Commits (9)
    add check-ans-prereq · ec2ecffe
    Mark Andrews authored
    add util/check-ans-prereq to precheck · 74c1c375
    Mark Andrews authored
    Merge branch '871-add-a-ci-check-for-missing-prereq.sh-scripts' into 'master' · 3c47622f
    Mark Andrews authored
    Add a CI check for missing prereq.sh scripts
    
    Closes #871
    
    See merge request !1494
    Fix serial number used in zone verification checks · 46480a4b
    Michał Kępień authored
    Due to the way the "mirror" system test is set up, it is impossible for
    the "verify-unsigned" and "verify-untrusted" zones to contain any serial
    number other than the original one present in ns2/verify.db.in.  Thus,
    using presence of a different serial number in the SOA records of these
    zones as an indicator of problems with mirror zone verification is
    wrong.  Look for the original zone serial number instead as that is the
    one that will be returned by ns3 if one of the aforementioned zones is
    successfully verified.
    Improve reliability of zone verification checks · 2cbf1028
    Michał Kępień authored
    In the "mirror" system test, ns3 periodically sends trust anchor
    telemetry queries to ns1 and ns2.  It may thus happen that for some
    non-recursive queries for names inside mirror zones which are not yet
    loaded, ns3 will be able to synthesize a negative answer from the cached
    records it obtained from trust anchor telemetry responses.  In such
    cases, NXDOMAIN responses will be sent with the root zone SOA in the
    AUTHORITY section.  Since the root zone used in the "mirror" system test
    has the same serial number as ns2/verify.db.in and zone verification
    checks look for the specified serial numbers anywhere in the answer, the
    test could be broken if different zone names were used.
    
    The +noauth dig option could be used to address this weakness, but that
    would prevent entire responses from being stored for later inspection,
    which in turn would hamper troubleshooting test failures.  Instead, use
    a different serial number for ns2/verify.db.in than for any other zone
    used in the "mirror" system test and check the number of records in the
    ANSWER section of each response.
    Prevent races when waiting for log messages · 9c611dd9
    Michał Kępień authored
    The "mirror" system test checks whether log messages announcing a mirror
    zone coming into effect are emitted properly.  However, the helper
    functions responsible for waiting for zone transfers and zone loading to
    complete do not wait for these exact log messages, but rather for other
    ones preceding them, which introduces a possibility of false positives.
    
    This problem cannot be addressed by just changing the log message to
    look for because the test still needs to discern between transferring a
    zone and loading a zone.
    
    Add two new log messages at debug level 99 (which is what named
    instances used in system tests are configured with) that are to be
    emitted after the log messages announcing a mirror zone coming into
    effect.  Tweak the aforementioned helper functions to only return once
    the log messages they originally looked for are followed by the newly
    added log messages.  This reliably prevents races when looking for
    "mirror zone is now in use" log messages and also enables a workaround
    previously put into place in the "mirror" system test to be reverted.
    Merge branch 'michal/improve-stability-of-mirror-zone-tests' into 'master' · 724663c1
    Michał Kępień authored
    Improve stability of mirror zone system tests
    
    See merge request !1505
    Do not check SEP bit for mirror zone trust anchors · 72c20173
    Michał Kępień authored
    When a mirror zone is verified, the 'ignore_kskflag' argument passed to
    dns_zoneverify_dnssec() is set to false.  This means that in order for
    its verification to succeed, a mirror zone needs to have at least one
    key with the SEP bit set configured as a trust anchor.  This brings no
    security benefit and prevents zones signed only using keys without the
    SEP bit set from being mirrored, so change the value of the
    'ignore_kskflag' argument passed to dns_zoneverify_dnssec() to true.
    Add CHANGES entry · 2b19b851
    Michał Kępień authored
    5161.	[bug]		Do not require the SEP bit to be set for mirror zone
    			trust anchors. [GL #873]
......@@ -154,6 +154,7 @@ stages:
misc:sid:amd64:
<<: *precheck_job
script:
- sh util/check-ans-prereq.sh
- sh util/checklibs.sh > checklibs.out
- sh util/tabify-changes < CHANGES > CHANGES.tmp
- diff -urNap CHANGES CHANGES.tmp
......
5161. [bug] Do not require the SEP bit to be set for mirror zone
trust anchors. [GL #873]
5160. [contrib] Added DNAME support to the DLZ LDAP schema. Also
fixed a compilation bug affecting several DLZ
modules. [GL #872]
......
......@@ -8,7 +8,7 @@
; information regarding copyright ownership.
$TTL 3600
@ SOA a.root-servers.nil. hostmaster 2000010100 3600 1200 604800 3600
@ SOA a.root-servers.nil. hostmaster 1 3600 1200 604800 3600
@ NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
example NS ns2.example.
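Review bot: the SOA serial moves from 2000010100 to 1 so the root zone no longer shares a serial with ns2/verify.db.in, which matters because the mirror test's verification checks look for that serial anywhere in a response (see commit 2cbf1028). Nothing in the zone file records this constraint; add a one-line comment above the SOA, e.g. `; serial must differ from ns2/verify.db.in (mirror test serial checks)`, so a later edit does not reintroduce the collision. The same applies to the second zone file changed in the next hunk.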
......
......@@ -8,7 +8,7 @@
; information regarding copyright ownership.
$TTL 3600
@ SOA a.root-servers.nil. hostmaster 2000010100 3600 1200 604800 3600
@ SOA a.root-servers.nil. hostmaster 1 3600 1200 604800 3600
@ NS ns2
ns2 A 10.53.0.2
foo CNAME foo.example.
......@@ -55,6 +55,11 @@ zone "verify-axfr" {
file "verify-axfr.db.signed";
};
zone "verify-csk" {
type master;
file "verify-csk.db.signed";
};
zone "verify-ixfr" {
type master;
file "verify-ixfr.db.signed";
......
......@@ -32,6 +32,18 @@ done
# the "root" zone on ns1.
keys_to_trust="$keys_to_trust $keyname1"
# Prepare a zone signed using a Combined Signing Key (CSK) without the SEP bit
# set and add that key to the list of keys to trust.
zone=verify-csk
infile=verify.db.in
zonefile=verify-csk.db
keyname=`$KEYGEN -a RSASHA256 $zone 2> /dev/null`
cat $infile $keyname.key > $zonefile
$SIGNER -P -o $zone $zonefile > /dev/null
keys_to_trust="$keys_to_trust $keyname"
# Prepare remaining zones used in the test.
ORIGINAL_SERIAL=`awk '$2 == "SOA" {print $5}' verify.db.in`
UPDATED_SERIAL_BAD=`expr ${ORIGINAL_SERIAL} + 1`
UPDATED_SERIAL_GOOD=`expr ${ORIGINAL_SERIAL} + 2`
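Review bot: `$KEYGEN -a RSASHA256 $zone 2> /dev/null` hides the reason for any key-generation failure, and when it fails `keyname` is empty, so the following line degrades to `cat verify.db.in .key > verify-csk.db` and the script carries on with an unsigned, untrusted zone; the failure then surfaces much later as a confusing mirror-verification error. Either drop the stderr redirect or add `[ -n "$keyname" ] || exit 1` after the keygen line. A short comment stating why `-P` (disable post-sign verification) is used for this zone would also help, since the whole point of the zone is that its only key lacks the SEP bit.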
......
......@@ -56,6 +56,12 @@ zone "verify-axfr" {
file "verify-axfr.db.mirror";
};
zone "verify-csk" {
type mirror;
masters { 10.53.0.2; };
file "verify-csk.db.mirror";
};
zone "verify-ixfr" {
type mirror;
masters { 10.53.0.2; };
......
......@@ -1534,6 +1534,10 @@ maybe_free(dns_xfrin_ctx_t *xfr) {
dns_zone_log(xfr->zone, ISC_LOG_INFO,
"mirror zone is now in use");
}
xfrin_log(xfr, ISC_LOG_DEBUG(99), "freeing transfer context");
/*
* xfr->zone must not be detached before xfrin_log() is called.
*/
dns_zone_idetach(&xfr->zone);
}
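Review bot: the new `xfrin_log(xfr, ISC_LOG_DEBUG(99), "freeing transfer context")` line is a synchronization point for the mirror system test (commit 9c611dd9 makes the test wait for it after "mirror zone is now in use"), but nothing in the code says so; extend the comment so that rewording or reordering this log line is recognised as a test-visible change. The ordering comment about xfr->zone is the right guard; please confirm that xfrin_log() is the last use of xfr->zone on every exit path of maybe_free(), since the hunk shows only this one.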
......
......@@ -5069,6 +5069,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
DNS_ZONE_CLRFLAG(zone->secure, DNS_ZONEFLG_LOADPENDING);
}
zone_debuglog(zone, "zone_postload", 99, "done");
return (result);
}
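Review bot: `zone_debuglog(zone, "zone_postload", 99, "done")` sits just before the final `return (result)`, so it fires for both successful and failed loads, which is what a wait helper needs; but if zone_postload() has any earlier `return` or `goto` that bypasses this line (the hunk shows only the tail of the function), the test helper waiting for this message will time out instead of failing fast. Verify that every exit path reaches this call, and add a comment that system tests depend on the exact message.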
......@@ -19814,7 +19816,7 @@ dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) {
origin = dns_db_origin(db);
result = dns_zoneverify_dnssec(zone, db, version, origin, secroots,
zone->mctx, false, false);
zone->mctx, true, false);
done:
if (secroots != NULL) {
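Review bot: flipping the `ignore_kskflag` argument of dns_zoneverify_dnssec() (the first of the two trailing booleans) from `false` to `true` matches the stated goal and does not weaken verification: the SEP bit is only a hint (RFC 4034 section 2.1.1), and the keys accepted as anchors remain constrained by `secroots`. Two adjacent positional boolean literals are hard to read, though; add a call-site comment naming the flag, e.g. `/* ignore_kskflag: SEP bit is advisory for mirror zone anchors */`, so the next reader does not have to look up which boolean changed.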
......
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
status=0
for testscript in bin/tests/system/*/tests.sh; do
testdir="$(dirname "${testscript}")"
prereq="${testdir}/prereq.sh"
if [ -e "${prereq}" ] || [ -e "${prereq}.in" ]; then
continue
fi
if find "${testdir}" -type d -name "ans*" | grep -Eq "/ans[0-9]+$"; then
echo "missing ${prereq}"
status=1
fi
done
exit ${status}
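Review bot: the script silently depends on being run from the top of the source tree (`bin/tests/system/*/tests.sh` is relative), and if that glob matches nothing the loop still runs once with the literal pattern, so `find` prints an error to stderr yet `status` stays 0 and the CI check passes vacuously. Guard the entry, e.g. `[ -d bin/tests/system ] || { echo "run from the source root" >&2; exit 1; }`, and send the "missing" lines to stderr so they stand out in the CI log. The `-name "ans*"` plus `grep -Eq "/ans[0-9]+$"` pair is fine for the ans1..ansN layout; the grep is what keeps a directory such as `answers/` from counting.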
......@@ -2585,6 +2585,7 @@
./util/COPYRIGHT.TOP X 2018,2019
./util/bindkeys.pl PERL 2009,2010,2011,2012,2014,2016,2017,2018,2019
./util/branchsync.sh SH 2013,2016,2018,2019
./util/check-ans-prereq.sh SH 2019
./util/check-categories.sh SH 2015,2016,2017,2018,2019
./util/check-changes PERL 2002,2004,2007,2012,2016,2018,2019
./util/check-cocci X 2018,2019
......