many of the zones in the dnssec system test were identical or
had only trivial differences, and it would be easier to keep track
of them if they were sourced from template files.
also, the extra_artifacts have been simplified and restored to
the test files.
the shell tests that queried servers to check correct signing
behavior (using dnssec-signzone, dnssec-policy and nsupdate),
as well as "rndc signing", private-type records, rndc zonestatus,
offline keys, etc, have been moved to tests_signing.py.
the minimal update test in the dnssec_update_test.pl script
was also moved here and the perl script has been removed.
begin converting DNSSEC validation tests from shell to python,
and simplify the name servers used in the test.
ns4, the name server used for validation tests, is now configured
using jinja2 templates.
ns8, which was previously used for testing unsupported, disabled
and revoked keys and trust anchors, has been removed. we now
use a jinja2 configuration in ns5 for this purpose.
the configurations in ns7 and ns6 didn't conflict with one another,
so the two servers have been merged into one.
- dnssec tool tests (i.e., dnssec-signzone, dnssec-keygen, etc) that
don't require interaction with a running server have been moved
to a new 'dnssectools' system test directory.
- a dig formatting test has been moved to digdelv.
- a named-rrchecker test has been moved to rrchecker
the tests of "rndc nta" behavior have been moved out of the
dnssec shell test, into bin/tests/system/nta, and converted
to python. features of the dnssec test framework that were
needed for NTA testing have been moved to the nta test, and
dnssec has been correspondingly simplified.
- changed named.conf.in to named.conf.j2 in all server directories that
don't currently need to use copy_setports() during the test.
- converted the tests that use ns5 to python, and replaced
named1.conf.in and named2.conf.in with a jinja2 template instead.
the only remaining server that still needs copy_setports() is ns4.
- removed ns4/named5.conf.in, and moved its functions to ns5 (which
is supposed to be for servers with broken trust-anchor configurations,
so it should have been there in the first place). converted the tests
that used that ns4 configuration to use ns5 with jinja instead.
- revised the remaining ns4 configurations (named[1-4].conf.in) to
minimize the differences between them. this will make it easier to
convert it into a jinja2 template later.
The `cross-version-config-tests` CI job had to be removed due to radical
differences between meson and autoconf. With the release of 9.21.11
this job now can be reintroduced by comparing two meson built BIND
source trees.
This reverts commit b4a2674d98.
The --fs-capture-search option is no more. The ability to analyse Python
scripts in Coverity turned out to be questionable anyways.
Closes#5456
Merge branch '5456-coverity-scan-drop-fs-capture-search-option' into 'main'
See merge request isc-projects/bind9!10808
This reverts commit b4a2674d98.
The --fs-capture-search option is no more. The ability to analyse Python
scripts in Coverity turned out to be questionable anyways.
Add a new CI job that checks whether all meson.build files in the
repository are formatted in the exact same way as "muon fmt" would
format them. This enforces formatting consistency across all
meson.build files in the repository and enables updating their contents
using dedicated tools, e.g. "meson rewrite".
See #5379
Merge branch '5379-check-meson.build-formatting-in-ci' into 'main'
See merge request isc-projects/bind9!10770
Add a new CI job that checks whether all meson.build files in the
repository are formatted in the exact same way as "muon fmt" would
format them. This enforces formatting consistency across all
meson.build files in the repository and enables updating their contents
using dedicated tools, e.g. "meson rewrite".
MR !10753 breaks macOS build for plugin unit test as its linker doesn't
supports `--wrap` option, which is used in in order to mock the function
`isc_file_exits()`.
To work around the problem, a mocked `isc_file_exits()` is implemented
inside the plugin test as a static function before inlining the file
using it, which effectively links to this version rather than the isclib
one.
Closes#5455
Merge branch '5455-fix-macos-build-plugintest' into 'main'
See merge request isc-projects/bind9!10796
Parts of ns_plugin_expandpath() test expected the plugin extension to be
appened automatically (the plugin name/path is provided without the
extension), this enable to test the logic which adds the correct
extension based on the platfrom.
But the expected expanded paths from the test were hard coded with the
`.so` extension, so the test can't pass on macOS platform. This fixes
the test by using the macro providing the current-platform extension.
MR !10753 breaks macOS build for plugin unit test as its linker doesn't
supports `--wrap` option, which is used in in order to mock the function
`isc_file_exits()`.
To work around the problem, a mocked `isc_file_exits()` is implemented
inside the plugin test as a static function before inlining the file
using it, which effectively links to this version rather than the isclib
one.
added some helper functions in isctest to reduce code repetition
in dnssec-related tests:
- isctest.check.adflag() - checks that a response contains AD=1
- isctest.check.noadflag() - checks that a response contains AD=0
- isctest.check.rdflag() - checks that a response contains RD=1
- isctest.check.nordflag() - checks that a response contains RD=0
- isctest.check.raflag() - checks that a response contains RA=1
- isctest.check.noraflag() - checks that a response contains RA=0
- isctest.check.rr_count_eq() - checks the number of RRsset in a section
- isctest.check.same_data() - checks that two message have the
same rcode and data
- isctest.check.same_answer() - checks that two message have the same
rcode and answer
- isctest.query.create() - a wrapper for dns.message.make_query() that
creates a query message similar to dig +dnssec
Merge branch 'each-isctest-helpers' into 'main'
See merge request isc-projects/bind9!10760
Rather than using the dnspython's facilities and defaults to create the
queries, use the isctest.query.create function in all the cases that
don't require special handling to have consistent defaults.
Use a common function to count the number of RRs in any section of the
DNS message. For the ADDITIONAL section, stick with the dnspython
convention of not including OPT and TSIG.
added some helper functions in isctest to reduce code repetition
in dnssec-related tests:
- isctest.check.adflag() - checks that a response contains AD=1
- isctest.check.noadflag() - checks that a response contains AD=0
- isctest.check.rdflag() - checks that a response contains RD=1
- isctest.check.nordflag() - checks that a response contains RD=0
- isctest.check.answer_count_eq() - checks the answer count is correct
- isctest.check.additional_count_eq() - same for authority count
- isctest.check.authority_count_eq() - same for additional count
- isctest.check.same_data() - check that two message have the
same rcode and data
- isctest.check.same_answer() - check that two message have the same
rcode and answer
- isctest.dnssec.msg() - a wrapper for dns.message.make_query() that
creates a query message similar to dig +dnssec:
use_edns=True, want_dnssec=True,
and flags are set to (RD|AD) by default, but
options exist to disable AD or enable CD.
(to generate non-DNSSEC queries, use
message.make_query() directly.)
MR !10238 added key collision detection in the ksr system test but it was flawed because for every "collide" in the output we also log
"Generating an new key" and for each "Generating" we add the counter by one, nullifying the subtract by one.
Fix by splitting the output on ':' rather than on the default whitespace. Also make the substring matching more strict.
Closes#5229 (again)
Merge branch '5229-ksr-key-collision' into 'main'
See merge request isc-projects/bind9!10775
MR !10238 added key collision detection in the ksr system test but it
was flawed because for every "collide" in the output we also log
"Generating an new key" and for each "Generating" we add the counter
by one, nullifying the subtract by one.
Use regular expressions to search in the output and make the string
expression more strict.
Add missing type hints in the tests_nsec3.py module. Tweak the syntax
used for type hints for better consistency with other Python code in
bin/tests/system/.
Basic sanity checks - limited to responses from a single zone:
- NSEC3 type cannot be present in type bitmap:
By definition, the type bitmap describes state of the unhashed name
but NSEC3 RR is present at a different owner name. RFC 7129 section 5
- NSEC3 owner names cannot be duplicated:
Unless the response crosses zone boundary, parent zone has insecure
delegation for child, but child is signed ... don't do that.
- All parameters are consistent across all RRs present in answer:
RFC 5155 section 7.2, last paragraph - at least when we don't cross
zone boundary.
Untangling individual cases allows for clearer documentation and makes
it easier to build similar but slightly different test cases. Wildcard
NODATA answer was added.
