Import 9.16.42 (last was 9.16.37)

--- 9.16.42 released ---

6192.	[security]	A query that prioritizes stale data over lookup
			triggers a fetch to refresh the stale data in cache.
			If the fetch is aborted for exceeding the recursion
			quota, it was possible for 'named' to enter an infinite
			callback loop and crash due to stack overflow. This has
			been fixed. (CVE-2023-2911) [GL #4089]

6190.	[security]	Improve the overmem cleaning process to prevent the
			cache going over the configured limit. (CVE-2023-2828)
			[GL #4055]

6183.	[bug]		Fix a serve-stale bug where a delegation from cache
			could be returned to the client. [GL #3950]

6173.	[bug]		Properly process extra "nameserver" lines in
			resolv.conf; otherwise the next line is not properly
			processed. [GL #4066]

6169.	[bug]		named could crash when deleting inline-signing zones
			with "rndc delzone". [GL #4054]

	--- 9.16.41 released ---

6157.	[bug]		When removing delegations in an OPTOUT range
			empty-non-terminal NSEC3 records generated by
			those delegations were not removed. [GL #4027]

	--- 9.16.40 released ---

6142.	[bug]		Reduce the number of dns_dnssec_verify calls made
			determining if revoked keys need to be removed from
			the trust anchors. [GL #3981]

6138.	[doc]		Fix the DF-flag documentation on the outgoing
			UDP packets. [GL #3710]

6132.	[doc]		Remove a dead link in the DNSSEC guide. [GL #3967]

6129.	[cleanup]	Value stored to 'source' during its initialization is
			never read. [GL #3965]

6124.	[bug]		When changing from an NSEC3-capable DNSSEC algorithm to
			an NSEC3-incapable DNSSEC algorithm using KASP, the zone
			could sometimes be incompletely signed. [GL #3937]

5741.	[bug]		Log files with "timestamp" suffixes could be left in
			place after rolling, even if the number of preserved
			log files exceeded the configured "versions" limit.
			[GL #828] [GL #3959]

	--- 9.16.39 released ---

6119.	[bug]		Make sure to revert the reconfigured zones to the
			previous version of the view, when the new view
			reconfiguration fails during the configuration of
			one of the configured zones. [GL #3911]

6116.	[bug]		Fix error path cleanup issue in the dns_catz_new_zones()
			function. [GL #3900]

6115.	[bug]		Unregister db update notify callback before detaching
			from the previous db inside the catz update notify
			callback. [GL #3777]

6105.	[bug]		Detach 'rpzs' and 'catzs' from the previous view in
			configure_rpz() and configure_catz(), respectively,
			just after attaching it to the new view. [GL #3880]

6098.	[test]		Don't test HMAC-MD5 when not supported by libcrypto.
			[GL #3871]

6095.	[test]		Test various 'islands of trust' configurations when
			using managed keys. [GL #3662]

6094.	[bug]		Building against (or running with) libuv versions
			1.35.0 and 1.36.0 is now a fatal error.  The rules for
			mixing and matching compile-time and run-time libuv
			versions have been tightened for libuv versions between
			1.35.0 and 1.40.0. [GL #3840]

	--- 9.16.38 released ---

6083.	[bug]		Fix DNSRPS-enabled builds as they were inadvertently
			broken by change 6042. [GL #3827]

6081.	[bug]		Handle primary server address lookup failures in
			nsupdate more gracefully. [GL #3830]

6080.	[bug]		'named -V' leaked memory. [GL #3829]

6079.	[bug]		Force set the DS state after a 'rndc dnssec -checkds'
			command. [GL #3822]

6075.	[bug]		Add missing node lock when setting node->wild in
			add_wildcard_magic. [GL #3799]

6072.	[bug]		Avoid the OpenSSL lock contention when initializing
			Message Digest Contexts by using explicit algorithm
			fetching, initializing static contexts for every
			supported algorithm, and initializing the new context
			by copying the static copy. [GL #3795]

6069.	[bug]		Detach from the view in zone_shutdown() to
			release the memory held by the dead view
			early. [GL #3801]
christos 2023-06-26 21:45:59 +00:00
parent 45e235d0ba
commit fed34e531e
125 changed files with 2058 additions and 708 deletions

View File

@ -1,3 +1,111 @@
--- 9.16.42 released ---
6192. [security] A query that prioritizes stale data over lookup
triggers a fetch to refresh the stale data in cache.
If the fetch is aborted for exceeding the recursion
quota, it was possible for 'named' to enter an infinite
callback loop and crash due to stack overflow. This has
been fixed. (CVE-2023-2911) [GL #4089]
6190. [security] Improve the overmem cleaning process to prevent the
cache going over the configured limit. (CVE-2023-2828)
[GL #4055]
6183. [bug] Fix a serve-stale bug where a delegation from cache
could be returned to the client. [GL #3950]
6173. [bug] Properly process extra "nameserver" lines in
resolv.conf otherwise the next line is not properly
processed. [GL #4066]
6169. [bug] named could crash when deleting inline-signing zones
with "rndc delzone". [GL #4054]
--- 9.16.41 released ---
6157. [bug] When removing delegations in an OPTOUT range
empty-non-terminal NSEC3 records generated by
those delegations were not removed. [GL #4027]
--- 9.16.40 released ---
6142. [bug] Reduce the number of dns_dnssec_verify calls made
determining if revoked keys needs to be removed from
the trust anchors. [GL #3981]
6138. [doc] Fix the DF-flag documentation on the outgoing
UDP packets. [GL #3710]
6132. [doc] Remove a dead link in the DNSSEC guide. [GL #3967]
6129. [cleanup] Value stored to 'source' during its initialization is
never read. [GL #3965]
6124. [bug] When changing from a NSEC3 capable DNSSEC algorithm to
an NSEC3 incapable DNSSEC algorithm using KASP the zone
could sometimes be incompletely signed. [GL #3937]
5741. [bug] Log files with "timestamp" suffixes could be left in
place after rolling, even if the number of preserved
log files exceeded the configured "versions" limit.
[GL #828] [GL #3959]
--- 9.16.39 released ---
6119. [bug] Make sure to revert the reconfigured zones to the
previous version of the view, when the new view
reconfiguration fails during the configuration of
one of the configured zones. [GL #3911]
6116. [bug] Fix error path cleanup issue in the dns_catz_new_zones()
function. [GL #3900]
6115. [bug] Unregister db update notify callback before detaching
from the previous db inside the catz update notify
callback. [GL #3777]
6105. [bug] Detach 'rpzs' and 'catzs' from the previous view in
configure_rpz() and configure_catz(), respectively,
just after attaching it to the new view. [GL #3880]
6098. [test] Don't test HMAC-MD5 when not supported by libcrypto.
[GL #3871]
6095. [test] Test various 'islands of trust' configurations when
using managed keys. [GL #3662]
6094. [bug] Building against (or running with) libuv versions
1.35.0 and 1.36.0 is now a fatal error. The rules for
mixing and matching compile-time and run-time libuv
versions have been tightened for libuv versions between
1.35.0 and 1.40.0. [GL #3840]
--- 9.16.38 released ---
6083. [bug] Fix DNSRPS-enabled builds as they were inadvertently
broken by change 6042. [GL #3827]
6081. [bug] Handle primary server address lookup failures in
nsupdate more gracefully. [GL #3830]
6080. [bug] 'named -V' leaked memory. [GL #3829]
6079. [bug] Force set the DS state after a 'rdnc dnssec -checkds'
command. [GL #3822]
6075. [bug] Add missing node lock when setting node->wild in
add_wildcard_magic. [GL #3799]
6072. [bug] Avoid the OpenSSL lock contention when initializing
Message Digest Contexts by using explicit algorithm
fetching, initializing static contexts for every
supported algorithms, and initializing the new context
by copying the static copy. [GL #3795]
6069. [bug] Detach from the view in zone_shutdown() to
release the memory held by the dead view
early. [GL #3801]
--- 9.16.37 released ---
6067. [security] Fix serve-stale crash when recursive clients soft quota
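Review bot: entry 6079 in the added block reads 'rdnc dnssec -checkds'; the utility is 'rndc', so the typo should be fixed in CHANGES (it is also carried into the commit message above). Two smaller grammar slips in the same block: entry 6142 says "revoked keys needs" and entry 6072 "every supported algorithms".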
@ -48,6 +156,13 @@
6044. [bug] There was an "RSASHA236" typo in a log message.
[GL !7206]
5845. [bug] Refactor the timer to keep track of posted events
as to use isc_task_purgeevent() instead of using
isc_task_purgerange(). The isc_task_purgeevent()
has been refactored to purge a single event instead
of walking through the list of posted events.
[GL #3252]
--- 9.16.36 released ---
6043. [bug] The key file IO locks objects would never get

View File

@ -57,14 +57,14 @@ To clone the repository, use:
$ git clone https://gitlab.isc.org/isc-projects/bind9.git
Release branch names are of the form v9_X, where X represents the second
number in the BIND 9 version number. So, to check out the BIND 9.12
Release branch names are of the form bind-9.X, where X represents the
second number in the BIND 9 version number. So, to check out the BIND 9.18
branch, use:
$ git checkout v9_12
$ git checkout bind-9.18
Whenever a branch is ready for publication, a tag is placed of the form
v9_X_Y. The 9.12.0 release, for instance, is tagged as v9_12_0.
v9.X.Y. The 9.18.0 release, for instance, is tagged as v9.18.0.
The branch in which the next major release is being developed is called
main.

View File

@ -71,14 +71,14 @@ To clone the repository, use:
> $ git clone https://gitlab.isc.org/isc-projects/bind9.git
Release branch names are of the form `v9_X`, where X represents the second
number in the BIND 9 version number. So, to check out the BIND 9.12
Release branch names are of the form `bind-9.X`, where X represents the second
number in the BIND 9 version number. So, to check out the BIND 9.18
branch, use:
> $ git checkout v9_12
> $ git checkout bind-9.18
Whenever a branch is ready for publication, a tag is placed of the
form `v9_X_Y`. The 9.12.0 release, for instance, is tagged as `v9_12_0`.
form `v9.X.Y`. The 9.18.0 release, for instance, is tagged as `v9.18.0`.
The branch in which the next major release is being developed is called
`main`.

View File

@ -24,6 +24,7 @@ prog = "dnssec-coverage"
from isc import dnskey, eventlist, keydict, keyevent, keyzone, utils
############################################################################
# print a fatal error and exit
############################################################################

View File

@ -14,6 +14,7 @@ import time
import calendar
from subprocess import Popen, PIPE
########################################################################
# Class dnskey
########################################################################

View File

@ -17,6 +17,7 @@ prog = "dnssec-keymgr"
from isc import dnskey, keydict, keyseries, policy, parsetab, utils
############################################################################
# print a fatal error and exit
############################################################################

View File

@ -14,6 +14,7 @@ import sys
import re
from subprocess import Popen, PIPE
########################################################################
# Exceptions
########################################################################

View File

@ -173,9 +173,13 @@ Currently supported commands are:
notation.
``dnstap`` ( **-reopen** | **-roll** [*number*] )
This command closes and re-opens DNSTAP output files. ``rndc dnstap -reopen`` allows
This command closes and re-opens DNSTAP output files.
``rndc dnstap -reopen`` allows
the output file to be renamed externally, so that ``named`` can
truncate and re-open it. ``rndc dnstap -roll`` causes the output file
truncate and re-open it.
``rndc dnstap -roll`` causes the output file
to be rolled automatically, similar to log files. The most recent
output file has ".0" appended to its name; the previous most recent
output file is moved to ".1", and so on. If ``number`` is specified, then

View File

@ -99,7 +99,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
# and other values? right out
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
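Review bot: making the HMAC algorithm explicit in `-y "${DEFAULT_HMAC}:three:1234abcd8765"` is the right fix: without an algorithm prefix dig assumes hmac-md5, which entry 6098 notes may be unsupported by libcrypto, so the old form could fail for a reason unrelated to the access check being tested. Unrelated but visible in the hunk's context line: the earlier check echoes `test $tt failed` where `$t` is meant.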

View File

@ -23,14 +23,13 @@ rm -f active.key inact.key del.key delzsk.key unpub.key standby.key rev.key
rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
rm -f dig.out.*
rm -f digcomp.out.test*
rm -f digcomp.out.test*
rm -f noksk-ksk.key nozsk-ksk.key nozsk-zsk.key inaczsk-zsk.key inaczsk-ksk.key
rm -f nopriv.key vanishing.key del1.key del2.key
rm -f ns*/managed-keys.bind*
rm -f ns*/named.lock
rm -f ns*/named.lock
rm -f ns1/root.db
rm -f ns2/example.db
rm -f ns2/optout-with-ent.db
rm -f ns2/private.secure.example.db ns2/bar.db
rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
rm -f ns3/*.nzf
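Review bot: the +/- markers are lost in this rendering, so it is not clear which of `rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf` and `rm -f ns3/*.nzf` is the new line; whichever survives should still cover the .nzd and .nzd-lock files that named creates next to the .nzf when built with LMDB, otherwise state from a previous run can leak into the next one. The doubled `rm -f digcomp.out.test*` and `rm -f ns*/named.lock` lines read as whitespace-only old/new pairs, which is fine.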

View File

@ -56,3 +56,11 @@ do
done
$KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null
$DSFROMKEY Kbar.+013+60101.key > dsset-bar$TP
# a zone with empty non-terminals.
zone=optout-with-ent
zonefile=optout-with-ent.db
infile=optout-with-ent.db.in
cat $infile > $zonefile
kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null

View File

@ -96,4 +96,13 @@ zone "child.optout.example" {
auto-dnssec maintain;
};
zone "optout-with-ent" {
type primary;
file "optout-with-ent.db";
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
auto-dnssec maintain;
};
include "trusted.conf";

View File

@ -0,0 +1,22 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA ns2.example. . (
2010042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2.example.
sub1.ent NS .
sub2.ent NS .

View File

@ -153,7 +153,7 @@ do
$DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1
grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1
done
for z in bar. example. private.secure.example.
for z in bar. example. private.secure.example. optout-with-ent.
do
$DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
@ -173,6 +173,9 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "done"; fi
status=$((status + ret))
echo_i "Convert optout-with-ent from nsec to nsec3"
($RNDCCMD 10.53.0.2 signing -nsec3param 1 1 1 - optout-with-ent 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
echo_i "Initial counts of RRSIG expiry fields values for auto signed zones"
for z in .
do
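Review bot: the `|| ret=1` on the `rndc signing -nsec3param 1 1 1 - optout-with-ent` line is not followed by the usual `if [ $ret != 0 ]` / `status=$((status + ret))` pair and does not get its own test number, so a failure to convert the zone to NSEC3 would either be lost if the next block resets `ret` or be reported under the next test's number. Wrapping the conversion in its own numbered check would make a failure here attributable; the ENT check later in this file depends on this conversion having happened.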
@ -1741,5 +1744,45 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check removal of ENT NSEC3 records when opt out delegations are removed ($n)"
ret=0
zone=optout-with-ent
hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL
# check that NSEC3 for ENT is present
$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n
grep "status: NOERROR" dig.out.pre.ns2.test$n >/dev/null || ret=1
grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n > /dev/null || ret=1
grep "^${hash}.${zone}." dig.out.pre.ns2.test$n > /dev/null || ret=1
# remove first delegation of two delegations, NSEC3 for ENT should remain.
(
echo zone $zone
echo server 10.53.0.2 "$PORT"
echo update del sub1.ent.$zone NS
echo send
) | $NSUPDATE
# check that NSEC3 for ENT is still present
$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n
$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.mid.ns2.test$n
grep "status: NOERROR" dig.out.mid.ns2.test$n >/dev/null || ret=1
grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n > /dev/null || ret=1
grep "^${hash}.${zone}." dig.out.mid.ns2.test$n > /dev/null || ret=1
# remove second delegation of two delegations, NSEC3 for ENT should be deleted.
(
echo zone $zone
echo server 10.53.0.2 "$PORT"
echo update del sub2.ent.$zone NS
echo send
) | $NSUPDATE
# check that NSEC3 for ENT is gone present
$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.post.ns2.test$n
grep "status: NXDOMAIN" dig.out.post.ns2.test$n >/dev/null || ret=1
grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n > /dev/null || ret=1
grep "^${hash}.${zone}." dig.out.post.ns2.test$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" > dig.out.axfr.ns2.test$n
grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n > /dev/null && ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
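Review bot: in the "check that NSEC3 for ENT is still present" step, the first `$DIG ... > dig.out.pre.ns2.test$n` line is a leftover that overwrites the pre-update capture taken before the first delegation was removed; only the `dig.out.mid.ns2.test$n` line should remain, otherwise the pre-state file no longer reflects what it was checked against. Two smaller points: the comment "check that NSEC3 for ENT is gone present" should read "is gone", and `hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL` is only valid for the `1 1 1 -` NSEC3 parameters set earlier in this file, which is worth stating in a comment so the constant is regenerated if those parameters change.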

View File

@ -23,6 +23,7 @@ rm -f ns1/*dom*example.db
rm -f ns2/__catz__*db
rm -f ns2/named.conf.tmp
rm -f ns3/dom13.example.db ns3/dom14.example.db
rm -f ns4/catalog-self.example.db
rm -f nsupdate.out.*
rm -f ns[123]/catalog[1234].example.db
rm -rf ns2/zonedir

View File

@ -47,7 +47,7 @@ options {
};
# A faulty dlz configuration to check if named and catz survive a certain class
# of failed configuration attempts (see GL#3060).
# of failed configuration attempts (see GL #3060).
# We use "dlz" because the dlz processing code is located in an ideal place in
# the view configuration function for the test to cover the view reverting code.
#T3dlz "bad-dlz" {
@ -78,6 +78,15 @@ zone "catalog4.example" {
primaries { 10.53.0.1; };
};
# When the following zone configuration is enabled, "dom3.example" should
# already exist as a member of "catalog1.example", and named should be able
# to deal with that situation (see GL #3911). Make sure that this duplicate
# zone comes after the the "catalog1.example" zone in the configuration file.
#T4zone "dom3.example" {
#T4 type secondary;
#T4 file "dom2.example.db";
#T4};
key tsig_key. {
secret "LSAnCU+Z";
algorithm @DEFAULT_HMAC@;
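Review bot: the added comment has a doubled word, "after the the "catalog1.example" zone"; drop one "the". The ordering requirement it states (the duplicate "dom3.example" zone must come after "catalog1.example") is what makes the GL #3911 revert path fire, so keeping the comment, minus the typo, is useful.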

View File

@ -0,0 +1,14 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
@ 3600 SOA . . 1 86400 3600 86400 3600
@ 3600 IN NS invalid.
version IN TXT "1"

View File

@ -0,0 +1,55 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
include "../../common/rndc.key";
controls {
inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { fd92:7065:b8e:ffff::4; };
notify no;
notify-delay 0;
recursion no;
serial-query-rate 100;
ixfr-from-differences yes; // GL #3777
catalog-zones {
zone "catalog-self.example"
min-update-interval 1s
default-masters { 10.53.0.4; };
};
};
zone "catalog-self.example" {
type primary;
file "catalog-self.example.db";
notify explicit;
};
key tsig_key. {
secret "LSAnCU+Z";
algorithm @DEFAULT_HMAC@;
};
key next_key. {
secret "LaAnCU+Z";
algorithm @DEFAULT_HMAC@;
};

View File

@ -19,10 +19,12 @@ $SHELL clean.sh
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named1.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
cp -f ns1/catalog.example.db.in ns1/catalog1.example.db
cp -f ns3/catalog.example.db.in ns3/catalog2.example.db
cp -f ns1/catalog.example.db.in ns1/catalog3.example.db
cp -f ns1/catalog.example.db.in ns1/catalog4.example.db
cp -f ns4/catalog.example.db.in ns4/catalog-self.example.db
mkdir -p ns2/zonedir

View File

@ -373,6 +373,9 @@ wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
nextpart ns2/named.run >/dev/null
# GL #3060
n=$((n+1))
echo_i "reconfiguring secondary - checking if catz survives a certain class of failed reconfiguration attempts ($n)"
ret=0
@ -397,6 +400,38 @@ rndccmd 10.53.0.2 reconfig || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
nextpart ns2/named.run >/dev/null
# GL #3911
n=$((n+1))
echo_i "reconfiguring secondary - checking if catz survives another type of failed reconfiguration attempts ($n)"
ret=0
sed -e "s/^#T4//" < ns2/named1.conf.in > ns2/named.conf.tmp
copy_setports ns2/named.conf.tmp ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
# catalog zone update can be deferred
sleep 2
n=$((n+1))
echo_i "checking again that dom3.example. is served by secondary ($n)"
ret=0
wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "reconfiguring secondary - reverting the bad configuration ($n)"
ret=0
copy_setports ns2/named1.conf.in ns2/named.conf
rndccmd 10.53.0.2 reconfig || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
nextpart ns2/named.run >/dev/null
n=$((n+1))
echo_i "removing all records from catalog1 zone ($n)"
ret=0
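Review bot: the GL #3911 check only asserts that `rndc reconfig` fails (`&& ret=1`), not why; since `nextpart ns2/named.run` was called just before, a `grep` of named.run for the duplicate-zone error for "dom3.example" would confirm the failure is the intended one rather than an unrelated configuration error. The fixed `sleep 2` before "checking again that dom3.example. is served" mostly adds latency, because `wait_for_soa` already retries; if it is needed for the deferred catalog update, say so in the comment.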
@ -1858,5 +1893,23 @@ wait_for_message ns2/named.run "transfer of 'dom19.example/IN' from 10.53.0.1#${
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
##########################################################################
# GL #3777
nextpart ns4/named.run >/dev/null
n=$((n+1))
echo_i "Adding domain self.example. to catalog-self zone without updating the serial ($n)"
ret=0
echo "self.zones.catalog-self.example. 3600 IN PTR self.example." >> ns4/catalog-self.example.db
rndccmd 10.53.0.4 reload || ret=1
n=$((n+1))
echo_i "Issuing another rndc reload command after 1 second ($n)"
sleep 1
rndccmd 10.53.0.4 reload || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
##########################################################################
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
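Review bot: the `|| ret=1` on the first `rndccmd 10.53.0.4 reload` (test "Adding domain self.example. to catalog-self zone") is not checked before `n=$((n+1))`, so a failure there is reported under the next test's number; add the usual `if [ $ret -ne 0 ]; then echo_i "failed"; fi` and `status=$((status+ret))` after it. Since GL #3777 was a crash in the catz update-notify path, the second reload after `sleep 1` doubles as the liveness check; an explicit query against 10.53.0.4 after the second reload would make that intent visible in the test.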

View File

@ -265,7 +265,7 @@ def create_response(msg):
if wantsigs:
r.answer.append(sigs[-1])
else:
for (i, sig) in rrs:
for i, sig in rrs:
if sig and not wantsigs:
continue
elif sig:

View File

@ -20,5 +20,5 @@ dnssec-policy "bad-keylen" {
zone "example.net" {
type master;
file "example.db";
dnssec-policy "badkeylen";
dnssec-policy "bad-keylen";
};
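Review bot: the zone referenced `dnssec-policy "badkeylen"` while the policy defined in the hunk header is "bad-keylen", so before this change the configuration would have been rejected for an undefined policy rather than for the key length the test is meant to exercise; the rename makes the test check the intended condition.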

View File

@ -35,6 +35,7 @@ from dns.rdataclass import *
from dns.rdatatype import *
from dns.tsig import *
# Log query to file
def logquery(type, qname):
with open("qlog", "a") as f:
@ -54,6 +55,7 @@ except:
dopass2 = False
############################################################################
#
# This server will serve valid and spoofed answers. A spoofed answer will

View File

@ -25,6 +25,7 @@ from dns.rdataclass import *
from dns.rcode import *
from dns.name import *
# Log query to file
def logquery(type, qname):
with open("qlog", "a") as f:

View File

@ -670,6 +670,7 @@ EOF
$FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \
-w dnstap.out > fstrm_capture.out 2>&1 &
fstrm_capture_pid=$!
sleep 1
$RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i
$DIG $DIGOPTS @10.53.0.4 a.example > dig.out
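Review bot: the added `sleep 1` papers over a startup race between the backgrounded `$FSTRM_CAPTURE` and the `rndc dnstap -reopen` that follows; a readiness check that waits for the `ns4/dnstap.out` socket to appear (for example with `retry_quiet` and `test -S`) would be deterministic on slow CI hosts where one second may not be enough.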

View File

@ -20,29 +20,42 @@ status=0
#
# We expect the zone to have the following:
#
# - 5 signatures for signing.test.
# - 6 signatures for signing.test.
# - 3 signatures for ns.signing.test.
# - 2 x 500 signatures for a{0000-0499}.signing.test.
#
# for a total of 1008.
# for a total of 1009.
fully_signed () {
$DIG axfr signing.test -p ${PORT} @10.53.0.1 |
awk 'BEGIN { lines = 0 }
$4 == "RRSIG" {lines++}
END { if (lines != 1008) exit(1) }'
$DIG axfr signing.test -p ${PORT} @10.53.0.1 > "dig.out.ns1.axfr"
awk 'BEGIN { lines = 0 }
$4 == "RRSIG" {lines++}
END { if (lines != 1009) exit(1) }' < "dig.out.ns1.axfr"
}
retry_quiet 30 fully_signed || ret=1
# Wait for the last NSEC record in the zone to be signed. This is a lightweight
# alternative to avoid many AXFR requests while waiting for the zone to be
# fully signed.
_wait_for_last_nsec_signed() {
$DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec > "dig.out.ns1.wait" || return 1
grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" > /dev/null || return 1
return 0
}
echo_i "wait for the zone to be fully signed"
retry_quiet 60 _wait_for_last_nsec_signed
retry_quiet 10 fully_signed || status=1
if [ $status != 0 ]; then echo_i "failed"; fi
start=`date +%s`
now=$start
end=$((start + 140))
while [ $now -lt $end ]; do
while [ $now -lt $end ] && [ $status -eq 0 ]; do
et=$((now - start))
echo "=============== $et ============"
$JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl
echo_i "............... $et ............"
$JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i
$DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et
awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c
awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i
lines=`awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l`
if [ ${et} -ne 0 -a ${lines} -ne 1009 ]
then
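Review bot: the expected RRSIG count 1009 is now hard-coded in two places, in `fully_signed` and in the `${lines} -ne 1009` check inside the loop, while the comment block above spells out the arithmetic (6 + 3 + 2 x 500 = 1009); putting the value in one variable next to that comment keeps the two checks from drifting apart. The new `_wait_for_last_nsec_signed` gate before `fully_signed` is a good change, since it replaces repeated AXFRs with a single NSEC query on a0499.signing.test.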

View File

@ -25,6 +25,7 @@ from dns.rdataclass import *
from dns.rcode import *
from dns.name import *
# Log query to file
def logquery(type, qname):
with open("qlog", "a") as f:

View File

@ -111,7 +111,10 @@ def is_supported(alg: Algorithm) -> bool:
f"{TESTCRYPTO} -q {alg.name}",
shell=True,
check=True,
env={"KEYGEN": KEYGEN},
env={
"KEYGEN": KEYGEN,
"TMPDIR": os.getenv("TMPDIR", "/tmp"),
},
stdout=subprocess.DEVNULL,
)
except subprocess.CalledProcessError as exc:
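Review bot: passing a literal dict as `env=` replaces the child's whole environment, which is why `TMPDIR` had to be added by hand; if the intent is only to add `KEYGEN`, `{**os.environ, "KEYGEN": KEYGEN}` inherits `PATH` and `TMPDIR` from the test runner without listing them, and if a minimal environment is deliberate a comment should say so. Either way `os.getenv` requires `import os` at the top of the file, which is outside this hunk and should be confirmed.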
@ -232,9 +235,8 @@ def main():
# later by run.sh
print("export ALGORITHM_SET=error")
raise
else:
for name, value in algs_env.items():
print(f"export {name}={value}")
for name, value in algs_env.items():
print(f"export {name}={value}")
if __name__ == "__main__":

View File

@ -35,7 +35,6 @@ class RawFormatHeader(dict):
def test_unsigned_serial_number():
"""
Check whether all signed zone files in the "ns8" subdirectory contain the
serial number of the unsigned version of the zone in the raw-format header.

View File

@ -551,15 +551,23 @@ _wait_for_metadata() {
n=$((n+1))
echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
now=$(date +%Y%m%d%H%M%S)
rndc_checkds "$SERVER" "$DIR" "-" "$now" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: $now" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
# DS State should be forced into RUMOURED.
set_keystate "KEY1" "STATE_DS" "rumoured"
check_keys
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
n=$((n+1))
echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
now=$(date +%Y%m%d%H%M%S)
rndc_checkds "$SERVER" "$DIR" "-" "$now" "withdrawn" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSRemoved: $now" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
# DS State should be forced into UNRETENTIVE.
set_keystate "KEY1" "STATE_DS" "unretentive"
check_keys
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
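Review bot: replacing the fixed 2019/2020 timestamps with `now=$(date +%Y%m%d%H%M%S)` removes a time-dependent assumption, and the check still only asserts that the supplied time is echoed back into the .state file; the new `set_keystate "KEY1" "STATE_DS" "rumoured"` / `"unretentive"` assertions followed by `check_keys` are what actually exercise the forced DS state from entry 6079. `now` is computed twice, which is harmless but could be done once above both checks.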

View File

@ -33,7 +33,7 @@ resolution_succeeds() {
resolution_fails() {
_servfail=0
_timeout=0
$DIG $DIGOPTS +tcp +tries=3 +time=5 @10.53.0.1 ${1} SOA > dig.out.test$n
$DIG $DIGOPTS +tcp +time=5 @10.53.0.1 ${1} SOA > dig.out.test$n
grep "status: SERVFAIL" dig.out.test$n > /dev/null && _servfail=1
grep "connection timed out" dig.out.test$n > /dev/null && _timeout=1
if [ $_servfail -eq 1 ] || [ $_timeout -eq 1 ]; then

View File

@ -14,10 +14,9 @@
#
# Clean up after log file tests
#
rm -f ns1/rndc.conf
rm -f ns1/controls.conf
rm -f ns1/named.conf
rm -f ns1/named.pid ns1/named.run
rm -f ns1/named.args
rm -f ns1/named.pid ns1/named.run ns1/named.run.prev
rm -f ns1/named.memstats ns1/dig.out
rm -f ns1/named_log ns1/named_pipe ns1/named_sym
rm -rf ns1/named_dir

View File

@ -0,0 +1 @@
-c named.conf -m record -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4

View File

@ -0,0 +1 @@
-c named.conf -m record -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4 -L named_deflog

View File

@ -0,0 +1,43 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
dnssec-validation no;
recursion no;
notify yes;
};
logging {
channel default_log {
file "/tmp";
print-time yes;
};
category default { default_log; default_debug; };
category lame-servers { null; };
};
controls {
inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
};
key rndc-key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
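Review bot: `file "/tmp";` points the default_log channel at a directory, presumably to exercise the log-open failure path; a comment saying so would help, and using an in-tree path such as `named_dir` (which clean.sh already removes with `rm -rf ns1/named_dir`) would keep the test independent of the host's /tmp layout and permissions.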

View File

@ -0,0 +1,43 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
dnssec-validation no;
recursion no;
notify yes;
};
logging {
channel default_log {
file "named_iso8601_utc";
print-time iso8601-utc;
severity debug 9;
};
category default { default_log; default_debug; };
};
controls {
inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
};
key rndc-key {
secret "1234abcd8765";
algorithm hmac-sha256;
};

View File

@ -0,0 +1,43 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
dnssec-validation no;
recursion no;
notify yes;
};
logging {
channel default_log {
file "named_iso8601";
print-time iso8601;
severity debug 9;
};
category default { default_log; default_debug; };
};
controls {
inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
};
key rndc-key {
secret "1234abcd8765";
algorithm hmac-sha256;
};

View File

@ -0,0 +1,43 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
dnssec-validation no;
recursion no;
notify yes;
};
logging {
channel default_log {
file "named_pipe";
print-time yes;
};
category default { default_log; default_debug; };
category lame-servers { null; };
};
controls {
inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
};
key rndc-key {
secret "1234abcd8765";
algorithm hmac-sha256;
};

View File

@ -0,0 +1,50 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
dnssec-validation no;
recursion no;
notify yes;
};
logging {
channel default_log {
file "named_log";
print-time yes;
};
category default { default_log; default_debug; };
category lame-servers { null; };
channel query_log {
file "query_log";
print-time yes;
buffered yes;
};
category queries { query_log; };
};
controls {
inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
};
key rndc-key {
secret "1234abcd8765";
algorithm hmac-sha256;
};

View File

@ -0,0 +1,34 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
dnssec-validation no;
recursion no;
notify yes;
};
controls {
inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
};
key rndc-key {
secret "1234abcd8765";
algorithm hmac-sha256;
};

View File

@ -0,0 +1,43 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
dnssec-validation no;
recursion no;
notify yes;
};
logging {
channel default_log {
file "named_sym";
print-time yes;
};
category default { default_log; default_debug; };
category lame-servers { null; };
};
controls {
inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
};
key rndc-key {
secret "1234abcd8765";
algorithm hmac-sha256;
};

View File

@ -0,0 +1,52 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
dnssec-validation no;
recursion no;
notify yes;
};
logging {
channel default_log {
buffered no;
file "named_ts" versions 3 size 1000 suffix timestamp; # small size
severity debug 100;
print-time yes;
};
category default { default_log; default_debug; };
category lame-servers { null; };
channel query_log {
file "query_log";
print-time yes;
buffered yes;
};
category queries { query_log; };
};
controls {
inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
};
key rndc-key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
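Review bot: `severity debug 100;` is used here and in the unlimited and vers fixtures, while every other fixture uses `debug 9`; if the higher level is only there to generate enough output to force a roll at `size 1000`, say so in a comment next to it (the `# small size` remark on the file line already hints at this). On that same line the comment uses `#`, whereas the equivalent line in named.versconf.in uses `// really small size`; both are valid named.conf comment syntax, but one style across the fixtures is tidier.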

View File

@ -0,0 +1,52 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
dnssec-validation no;
recursion no;
notify yes;
};
logging {
channel default_log {
buffered no;
file "named_unlimited" versions unlimited size 1000;
severity debug 100;
print-time yes;
};
category default { default_log; default_debug; };
category lame-servers { null; };
channel query_log {
file "query_log";
print-time yes;
buffered yes;
};
category queries { query_log; };
};
controls {
inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
};
key rndc-key {
secret "1234abcd8765";
algorithm hmac-sha256;
};

View File

@ -0,0 +1,52 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
dnssec-validation no;
recursion no;
notify yes;
};
logging {
channel default_log {
buffered no;
file "named_vers" versions 5 size 1000; // really small size
severity debug 100;
print-time yes;
};
category default { default_log; default_debug; };
category lame-servers { null; };
channel query_log {
file "query_log";
print-time yes;
buffered yes;
};
category queries { query_log; };
};
controls {
inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
};
key rndc-key {
secret "1234abcd8765";
algorithm hmac-sha256;
};

View File

@ -16,6 +16,4 @@ SYSTEMTESTTOP=..
$SHELL clean.sh
copy_setports ns1/named.plain ns1/named.conf
copy_setports ns1/rndc.conf.in ns1/rndc.conf
copy_setports ns1/controls.conf.in ns1/controls.conf
copy_setports ns1/named.plain.in ns1/named.conf
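Review bot: this hunk stops generating ns1/rndc.conf and ns1/controls.conf from their .in templates, so everything that still refers to those files has to go with it; the `myRNDC="$RNDC -c .../rndc.conf"` definition is dropped from tests.sh in the same commit, which is consistent, but please check that clean.sh no longer lists the two generated files and that no ns1 fixture still `include`s controls.conf. Switching the copy_setports source from `ns1/named.plain` to `ns1/named.plain.in` also needs the old named.plain removed from the tree, otherwise a stale copy without the @PORT@ substitution can be picked up by mistake.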

View File

@ -16,30 +16,6 @@ SYSTEMTESTTOP=..
THISDIR=`pwd`
CONFDIR="ns1"
PLAINCONF="${THISDIR}/${CONFDIR}/named.plainconf"
PLAINFILE="named_log"
DIRCONF="${THISDIR}/${CONFDIR}/named.dirconf"
DIRFILE="named_dir"
PIPECONF="${THISDIR}/${CONFDIR}/named.pipeconf"
PIPEFILE="named_pipe"
SYMCONF="${THISDIR}/${CONFDIR}/named.symconf"
SYMFILE="named_sym"
VERSCONF="${THISDIR}/${CONFDIR}/named.versconf"
VERSFILE="named_vers"
TSCONF="${THISDIR}/${CONFDIR}/named.tsconf"
TSFILE="named_ts"
UNLIMITEDCONF="${THISDIR}/${CONFDIR}/named.unlimited"
UNLIMITEDFILE="named_unlimited"
ISOCONF="${THISDIR}/${CONFDIR}/named.iso8601"
ISOFILE="named_iso8601"
ISOCONFUTC="${THISDIR}/${CONFDIR}/named.iso8601-utc"
ISOUTCFILE="named_iso8601_utc"
DLFILE="named_deflog"
PIDFILE="${THISDIR}/${CONFDIR}/named.pid"
myRNDC="$RNDC -c ${THISDIR}/${CONFDIR}/rndc.conf"
myNAMED="$NAMED -c ${THISDIR}/${CONFDIR}/named.conf -m record,size,mctx -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4"
# Test given condition. If true, test again after a second. Used for testing
# filesystem-dependent conditions in order to prevent false negatives caused by
# directory contents not being synchronized immediately after rename() returns.
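Review bot: dropping the `myNAMED=` definition removes the explicit `-m record,size,mctx -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4` command line; the server is now started through start_server with whatever ns1/named.args contains, and the named1.args and named2.args files that tests.sh copies into place later are not part of this diff. Please confirm they carry at least `-T nosyslog` (and `-L named_deflog` in named2.args for the default-logfile test), otherwise the server started without `-g` logs to syslog instead of the files this test inspects. The variable-driven `$PLAINFILE`/`$DIRFILE`/... names are replaced by literal `ns1/...` paths throughout, so any test that still needs the old names will now fail quietly rather than at parse time.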
@ -53,367 +29,216 @@ test_with_retry() {
return 1
}
waitforpidfile() {
for _w in 1 2 3 4 5 6 7 8 9 10
do
test -f $PIDFILE && break
sleep 1
done
}
status=0
n=0
cd $CONFDIR
export SYSTEMTESTTOP=../..
echo_i "testing log file validity (named -g + only plain files allowed)"
n=`expr $n + 1`
echo_i "testing plain file (named -g) ($n)"
# First run with a known good config.
echo > $PLAINFILE
copy_setports $PLAINCONF named.conf
$myRNDC reconfig > rndc.out.test$n 2>&1
grep "reloading configuration failed" named.run > /dev/null 2>&1
if [ $? -ne 0 ]
then
echo_i "testing plain file succeeded"
else
echo_i "testing plain file failed (unexpected)"
echo_i "exit status: 1"
exit 1
fi
n=$((n+1))
echo_i "testing log file validity (only plain files allowed) ($n)"
ret=0
cat /dev/null > ns1/named_log
copy_setports ns1/named.plainconf.in ns1/named.conf
nextpart ns1/named.run > /dev/null
rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
# Now try directory, expect failure
n=`expr $n + 1`
echo_i "testing directory as log file (named -g) ($n)"
echo > named.run
rm -rf $DIRFILE
mkdir -p $DIRFILE >/dev/null 2>&1
if [ $? -eq 0 ]
then
copy_setports $DIRCONF named.conf
echo > named.run
$myRNDC reconfig > rndc.out.test$n 2>&1
grep "checking logging configuration failed: invalid file" named.run > /dev/null 2>&1
if [ $? -ne 0 ]
then
echo_i "testing directory as file succeeded (UNEXPECTED)"
echo_i "exit status: 1"
exit 1
else
echo_i "testing directory as log file failed (expected)"
fi
else
echo_i "skipping directory test (unable to create directory)"
fi
# Now try pipe file, expect failure
n=`expr $n + 1`
echo_i "testing pipe file as log file (named -g) ($n)"
echo > named.run
rm -f $PIPEFILE
mkfifo $PIPEFILE >/dev/null 2>&1
if [ $? -eq 0 ]
then
copy_setports $PIPECONF named.conf
echo > named.run
$myRNDC reconfig > rndc.out.test$n 2>&1
grep "checking logging configuration failed: invalid file" named.run > /dev/null 2>&1
if [ $? -ne 0 ]
then
echo_i "testing pipe file as log file succeeded (UNEXPECTED)"
echo_i "exit status: 1"
exit 1
else
echo_i "testing pipe file as log file failed (expected)"
fi
else
echo_i "skipping pipe test (unable to create pipe)"
fi
# Now try symlink file to plain file, expect success
n=`expr $n + 1`
echo_i "testing symlink to plain file as log file (named -g) ($n)"
# Assume success
echo > named.run
echo > $PLAINFILE
rm -f $SYMFILE $SYMFILE
ln -s $PLAINFILE $SYMFILE >/dev/null 2>&1
if [ $? -eq 0 ]
then
copy_setports $SYMCONF named.conf
$myRNDC reconfig > rndc.out.test$n 2>&1
echo > named.run
grep "reloading configuration failed" named.run > /dev/null 2>&1
if [ $? -ne 0 ]
then
echo_i "testing symlink to plain file succeeded"
else
echo_i "testing symlink to plain file failed (unexpected)"
echo_i "exit status: 1"
exit 1
fi
else
echo_i "skipping symlink test (unable to create symlink)"
fi
# Stop the server and run through a series of tests with various config
# files while controlling the stop/start of the server.
# Have to stop the stock server because it uses "-g"
#
stop_server ns1
$myNAMED > /dev/null 2>&1
if [ $? -ne 0 ]
then
echo_i "failed to start $myNAMED"
echo_i "exit status: $status"
exit $status
fi
status=0
echo_i "testing log file validity (only plain files allowed)"
n=`expr $n + 1`
echo_i "testing plain file (named -g) ($n)"
# First run with a known good config.
echo > $PLAINFILE
copy_setports $PLAINCONF named.conf
$myRNDC reconfig > rndc.out.test$n 2>&1
grep "reloading configuration failed" named.run > /dev/null 2>&1
if [ $? -ne 0 ]
then
echo_i "testing plain file succeeded"
else
echo_i "testing plain file failed (unexpected)"
echo_i "exit status: 1"
exit 1
fi
# Now try directory, expect failure
n=`expr $n + 1`
n=$((n+1))
echo_i "testing directory as log file ($n)"
echo > named.run
rm -rf $DIRFILE
mkdir -p $DIRFILE >/dev/null 2>&1
if [ $? -eq 0 ]
then
copy_setports $DIRCONF named.conf
echo > named.run
$myRNDC reconfig > rndc.out.test$n 2>&1
grep "configuring logging: invalid file" named.run > /dev/null 2>&1
if [ $? -ne 0 ]
then
echo_i "testing directory as file succeeded (UNEXPECTED)"
echo_i "exit status: 1"
exit 1
else
echo_i "testing directory as log file failed (expected)"
fi
else
echo_i "skipping directory test (unable to create directory)"
fi
ret=0
nextpart ns1/named.run > /dev/null
copy_setports ns1/named.dirconf.in ns1/named.conf
rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
# Now try pipe file, expect failure
n=`expr $n + 1`
n=$((n+1))
echo_i "testing pipe file as log file ($n)"
echo > named.run
rm -f $PIPEFILE
mkfifo $PIPEFILE >/dev/null 2>&1
if [ $? -eq 0 ]
then
copy_setports $PIPECONF named.conf
echo > named.run
$myRNDC reconfig > rndc.out.test$n 2>&1
grep "configuring logging: invalid file" named.run > /dev/null 2>&1
if [ $? -ne 0 ]
then
echo_i "testing pipe file as log file succeeded (UNEXPECTED)"
echo_i "exit status: 1"
exit 1
else
echo_i "testing pipe file as log file failed (expected)"
fi
ret=0
nextpart ns1/named.run > /dev/null
rm -f ns1/named_pipe
if mkfifo ns1/named_pipe >/dev/null 2>&1; then
copy_setports ns1/named.pipeconf.in ns1/named.conf
rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
else
echo_i "skipping pipe test (unable to create pipe)"
echo_i "skipping pipe test (unable to create pipe)"
fi
# Now try symlink file to plain file, expect success
n=`expr $n + 1`
n=$((n+1))
echo_i "testing symlink to plain file as log file ($n)"
# Assume success
status=0
echo > named.run
echo > $PLAINFILE
rm -f $SYMFILE
ln -s $PLAINFILE $SYMFILE >/dev/null 2>&1
if [ $? -eq 0 ]
then
copy_setports $SYMCONF named.conf
$myRNDC reconfig > rndc.out.test$n 2>&1
echo > named.run
grep "reloading configuration failed" named.run > /dev/null 2>&1
if [ $? -ne 0 ]
then
echo_i "testing symlink to plain file succeeded"
else
echo_i "testing symlink to plain file failed (unexpected)"
echo_i "exit status: 1"
exit 1
fi
ret=0
rm -f ns1/named_log ns1/named_sym
touch ns1/named_log
if ln -s $(pwd)/ns1/named_log $(pwd)/ns1/named_sym >/dev/null 2>&1; then
nextpart ns1/named.run > /dev/null
copy_setports ns1/named.symconf.in ns1/named.conf
rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
else
echo_i "skipping symlink test (unable to create symlink)"
fi
n=`expr $n + 1`
echo_i "testing default logfile using named -L file ($n)"
# Now stop the server again and test the -L option
rm -f $DLFILE
stop_server --use-rndc --port ${CONTROLPORT} ns1
if ! test -f $PIDFILE; then
copy_setports $PLAINCONF named.conf
$myNAMED -L $DLFILE > /dev/null 2>&1
if [ $? -ne 0 ]; then
echo_i "failed to start $myNAMED"
echo_i "exit status: $status"
exit $status
fi
echo_i "repeat previous tests without named -g"
copy_setports ns1/named.plain.in ns1/named.conf
$PERL ../stop.pl --use-rndc --port ${CONTROLPORT} logfileconfig ns1
cp named1.args ns1/named.args
start_server --noclean --restart --port ${PORT} ns1
waitforpidfile
n=$((n+1))
echo_i "testing log file validity (only plain files allowed) ($n)"
ret=0
cat /dev/null > ns1/named_log
copy_setports ns1/named.plainconf.in ns1/named.conf
nextpart ns1/named.run > /dev/null
rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
sleep 1
if [ -f "$DLFILE" ]; then
echo_i "testing default logfile using named -L succeeded"
else
echo_i "testing default logfile using named -L failed"
echo_i "exit status: 1"
exit 1
fi
# Now try directory, expect failure
n=$((n+1))
echo_i "testing directory as log file ($n)"
ret=0
nextpart ns1/named.run > /dev/null
copy_setports ns1/named.dirconf.in ns1/named.conf
rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
# Now try pipe file, expect failure
n=$((n+1))
echo_i "testing pipe file as log file ($n)"
ret=0
nextpart ns1/named.run > /dev/null
rm -f ns1/named_pipe
if mkfifo ns1/named_pipe >/dev/null 2>&1; then
copy_setports ns1/named.pipeconf.in ns1/named.conf
rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
else
echo_i "failed to cleanly stop $myNAMED"
echo_i "exit status: 1"
exit 1
echo_i "skipping pipe test (unable to create pipe)"
fi
# Now try symlink file to plain file, expect success
n=$((n+1))
echo_i "testing symlink to plain file as log file ($n)"
ret=0
rm -f ns1/named_log ns1/named_sym
touch ns1/named_log
if ln -s $(pwd)/ns1/named_log $(pwd)/ns1/named_sym >/dev/null 2>&1; then
nextpart ns1/named.run > /dev/null
copy_setports ns1/named.symconf.in ns1/named.conf
rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
else
echo_i "skipping symlink test (unable to create symlink)"
fi
echo_i "testing logging functionality"
n=`expr $n + 1`
n=$((n+1))
ret=0
echo_i "testing iso8601 timestamp ($n)"
copy_setports $ISOCONF named.conf
$myRNDC reconfig > rndc.out.test$n 2>&1
if grep '^....-..-..T..:..:..\.... ' $ISOFILE > /dev/null; then
echo_i "testing iso8601 timestamp succeeded"
else
echo_i "testing iso8601 timestamp failed"
status=`expr $status + 1`
fi
copy_setports ns1/named.iso8601.in ns1/named.conf
rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
grep '^....-..-..T..:..:..\.... ' ns1/named_iso8601 > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=`expr $n + 1`
n=$((n+1))
echo_i "testing iso8601-utc timestamp ($n)"
copy_setports $ISOCONFUTC named.conf
$myRNDC reconfig > rndc.out.test$n 2>&1
if grep '^....-..-..T..:..:..\....Z' $ISOUTCFILE > /dev/null; then
echo_i "testing iso8601-utc timestamp succeeded"
else
echo_i "testing iso8601-utc timestamp failed"
status=`expr $status + 1`
fi
ret=0
copy_setports ns1/named.iso8601-utc.in ns1/named.conf
rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
grep '^....-..-..T..:..:..\....Z' ns1/named_iso8601_utc > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=`expr $n + 1`
n=$((n+1))
echo_i "testing explicit versions ($n)"
copy_setports $VERSCONF named.conf
ret=0
copy_setports ns1/named.versconf.in ns1/named.conf
# a seconds since epoch version number
touch $VERSFILE.1480039317
t1=`$PERL -e 'print time()."\n";'`
$myRNDC reconfig > rndc.out.test$n 2>&1
touch ns1/named_vers.1480039317
rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
$DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n
t2=`$PERL -e 'print time()."\n";'`
t=`expr ${t2:-0} - ${t1:-0}`
if test ${t:-1000} -gt 5
then
echo_i "testing explicit versions failed: cleanup of old entries took too long ($t secs)"
status=`expr $status + 1`
fi
if ! grep "status: NOERROR" dig.out.test$n > /dev/null
then
echo_i "testing explicit versions failed: DiG lookup failed"
status=`expr $status + 1`
fi
if test_with_retry -f $VERSFILE.1480039317
then
echo_i "testing explicit versions failed: $VERSFILE.1480039317 not removed"
status=`expr $status + 1`
fi
if test_with_retry -f $VERSFILE.5
then
echo_i "testing explicit versions failed: $VERSFILE.5 exists"
status=`expr $status + 1`
fi
if test_with_retry ! -f $VERSFILE.4
then
echo_i "testing explicit versions failed: $VERSFILE.4 does not exist"
status=`expr $status + 1`
fi
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
# we are configured to retain five logfiles (a current file
# and 4 backups). so files with version number 5 or higher
# should be removed.
test_with_retry -f ns1/named_vers.1480039317 && ret=1
test_with_retry -f ns1/named_vers.5 && ret=1
test_with_retry -f ns1/named_vers.4 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=`expr $n + 1`
n=$((n+1))
echo_i "testing timestamped versions ($n)"
copy_setports $TSCONF named.conf
ret=0
copy_setports ns1/named.tsconf.in ns1/named.conf
# a seconds since epoch version number
touch $TSFILE.2015010112000012
t1=`$PERL -e 'print time()."\n";'`
$myRNDC reconfig > rndc.out.test$n 2>&1
$DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n
t2=`$PERL -e 'print time()."\n";'`
t=`expr ${t2:-0} - ${t1:-0}`
if test ${t:-1000} -gt 5
then
echo_i "testing timestamped versions failed: cleanup of old entries took too long ($t secs)"
status=`expr $status + 1`
fi
if ! grep "status: NOERROR" dig.out.test$n > /dev/null
then
echo_i "testing timestamped versions failed: DiG lookup failed"
status=`expr $status + 1`
fi
if test_with_retry -f $TSFILE.1480039317
then
echo_i "testing timestamped versions failed: $TSFILE.1480039317 not removed"
status=`expr $status + 1`
fi
touch ns1/named_ts.1480039317
# a timestamp version number
touch ns1/named_ts.20150101120000120
rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
_found2() (
$DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
n=`expr $n + 1`
# we are configured to keep three versions, so the oldest
# timestamped versions should be gone, and there should
# be two or three backup ones.
[ -f ns1/named_ts.1480039317 ] && return 1
[ -f ns1/named_ts.20150101120000120 ] && return 1
set -- ns1/named_ts.*
[ "$#" -eq 2 -o "$#" -eq 3 ] || return 1
)
retry_quiet 5 _found2 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "testing unlimited versions ($n)"
copy_setports $UNLIMITEDCONF named.conf
ret=0
copy_setports ns1/named.unlimited.in ns1/named.conf
# a seconds since epoch version number
touch $UNLIMITEDFILE.1480039317
t1=`$PERL -e 'print time()."\n";'`
$myRNDC reconfig > rndc.out.test$n 2>&1
touch ns1/named_unlimited.1480039317
rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
$DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n
t2=`$PERL -e 'print time()."\n";'`
t=`expr ${t2:-0} - ${t1:-0}`
if test ${t:-1000} -gt 5
then
echo_i "testing unlimited versions failed: took too long ($t secs)"
status=`expr $status + 1`
fi
if ! grep "status: NOERROR" dig.out.test$n > /dev/null
then
echo_i "testing unlimited versions failed: DiG lookup failed"
status=`expr $status + 1`
fi
if test_with_retry ! -f $UNLIMITEDFILE.1480039317
then
echo_i "testing unlimited versions failed: $UNLIMITEDFILE.1480039317 removed"
status=`expr $status + 1`
fi
if test_with_retry ! -f $UNLIMITEDFILE.4
then
echo_i "testing unlimited versions failed: $UNLIMITEDFILE.4 does not exist"
status=`expr $status + 1`
fi
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
test_with_retry -f ns1/named_unlimited.1480039317 || ret=1
test_with_retry -f ns1/named_unlimited.4 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "testing default logfile using named -L file ($n)"
ret=0
$PERL ../stop.pl logfileconfig ns1
cp named2.args ns1/named.args
test -f ns1/named.pid && ret=1
rm -f ns1/named_deflog
copy_setports ns1/named.plainconf.in ns1/named.conf
start_server --noclean --restart --port ${PORT} ns1
[ -f "ns1/named_deflog" ] || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
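Review bot: in the timestamped-versions test, `_found2() ( ... )` is defined with a subshell body, so the `grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1` inside it sets `ret` only in the subshell and a DiG failure is never seen by the caller; the function's exit status comes solely from the last `[ "$#" -eq 2 -o "$#" -eq 3 ] || return 1` line. Make that grep `|| return 1` like the two checks below it, or move the `$DIG`/grep pair out of `_found2` as the explicit-versions and unlimited-versions tests do. Two smaller points: the two directory tests now reconfigure with named.dirconf.in but, unlike the removed `rm -rf $DIRFILE; mkdir -p $DIRFILE` lines, nothing in this hunk creates ns1/named_dir, so unless setup.sh creates it the reconfig will simply open a new plain file and `wait_for_log 5 "reloading configuration failed: invalid file"` fails for the wrong reason; and the final `-L` test checks `[ -f "ns1/named_deflog" ]` straight after start_server where the old code slept first, so a `test_with_retry -f` (or `retry_quiet`) would match how the other filesystem checks are done. Style: `-o` inside `[ ]` is marked obsolescent in POSIX test; `[ "$#" -eq 2 ] || [ "$#" -eq 3 ]` is the portable spelling.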

View File

@ -12,17 +12,22 @@
# information regarding copyright ownership.
rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk
rm -f */island.conf
rm -f */private.conf
rm -f */managed*.conf ns1/managed.key ns1/managed.key.id
rm -f */managed-keys.bind* */named.secroots
rm -f */named.conf
rm -f ns3/broken.conf
rm -f */named.memstats */named.run */named.run.prev
rm -f dig.out* delv.out* rndc.out* signer.out*
rm -f dsset-. ns1/dsset-.
rm -f ns1/zone.key
rm -f ns*/managed-keys.bind*
rm -f ns*/named.lock
rm -f ns1/dsset-sub.tld.
rm -f ns1/dsset-tld.
rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
rm -f ns1/zone.key
rm -f ns3/broken.conf
rm -f ns4/dsset-sub.foo.
rm -f ns5/named.args
rm -f ns7/view1.mkeys ns7/view2.mkeys
rm -rf ns4/nope
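Review bot: with three servers now signing zones, the explicit `rm -f ns1/dsset-sub.tld.`, `rm -f ns1/dsset-tld.` and `rm -f ns4/dsset-sub.foo.` lines could collapse into `rm -f dsset-* */dsset-*`, which also covers any dsset file a future sign.sh change produces. The generated includes are covered as is (`*/island.conf` and `*/private.conf` match both the ns1/ns4 originals and the ns5 copies), and `*/K* */*.signed` picks up the new tld, sub.tld and sub.foo keys and signed files.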

View File

@ -47,3 +47,13 @@ zone "." {
allow-update { any; };
auto-dnssec maintain;
};
zone "tld" {
type primary;
file "tld.db.signed";
};
zone "sub.tld" {
type primary;
file "sub.tld.db.signed";
};
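Review bot: the `tld` and `sub.tld` stanzas are plain `type primary; file "...db.signed";` with no `auto-dnssec` or `dnssec-policy`, unlike the `auto-dnssec maintain` root zone right above them, so their RRSIGs are only as fresh as ns1/sign.sh makes them at setup; that is fine for a one-shot system test, but a comment would stop an expired-signature failure from being mistaken for a validation bug. The same ten lines are repeated in named2.conf.in and named3.conf.in; an `include` of a shared fragment would keep the three copies from drifting apart.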

View File

@ -45,3 +45,13 @@ zone "." {
type primary;
file "root.db.signed";
};
zone "tld" {
type primary;
file "tld.db.signed";
};
zone "sub.tld" {
type primary;
file "sub.tld.db.signed";
};

View File

@ -39,3 +39,13 @@ zone "." {
type primary;
file "root.db.signed";
};
zone "tld" {
type primary;
file "tld.db.signed";
};
zone "sub.tld" {
type primary;
file "sub.tld.db.signed";
};

View File

@ -23,3 +23,6 @@ a.root-servers.nil. A 10.53.0.1
; no delegation
example. TXT "This is a test."
tld. NS ns.tld.
ns.tld. A 10.53.0.1
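Review bot: the new `tld. NS ns.tld.` / `ns.tld. A 10.53.0.1` records land directly under the `; no delegation` comment that describes `example.`, so the comment now reads as if it covered tld as well; a separate `; delegation to tld` comment above the new records would make the intent clear. Note that no DS for tld. is added here, so from the signed root's point of view tld is an insecure delegation and sub.tld is reachable only through the trust anchor that ns1/sign.sh writes to island.conf; if that is the scenario under test, a comment saying "deliberately no DS" would protect it from a well-meaning fix.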

View File

@ -14,6 +14,24 @@
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
zone=sub.tld
zonefile=sub.tld.db
keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
keyfile_to_initial_ds $keyname > island.conf
cp island.conf ../ns5/island.conf
zone=tld
zonefile=tld.db
keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
zone=.
zonefile=root.db
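Review bot: `$SIGNER -Sg` generates DS records for child zones from any dsset- file present in the directory, and the order here signs sub.tld first, then tld, with the root after; so dsset-sub.tld. is picked up while signing tld (giving tld a DS for sub.tld) and dsset-tld. is on disk by the time the root is signed. If sub.tld is meant to be an island of trust anchored only by island.conf, either sign the root before these two zones, drop `-g` for the root, or delete dsset-tld. first; otherwise the root carries a DS for tld and the normal chain of trust covers sub.tld anyway. Two nits: `zskkeyname` is assigned twice but never read (the call is only there so that `-S` smart signing finds a ZSK in the directory, which a comment could say), and redirecting the signer's stderr to /dev/null discards the reason for a failure; `> signer.out.$zone 2>&1` would match the `signer.out*` pattern clean.sh already removes.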

View File

@ -0,0 +1,21 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 20
sub.tld. IN SOA marka.isc.org. ns.sub.tld. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
2 ; minimum
)
sub.tld. NS ns.sub.tld.
ns.sub.tld. A 10.53.0.1
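Review bot: `sub.tld. IN SOA marka.isc.org. ns.sub.tld.` puts the mailbox-style name in the MNAME slot and the name server in RNAME; the sibling tld.db and foo.db in this commit use the same order, so it is harmless for the test, but since the file is new, `ns.sub.tld. marka.isc.org.` is the semantically correct order and costs nothing. The `2 ; minimum` with `$TTL 20` gives a two-second negative TTL, which is presumably intended for fast test turnaround.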

View File

@ -0,0 +1,23 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 20
tld. IN SOA marka.isc.org. ns.tld. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
2 ; minimum
)
tld. NS ns.tld.
ns.tld. A 10.53.0.1
sub.tld. NS ns.sub.tld.
ns.sub.tld. A 10.53.0.1

View File

@ -41,3 +41,8 @@ zone "." {
type hint;
file "../../common/root.hint";
};
zone "sub.foo" {
type primary;
file "sub.foo.db.signed";
};

View File

@ -0,0 +1,25 @@
#!/bin/sh -e
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
zone=sub.foo
zonefile=sub.foo.db
keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
keyfile_to_initial_ds $keyname > private.conf
cp private.conf ../ns5/private.conf
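Review bot: `$SIGNER ... > /dev/null 2>/dev/null` hides the reason when signing fails; the script is `#!/bin/sh -e`, so a failure still aborts, but the setup log will then only show that ns4/sign.sh exited non-zero. Redirect to `signer.out.$zone` instead (clean.sh already removes `signer.out*`). As in ns1/sign.sh, `zskkeyname` is never read after assignment; the call exists only to create the ZSK that `-S` picks up, and deserves a comment. `cp private.conf ../ns5/private.conf` ties this script to ns5's directory layout, which is at least consistent with how island.conf is handled.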

View File

@ -0,0 +1,21 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 20
sub.foo. IN SOA marka.isc.org. ns.foo. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
2 ; minimum
)
sub.foo. NS ns.sub.foo.
ns.sub.foo. A 10.53.0.4
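Review bot: the SOA RNAME here is `ns.foo.`, the parent's server name, while the zone's own NS below is `ns.sub.foo.`; sub.tld.db uses the zone's own server in the same slot, so this looks like a copy of foo.db's SOA that was not updated. Harmless for the test, but worth aligning since the file is new.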

View File

@ -0,0 +1,23 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 20
foo. IN SOA marka.isc.org. ns.foo. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
2 ; minimum
)
foo. NS ns.foo.
ns.foo. A 10.53.0.5
sub.foo. NS ns.sub.foo.
ns.sub.foo. A 10.53.0.4

View File

@ -41,3 +41,11 @@ zone "." {
type hint;
file "../../common/root.hint";
};
zone "foo" {
type primary;
file "foo.db";
};
include "island.conf";
include "private.conf";
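Review bot: `include "island.conf"; include "private.conf";` makes ns5's config depend on two files that exist only after ns1/sign.sh and ns4/sign.sh have copied them in and that clean.sh deletes, so ns5 cannot start on a bare checkout or if the setup.sh ordering changes; setup.sh does run both sign scripts, but a short comment naming the producers next to the includes would save the next reader a search. It is also worth stating in a comment that zone "foo" is served unsigned on purpose (`file "foo.db"`, no signed file), so sub.foo is validated only through the private.conf trust anchor.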

View File

@ -33,6 +33,7 @@ copy_setports ns7/named.conf.in ns7/named.conf
cp ns5/named1.args ns5/named.args
( cd ns1 && $SHELL sign.sh )
( cd ns4 && $SHELL sign.sh )
( cd ns6 && $SHELL setup.sh )
cp ns2/managed.conf ns2/managed1.conf
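Review bot: `( cd ns4 && $SHELL sign.sh )` runs the script through `$SHELL`, so the `-e` in ns4/sign.sh's `#!/bin/sh -e` shebang is not in effect, and the subshell's exit status is not checked either unless setup.sh itself runs under `set -e`; a failed keygen or signer there leaves ns4 without sub.foo.db.signed and ns5 without private.conf, and the failure only surfaces later as a confusing start-up error. Appending `|| exit 1` to both the ns1 and ns4 lines, or invoking `$SHELL -e sign.sh`, would fail fast at the point of the problem.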

View File

@ -568,44 +568,46 @@ grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "reset the root server with no keys, check for minimal update ($n)"
ret=0
# Refresh keys first to prevent previous checks from influencing this one.
# Note that we might still get occasional false negatives on some really slow
# machines, when $t1 equals $t2 due to the time elapsed between "rndc
# managed-keys status" calls being equal to the normal active refresh period
# (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as
# set using -T mkeytimers).
mkeys_refresh_on 2 || ret=1
mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
t1=$(grep 'next refresh:' rndc.out.1.$n) || true
stop_server --use-rndc --port "${CONTROLPORT}" ns1
rm -f ns1/root.db.signed.jnl
cp ns1/root.db ns1/root.db.signed
nextpart ns1/named.run > /dev/null
start_server --noclean --restart --port "${PORT}" ns1
wait_for_log 20 "all zones loaded" ns1/named.run || ret=1
mkeys_refresh_on 2 || ret=1
mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1
# one key listed
count=$(grep -c "keyid: " rndc.out.2.$n) || true
[ "$count" -eq 1 ] || ret=1
# it's the original key id
count=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true
[ "$count" -eq 1 ] || ret=1
# not revoked
count=$(grep -c "REVOKE" rndc.out.2.$n) || true
[ "$count" -eq 0 ] || ret=1
# trust is still current
count=$(grep -c "trust" rndc.out.2.$n) || true
[ "$count" -eq 1 ] || ret=1
count=$(grep -c "trusted since" rndc.out.2.$n) || true
[ "$count" -eq 1 ] || ret=1
t2=$(grep 'next refresh:' rndc.out.2.$n) || true
[ "$t1" = "$t2" ] && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
if [ ! "$CYGWIN" ]; then
n=$((n+1))
echo_i "reset the root server with no keys, check for minimal update ($n)"
ret=0
# Refresh keys first to prevent previous checks from influencing this one.
# Note that we might still get occasional false negatives on some really slow
# machines, when $t1 equals $t2 due to the time elapsed between "rndc
# managed-keys status" calls being equal to the normal active refresh period
# (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as
# set using -T mkeytimers).
mkeys_refresh_on 2 || ret=1
mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
t1=$(grep 'next refresh:' rndc.out.1.$n) || true
stop_server --use-rndc --port "${CONTROLPORT}" ns1
rm -f ns1/root.db.signed.jnl
cp ns1/root.db ns1/root.db.signed
nextpart ns1/named.run > /dev/null
start_server --noclean --restart --port "${PORT}" ns1
wait_for_log 20 "all zones loaded" ns1/named.run || ret=1
mkeys_refresh_on 2 || ret=1
mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1
# one key listed
count=$(grep -c "keyid: " rndc.out.2.$n) || true
[ "$count" -eq 1 ] || ret=1
# it's the original key id
count=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true
[ "$count" -eq 1 ] || ret=1
# not revoked
count=$(grep -c "REVOKE" rndc.out.2.$n) || true
[ "$count" -eq 0 ] || ret=1
# trust is still current
count=$(grep -c "trust" rndc.out.2.$n) || true
[ "$count" -eq 1 ] || ret=1
count=$(grep -c "trusted since" rndc.out.2.$n) || true
[ "$count" -eq 1 ] || ret=1
t2=$(grep 'next refresh:' rndc.out.2.$n) || true
[ "$t1" = "$t2" ] && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
fi
n=$((n+1))
echo_i "reset the root server with no signatures, check for minimal update ($n)"
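Review bot: the new `if [ ! "$CYGWIN" ]` guard skips the "reset the root server with no keys" test silently on Windows: there is no `else` branch printing a `skipping ... ($n)` line and no comment saying why the check is unreliable there, unlike the `# This check is unstable on Windows.` comment used for the same guard in the nsupdate change in this set. Because `n=$((n+1))` is also inside the guard, test numbers after this point differ between Cygwin and other platforms, which makes log comparison across CI runners harder; move `n=$((n+1))` above the `if` and add an `else echo_i "skipping ... on Windows ($n)"` branch.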
@ -680,8 +682,12 @@ rndccmd 10.53.0.2 managed-keys destroy | sed 's/^/ns2 /' | cat_i
mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
grep "no views with managed keys" rndc.out.1.$n > /dev/null || ret=1
mkeys_reconfig_on 2 || ret=1
mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1
grep "name: \." rndc.out.2.$n > /dev/null || ret=1
check_root_trust_anchor_is_present_in_status() {
mkeys_status_on 2 > rndc.out.2.$n 2>&1 || return 1
grep "name: \." rndc.out.2.$n > /dev/null || return 1
return 0
}
retry_quiet 5 check_root_trust_anchor_is_present_in_status || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
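Review bot: `retry_quiet 5 check_root_trust_anchor_is_present_in_status` papers over the fact that the trust anchor is not visible immediately after `mkeys_reconfig_on 2`; that is the right fix for the flake, but without a one-line comment explaining it a future reader may drop the retry and reintroduce the race. The helper is defined inline in the middle of the test and reads the global `$n` at call time to name `rndc.out.2.$n`, so copying it into another test would silently reuse whichever `$n` is current; consider moving it next to the other helpers with `$n` passed as an argument.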
@ -719,7 +725,9 @@ ret=0
stop_server --use-rndc --port "${CONTROLPORT}" ns5
nextpart ns5/named.run > /dev/null
start_server --noclean --restart --port "${PORT}" ns5
wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns5/named.run || ret=1
wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.':" ns5/named.run || ret=1
wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld':" ns5/named.run || ret=1
wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo':" ns5/named.run || ret=1
# ns5/named.run will contain logs from both the old instance and the new
# instance. In order for the test to pass, both must attempt a fetch.
count=$(grep -c "Creating key fetch" ns5/named.run) || true
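Review bot: replacing one `wait_for_log` with three `wait_for_log_peek` calls for '.', 'sub.tld' and 'sub.foo' is correct, since the three `keyfetch_done()` lines can arrive in any order and a consuming wait would miss one, but each call can wait 20 s on its own, so the worst-case bound for this step grows from 20 s to 60 s. Unlike the two later hunks in this file, these three peeks do not assert an outcome (`: success` / `: failure`), so a failed fetch still passes here; append the expected outcome to each pattern so the check means something.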
@ -727,6 +735,23 @@ count=$(grep -c "Creating key fetch" ns5/named.run) || true
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "check 'rndc managed-keys' and islands of trust root unreachable ($n)"
ret=0
mkeys_sync_on 5
mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1
# there should be three keys listed now
count=$(grep -c "keyid: " rndc.out.$n) || true
[ "$count" -eq 3 ] || ret=1
# three lines indicating trust status
count=$(grep -c "trust" rndc.out.$n) || true
[ "$count" -eq 3 ] || ret=1
# one indicates current trust
count=$(grep -c "trusted since" rndc.out.$n) || true
[ "$count" -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "check key refreshes are resumed after root servers become available ($n)"
ret=0
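Review bot: `mkeys_sync_on 5` on the first line of the new islands-of-trust test is the only `mkeys_*` call in it whose status is not checked with `|| ret=1`; if the sync fails, the `grep -c` counts that follow describe stale state. The comment `# there should be three keys listed now` would be clearer if it named the three islands ('.', 'sub.tld', 'sub.foo') ns5 is configured with, and it is worth noting that `grep -c "trust"` also matches the `trusted since` line, which is why the expected counts are 3/3/1 rather than 2/3/1.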
@ -738,7 +763,9 @@ rm -f ns5/managed-keys.bind*
cp ns5/named2.args ns5/named.args
nextpart ns5/named.run > /dev/null
start_server --noclean --restart --port "${PORT}" ns5
wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1
wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1
wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': failure" ns5/named.run || ret=1
wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1
mkeys_secroots_on 5 || ret=1
grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1
# ns1 should still REFUSE queries from ns5, so resolving should be impossible
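Review bot: asserting `: failure` for '.' and 'sub.tld' and `: success` for 'sub.foo' is the right level of precision; keep in mind that `wait_for_log_peek` does not advance the `nextpart` marker, so a leftover `: failure` line from an earlier phase would satisfy the pattern, which is why the `nextpart ns5/named.run > /dev/null` above must stay immediately before `start_server`.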
@ -751,7 +778,9 @@ copy_setports ns1/named3.conf.in ns1/named.conf
rm -f ns1/root.db.signed.jnl
nextpart ns5/named.run > /dev/null
mkeys_reconfig_on 1 || ret=1
wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1
wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1
wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': success" ns5/named.run || ret=1
wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1
mkeys_secroots_on 5 || ret=1
grep '; managed' ns5/named.secroots > /dev/null || ret=1
# ns1 should not longer REFUSE queries from ns5, so managed keys should be
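Review bot: the trailing context line `# ns1 should not longer REFUSE queries from ns5` has a typo ("not longer" for "no longer"); since the hunk already touches the adjacent lines, fix it here. Same ordering caution as in the previous hunk: the three `: success` peeks only match fresh output because `nextpart ns5/named.run` is consumed before `mkeys_reconfig_on 1`.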
@ -832,5 +861,22 @@ grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "check 'rndc managed-keys' and islands of trust now that root is reachable ($n)"
ret=0
mkeys_sync_on 5
mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1
# there should be three keys listed now
count=$(grep -c "keyid: " rndc.out.$n) || true
[ "$count" -eq 3 ] || ret=1
# theee lines indicating trust status
count=$(grep -c "trust" rndc.out.$n) || true
[ "$count" -eq 3 ] || ret=1
# three indicates current trust
count=$(grep -c "trusted since" rndc.out.$n) || true
[ "$count" -eq 3 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
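Review bot: two typos in the new comments: `# theee lines indicating trust status` should read `three`, and `# three indicates current trust` should read `three indicate`. As in the earlier islands-of-trust test, `mkeys_sync_on 5` is unchecked while every other call uses `|| ret=1`. The expected 3/3/3 counts are the intended contrast with the 3/3/1 expected while the root was unreachable; a one-line comment pointing back to that test would make the pair read as one.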

View File

@ -231,7 +231,6 @@ dnssec_verify
# This is a secondary zone, where the primary is signed with NSEC3 but
# the dnssec-policy dictates NSEC.
set_zone_policy "nsec3-xfr-inline.kasp" "nsec" 1 3600
set_key_default_values "KEY1"
echo_i "initial check zone ${ZONE}"
check_nsec
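Review bot: the hunk header records one deleted line for the `nsec3-xfr-inline.kasp` block but the rendering does not show which one; if it is the `set_key_default_values "KEY1"` call, confirm that the KEY1 expectations `check_nsec` and the key checks that follow rely on are still set for this zone, otherwise later assertions compare against unset variables. A sentence in the commit message on why the call was dropped would help.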

View File

@ -73,7 +73,11 @@ EOF
$DDNSCONFGEN -q -z example.nil > ns1/ddns.key
$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
if $FEATURETEST --md5; then
$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
else
echo -n > ns1/md5.key
fi
$DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
$DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
$DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
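Review bot: `echo -n > ns1/md5.key` in the `else` branch is not portable: in a POSIX `sh` whose `echo` does not understand `-n` the file ends up containing the literal string `-n`, which `nsupdate -k` would then try to parse if anything still reads `ns1/md5.key`. Use `: > ns1/md5.key` to create an empty file portably, or simply `rm -f ns1/md5.key`; the tests.sh change in this set drops `md5` from `$ALGS` when the feature test fails, so the file is never read and not creating it at all is the simplest option.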

View File

@ -852,7 +852,14 @@ fi
n=$((n + 1))
ret=0
echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
for alg in md5 sha1 sha224 sha256 sha384 sha512; do
if $FEATURETEST --md5
then
ALGS="md5 sha1 sha224 sha256 sha384 sha512"
else
ALGS="sha1 sha224 sha256 sha384 sha512"
echo_i "skipping disabled md5 algorithm"
fi
for alg in $ALGS; do
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT}
update add ${alg}.keytests.nil. 600 A 10.10.10.3
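Review bot: `ALGS` is computed inside this test body, and the second loop at the bottom of the same test (`for alg in $ALGS; do $DIG ...`) depends on it having been set a few lines earlier; compute it once near the top of the script next to the other feature checks so both loops and any future algorithm test share it, and so `skipping disabled md5 algorithm` is printed once rather than per test.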
@ -860,7 +867,7 @@ send
END
done
sleep 2
for alg in md5 sha1 sha224 sha256 sha384 sha512; do
for alg in $ALGS; do
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
done
if [ $ret -ne 0 ]; then
@ -1302,19 +1309,22 @@ END
grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
n=$((n + 1))
ret=0
echo_i "check that update is rejected if quota is exceeded ($n)"
for loop in 1 2 3 4 5 6 7 8 9 10; do
{
$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 <<END
update add txt-$loop.other.nil 3600 IN TXT Whatever
send
# This check is unstable on Windows.
if [ ! "$CYGWIN" ]; then
n=$((n + 1))
ret=0
echo_i "check that update is rejected if quota is exceeded ($n)"
for loop in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
{
$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 <<END
update add txt-$loop.other.nil 3600 IN TXT Whatever
send
END
} &
done
wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
} &
done
wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
fi
if ! $FEATURETEST --gssapi ; then
echo_i "SKIPPED: GSSAPI tests"
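Review bot: the 20 backgrounded `nsupdate` processes started in the `for loop ...` are never reaped: there is no `wait` after `wait_for_log 10 "too many DNS UPDATEs queued"`, so stragglers can still be sending updates to ns1 when the GSSAPI tests following `if ! $FEATURETEST --gssapi` start, and that is also the kind of race that makes the check unstable on Windows. Add `wait` before the closing `fi`. Doubling the loop from 10 to 20 deserves a comment saying the count must exceed the update quota configured on ns1 with enough margin that early-completing updates do not drop the queue depth below the limit.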

View File

@ -34,9 +34,9 @@ def feature_test(feature):
have_libxml2 = pytest.mark.skipif(
feature_test("--have-libxml2"), reason="libxml2 support disabled in the build"
not feature_test("--have-libxml2"), reason="libxml2 support disabled in the build"
)
have_json_c = pytest.mark.skipif(
feature_test("--have-json-c"), reason="json-c support disabled in the build"
not feature_test("--have-json-c"), reason="json-c support disabled in the build"
)
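Review bot: this is a real bug fix, not a cleanup: `pytest.mark.skipif(feature_test("--have-libxml2"), ...)` skipped the tests exactly when libxml2 support was present, and likewise for json-c, so these statistics-channel tests were never running on builds that have the feature while printing "support disabled in the build". With `not` added the condition finally matches the reason string; it would be worth checking CI logs for how long these tests were silently skipped and whether any of them now fail.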

View File

@ -40,7 +40,7 @@ make_key () {
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
}
make_key 1 ${EXTRAPORT1} hmac-md5
$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
make_key 2 ${EXTRAPORT2} hmac-sha1
make_key 3 ${EXTRAPORT3} hmac-sha224
make_key 4 ${EXTRAPORT4} hmac-sha256
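Review bot: `$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5` means `ns4/key1.conf` and its `key` stanza in ns4/named.conf do not exist when MD5 is disabled, so every other place in this test that references `ns4/key1.conf`, in particular the negative loops in tests.sh that run `$RNDC ... -c ns4/key${i}.conf status` over the other key files expecting failure, needs the same guard; otherwise a failure caused by a missing config file is indistinguishable from the rejected key the loop is meant to detect. An explicit `if $FEATURETEST --md5; then make_key ...; fi` also reads more clearly than the `&&` form.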

View File

@ -350,16 +350,20 @@ done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "testing rndc with hmac-md5 ($n)"
ret=0
$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
for i in 2 3 4 5 6
do
$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=$((n+1))
if $FEATURETEST --md5; then
echo_i "testing rndc with hmac-md5 ($n)"
ret=0
$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
for i in 2 3 4 5 6
do
$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
else
echo_i "skipping rndc with hmac-md5 ($n)"
fi
n=`expr $n + 1`
echo_i "testing rndc with hmac-sha1 ($n)"
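Review bot: the rewritten block uses `n=$((n+1))` and `status=$((status+ret))` while the surrounding lines keep the `expr` style (`status=\`expr $status + $ret\``, `n=\`expr $n + 1\``), so the file now mixes both idioms; either convert the file consistently to `$(( ))` (POSIX, and what the other tests.sh scripts in this change use) or keep the old form here to minimise the diff. Printing `skipping rndc with hmac-md5 ($n)` so the numbering stays aligned with the md5-enabled run is the right call.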

View File

@ -148,3 +148,13 @@ zone "static-stub-nomatch." {
type static-stub;
server-addresses { 10.53.0.10; };
};
# A faulty dlz configuration to check if named with response policy zones
# survives a certain class of failed configuration attempts (see GL #3880).
# "dlz" is used because the dlz processing code is located in an ideal place in
# the view configuration function for the test to cover the view reverting code.
# The "BAD" comments below are necessary, because they will be removed using
# 'sed' by tests.sh in order to activate the faulty configuration.
#BAD dlz "bad-dlz" {
#BAD database "dlopen bad-dlz.so example.org";
#BAD };
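Review bot: the `#BAD` prefix is stripped by tests.sh with `sed -e "s/^#BAD//"`, which only matches at column 0, so these three lines must stay unindented and any other `#BAD` string that ever lands in this file would be activated too; add that to the comment so the convention is not broken by a later reformat. `dlopen bad-dlz.so` is resolved relative to named's working directory, which is what guarantees the failure; saying so explicitly would make it clear the failure is intended rather than an environment problem.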

View File

@ -846,6 +846,16 @@ EOF
stop_server --use-rndc --port ${CONTROLPORT} ns3
restart 3 "rebuild-bl-rpz"
t=`expr $t + 1`
echo_i "checking if rpz survives a certain class of failed reconfiguration attempts (${t})"
sed -e "s/^#BAD//" < ns3/named.conf.in > ns3/named.conf.tmp
copy_setports ns3/named.conf.tmp ns3/named.conf
rm ns3/named.conf.tmp
$RNDCCMD $ns3 reconfig > /dev/null 2>&1 && setret "failed"
sleep 1
copy_setports ns3/named.conf.in ns3/named.conf
$RNDCCMD $ns3 reconfig || setret "failed"
# reload a RPZ zone that is now deliberately broken.
t=`expr $t + 1`
echo_i "checking rpz failed update will keep previous rpz rules (${t})"
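Review bot: the test title says "checking if rpz survives a certain class of failed reconfiguration attempts", but the only assertions are that the bad `reconfig` fails (`&& setret "failed"`) and that the restored `reconfig` succeeds; nothing queries through the response policy zones between the two to show the previously loaded rules are still applied, and nothing checks that named is still alive (a crash during the failed reconfig would only surface when the second `rndc reconfig` cannot connect). Add a known-rewritten query after the failed reconfig, and replace the bare `sleep 1` with a wait on the corresponding log line in ns3/named.run, so this becomes a regression test for GL #3880 rather than a smoke test.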

View File

@ -276,11 +276,8 @@ get_core_dumps() {
}
core_dumps=$(get_core_dumps | tr '\n' ' ')
assertion_failures=$(find "$systest/" -name named.run -exec grep "assertion failure" {} + | wc -l)
sanitizer_summaries=$(find "$systest/" -name 'tsan.*' | wc -l)
if [ -n "$core_dumps" ]; then
echoinfo "I:$systest:Core dump(s) found: $core_dumps"
echofail "R:$systest:FAIL"
get_core_dumps | while read -r coredump; do
SYSTESTDIR="$systest"
echoinfo "D:$systest:backtrace from $coredump:"
@ -308,17 +305,23 @@ if [ -n "$core_dumps" ]; then
gzip -1 "${coredump}"
done
status=$((status+1))
elif [ "$assertion_failures" -ne 0 ]; then
fi
assertion_failures=$(find "$systest/" -name named.run -exec grep "assertion failure" {} + | wc -l)
if [ "$assertion_failures" -ne 0 ]; then
SYSTESTDIR="$systest"
echoinfo "I:$systest:$assertion_failures assertion failure(s) found"
status=$((status+1))
fi
tsan_failures=$(find "$systest/" -name 'tsan.*' | wc -l)
if [ "$tsan_failures" -ne 0 ]; then
echoinfo "I:$systest:$tsan_failures sanitizer report(s) found"
find "$systest/" -name 'tsan.*' -exec grep "SUMMARY: " {} + | sort -u | cat_d
echofail "R:$systest:FAIL"
status=$((status+1))
elif [ "$sanitizer_summaries" -ne 0 ]; then
echoinfo "I:$systest:$sanitizer_summaries sanitizer report(s) found"
echofail "R:$systest:FAIL"
status=$((status+1))
elif [ "$status" -ne 0 ]; then
fi
if [ "$status" -ne 0 ]; then
echofail "R:$systest:FAIL"
else
echopass "R:$systest:PASS"
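Review bot: splitting the `elif` chain into independent `if` blocks is the right fix (previously a run with both a core dump and a sanitizer report only reported the first), but the core-dump branch above and the new tsan branch here each keep their own `echofail "R:$systest:FAIL"` while also incrementing `status`, and the common tail `if [ "$status" -ne 0 ]; then echofail ...` now prints FAIL a second time for those cases; drop the per-branch `echofail` calls and let the tail print it once. `SYSTESTDIR="$systest"` inside the assertion-failure branch is a leftover with no use in that block. Renaming `sanitizer_summaries` to `tsan_failures` while the message still says "sanitizer report(s)" is fine, but the `find -name 'tsan.*'` glob only catches ThreadSanitizer output; if ASan/UBSan logs are written under another name they are not counted.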

View File

@ -96,7 +96,7 @@ echo_i "verifying that 'lock-file none' disables process check ($n)"
ret=0
testpid=$(run_named ns2 named$n.run -c named-alt3.conf -D runtime-ns2-extra-3)
test -n "$testpid" || ret=1
retry_quiet 10 check_named_log "running$" ns2/named$n.run || ret=1
retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1
grep "another named process" ns2/named$n.run > /dev/null && ret=1
kill_named ns2/named-alt3.pid || ret=1
test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
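Review bot: raising `retry_quiet 10` to `retry_quiet 60` for the `running$` log check (here and in the four identical hunks below) gives named up to a minute to start, but the shutdown check two lines later (`retry_quiet 10 check_pid $testpid`) keeps the old bound, and the literal 60 is now repeated five times; a single variable near the top of the script, with a comment naming the CI runners that needed the longer startup window, would make the intent clear and turn the next flake into a one-line change.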
@ -188,7 +188,7 @@ ret=0
INSTANCE_NAME="runtime-ns2-extra-7-$(cat ctrl-chars)"
testpid=$(run_named ns2 named$n.run -c named-alt7.conf -D "${INSTANCE_NAME}")
test -n "$testpid" || ret=1
retry_quiet 10 check_named_log "running$" ns2/named$n.run || ret=1
retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1
grep 'running as.*\\177\\033' ns2/named$n.run > /dev/null || ret=1
kill_named ns2/named.pid || ret=1
test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
@ -201,7 +201,7 @@ ret=0
INSTANCE_NAME="runtime-ns2-extra-8-$;"
testpid=$(run_named ns2 named$n.run -c named-alt7.conf -D "${INSTANCE_NAME}")
test -n "$testpid" || ret=1
retry_quiet 10 check_named_log "running$" ns2/named$n.run || ret=1
retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1
grep 'running as.*\\$\\;' ns2/named$n.run > /dev/null || ret=1
kill_named ns2/named.pid || ret=1
test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
@ -215,7 +215,7 @@ LONG_CMD_LINE=$(cat long-cmd-line)
# shellcheck disable=SC2086
testpid=$(run_named ns2 named$n.run $LONG_CMD_LINE -c "named-alt7.conf")
test -n "$testpid" || ret=1
retry_quiet 10 check_named_log "running$" ns2/named$n.run || ret=1
retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1
grep "running as.*\.\.\.$" ns2/named$n.run > /dev/null || ret=1
kill_named ns2/named.pid || ret=1
test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
@ -235,7 +235,7 @@ if [ "$(id -u)" -eq 0 ] && [ -z "$CYGWIN" ]; then
chmod 0700 "${TEMP_NAMED_DIR}"
testpid=$(run_named "${TEMP_NAMED_DIR}" "${TEMP_NAMED_DIR}/named$n.run" -u nobody -c named-alt9.conf)
test -n "$testpid" || ret=1
retry_quiet 10 check_named_log "running$" "${TEMP_NAMED_DIR}/named$n.run" || ret=1
retry_quiet 60 check_named_log "running$" "${TEMP_NAMED_DIR}/named$n.run" || ret=1
[ -s "${TEMP_NAMED_DIR}/named9.pid" ] || ret=1
grep "loading configuration: permission denied" "${TEMP_NAMED_DIR}/named$n.run" > /dev/null && ret=1
kill_named "${TEMP_NAMED_DIR}/named9.pid" || ret=1

View File

@ -49,6 +49,16 @@ my $udpsock = IO::Socket::INET->new(LocalAddr => "$localaddr",
my $SOA = "example 300 IN SOA . . 0 0 0 0 300";
my $NS = "example 300 IN NS ns.example";
my $A = "ns.example 300 IN A $localaddr";
#
# Slow delegation
#
my $slowSOA = "slow 300 IN SOA . . 0 0 0 0 300";
my $slowNS = "slow 300 IN NS ns.slow";
my $slowA = "ns.slow 300 IN A $localaddr";
my $slowTXT = "data.slow 2 IN TXT \"A slow text record with a 2 second ttl\"";
my $slownegSOA = "slow 2 IN SOA . . 0 0 0 0 300";
#
# Records to be TTL stretched
#
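Review bot: `$slowTXT` and `$slownegSOA` both use a 2-second TTL so the data expires quickly and serve-stale kicks in, mirroring the existing `data.example` records; a short comment saying the TTL is deliberately below ns3's `stale-answer-ttl 3` and `stale-answer-client-timeout` would make that dependency explicit. `$slownegSOA` being `slow 2 IN SOA ... 300` (TTL 2, minimum 300) is what makes the NODATA answer for non-TXT types age out at the same rate; worth a word in the comment too.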
@ -100,6 +110,12 @@ sub reply_handler {
# If we are not responding to queries we are done.
return if (!$send_response);
if (index($qname, "latency") == 0) {
# simulate network latency before answering
print " Sleeping 50 milliseconds\n";
select(undef, undef, undef, 0.05);
}
# Construct the response and send it.
if ($qname eq "ns.example" ) {
if ($qtype eq "A") {
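Review bot: `index($qname, "latency") == 0` sleeps 50 ms for any name starting with `latency`, and because ans.pl is single-threaded that sleep also delays every other query queued behind it; for the 20 parallel `latency${num}.data.example` queries in tests.sh that is roughly 1 s of serialised delay, not 50 ms each, which is what keeps ten recursive clients busy at once. Say so in the comment, since anyone tuning `recursive-clients 10` or the retry counts in the CVE regression needs to know the delay is serialised.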
@ -212,6 +228,44 @@ sub reply_handler {
push @auth, $rr;
}
$rcode = "NOERROR";
} elsif ($qname eq "ns.slow" ) {
if ($qtype eq "A") {
my $rr = new Net::DNS::RR($slowA);
push @ans, $rr;
} else {
my $rr = new Net::DNS::RR($slowSOA);
push @auth, $rr;
}
$rcode = "NOERROR";
} elsif ($qname eq "slow") {
if ($qtype eq "NS") {
my $rr = new Net::DNS::RR($slowNS);
push @auth, $rr;
$rr = new Net::DNS::RR($slowA);
push @add, $rr;
} elsif ($qtype eq "SOA") {
my $rr = new Net::DNS::RR($slowSOA);
push @ans, $rr;
} else {
my $rr = new Net::DNS::RR($slowSOA);
push @auth, $rr;
}
$rcode = "NOERROR";
} elsif ($qname eq "data.slow") {
if ($slow_response) {
print " Sleeping 3 seconds\n";
sleep(3);
# only one time
$slow_response = 0;
}
if ($qtype eq "TXT") {
my $rr = new Net::DNS::RR($slowTXT);
push @ans, $rr;
} else {
my $rr = new Net::DNS::RR($slownegSOA);
push @auth, $rr;
}
$rcode = "NOERROR";
} else {
my $rr = new Net::DNS::RR($SOA);
push @auth, $rr;
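Review bot: `$slow_response` is read and cleared in the `data.slow` branch but is not declared in any hunk shown; confirm it has a `my $slow_response = ...;` at file scope and that the `slowdown` control query sent from tests.sh sets it to 1, since under `use strict` an undeclared global is a compile error and without the setter the `sleep(3)` never fires. The `sleep(3)` blocks the whole single-threaded responder, so for those 3 seconds every other query to ns2 (including the `data.example` / `nodata.example` queries sent in parallel from tests.sh) goes unanswered; the tests tolerate that only because those names are served from stale cache, and the `# only one time` reset is what bounds the effect, so the comment should state both.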

View File

@ -14,3 +14,5 @@
ns.nil. 300 A 10.53.0.1
example. 300 NS ns.example.
ns.example. 300 A 10.53.0.2
slow. 300 NS ns.slow.
ns.slow. 300 A 10.53.0.2

View File

@ -39,12 +39,13 @@ options {
stale-answer-ttl 3;
stale-refresh-time 0;
stale-answer-client-timeout 1800;
recursive-clients 10; # CVE-2022-3924
max-stale-ttl 3600;
resolver-query-timeout 10;
qname-minimization disabled;
};
zone "." {
type secondary;
primaries { 10.53.0.1; };
file "root.bk";
type hint;
file "root.db";
};
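Review bot: two unrelated changes share this hunk: `recursive-clients 10; # CVE-2022-3924` and switching zone "." from a `secondary` of 10.53.0.1 to a `hint` zone backed by `root.db`. The hint change means ns3 now recurses to the root instead of serving a transferred copy, which is what makes the new `slow.` delegation reachable, but it alters the resolution path for every existing serve-stale test in this file and deserves a sentence in the commit message. `recursive-clients 10` applies to ns3 for the whole tests.sh run, not just the CVE regression; any test that has more than ten recursive queries in flight (the parallel-queries test already fires three) is now close to the limit, so if the value must stay that low consider isolating the CVE test with its own config and a reconfig around it.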

View File

@ -1638,6 +1638,24 @@ grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "delay responses from authoritative server ($n)"
ret=0
$DIG -p ${PORT} @10.53.0.2 txt slowdown > dig.out.test$n
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "prime cache data.slow TXT (stale-answer-client-timeout) ($n)"
ret=0
$DIG -p ${PORT} @10.53.0.3 data.slow TXT > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "disable responses from authoritative server ($n)"
ret=0
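Review bot: `$DIG ... @10.53.0.2 txt slowdown` is a control message to the ans.pl responder (it arms the one-shot slow response and echoes `"1"`), not a lookup that is itself delayed, but the title "delay responses from authoritative server" and the missing comment make it read like an ordinary query; add a comment saying it is a control query, as the neighbouring "disable responses from authoritative server" test presumably does. The "prime cache data.slow TXT" test only checks `ANSWER: 1,`; asserting the TXT text as well would catch a wrong record being cached, since every later `data.slow` stale check depends on this priming.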
@ -1652,10 +1670,11 @@ sleep 2
nextpart ns3/named.run > /dev/null
echo_i "sending queries for tests $((n+1))-$((n+2))..."
echo_i "sending queries for tests $((n+1))-$((n+3))..."
t1=`$PERL -e 'print time()'`
$DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 data.example TXT > dig.out.test$((n+1)) &
$DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 nodata.example TXT > dig.out.test$((n+2))
$DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 data.slow TXT > dig.out.test$((n+3)) &
wait
t2=`$PERL -e 'print time()'`
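Review bot: the new `data.slow` query is backgrounded with `&`, but the `nodata.example` query on the line above still runs in the foreground, so `data.slow` is only sent after `nodata.example` has completed (up to `stale-answer-client-timeout` later); if all three are meant to be in flight together, as the `t1`/`t2` timing around them implies, background `nodata.example` as well, otherwise `$((n+3))` measures a different window from `$((n+1))`.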
@ -1677,21 +1696,32 @@ status=$((status+ret))
n=$((n+1))
echo_i "check stale nodata.example TXT comes from cache (stale-answer-client-timeout 1.8) ($n)"
ret=0
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
grep "example\..*3.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "check stale data.slow TXT comes from cache (stale-answer-client-timeout 1.8) ($n)"
ret=0
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
grep "data\.slow\..*3.*IN.*TXT.*A slow text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
# Now query for RRset not in cache. The first query should time out, but once
# we enable the authoritative server, the second query should be able to get a
# response.
nextpart ns3/named.run > /dev/null
echo_i "sending queries for tests $((n+2))-$((n+3))..."
echo_i "sending queries for tests $((n+2))-$((n+4))..."
$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 longttl.example TXT > dig.out.test$((n+2)) &
$DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 longttl.example TXT > dig.out.test$((n+3)) &
$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 longttl.example RRSIG > dig.out.test$((n+4)) &
# Enable the authoritative name server after stale-answer-client-timeout.
n=$((n+1))
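Review bot: the `longttl.example RRSIG` query with `+timeout=3` is queued as test `$((n+4))` next to the two `longttl.example TXT` queries, and the later check expects it to time out even after the authoritative server is re-enabled, but the lead-in comment (`# Now query for RRset not in cache...`) only explains the TXT pair; add a sentence on why an RRSIG query for a name not in cache is expected to time out rather than be answered. In the `data.slow` stale check the regex matches TTL `3`, which is ns3's `stale-answer-ttl 3`; tying the literal to the option in a comment saves the next reader a lookup.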
@ -1730,6 +1760,37 @@ retry_quiet 8 check_results dig.out.test$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "check not in cache longttl.example RRSIG times out (stale-answer-client-timeout 1.8) ($n)"
ret=0
check_results() {
[ -s "$1" ] || return 1
grep "connection timed out" "$1" > /dev/null || return 1
return 0
}
retry_quiet 8 check_results dig.out.test$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
# CVE-2022-3924, GL #3619
n=$((n+1))
echo_i "check that named survives reaching recursive-clients quota (stale-answer-client-timeout 1.8) ($n)"
ret=0
num=0
# Make sure to exceed the configured value of 'recursive-clients 10;' by running
# 20 parallel queries with simulated network latency.
while [ $num -lt 20 ]; do
$DIG +tries=1 -p ${PORT} @10.53.0.3 "latency${num}.data.example" TXT >/dev/null 2>&1 &
num=$((num+1))
done;
_dig_data() {
$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n || return 1
grep "status: NOERROR" dig.out.test$n > /dev/null || return 1
}
retry_quiet 5 _dig_data || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
#############################################
# Test for stale-answer-client-timeout off. #
#############################################
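Review bot: `check_results` is redefined here with the same name as the helper used by the test immediately above (`retry_quiet 8 check_results dig.out.test$n`), so the two tests depend on definition order and each redefinition silently changes what the earlier name does; give them distinct names such as `check_timed_out`. In the CVE-2022-3924 regression the 20 `$DIG ... "latency${num}.data.example"` jobs are backgrounded with output discarded and never `wait`ed, so they may still hold recursive-clients slots when the `stale-answer-client-timeout off` section starts; add `wait` after `retry_quiet 5 _dig_data`. The comment should also say that the pass criterion is only that ns3 keeps answering `data.example`, since nothing greps named.run for the quota being reached. `done;` has a stray semicolon.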
@ -1930,8 +1991,10 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
wait_for_rrset_refresh() {
nextpart ns3/named.run | grep 'data.example.*2.*TXT.*"A text record with a 2 second ttl"' > /dev/null && return 0
return 1
$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null || return 1
grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1
grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || return 1
}
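Review bot: the dig-based `wait_for_rrset_refresh` is more robust than grepping the debug log, but the `$DIG -p ${PORT} @10.53.0.3 data.example TXT` inside it uses dig's default tries and timeout, so each of the `retry_quiet 10` attempts can take tens of seconds if ns3 is slow, and `dig.out.test$n` is overwritten on every attempt; add `+tries=1 +timeout=...` as the other queries in this file do to keep the bound predictable.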
# This test ensures that after we get stale data due to
@ -1941,10 +2004,6 @@ n=$((n+1))
ret=0
echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0) ($n)"
retry_quiet 10 wait_for_rrset_refresh || ret=1
$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
@ -2124,10 +2183,6 @@ n=$((n+1))
ret=0
echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)"
retry_quiet 10 wait_for_rrset_refresh || ret=1
$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))

View File

@ -70,7 +70,6 @@ def do_work(named_proc, resolver, rndc_cmd, kill_method, n_workers, n_queries):
# We're going to execute queries in parallel by means of a thread pool.
# dnspython functions block, so we need to circunvent that.
with ThreadPoolExecutor(n_workers + 1) as executor:
# Helper dict, where keys=Future objects and values are tags used
# to process results later.
futures = {}
@ -132,6 +131,31 @@ def do_work(named_proc, resolver, rndc_cmd, kill_method, n_workers, n_queries):
assert ret_code == 0
def wait_for_named_loaded(resolver, retries=10):
for _ in range(retries):
try:
resolver.query("version.bind", "TXT", "CH")
return True
except (dns.resolver.NoNameservers, dns.exception.Timeout):
time.sleep(1)
return False
def wait_for_proc_termination(proc, max_timeout=10):
for _ in range(max_timeout):
if proc.poll() is not None:
return True
time.sleep(1)
proc.send_signal(signal.SIGABRT)
for _ in range(max_timeout):
if proc.poll() is not None:
return True
time.sleep(1)
return False
def test_named_shutdown(named_port, control_port):
# pylint: disable-msg=too-many-locals
cfg_dir = os.path.join(os.getcwd(), "resolver")
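Review bot: `wait_for_proc_termination` returns True both when named exited on its own and when it only exited after the SIGABRT sent on the second pass, so the caller cannot tell a clean shutdown from a hang that was aborted except by inspecting `returncode`; return False (or log) when the abort path was taken so the failure mode is explicit. `wait_for_named_loaded` calls `resolver.query`, which dnspython 2.x deprecates in favour of `resolver.resolve`; fine if the CI version is pinned, otherwise expect a DeprecationWarning. Both helpers need `time` and `signal` imported at module scope, which the hunk does not show.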
@ -168,40 +192,18 @@ def test_named_shutdown(named_port, control_port):
for kill_method in ("rndc", "sigterm"):
named_cmdline = [named, "-c", cfg_file, "-f"]
with subprocess.Popen(named_cmdline, cwd=cfg_dir) as named_proc:
# Ensure named is running
assert named_proc.poll() is None
# wait for named to finish loading
for _ in range(10):
try:
resolver.query("version.bind", "TXT", "CH")
break
except (dns.resolver.NoNameservers, dns.exception.Timeout):
time.sleep(1)
do_work(
named_proc, resolver, rndc_cmd, kill_method, n_workers=12, n_queries=16
)
# Wait named to exit for a maximum of MAX_TIMEOUT seconds.
MAX_TIMEOUT = 10
is_dead = False
for _ in range(MAX_TIMEOUT):
if named_proc.poll() is not None:
is_dead = True
break
time.sleep(1)
if not is_dead:
named_proc.send_signal(signal.SIGABRT)
for _ in range(MAX_TIMEOUT):
if named_proc.poll() is not None:
is_dead = True
break
time.sleep(1)
if not is_dead:
named_proc.kill()
assert is_dead
# Ensures that named exited gracefully.
# If it crashed (abort()) exitcode will be non zero.
assert named_proc.returncode == 0
try:
assert named_proc.poll() is None, "named isn't running"
assert wait_for_named_loaded(resolver)
do_work(
named_proc,
resolver,
rndc_cmd,
kill_method,
n_workers=12,
n_queries=16,
)
assert wait_for_proc_termination(named_proc)
assert named_proc.returncode == 0, "named crashed"
finally: # Ensure named is terminated in case of an exception
named_proc.kill()
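Review bot: because `wait_for_proc_termination` sends SIGABRT on a hang, `named_proc.returncode` is -6 in that case and the assertion message `"named crashed"` is misleading (it hung and was aborted); distinguish the two in the message. `named_proc.kill()` in `finally` is a no-op once `poll()` has recorded an exit status, so the happy path is safe; if `do_work` raises while named is still running, the kill leaves a non-zero return code that the `with subprocess.Popen(...)` block then waits on without any assertion, which is acceptable but worth stating in the comment.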

View File

@ -58,7 +58,6 @@ def check_manykeys(name, zone=None):
def zone_mtime(zonedir, name):
try:
si = os.stat(os.path.join(zonedir, "{}.db".format(name)))
except FileNotFoundError:
@ -70,7 +69,6 @@ def zone_mtime(zonedir, name):
def test_zone_timers_primary(fetch_zones, load_timers, **kwargs):
statsip = kwargs["statsip"]
statsport = kwargs["statsport"]
zonedir = kwargs["zonedir"]
@ -84,7 +82,6 @@ def test_zone_timers_primary(fetch_zones, load_timers, **kwargs):
def test_zone_timers_secondary(fetch_zones, load_timers, **kwargs):
statsip = kwargs["statsip"]
statsport = kwargs["statsport"]
zonedir = kwargs["zonedir"]
@ -98,7 +95,6 @@ def test_zone_timers_secondary(fetch_zones, load_timers, **kwargs):
def test_zone_with_many_keys(fetch_zones, load_zone, **kwargs):
statsip = kwargs["statsip"]
statsport = kwargs["statsport"]

View File

@ -28,7 +28,6 @@ def create_msg(qname, qtype):
def udp_query(ip, port, msg):
ans = dns.query.udp(msg, ip, TIMEOUT, port=port)
assert ans.rcode() == dns.rcode.NOERROR
@ -36,7 +35,6 @@ def udp_query(ip, port, msg):
def tcp_query(ip, port, msg):
ans = dns.query.tcp(msg, ip, TIMEOUT, port=port)
assert ans.rcode() == dns.rcode.NOERROR
@ -90,7 +88,6 @@ def check_traffic(data, expected):
def test_traffic(fetch_traffic, **kwargs):
statsip = kwargs["statsip"]
statsport = kwargs["statsport"]
port = kwargs["port"]

View File

@ -24,7 +24,6 @@ requests = pytest.importorskip("requests")
# JSON helper functions
def fetch_zones_json(statsip, statsport):
r = requests.get(
"http://{}:{}/json/v1/zones".format(statsip, statsport), timeout=600
)
@ -35,7 +34,6 @@ def fetch_zones_json(statsip, statsport):
def fetch_traffic_json(statsip, statsport):
r = requests.get(
"http://{}:{}/json/v1/traffic".format(statsip, statsport), timeout=600
)
@ -47,7 +45,6 @@ def fetch_traffic_json(statsip, statsport):
def load_timers_json(zone, primary=True):
name = zone["name"]
# Check if the primary zone timer exists

View File

@ -25,7 +25,6 @@ requests = pytest.importorskip("requests")
# XML helper functions
def fetch_zones_xml(statsip, statsport):
r = requests.get(
"http://{}:{}/xml/v3/zones".format(statsip, statsport), timeout=600
)
@ -75,7 +74,6 @@ def fetch_traffic_xml(statsip, statsport):
def load_timers_xml(zone, primary=True):
name = zone.attrib["name"]
loaded_el = zone.find("loaded")

View File

@ -43,7 +43,6 @@ def create_socket(host, port):
# Regression test for CVE-2022-0396
def test_close_wait(named_port):
with create_socket("10.53.0.7", named_port) as sock:
msg = create_msg("a.example.", "A")
(sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
(response, rtime) = dns.query.receive_tcp(sock, timeout())
@ -66,7 +65,6 @@ def test_close_wait(named_port):
# request. If it gets stuck in CLOSE_WAIT state, there is no connection
# available for the query below and it will time out.
with create_socket("10.53.0.7", named_port) as sock:
msg = create_msg("a.example.", "A")
(sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
(response, rtime) = dns.query.receive_tcp(sock, timeout())

View File

@ -15,6 +15,7 @@ SYSTEMTESTTOP=${SYSTEMTESTTOP:=..}
prog=$0
args=""
quiet=0
dir=""
msg="cryptography"
if test -z "$KEYGEN"; then
@ -75,9 +76,18 @@ if test -z "$alg"; then
exit 1
fi
if test -n "$TMPDIR"; then
dir=$(mktemp -d "$TMPDIR/XXXXXX")
args="$args -K $dir"
fi
if $KEYGEN $args $alg foo > /dev/null 2>&1
then
rm -f Kfoo*
if test -z "$dir"; then
rm -f Kfoo*
else
rm -rf "$dir"
fi
else
if test $quiet -eq 0; then
echo_i "This test requires support for $msg" >&2
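Review bot: the directory created with `mktemp -d "$TMPDIR/XXXXXX"` is only removed on the success path (`rm -rf "$dir"` inside `if $KEYGEN ...`); when `dnssec-keygen` fails the directory is left behind in `$TMPDIR`, and there is no `trap` for the interrupted case. Move the cleanup after the `if`/`else`, or install `trap 'rm -rf "$dir"' EXIT` right after creating it. If `mktemp` fails, `$dir` is empty and `-K ""` is passed to `dnssec-keygen`; guard the `args="$args -K $dir"` line with `test -d "$dir"`.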

View File

@ -23,10 +23,7 @@ options {
notify no;
};
key "md5" {
secret "97rnFx24Tfna4mHPfgnerA==";
algorithm hmac-md5;
};
# md5 key appended by setup.sh at the end
key "sha1" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
@ -53,10 +50,7 @@ key "sha512" {
algorithm hmac-sha512;
};
key "md5-trunc" {
secret "97rnFx24Tfna4mHPfgnerA==";
algorithm hmac-md5-80;
};
# md5-trunc key appended by setup.sh at the end
key "sha1-trunc" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";

View File

@ -17,3 +17,19 @@ SYSTEMTESTTOP=..
$SHELL clean.sh
copy_setports ns1/named.conf.in ns1/named.conf
if $FEATURETEST --md5
then
cat >> ns1/named.conf << EOF
# Conditionally included when support for MD5 is available
key "md5" {
secret "97rnFx24Tfna4mHPfgnerA==";
algorithm hmac-md5;
};
key "md5-trunc" {
secret "97rnFx24Tfna4mHPfgnerA==";
algorithm hmac-md5-80;
};
EOF
fi

View File

@ -28,20 +28,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
status=0
echo_i "fetching using hmac-md5 (old form)"
ret=0
$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=1
fi
if $FEATURETEST --md5
then
echo_i "fetching using hmac-md5 (old form)"
ret=0
$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=1
fi
echo_i "fetching using hmac-md5 (new form)"
ret=0
$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=1
echo_i "fetching using hmac-md5 (new form)"
ret=0
$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=1
fi
else
echo_i "skipping using hmac-md5"
fi
echo_i "fetching using hmac-sha1"
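Review bot: `if $FEATURETEST --md5` is evaluated three times in this file (here, for the truncated-MD5 test and for the BADTRUNC test) and each `else` prints a differently worded `skipping using hmac-md5...` line; evaluate it once at the top into a variable and use that in each block, which avoids repeated subprocess calls and keeps the skip messages consistent with the `skipping` wording the other scripts in this change use. Folding the old-form and new-form queries under one `if` preserves the previous behaviour (an old-form failure sets `status=1` and the new-form query still runs), so nothing else changes.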
@ -89,12 +94,17 @@ fi
# Truncated TSIG
#
#
echo_i "fetching using hmac-md5 (trunc)"
ret=0
$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=1
if $FEATURETEST --md5
then
echo_i "fetching using hmac-md5 (trunc)"
ret=0
$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=1
fi
else
echo_i "skipping using hmac-md5 (trunc)"
fi
echo_i "fetching using hmac-sha1 (trunc)"
@ -143,12 +153,17 @@ fi
# Check for bad truncation.
#
#
echo_i "fetching using hmac-md5-80 (BADTRUNC)"
ret=0
$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=1
if $FEATURETEST --md5
then
echo_i "fetching using hmac-md5-80 (BADTRUNC)"
ret=0
$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=1
fi
else
echo_i "skipping using hmac-md5-80 (BADTRUNC)"
fi
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
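Review bot: when MD5 is unavailable the negative `hmac-md5-80` BADTRUNC case is skipped entirely, so the bad-truncation path is then exercised only by the `hmac-sha1-80` case that follows; that is acceptable, but the skip message should say why (`skipping using hmac-md5-80 (BADTRUNC): MD5 not supported`) so that a test log with fewer checks is self-explanatory.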


@ -11,11 +11,7 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
rm -f ./dig.out.*
rm -f ./*/named.conf
rm -f ./*/named.memstats
rm -f ./*/named.run
rm -f ./ns*/named.lock
rm -f ./ns*/_default.nzf
rm -f ./ns*/_default.nzd*
rm -f ./ns*/managed-keys.bind* ns*/*.mkeys*
rm -f ./ns*/managed-keys.bind*


@ -0,0 +1,31 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if test -n "$PYTHON"
then
if $PYTHON -c "import dns" 2> /dev/null
then
:
else
echo_i "This test requires the dnspython module." >&2
exit 1
fi
else
echo_i "This test requires Python and the dnspython module." >&2
exit 1
fi
exit 0
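Review bot: `$PYTHON -c "import dns"` only proves that some module named `dns` is importable, not that it is dnspython with the `dns.message` and `dns.query` submodules the test uses; import those directly (`$PYTHON -c "import dns.message, dns.query"`) so the prerequisite check fails for the right reason. The `if ...; then :; else ...; fi` shape can be simplified to `if ! $PYTHON -c "..." 2>/dev/null; then ...; fi`, and the message in the outer `else` branch could mention that `PYTHON` is set by conf.sh so the operator knows where to point it at an interpreter.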


@ -13,6 +13,5 @@
. $SYSTEMTESTTOP/conf.sh
$SHELL clean.sh
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf


@ -0,0 +1,32 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
import pytest
pytest.importorskip("dns")
import dns.message
import dns.query
@pytest.mark.parametrize(
"qname,rdtype,expected_ttl",
[
("min-example.", "SOA", 60),
("min-example.", "MX", 30),
("max-example.", "SOA", 120),
("max-example.", "MX", 60),
],
)
def test_cache_ttl(qname, rdtype, expected_ttl, named_port):
msg = dns.message.make_query(qname, rdtype)
response = dns.query.udp(msg, "10.53.0.2", timeout=10, port=named_port)
for rr in response.answer + response.authority:
assert rr.ttl == expected_ttl
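Review bot: the loop `for rr in response.answer + response.authority: assert rr.ttl == expected_ttl` passes vacuously when both sections are empty (a SERVFAIL, REFUSED or empty NOERROR answer), so a server that fails to answer at all would not fail the test; assert `response.rcode() == dns.rcode.NOERROR` (with `import dns.rcode`) and that `response.answer` is non-empty before the loop. Checking `rr.rdtype` against the requested `rdtype` for the answer section would also stop an unexpected RRset from being accepted silently.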


@ -707,9 +707,9 @@ AC_CHECK_FUNCS([pthread_setname_np pthread_set_name_np])
AC_CHECK_HEADERS([pthread_np.h], [], [], [#include <pthread.h>])
# libuv
AC_MSG_CHECKING(for libuv)
PKG_CHECK_MODULES([LIBUV], [libuv >= 1.0.0], [],
[AC_MSG_ERROR([libuv not found])])
PKG_CHECK_MODULES([LIBUV], [libuv >= 1.37.0], [],
[PKG_CHECK_MODULES([LIBUV], [libuv >= 1.0.0 libuv < 1.35.0], [],
[AC_MSG_ERROR([libuv >= 1.0.0 (except 1.35.0 and 1.36.0) not found])])])
AX_SAVE_FLAGS([libuv])
CFLAGS="$CFLAGS $LIBUV_CFLAGS"
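Review bot: the pair of checks (`libuv >= 1.37.0`, otherwise `libuv >= 1.0.0 libuv < 1.35.0`) rejects the whole 1.35.x and 1.36.x series, while the error text names only 1.35.0 and 1.36.0; say "1.35.x and 1.36.x" in `AC_MSG_ERROR` so point releases of those series are not assumed to be accepted. Separately, `AC_MSG_CHECKING(for libuv)` above has no matching `AC_MSG_RESULT` in this region while `PKG_CHECK_MODULES` prints its own "checking for LIBUV" line, leaving a dangling "checking for libuv..." in the configure output; that predates this change but could be cleaned up while the block is being touched.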
@ -939,7 +939,12 @@ PKCS11_MANS=
#
# was --enable-native-pkcs11 specified?
#
# [pairwise: --enable-native-pkcs11 --with-dlopen, --disable-native-pkcs11 --with-dlopen, --disable-native-pkcs11 --without-dlopen]
# DNSRPS builds are included in pairwise testing here and not later because both
# --enable-native-pkcs11 and --enable-dnsrps-dl require --with-dlopen and the
# ordering of the set of ./configure arguments generated during pairwise testing
# is random.
#
# [pairwise: --enable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --disable-dnsrps --without-dlopen]
AC_ARG_ENABLE(native-pkcs11,
AS_HELP_STRING([--enable-native-pkcs11],
[use native PKCS11 for public-key crypto [default=no]]),
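Review bot: the new `[pairwise: ...]` annotation lists `--disable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen` twice (second and third entries), so one intended combination has been lost; the annotation it replaces had three distinct entries, and the duplicated one was probably meant to be the variant with the dynamic DNSRPS loader off, e.g. `--disable-native-pkcs11 --enable-dnsrps --disable-dnsrps-dl --with-dlopen`.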
@ -2153,6 +2158,14 @@ AC_PATH_PROG([XELATEX], [xelatex], [:])
AC_PATH_PROG([LATEXMK], [latexmk], [:])
AM_CONDITIONAL([HAVE_XELATEX], [test "$XELATEX" != ":" && test "$LATEXMK" != ":"])
#
# Build the man pages only if we have prebuilt manpages or we can build them from RST sources
#
BUILD_MANPAGES=
AS_IF([test -e doc/man/named.conf.5in || test "$SPHINX_BUILD" != ":"],
[BUILD_MANPAGES=man])
AC_SUBST([BUILD_MANPAGES])
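Review bot: `test -e doc/man/named.conf.5in` is evaluated relative to the directory configure is run from, so in an out-of-tree (VPATH) build the prebuilt man page is not found even though it exists in the source tree, and the `man` directory is dropped whenever `sphinx-build` is absent; use `test -e "$srcdir/doc/man/named.conf.5in"`. A short comment saying why `named.conf.5in` is the sentinel for all prebuilt man pages would also help the next reader.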
#
# Pull release date from CHANGES file last modification date
# for reproducible builds
@ -2583,8 +2596,9 @@ AC_COMPILE_IFELSE(
AC_MSG_RESULT([no])
])
# DNSRPS is not included in pairwise testing as the librpz library is not
# present in the relevant Docker image.
# DNSRPS builds are included in pairwise testing along --enable-native-pkcs11
# tests above as both of these features require --with-dlopen (see also the
# relevant comment there).
#
# [pairwise: skip]
AC_ARG_ENABLE([dnsrps-dl],


@ -60,7 +60,7 @@ mr = proj.mergerequests.get(os.environ["CI_MERGE_REQUEST_IID"])
#
# - FAIL if any of the following is true for any commit on the MR branch:
#
# * The subject line starts with "fixup!" or "Apply suggestion".
# * The subject line starts with "fixup!", "amend!" or "Apply suggestion".
#
# * The subject line starts with a prohibited word indicating a work in
# progress commit (e.g. "WIP").
@ -98,7 +98,9 @@ for commit in danger.git.commits:
message_lines = commit.message.splitlines()
subject = message_lines[0]
if not fixup_error_logged and (
subject.startswith("fixup!") or subject.startswith("Apply suggestion")
subject.startswith("fixup!")
or subject.startswith("amend!")
or subject.startswith("Apply suggestion")
):
fail(
"Fixup commits are still present in this merge request. "
@ -123,8 +125,9 @@ for commit in danger.git.commits:
if (
len(message_lines) < 3
and "fixup! " not in subject
and " CHANGES " not in subject
and " release note" not in subject
and "CHANGES " not in subject
and "release note" not in subject.lower()
and "GL #" not in subject
):
warn(f"Please write a log message for commit {commit.sha}.")
for line in message_lines[2:]:
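Review bot: `"CHANGES " not in subject` does not match subjects that name `CHANGES.SE` (the text after `CHANGES` is `.SE`, not a space), even though the later hunks in this file add CHANGES.SE handling; if commits that only touch CHANGES.SE are meant to be exempt from the log-message warning, check both names, e.g. `and not any(n in subject for n in ("CHANGES ", "CHANGES.SE"))`.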
@ -284,7 +287,7 @@ elif not approved:
# * The merge request adds a new CHANGES entry that is not a placeholder and
# does not contain any GitLab/RT issue/MR identifiers.
changes_modified = "CHANGES" in modified_files
changes_modified = "CHANGES" in modified_files or "CHANGES.SE" in modified_files
no_changes_label_set = "No CHANGES" in mr_labels
if not changes_modified and not no_changes_label_set:
fail(
@ -297,7 +300,7 @@ if changes_modified and no_changes_label_set:
"Revert `CHANGES` modifications or unset the *No Changes* label."
)
changes_added_lines = added_lines(target_branch, ["CHANGES"])
changes_added_lines = added_lines(target_branch, ["CHANGES", "CHANGES.SE"])
placeholders_added = lines_containing(changes_added_lines, "[placeholder]")
identifiers_found = filter(changes_issue_or_mr_id_regex.search, changes_added_lines)
if changes_added_lines:
@ -393,11 +396,19 @@ switches_added = lines_containing(
configure_added_lines, "AC_ARG_ENABLE"
) + lines_containing(configure_added_lines, "AC_ARG_WITH")
annotations_added = lines_containing(configure_added_lines, "# [pairwise: ")
if len(switches_added) > len(annotations_added):
fail(
"This merge request adds at least one new `./configure` switch that "
"is not annotated for pairwise testing purposes."
)
if switches_added:
if len(switches_added) > len(annotations_added):
fail(
"This merge request adds at least one new `./configure` switch that "
"is not annotated for pairwise testing purposes."
)
else:
message(
"**Before merging**, please start a full CI pipeline for this "
"branch with the `PAIRWISE_TESTING` variable set to any "
"non-empty value (e.g. `1`). This will cause the `pairwise` "
"job to exercise the new `./configure` switches."
)
###############################################################################
# USER-VISIBLE LOG LEVELS
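Review bot: the `else: message(...)` branch asks for a `PAIRWISE_TESTING` run whenever new switches are added and the annotation count is sufficient, but `annotations_added` counts every `# [pairwise: ` line, including `# [pairwise: skip]`; when all new switches are annotated `skip` the pairwise job has nothing to exercise and the request is misleading, so either exclude `skip` annotations from the count that triggers the message or note the limitation in the message text.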


@ -17,7 +17,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
SUBDIRS = man arm misc doxygen
SUBDIRS = @BUILD_MANPAGES@ arm misc doxygen
TARGETS =
@BIND9_MAKE_RULES@


@ -83,10 +83,12 @@ To build BIND 9, the following packages must be installed:
- ``perl``
- ``pkg-config`` / ``pkgconfig`` / ``pkgconf``
BIND 9.16 requires ``libuv`` 1.x or higher. On older systems, an updated
``libuv`` package needs to be installed from sources such as EPEL, PPA,
or other native sources. The other option is to build and install
``libuv`` from source.
BIND 9.16 requires ``libuv`` 1.0.0 or higher, using ``libuv`` >= 1.40.0
is recommended. Compiling or running with ``libuv`` 1.35.0 or 1.36.0 is
not supported, as this could lead to an assertion failure in the UDP
receive code. On older systems, an updated ``libuv`` package needs to be
installed from sources such as EPEL, PPA, or other native sources. The
other option is to build and install ``libuv`` from source.
OpenSSL 1.0.2e or newer is required. If the OpenSSL library is installed
in a nonstandard location, specify the prefix using
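Review bot: `BIND 9.16 requires libuv 1.0.0 or higher, using libuv >= 1.40.0 is recommended` is a comma splice; split it, e.g. `BIND 9.16 requires libuv 1.0.0 or higher; libuv 1.40.0 or newer is recommended.` In the next sentence, `as this could lead to an assertion failure` reads better as `because these versions can trigger an assertion failure`, and stating which versions configure refuses (the 1.35.x and 1.36.x series) keeps the README in step with the configure.ac check in this same change.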


@ -46,6 +46,11 @@ for Microsoft Windows operating systems.
.. include:: ../notes/notes-known-issues.rst
.. include:: ../notes/notes-9.16.42.rst
.. include:: ../notes/notes-9.16.41.rst
.. include:: ../notes/notes-9.16.40.rst
.. include:: ../notes/notes-9.16.39.rst
.. include:: ../notes/notes-9.16.38.rst
.. include:: ../notes/notes-9.16.37.rst
.. include:: ../notes/notes-9.16.36.rst
.. include:: ../notes/notes-9.16.35.rst


@ -42,16 +42,16 @@ able to offer support on a “best effort” basis for some.
Regularly tested platforms
~~~~~~~~~~~~~~~~~~~~~~~~~~
As of August 2022, BIND 9.16 is fully supported and regularly tested on the
Current versions of BIND 9 are fully supported and regularly tested on the
following systems:
- Debian 10, 11
- Ubuntu LTS 18.04, 20.04, 22.04
- Fedora 37
- Fedora 38
- Red Hat Enterprise Linux / CentOS / Oracle Linux 7, 8, 9
- FreeBSD 12.3, 13.1
- OpenBSD 7.2
- Alpine Linux 3.16
- FreeBSD 12.4, 13.2
- OpenBSD 7.3
- Alpine Linux 3.18
The amd64, i386, armhf and arm64 CPU architectures are all fully
supported.


@ -416,12 +416,11 @@ To disable the command channel, use an empty ``controls`` statement:
``include`` Statement Definition and Usage
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The ``include`` statement inserts the specified file (or files if a valid glob
expression is detected) at the point where the ``include`` statement is
encountered. The ``include`` statement facilitates the administration of
configuration files by permitting the reading or writing of some things but not
others. For example, the statement could include private keys that are readable
only by the name server.
The ``include`` statement inserts the specified file at the point where the
``include`` statement is encountered. The ``include`` statement facilitates
the administration of configuration files by permitting the reading or
writing of some things but not others. For example, the statement could
include private keys that are readable only by the name server.
.. _key_grammar:
@ -1160,14 +1159,20 @@ default is used.
effective user ID of the ``named`` process.
``qname-minimization``
This option controls QNAME minimization behavior in the BIND
resolver. When set to ``strict``, BIND follows the QNAME
When this is set to ``strict``, BIND follows the QNAME
minimization algorithm to the letter, as specified in :rfc:`7816`.
Setting this option to ``relaxed`` causes BIND to fall back to
normal (non-minimized) query mode when it receives either NXDOMAIN or
other unexpected responses (e.g., SERVFAIL, improper zone cut,
REFUSED) to a minimized query. ``disabled`` disables QNAME
minimization completely. The current default is ``relaxed``, but it
REFUSED) to a minimized query. A resolver can use a leading
underscore, like ``_.example.com``, in an attempt to improve
interoperability. (See :rfc:`7816` section 3.)
``disabled`` disables QNAME minimization completely.
``off`` is a synonym for ``disabled``.
The current default is ``relaxed``, but it
may be changed to ``strict`` in a future release.
``tkey-gssapi-keytab``
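Review bot: the added sentence `A resolver can use a leading underscore, like _.example.com, in an attempt to improve interoperability` sits inside the description of `relaxed` but is phrased as a general statement about resolvers; say whether `named` itself sends such `_`-prefixed queries and in which mode, so an operator reading packet captures knows what to expect. The `off` synonym line is useful; consider listing it in the option grammar as well so it is not discoverable only from prose.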
@ -3090,6 +3095,11 @@ system.
default value of that option (90% of physical memory for each
individual cache) may lead to memory exhaustion over time.
.. note::
``max-cache-size`` does not work reliably for the maximum
amount of memory of 100 MB or lower.
Upon startup and reconfiguration, caches with a limited size
preallocate a small amount of memory (less than 1% of
``max-cache-size`` for a given view). This preallocation serves as an
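Review bot: the new note `does not work reliably for the maximum amount of memory of 100 MB or lower` is hard to parse; state it as a constraint on the option value, e.g. `max-cache-size values of 100 MB or lower are not enforced reliably`, and say what "not reliably" means in practice (whether the cache can exceed the configured limit, or whether the limit is simply ignored) so that an operator sizing a small cache knows the consequence.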
@ -3560,9 +3570,8 @@ Tuning
to be sent without fragmentation at the minimum MTU sizes for
Ethernet and IPv6 networks.)
The ``named`` now sets the DON'T FRAGMENT flag on outgoing UDP packets.
According to the measurements done by multiple parties this should not be
causing any operational problems as most of the Internet "core" is able to
According to the measurements done by multiple parties the default value
should not be causing the fragmentation as most of the Internet "core" is able to
cope with IP message sizes between 1400-1500 bytes, the 1232 size was picked
as a conservative minimal number that could be changed by the DNS operator to
a estimated path MTU minus the estimated header space. In practice, the
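Review bot: the rewritten sentence `the default value should not be causing the fragmentation as most of the Internet "core" is able to cope` is ungrammatical and no longer names which option's default it refers to; name the option whose 1232-byte default the paragraph discusses and write e.g. `with the default value, fragmentation should not occur, because most of the Internet core copes with IP packets of 1400-1500 bytes`. Further down in the same hunk, `a estimated path MTU` should read `an estimated path MTU`.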
@ -6542,6 +6551,7 @@ This example generates A and AAAA records using modifiers; the AAAA
is equivalent to:
::
HOST-0000.EXAMPLE. A 1.2.3.1
HOST-0001.EXAMPLE. A 1.2.3.2
HOST-0002.EXAMPLE. A 1.2.3.3


@ -112,8 +112,6 @@ confirm that it is in fact validating DNS responses.
- `Internet.nl <https://en.conn.internet.nl/connection/>`__
- `DNSSEC Resolver Test (uni-due.de) <https://dnssec.vs.uni-due.de/>`__
- `DNSSEC or Not (VeriSign) <https://www.dnssec-or-not.com/>`__
.. _using_dig_to_verify:


@ -58,7 +58,7 @@ be used from a remote system.
This option specifies the algorithm to use for the TSIG key. Available
choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384,
and hmac\-sha512. The default is hmac\-sha256. Options are
case\-insensitive, and the "hmac\-" prefix may be omitted.
case\-insensitive, and the \(dqhmac\-\(dq prefix may be omitted.
.TP
.B \fB\-h\fP
This option prints a short summary of options and arguments.
@ -79,15 +79,15 @@ explanatory text or usage examples. This is essentially identical to
.B \fB\-s name\fP
This option generates a configuration example to allow dynamic updates
of a single hostname. The example \fBnamed.conf\fP text shows how to set
an update policy for the specified name using the "name" nametype. The
default key name is \fBddns\-key.name\fP\&. Note that the "self" nametype
an update policy for the specified name using the \(dqname\(dq nametype. The
default key name is \fBddns\-key.name\fP\&. Note that the \(dqself\(dq nametype
cannot be used, since the name to be updated may differ from the key
name. This option cannot be used with the \fB\-z\fP option.
.TP
.B \fB\-z zone\fP
This option generates a configuration example to allow
dynamic updates of a zone. The example \fBnamed.conf\fP text shows how
to set an update policy for the specified zone using the "zonesub"
to set an update policy for the specified zone using the \(dqzonesub\(dq
nametype, allowing updates to all subdomain names within that zone.
This option cannot be used with the \fB\-s\fP option.
.UNINDENT


@ -53,7 +53,7 @@ simulates the behavior of a name server configured for DNSSEC validating
and forwarding.
.sp
By default, responses are validated using the built\-in DNSSEC trust anchor
for the root zone ("."). Records returned by \fBdelv\fP are either fully
for the root zone (\(dq.\(dq). Records returned by \fBdelv\fP are either fully
validated or were not signed. If validation fails, an explanation of the
failure is included in the output; the validation process can be traced
in detail. Because \fBdelv\fP does not rely on an external server to carry
@ -66,7 +66,7 @@ addresses are found, \fBdelv\fP sends queries to the localhost
addresses (127.0.0.1 for IPv4, ::1 for IPv6).
.sp
When no command\-line arguments or options are given, \fBdelv\fP
performs an NS query for "." (the root zone).
performs an NS query for \(dq.\(dq (the root zone).
.SH SIMPLE USAGE
.sp
A typical invocation of \fBdelv\fP looks like:
@ -114,7 +114,7 @@ supplied, \fBdelv\fP performs a lookup for an A record.
.B \fB\-a anchor\-file\fP
This option specifies a file from which to read DNSSEC trust anchors. The default
is \fB/etc/bind.keys\fP, which is included with BIND 9 and contains one
or more trust anchors for the root zone (".").
or more trust anchors for the root zone (\(dq.\(dq).
.sp
Keys that do not match the root zone name are ignored. An alternate
key name can be specified using the \fB+root=NAME\fP options.
@ -135,7 +135,7 @@ or \fB::\fP\&. An optional source port may be specified by appending
.TP
.B \fB\-c class\fP
This option sets the query class for the requested data. Currently, only class
"IN" is supported in \fBdelv\fP and any other value is ignored.
\(dqIN\(dq is supported in \fBdelv\fP and any other value is ignored.
.TP
.B \fB\-d level\fP
This option sets the systemwide debug level to \fBlevel\fP\&. The allowed range is
@ -168,8 +168,8 @@ non\-standard port number.
This option sets the query name to \fBname\fP\&. While the query name can be
specified without using the \fB\-q\fP option, it is sometimes necessary to
disambiguate names from types or classes (for example, when looking
up the name "ns", which could be misinterpreted as the type NS, or
"ch", which could be misinterpreted as class CH).
up the name \(dqns\(dq, which could be misinterpreted as the type NS, or
\(dqch\(dq, which could be misinterpreted as class CH).
.TP
.B \fB\-t type\fP
This option sets the query type to \fBtype\fP, which can be any valid query type
@ -178,8 +178,8 @@ with \fB\-q\fP, this is useful to distinguish query\-name types or classes
when they are ambiguous. It is sometimes necessary to disambiguate
names from types.
.sp
The default query type is "A", unless the \fB\-x\fP option is supplied
to indicate a reverse lookup, in which case it is "PTR".
The default query type is \(dqA\(dq, unless the \fB\-x\fP option is supplied
to indicate a reverse lookup, in which case it is \(dqPTR\(dq.
.TP
.B \fB\-v\fP
This option prints the \fBdelv\fP version and exits.
@ -235,7 +235,7 @@ and validation process, including the original query
and all subsequent queries to follow CNAMEs and to establish a chain
of trust for DNSSEC validation.
.sp
This is equivalent to setting the debug level to 1 in the "resolver"
This is equivalent to setting the debug level to 1 in the \(dqresolver\(dq
logging category. Setting the systemwide debug level to 1 using the
\fB\-d\fP option produces the same output, but affects other
logging categories as well.
@ -245,8 +245,8 @@ This option toggles message logging. This produces a detailed dump of the
responses received by \fBdelv\fP in the process of carrying out the
resolution and validation process.
.sp
This is equivalent to setting the debug level to 10 for the "packets"
module of the "resolver" logging category. Setting the systemwide
This is equivalent to setting the debug level to 10 for the \(dqpackets\(dq
module of the \(dqresolver\(dq logging category. Setting the systemwide
debug level to 10 using the \fB\-d\fP option produces the same
output, but affects other logging categories as well.
.TP
@ -256,7 +256,7 @@ validator as it determines whether an answer is validly signed,
unsigned, or invalid.
.sp
This is equivalent to setting the debug level to 3 for the
"validator" module of the "dnssec" logging category. Setting the
\(dqvalidator\(dq module of the \(dqdnssec\(dq logging category. Setting the
systemwide debug level to 3 using the \fB\-d\fP option produces the
same output, but affects other logging categories as well.
.TP
@ -313,7 +313,7 @@ always occurs unless suppressed by the use of \fB\-i\fP or
.B \fB+[no]root[=ROOT]\fP
This option indicates whether to perform conventional DNSSEC validation, and if so,
specifies the name of a trust anchor. The default is to validate using a
trust anchor of "." (the root zone), for which there is a built\-in key. If
trust anchor of \(dq.\(dq (the root zone), for which there is a built\-in key. If
specifying a different trust anchor, then \fB\-a\fP must be used to specify a
file containing the key.
.TP


@ -58,7 +58,7 @@ of the servers listed in \fB/etc/resolv.conf\fP\&. If no usable server
addresses are found, \fBdig\fP sends the query to the local host.
.sp
When no command\-line arguments or options are given, \fBdig\fP
performs an NS query for "." (the root).
performs an NS query for \(dq.\(dq (the root).
.sp
It is possible to set per\-user defaults for \fBdig\fP via
\fB${HOME}/.digrc\fP\&. This file is read and any options in it are applied
@ -67,8 +67,8 @@ feature, for scripts that need predictable behavior.
.sp
The IN and CH class names overlap with the IN and CH top\-level domain
names. Either use the \fB\-t\fP and \fB\-c\fP options to specify the type and
class, use the \fB\-q\fP to specify the domain name, or use "IN." and
"CH." when looking up these top\-level domains.
class, use the \fB\-q\fP to specify the domain name, or use \(dqIN.\(dq and
\(dqCH.\(dq when looking up these top\-level domains.
.SH SIMPLE USAGE
.sp
A typical invocation of \fBdig\fP looks like:
@ -120,8 +120,8 @@ This option indicates that only IPv6 should be used.
.TP
.B \fB\-b address[#port]\fP
This option sets the source IP address of the query. The \fBaddress\fP must be a
valid address on one of the host\(aqs network interfaces, or "0.0.0.0"
or "::". An optional port may be specified by appending \fB#port\fP\&.
valid address on one of the host\(aqs network interfaces, or \(dq0.0.0.0\(dq
or \(dq::\(dq. An optional port may be specified by appending \fB#port\fP\&.
.TP
.B \fB\-c class\fP
This option sets the query class. The default \fBclass\fP is IN; other classes are
@ -575,7 +575,7 @@ presentation format.
.B \fB+[no]vc\fP
This option uses [or does not use] TCP when querying name servers. This alternate
syntax to \fB+[no]tcp\fP is provided for backwards compatibility. The
\fBvc\fP stands for "virtual circuit."
\fBvc\fP stands for \(dqvirtual circuit.\(dq
.TP
.B \fB+[no]yaml\fP
When enabled, this option prints the responses (and, if \fB+qr\fP is in use, also the
