The old name "common" clashes with the convention of system test
directory naming. It appears as a system test directory, but it only
contains helper files.
To reduce confusion and to allow automatic detection of issues with
possibly missing test files, rename the helper directory to "_common".
The leading underscore indicates the directory is different and the its
name can no longer be confused with regular system test directories.
The inline system test tests 'auto-dnssec' in conjunction with
'inline-signing'. Change the tests to make use of 'dnssec-policy'.
Remove some tests that no longer make sense:
- The 'retransfer3.' zone tests changing the parameters with
'rndc signing -nsec3param'. This command is going away and NSEC3
parameters now need to be configured with nsec3param within
'dnssec-policy'.
- The 'inactivezsk.' and 'inactiveksk.' zones test whether the ZSK take
over signing if the KSK is inactive, or vice versa. This fallback
mode longer makes sense when using a DNSSEC policy.
Some tests need to be adapted more than just changing 'auto-dnssec'
to 'dnssec-policy':
- The 'delayedkeys.' zone first needs to be configured as insecure,
then we can change it to start signing. Previously, no existing
keys means that you cannot sign the zone, with 'dnssec-policy'
new keys will be created.
- The 'updated.' zone needs to have key states in a specific state
so that the minimal journal check still works (otherwise CDS/
CDNSKEY and related records will be in the journal too).
- External keys are now added to the unsigned zone and no longer
are maintained with key files. Adjust the 'externalkey.' zone
accordingly.
- The 'nsec3-loop.' zone requires three signing keys. Since
'dnssec-policy' will ignore duplicates in the 'keys' section,
create RSASHA256 keys with different role and/or key length.
Finally, the 'externalkey.' zone checks for an expected number of
DNSKEY and RRSIG records in the response. This used to be 3 DNSKEY
and 2 RRSIG records. Due to logic behavior changes (key timing
metadata is no longer authoritative, these expected values are
changed to 4 DNSKEY records (two signing keys and two external keys
per algorithm) and 1 RRSIG record (one active KSK per signing
algorithm).
This commit converts the license handling to adhere to the REUSE
specification. It specifically:
1. Adds used licnses to LICENSES/ directory
2. Add "isc" template for adding the copyright boilerplate
3. Changes all source files to include copyright and SPDX license
header, this includes all the C sources, documentation, zone files,
configuration files. There are notes in the doc/dev/copyrights file
on how to add correct headers to the new files.
4. Handle the rest that can't be modified via .reuse/dep5 file. The
binary (or otherwise unmodifiable) files could have license places
next to them in <foo>.license file, but this would lead to cluttered
repository and most of the files handled in the .reuse/dep5 file are
system test files.
this changes most visble uses of master/slave terminology in tests.sh
and most uses of 'type master' or 'type slave' in named.conf files.
files in the checkconf test were not updated in order to confirm that
the old syntax still works. rpzrecurse was also left mostly unchanged
to avoid interference with DNSRPS.
- add CHANGES note
- update copyrights and license headers
- add -j to the make commands in .gitlab-ci.yml to take
advantage of parallelization in the gitlab CI process
3943. [func] SERVFAIL responses can now be cached for a
limited time (configured by "servfail-ttl",
default 10 seconds, limit 30). This can reduce
the frequency of retries when an authoritative
server is known to be failing, e.g., due to
ongoing DNSSEC validation problems. [RT #21347]
