as previously mentioned in commit c65b2868ab, a cfg_obj_t
configuration tree structure takes up considerably more space than
the canonical text. since the zone configuration saved in the zone
object using dns_zone_setcfg() is only currently used for "rndc
showzone", it can be saved as text more efficiently than as an
object tree. (and, if a tree were needed, the text could be
re-parsed quickly; zone configuration text is generally small.)
Detection of implicit cast from a boolean into an int, or an
isc_result_t into a boolean (either in an assignement or return
position).
If such pattern is found, a warning comment is added into the code (and
the CI will fails) so the error can be spotted and manually fixed.
Merge branch 'colin/cocci-detect-iscresult-int-implicit-casts' into 'main'
See merge request isc-projects/bind9!11095
As the implicit cast check print "WARNING: ..." on stderr, add a pattern
to make sure that check-cocci would fails if such warning is found on
stderr. This is generic (not specific like the existing "parse error")
so it should be able to support future Coccinelle spatch warnings.
The `display_rrcomments` is a tri-state (-1, 0, 1) which is (in some
cases) initialized with `state`, a boolean, through an implicit cast.
This was spot by Coccinelle. Remove the implcit cast by explicitly
assigning 0 or 1 to `display_rrcomments` based on `state` value.
Detection of implicit cast from a boolean into an int, or an
isc_result_t into a boolean (either in an assignement or return
position).
If such pattern is found, a warning comment is added into the code (and
the CI will fails) so the error can be spotted and manually fixed.
Add a utility function to check for EDE codes present in the DNS
message. The primary benefit of this helper function is that it
handles the compatibility issues with different dnspython versions
and the actual test code doesn't have to deal with that any more.
Merge branch 'nicki/isctest-check-ede-helper' into 'main'
See merge request isc-projects/bind9!11182
Previously, hasattr("extended_errors") was used as a check to detect a
mimumum required dnspython version in order to only perform the EDE
check if a new-enough dnspython was present. This is now abstracted into
isctest.check.ede().
In order to support dnspython<2.2.0, use isctest.compat.EDECode rather
than using dns.edns.EDECode directly.
Add a utility function to check for EDE options present in the DNS
message. The primary benefit of this helper function is that it
handles the compatibility issues with different dnspython versions
and the actual test code doesn't have to deal with that any more.
Rather than using the convenience .extended_errors() method
introduced in dnspython 2.7.0, iterate over the options and find
EDEOption types, which is supported from 2.2.0 onwards.
To work around the issue of using dns.edns.EDECode to specify EDE codes
in our tests, create an isctest.compat.EDECode wrapper. This can be used
even with dnspython versions prior to 2.2.0 and will simply result in
no-op, since EDE isn't supported in the older dnspython anyway.
When shutting down an fctx, validators can just be canceled
without checking whether there are pending finds.
Merge branch 'ondrej/remove-maybe_cancel_validators' into 'main'
See merge request isc-projects/bind9!11229
A part of the `views` system test attempts to add multiples zones in a
loop, and after each zone being added, reconfig the server.
However, the test didn't take into account the fact that the server
might take a bit more time to reload than the script to move to the next
iteration, and in some case the test was re-requesting the server reload
when it was still reloading.
Since `b49f83a3`, `named` explicitly fails to reload when a load/reload
is pending, which is (unless proved otherwise) the reason of the test
was now randomly failing.
That part of the test is now waiting for the server log message saying
the server has added the new zone and is running. Also, that part of the
test has been rewrote in Python.
Closes#5617
Merge branch '5617-rewrite-reload-view-test' into 'main'
See merge request isc-projects/bind9!11225
A part of the `views` system test attempts to add multiples zones in a
loop, and after each zone being added, reconfig the server.
However, the test didn't take into account the fact that the server
might take a bit more time to reload than the script to move to the next
iteration, and in some case the test was re-requesting the server reload
when it was still reloading.
Since `b49f83a3`, `named` explicitly fails to reload when a load/reload
is pending, which is (unless proved otherwise) the reason of the test
was now randomly failing.
That part of the test is now waiting for the server log message saying
the server has added the new zone and is running. Also, that part of the
test has been rewrote in Python.
Harden `ede24` system test in order to avoid random failures, likely caused by timing issues. Also remove expiration-related dead-code (which should have been done in the original ede24 changes) as well as printing the query ID, as this should be useful to debug further flaky system test issues. (In particular, this one, if the changes made here are not enough).
Closes#5625
Merge branch '5625-fix-ede24-test' into 'main'
See merge request isc-projects/bind9!11217
Because ede24 system tests require stopping/restarting server, there is
always the risk that the test ends (with a failure) with server in an
wrong and impredictible state. This would make the other tests to fail
in a strange way as well.
To avoid this problem, split the test into different modules, so if a
module fails, the other module is not impacted as it uses separate
server instances.
There was a random failure of ede24 system test. While this is still a
bit speculative, the two reasons were:
- in the case of `test_ede24_noloaded` the test might attempt to early
(before the zone actually transfered on the secondary server) to query
ns2.
- still in the case of `test_ede24_noloaded`, even after waiting for
transfer succeed logs, if the CI machine is slow, the zone could be
expired before the request checking the secondary zone works because
the expiration time of the zone was very short (1s). Moving this
expiration time to 3 seconds should be enough (while not making the
test execution too much longer when waiting for the zone expiration).
- in the case of `test_ede24_expired`, the zone expired flag is flipped
and the log message is printed immediately after. However, it is
possible that because the flag is set using a relaxed atomic
operation, another thread process the query and gets the previous
(non-expired) value of the flag. In order to workaround this, the
test now also expects another log written after the zone expiration
(stop timers) on the next UV tick.
Adding the query ID to the query trace message. The log is now as the
following (id is at the end):
query client=0x7f75c5017000 thread=0x7f75c6dfe680(foo.fr/A): \
client attr:0x22300, query attr:0x700, restarts:0, \
origqname:foo.fr, timer:0, authdb:0, referral:0, id:21338
This should help debugging tests, in particular to quickly get a
specific query from the logs.
There is code duplication between `keyfetch` and `nsfetch`, refactor to allow common code paths to differentiate between them. This is in preparation for support of generalized DNS notifications, that will require fetching DSYNC records.
Merge branch 'matthijs-refactor-zone-fetch' into 'main'
See merge request isc-projects/bind9!11176
Scheduling and rescheduling a zonefetch is also similar. Refactor into
zonefetch functions. This also increments and decrements the zone's
internal reference counter in the same module, which may be less
confusing when reading the code.
Not doing this has lead to breakage caused by different dnspython
versions on different platforms only discovered in full nightly
pipelines.
Add a triggering rule for MRs changing code in bin/test/system.
Apply this rule to all nightly-only system test jobs.
Merge branch 'stepan/run-all-system-tests-on-system-test-change' into 'main'
See merge request isc-projects/bind9!11214
Not doing this has lead to breakage caused by different dnspython
versions on different platforms only discovered in full nightly
pipelines.
Add a triggering rule for MRs changing code in bin/test/system.
Apply this rule to all nightly-only system test jobs.
Compare only the dumped configuration as the `cfg_printx` does not NULL-terminate the configuration strings.
Merge branch 'colin/fix-parser-test' into 'main'
See merge request isc-projects/bind9!11215
Parser test could crash because the `dumpb2` buffer hasn't explicit C
NULL string termination after dumping the configuration tree in it.
`cfg_printx` does not doing this by default.
Fix the test by comparing only the strings written with strncmp.
a94aab9440 removed importorskip call from
isctest.name on which the functionality of this test relied.
Add an explicit importorskip call to the test.
Merge branch 'stepan/fix-tools-nsec3hash-on-jammy' into 'main'
See merge request isc-projects/bind9!11213
A mix of supported and unsupported DNSSEC algorithms in the same zone could have caused validation failures. Ignore the DNSSEC keys with unsupported algorithm when looking for the signing keys.
Closes#5622
Merge branch '5622-dont-fail-on-unsupported-algorithms' into 'main'
See merge request isc-projects/bind9!11208
When looking for a signing key in select_signing_key(), the result code
indicating unsupported algorithm would abort the search. Instead, skip
such keys and continue searching for the right key.
Co-Authored-By: Aram Sargsyan <aram@isc.org>
Co-Authored-By: Petr Menšík <pemensik@redhat.com>
Under the overmem conditions, the header could get unlinked from the
SIEVE LRU using a different path. This could lead to double-unlink
which causes assertion failure. Add a guard to ISC_SIEVE_UNLINK() to
unlink only still linked headers.
Closes#5606
Merge branch '5606-fix-assertion-failure-in-overmem-cleaning' into 'main'
See merge request isc-projects/bind9!11166
Under the overmem conditions, the header could get unlinked from the
SIEVE LRU using a different path. This could lead to double-unlink
which causes assertion failure. Add a guard to ISC_SIEVE_UNLINK() to
unlink only still linked headers.
Maintaining compatibility with pre-2.0.0 dnspython became cumbersome
leading to failure in nightly CI jobs which are the only ones that run
with dnspython this old.
Abort all AsyncServer instances when running with old dnspython. Add an
importor skip for all system tests using isctest.asyncserver.
Full removal of pre-2.0.0 `dnspython` support is planned for after 9.18
goes EoL.
Merge branch 'stepan/require-dnspython-2-for-asyncserver' into 'main'
See merge request isc-projects/bind9!11191
Maintaining compatibility with pre-2.0.0 dnspython became cumbersome
leading to failure in nightly CI jobs which are the only ones that run
with dnspython this old.
Abort all AsyncServer instances when running with old dnspython. Add an
importor skip for all system tests using isctest.asyncserver.
They can be used outside of test modules (like ans.py custom servers)
which leads to pytest.outcomes.Skipped being raised in weird places and
skipping of tests which don't need dnspython this new.
Remove pytest.importskip from top scope in isctest.name, only run the
check when ZoneAnalyzer is used.
Add a new GitLab CI job that automatically generates post-disclosure
notifications for BIND 9 security releases based on the metadata for the
current release cycle.
Add a new GitLab CI job that automatically generates T-1 packager
notifications for BIND 9 security releases based on the metadata for the
current release cycle.
Add a new GitLab CI job that automatically generates public T-5
pre-announcements for BIND 9 security releases based on the metadata for
the current release cycle.
Enable manually providing (via an optional CI variable) Printing Press
jobs with the list of security releases in a given release cycle in case
autodetection fails for any reason.
Enable manually providing (via an optional CI variable) Printing Press
jobs with the list of CVE IDs fixed in a given release cycle in case
autodetection fails for any reason.
Extract common YAML keys used by release-related job definitions into
reusable anchors to ensure consistency and limit repetition across
multiple similar jobs.
