- 12 Mar, 2019 5 commits
-
-
Petr Menšík authored
Reuse the same checks two times, make difference minimal.
-
Michał Kępień authored
Silence a Perl warning output by stop.pl See merge request isc-projects/bind9!1649
-
Michał Kępień authored
On Unix systems, the CYGWIN environment variable is not set at all when BIND system tests are run. If a named instance crashes on shutdown or otherwise fails to clean up its pidfile and the CYGWIN environment variable is not set, stop.pl will print an uninitialized value warning on standard error. Prevent this by using defined().
-
Mark Andrews authored
Allow ifconfig to be called from any directory See merge request isc-projects/bind9!1563
-
ifconfig.sh depends on config.guess for platform guessing. It uses it to choose between ifconfig or ip tools to configure interfaces. If system-wide automake script is installed and local was not found, use platform guess. It should work well on mostly any sane platform. Still prefers local guess, but passes when if cannot find it.
-
- 11 Mar, 2019 12 commits
-
-
Michał Kępień authored
Stabilize "delzsk.example" zone checks See merge request isc-projects/bind9!1640
-
Michał Kępień authored
When a zone is converted from NSEC to NSEC3, the private record at zone apex indicating that NSEC3 chain creation is in progress may be removed during a different (later) zone_nsec3chain() call than the one which adds the NSEC3PARAM record. The "delzsk.example" zone check only waits for the NSEC3PARAM record to start appearing in dig output while private records at zone apex directly affect "rndc signing -list" output. This may trigger false positives for the "autosign" system test as the output of the "rndc signing -list" command used for checking ZSK deletion progress may contain extra lines which are not accounted for. Ensure the private record is removed from zone apex before triggering ZSK deletion in the aforementioned check. Also future-proof the ZSK deletion progress check by making it only look at lines it should care about.
-
Michał Kępień authored
"dnssec" system test tweaks Closes #129 See merge request isc-projects/bind9!1545
-
-
Michał Kępień authored
For checks querying a named instance with "dnssec-accept-expired yes;" set, authoritative responses have a TTL of 300 seconds. Assuming empty resolver cache, TTLs of RRsets in the ANSWER section of the first response to a given query will always match their authoritative counterparts. Also note that for a DNSSEC-validating named resolver, validated RRsets replace any existing non-validated RRsets with the same owner name and type, e.g. cached from responses received while resolving CD=1 queries. Since TTL capping happens before a validated RRset is inserted into the cache and RRSIG expiry time does not impose an upper TTL bound when "dnssec-accept-expired yes;" is set and, as pointed out above, the original TTLs of the relevant RRsets equal 300 seconds, the RRsets in the ANSWER section of the responses to expiring.example/SOA and expired.example/SOA queries sent with CD=0 should always be exactly 120 seconds, never a lower value. Make the relevant TTL checks stricter to reflect that.
-
Michał Kępień authored
Always expecting a TTL of exactly 300 seconds for RRsets found in the ADDITIONAL section of responses received for CD=1 queries sent during TTL capping checks is too strict since these responses will contain records cached from multiple DNS messages received during the resolution process. In responses to queries sent with CD=1, ns.expiring.example/A in the ADDITIONAL section will come from a delegation returned by ns2 while the ANSWER section will come from an authoritative answer returned by ns3. If the queries to ns2 and ns3 happen at different Unix timestamps, RRsets cached from the older response will have a different TTL by the time they are returned to dig, triggering a false positive. Allow a safety margin of 60 seconds for checks inspecting the ADDITIONAL section of responses to queries sent with CD=1 to fix the issue. A safety margin this large is likely overkill, but it is used nevertheless for consistency with similar safety margins used in other TTL capping checks.
-
Michał Kępień authored
Commit c032c54d inadvertently changed the DNS message section inspected by one of the TTL capping checks from ADDITIONAL to ANSWER, introducing a discrepancy between that check's description and its actual meaning. Revert to inspecting the ADDITIONAL section in the aforementioned check.
-
Michał Kępień authored
Changes introduced by commit 6b8e4d6e were incomplete as not all time-sensitive checks were updated to match revised "nta-lifetime" and "nta-recheck" values. Prevent rare false positives by updating all NTA-related checks so that they work reliably with "nta-lifetime 12s;" and "nta-recheck 9s;". Update comments as well to prevent confusion.
-
Mark Andrews authored
Merge branch '803-add-return-code-to-allow-dlz-s-allowzonexfr-to-fall-back-to-to-the-view-s-allow-transfer-setting' into 'master' Resolve "Add return code to allow dlz's allowzonexfr to fall back to to the view's allow-transfer setting." Closes #803 See merge request isc-projects/bind9!1292
-
-
-
Mark Andrews authored
-
- 08 Mar, 2019 23 commits
-
-
Ondřej Surý authored
Restore missing check for flockfile and getc_unlocked See merge request isc-projects/bind9!1653
-
Ondřej Surý authored
-
Ondřej Surý authored
autoconf has native support for detecting LFS support See merge request isc-projects/bind9!1652
-
Ondřej Surý authored
-
Ondřej Surý authored
Set crlf in all *.vcxproj.* files See merge request isc-projects/bind9!1651
-
Ondřej Surý authored
-
Ondřej Surý authored
-
Ondřej Surý authored
Use compiler directive to include config.h as a first file See merge request isc-projects/bind9!1650
-
Ondřej Surý authored
-
Ondřej Surý authored
-
Ondřej Surý authored
-
Ondřej Surý authored
-
Ondřej Surý authored
Remove explicit '#include <config.h>' from the header files (the include should not have been there in the first place)
-
Ondřej Surý authored
-
Ondřej Surý authored
-
Ondřej Surý authored
-
Michał Kępień authored
Fix regex used for mangling druz/DNSKEY (in the "dlv" system test) See merge request isc-projects/bind9!1641
-
Michał Kępień authored
During "dlv" system test setup, the "sed" regex used for mangling the DNSKEY RRset for the "druz" zone does not include the plus sign ("+"), which may: - cause the replacement to happen near the end of DNSKEY RDATA, which can cause the latter to become an invalid Base64 string, - prevent the replacement from being performed altogether. Both cases prevent the "dlv" system test from behaving as intended and may trigger false positives. Add the missing character to the aforementioned regex to ensure the replacement is always performed on bytes 10-25 of DNSKEY RDATA.
-
Michał Kępień authored
Make delv use OS-supplied ephemeral port range Closes #925 See merge request isc-projects/bind9!1611
-
Michał Kępień authored
5180. [bug] delv now honors the operating system's preferred ephemeral port range. [GL #925]
-
Michał Kępień authored
Make delv honor the operating system's preferred ephemeral port range instead of always using the default 1024-65535 range for outgoing messages.
-
Mark Andrews authored
cleanup: use dns_secalg_t and dns_dsdigest_t where appropriate See merge request isc-projects/bind9!1498
-
Use them in structs for various rdata types where they are missing. This doesn't change the structs since we are replacing explicit uint8_t field types with aliases for uint8_t. Use dns_dsdigest_t in library function arguments. Improve dnssec-cds with these more specific types.
-