set a configuration file that contains a specific dnssec-policy. Because the dnssec-policy dictates what the keys should look like, many of the existing dnssec-keygen options cannot be used together with '-k'. If the dnssec-policy lists multiple keys, dnssec-keygen can now generate multiple keys in one run. Add two tests for creating keys with '-k': one with the default policy, one with multiple keys from the configuration.
Matthijs Mekking authored
Add code for creating, configuring, and destroying KASP keys. When using the default policy, create one CSK, no rollover.
Matthijs Mekking authored
This stores the dnssec-policy configuration and adds methods to create, destroy, and attach/detach, as well as find a policy with the same name in a list. Also, add structures and functions for creating and destroying kasp keys.
Matthijs Mekking authored
This commit introduces the initial `dnssec-policy` configuration statement. It has an initial set of options to deal with signature and key maintenance. Add some checks to ensure that dnssec-policy is configured in the right locations, and that policies referenced in zone statements actually exist. Add some checks that, when a user adds the new `dnssec-policy` configuration, it no longer contains existing DNSSEC configuration options. Specifically: `inline-signing`, `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`, `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`, and `sig-validity-interval`. Test a good kasp configuration, and some bad configurations.
Matthijs Mekking authored
Initial design document.
Matthijs Mekking authored
The ttlval configuration types are replaced by duration configuration types. The duration is an ISO 8601 duration that is going to be used for DNSSEC key timings such as key lifetimes, signature resign intervals and refresh periods, etc. But it is also still allowed to use the BIND ttlval ways of configuring intervals (number plus optional unit). A duration is stored as an array of 7 different time parts. A duration can either be expressed in weeks, or in a combination of the other datetime indicators. Add several unit tests to ensure the correct value is parsed given different string values.
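An added example, not BIND's isccfg code, of the parsing rule this commit describes: an ISO 8601 duration is filled into an array of seven parts (years, months, weeks, days, hours, minutes, seconds), weeks are accepted only on their own, and the ttlval form of a number with an optional unit is still accepted. The names `duration_t`, `parse_iso8601`, `parse_ttlval`, `duration_parse` and `duration_part` belong to this example, as do the assumptions that ttlval input is a single number plus unit and that every part fits in 32 bits.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not BIND's code: the seven time parts, in the order the
 * ISO 8601 designators may appear. */
enum { DUR_YEARS, DUR_MONTHS, DUR_WEEKS, DUR_DAYS,
       DUR_HOURS, DUR_MINUTES, DUR_SECONDS, DUR_NPARTS };

typedef struct { uint32_t parts[DUR_NPARTS]; } duration_t;

/* Read a decimal number; false if none is present or it overflows uint32_t. */
static bool read_uint(const char **p, uint32_t *out) {
	uint64_t v = 0;
	if (!isdigit((unsigned char)**p)) return false;
	while (isdigit((unsigned char)**p)) {
		v = v * 10 + (uint64_t)(**p - '0');
		if (v > UINT32_MAX) return false;
		(*p)++;
	}
	*out = (uint32_t)v;
	return true;
}

/* ISO 8601 duration: P[nY][nM][nW][nD][T[nH][nM][nS]].  Designators must be
 * in order and appear at most once; weeks may not be mixed with other parts. */
static bool parse_iso8601(const char *s, duration_t *d) {
	const char *p = s;
	int last = -1;
	bool in_time = false, have_week = false, have_other = false;

	memset(d, 0, sizeof(*d));
	if (*p++ != 'P') return false;
	while (*p != '\0') {
		uint32_t v;
		int idx;
		if (*p == 'T') {
			if (in_time) return false;
			in_time = true;
			p++;
			if (*p == '\0') return false; /* "P1DT": T with nothing after it */
			continue;
		}
		if (!read_uint(&p, &v)) return false;
		switch (*p++) {
		case 'Y': idx = DUR_YEARS; break;
		case 'M': idx = in_time ? DUR_MINUTES : DUR_MONTHS; break;
		case 'W': idx = DUR_WEEKS; break;
		case 'D': idx = DUR_DAYS; break;
		case 'H': idx = DUR_HOURS; break;
		case 'S': idx = DUR_SECONDS; break;
		default: return false;
		}
		/* Date designators only before T, time designators only after it. */
		if ((idx <= DUR_DAYS) == in_time) return false;
		if (idx <= last) return false; /* repeated or out-of-order designator */
		last = idx;
		if (idx == DUR_WEEKS) have_week = true; else have_other = true;
		d->parts[idx] = v;
	}
	if (last < 0) return false;        /* bare "P" */
	return !(have_week && have_other); /* weeks stand alone */
}

/* ttlval as the commit describes it: a number plus an optional unit
 * (s, m, h, d, w; case-insensitive).  Assumption of this example: only the
 * single number+unit form is handled; the value lands in the matching part. */
static bool parse_ttlval(const char *s, duration_t *d) {
	const char *p = s;
	uint32_t v;
	int idx;

	memset(d, 0, sizeof(*d));
	if (!read_uint(&p, &v)) return false;
	switch (tolower((unsigned char)*p)) {
	case '\0': case 's': idx = DUR_SECONDS; break;
	case 'm': idx = DUR_MINUTES; break;
	case 'h': idx = DUR_HOURS; break;
	case 'd': idx = DUR_DAYS; break;
	case 'w': idx = DUR_WEEKS; break;
	default: return false;
	}
	if (*p != '\0') p++;
	if (*p != '\0') return false; /* trailing garbage such as "1hx" */
	d->parts[idx] = v;
	return true;
}

/* Accept either form: ISO 8601 when the string starts with 'P', else ttlval. */
static bool duration_parse(const char *s, duration_t *d) {
	return (s[0] == 'P') ? parse_iso8601(s, d) : parse_ttlval(s, d);
}

/* One part of a parsed string, or -1 if the string is rejected. */
static int64_t duration_part(const char *s, int idx) {
	duration_t d;
	if (!duration_parse(s, &d)) return -1;
	return (int64_t)d.parts[idx];
}

int main(void) {
	printf("P1Y2M3DT4H5M6S: days %ld, minutes %ld\n",
	       (long)duration_part("P1Y2M3DT4H5M6S", DUR_DAYS),
	       (long)duration_part("P1Y2M3DT4H5M6S", DUR_MINUTES));
	printf("P1W2D: %ld (rejected, weeks stand alone)\n", (long)duration_part("P1W2D", DUR_DAYS));
	printf("2h: hours %ld\n", (long)duration_part("2h", DUR_HOURS));
	return 0;
}
```

The ordering check and the "weeks stand alone" rule are what make a mixed string such as `P1W2D` or an out-of-order `P1D1Y` fail rather than silently produce a partial value.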
Diego dos Santos Fronza authored
Note: ans6/ans6.py is a helper script that allows tests.sh to open/close TCP connections to some BIND instance.
- 04 Oct, 2019 1 commit
Ondřej Surý authored
- 16 Sep, 2019 1 commit
Ondřej Surý authored
The OASIS pkcs11.h header has a restrictive license. Replace the pkcs11.h, pkcs11f.h and pkcs11t.h headers with pkcs11.h from p11-kit. For source distribution, the license for the OASIS headers itself doesn't pose any licensing problem when combined with the MPL license, but it possibly creates problems for downstream distributors of BIND 9.
- 12 Sep, 2019 1 commit
Mark Andrews authored
- 03 Sep, 2019 1 commit
Evan Hunt authored
- 29 Aug, 2019 1 commit
Ondřej Surý authored
- 27 Aug, 2019 1 commit
Evan Hunt authored
- the cache-file and check-integrity options were not needed
- some zones and files were not used
- 25 Aug, 2019 1 commit
Evan Hunt authored
- 09 Aug, 2019 3 commits
Evan Hunt authored
- this required modification to the code that generates grammar text for the documentation, because the "dnssec-lookaside" option spanned more than one line in doc/misc/options, so grepping out only the lines marked "// obsolete" didn't remove the whole option. this commit adds an option to cfg_test to print named.conf clauses only if they don't have the obsolete, ancient, test-only, or not-yet-implemented flags set.
Evan Hunt authored
Evan Hunt authored
- 31 Jul, 2019 1 commit
Ondřej Surý authored
The isc-config.sh script was introduced before pkg-config and is a purely historical thing. There are two reasons for removal of the isc-config.sh script:

a) The BIND 9 libraries are now meant to be used only from BIND 9, so there's no reason to provide a convenience script to link with the libraries.

b) Even if that was not the case, we should and would replace isc-config.sh with a respective pkg-config (.pc) file for every library.
- 12 Jul, 2019 1 commit
Ondřej Surý authored
- 09 Jul, 2019 1 commit
Witold Krecicki authored
Special, for-tests-only mode with atomics emulated by a mutex-locked variable, useful for finding atomics congestion.
- 04 Jul, 2019 1 commit
Evan Hunt authored
- 28 Jun, 2019 1 commit
Michał Kępień authored
When printing a packet, dnstap-read checks whether its text form takes up more than the 2048 bytes allocated for the output buffer by default. If that is the case, the output buffer is automatically expanded, but the truncated output is left in the buffer, resulting in malformed data being printed. Clear the output buffer before expanding it to prevent this issue from occurring.
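An added example, not dnstap-read's code, that reproduces the failure mode the commit fixes: a growable output buffer with a "write what fits and report that it did not all fit" contract, rendered once with the buggy expand-and-retry and once with the fix of clearing the buffer before expanding. `textbuf_t`, `print_packet` and the three sample packet lines are constructed for this example; the doubling growth policy is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable text buffer (added example, not dnstap-read's own code). */
typedef struct {
	char *base;
	size_t used; /* bytes written so far, excluding the NUL */
	size_t size; /* allocated bytes */
} textbuf_t;

static bool textbuf_init(textbuf_t *b, size_t size) {
	if (size == 0) return false;
	b->base = malloc(size);
	if (b->base == NULL) return false;
	b->base[0] = '\0';
	b->used = 0;
	b->size = size;
	return true;
}

/* Append as much of s as fits; false means it was truncated. */
static bool textbuf_putstr(textbuf_t *b, const char *s) {
	size_t n = strlen(s);
	size_t room = b->size - b->used - 1; /* keep one byte for the NUL */
	size_t copy = n < room ? n : room;
	memcpy(b->base + b->used, s, copy);
	b->used += copy;
	b->base[b->used] = '\0';
	return copy == n;
}

/* Double the allocation, keeping whatever is already in the buffer. */
static bool textbuf_expand(textbuf_t *b) {
	char *p = realloc(b->base, b->size * 2);
	if (p == NULL) return false;
	b->base = p;
	b->size *= 2;
	return true;
}

/* Constructed stand-in for a decoded dnstap packet: a few text lines. */
static const char *const sample_fields[] = {
	";; type: MESSAGE\n",
	";; query: example.com. IN A\n",
	";; flags: rd\n",
};
#define NFIELDS (sizeof(sample_fields) / sizeof(sample_fields[0]))
#define SAMPLE_TEXT ";; type: MESSAGE\n;; query: example.com. IN A\n;; flags: rd\n"

/* Format the packet into b; false means the text did not fit. */
static bool render_packet(textbuf_t *b) {
	bool fits = true;
	for (size_t i = 0; i < NFIELDS; i++) {
		if (!textbuf_putstr(b, sample_fields[i])) fits = false;
	}
	return fits;
}

/* Render with an initial buffer of initial_size bytes, expanding on overflow.
 * clear_before_expand = false reproduces the bug: the truncated text stays in
 * the buffer and the retry appends after it.  true is the fix.
 * The caller owns the returned string; NULL on allocation failure. */
static char *print_packet(size_t initial_size, bool clear_before_expand) {
	textbuf_t b;
	if (!textbuf_init(&b, initial_size)) return NULL;
	while (!render_packet(&b)) {
		if (clear_before_expand) {
			b.used = 0; /* drop the truncated output before retrying */
			b.base[0] = '\0';
		}
		if (!textbuf_expand(&b)) {
			free(b.base);
			return NULL;
		}
	}
	return b.base;
}

int main(void) {
	char *buggy = print_packet(16, false);
	char *fixed = print_packet(16, true);
	printf("buggy (%zu bytes):\n%s\n", strlen(buggy), buggy);
	printf("fixed (%zu bytes):\n%s", strlen(fixed), fixed);
	free(buggy);
	free(fixed);
	return 0;
}
```

With a 16-byte initial buffer the buggy path returns the truncated prefixes from each failed attempt followed by the full text, while the fixed path returns exactly the three lines; with a buffer already large enough, both paths agree.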
- 27 Jun, 2019 2 commits
Evan Hunt authored
Evan Hunt authored
- "--with-geoip" is used to enable the legacy GeoIP library.
- "--with-geoip2" is used to enable the new GeoIP2 library (libmaxminddb), and is on by default if the library is found.
- using both "--with-geoip" and "--with-geoip2" at the same time is an error.
- an attempt is made to determine the default GeoIP2 database path at compile time if pkg-config is able to report the module prefix. if this fails, it will be necessary to set the path in named.conf with geoip-directory.
- Makefiles have been updated, and a stub lib/dns/geoip2.c has been added for the eventual GeoIP2 search implementation.
- 25 Jun, 2019 3 commits
Ondřej Surý authored
json-c has previously leaked into the global namespace, leading to a forced -I<include_path> for every compilation unit using the isc/xml.h header. This MR fixes the usage, making the caller object opaque.
Ondřej Surý authored
libxml2 has previously leaked into the global namespace, leading to a forced -I<include_path> for every compilation unit using the isc/xml.h header. This MR fixes the usage, making the caller object opaque.
Matthijs Mekking authored
This adds tests to the statschannel system test for testing if the dnskey sign operation counters are incremented correctly. It tests three cases:

1. A zone maintenance event where all the signatures that are about to expire are resigned.
2. A dynamic update event where the new RR and other relevant records (SOA, NSEC) are resigned.
3. Adding a standby key, which means the DNSKEY and SOA RRsets are resigned.
- 20 Jun, 2019 1 commit
Ondřej Surý authored
The differences between two files are very minimal and most of the code is common. Merge those two files and use #ifdef WIN32 to include the right bits on Windows.
- 05 Jun, 2019 1 commit
Evan Hunt authored
- change references to trusted-keys to dnssec-keys with static-key
- rebuild doc/misc/options and other generated grammar doc
- add a "see MANAGED-KEYS" note when building named.conf.docbook
- 30 May, 2019 1 commit
Mark Andrews authored
- 20 May, 2019 2 commits
Ondřej Surý authored
Ondřej Surý authored
- 13 May, 2019 1 commit
Witold Kręcicki authored
- 09 May, 2019 1 commit
Mark Andrews authored
Fuzz input to dns_rdata_fromwire(). Then convert the result to text, back to wire format, to multiline text, and back to wire format again, checking for consistency throughout the sequence.
- 06 May, 2019 1 commit
Evan Hunt authored
this moves the creation of "parallel.mk" into a separate shell script instead of bin/tests/system/Makefile. that shell script can now be executed by runall.sh, allowing us to make use of the cygwin "make" command, which supports parallel execution.
- 25 Apr, 2019 1 commit
Matthijs Mekking authored
(cherry picked from commit 2d65626630c19bb8159a025accb18e5179da5dc3) (cherry picked from commit 05d29443)
- 18 Apr, 2019 1 commit
Ondřej Surý authored
- 19 Mar, 2019 1 commit
Ondřej Surý authored