fix a regression in axfr-rectify + test #5161

Merged
merged 3 commits into from May 18, 2017

@baloo
Contributor

baloo commented Mar 15, 2017

Short description

Supersedes #5083

This branch fixes a test for nsec3-optout.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled and tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
  • checked that this code was merged to master
@mind04

disable-axfr-rectify was invented for regression testing.
https://doc.powerdns.com/md/authoritative/settings/#disable-axfr-rectify
If you disable this option, we are no longer checking axfr(in) rectify and pdnsutil rectify. May I suggest a nobackend test for axfr(out)-rectify?

@baloo


baloo Mar 16, 2017

Contributor

@mind04 Got it, thanks for the tip

@Habbie


Habbie Apr 10, 2017

Member

Ping

@mind04


mind04 Apr 12, 2017

Contributor

The test needs improvement. You can't check axfr rectify with already rectified zones (bindbackend).
Right now the test will always pass, regardless of the value for the disable-axfr-rectify option.
Also use nsec3 optout zones for the test. Empty non-terminals are no factor in the axfr output of nsec zones, and they are a big deal in the rectify process.
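
Why empty non-terminals matter for an NSEC3 opt-out zone, as an added example (not code from this PR or from PowerDNS): it applies the RFC 5155 rules for which owner names get an NSEC3 record, with and without opt-out. The zone contents, the function names and the default salt and iteration count are assumptions constructed for illustration.

```python
import base64
import hashlib

# Constructed sample zone (owner name -> RR types present); not taken from the PR.
ZONE = "example.com."
RECORDS = {
    "example.com.": {"SOA", "NS", "DNSKEY"},
    "www.example.com.": {"A"},
    "host.a.b.example.com.": {"A"},          # makes a.b and b empty non-terminals
    "secure.example.com.": {"NS", "DS"},     # secure delegation
    "insecure.deep.example.com.": {"NS"},    # insecure delegation, makes deep an ENT
    "ns.insecure.deep.example.com.": {"A"},  # glue below the zone cut
}

# base32 -> base32hex alphabet mapping (RFC 4648), works on any Python 3.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
)


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (SHA-1) of an owner name, as a base32hex label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # "iterations" counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()


def ancestors(name, zone):
    """Yield the names strictly between `name` and the zone apex."""
    name = name.split(".", 1)[1]
    while name != zone and name.endswith("." + zone):
        yield name
        name = name.split(".", 1)[1]


def classify(zone, records):
    """Label every owner name as authoritative, delegation or glue."""
    cuts = {n for n, types in records.items() if n != zone and "NS" in types}
    kinds = {}
    for name, types in records.items():
        if any(name.endswith("." + cut) for cut in cuts):
            kinds[name] = "glue"  # below a zone cut: never in the chain
        elif name in cuts:
            kinds[name] = "secure-delegation" if "DS" in types else "insecure-delegation"
        else:
            kinds[name] = "authoritative"
    return kinds


def nsec3_owners(zone, records, optout):
    """Owner names that need an NSEC3 record, empty non-terminals included.

    With opt-out, insecure delegations are left out, and so is any empty
    non-terminal that exists only because of an insecure delegation.
    """
    kinds = classify(zone, records)
    skip = {"glue", "insecure-delegation"} if optout else {"glue"}
    owners = {n for n, kind in kinds.items() if kind not in skip}
    for name in list(owners):
        owners.update(ancestors(name, zone))  # ENTs above each covered name
    return owners


def nsec3_chain(zone, records, optout, salt_hex="ab", iterations=1):
    """Hashed owner names in chain order, paired with the original name."""
    owners = nsec3_owners(zone, records, optout)
    return sorted((nsec3_hash(n, salt_hex, iterations), n) for n in owners)


if __name__ == "__main__":
    full = nsec3_owners(ZONE, RECORDS, optout=False)
    opt = nsec3_owners(ZONE, RECORDS, optout=True)
    for hashed, name in nsec3_chain(ZONE, RECORDS, optout=True):
        print(hashed, name)
    print("only needed without opt-out:", sorted(full - opt))
```

The two names that drop out under opt-out are the insecure delegation and the empty non-terminal above it; an NSEC3 record emitted for either of them in an opt-out zone is one a verifier has no owner name to match against.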

@baloo


baloo Apr 12, 2017

Contributor

With the two commits from @mind04 reverted and pdns rebuilt here is the output of ./runtests rectify-axfr:

$ ./runtests rectify-axfr
+ cp -f ../regression-tests/zones/test.dyndns.orig ../regression-tests/zones/test.dyndns
+ pwd
+ export testsdir=/home/baloo/work/dev/pdns/regression-tests.nobackend
+ ../regression-tests/runtests rectify-axfr
make: Entering directory '/home/baloo/work/dev/pdns/pdns'
make: 'sdig' is up to date.
make: Leaving directory '/home/baloo/work/dev/pdns/pdns'
make: Entering directory '/home/baloo/work/dev/pdns/pdns'
make: 'saxfr' is up to date.
make: Leaving directory '/home/baloo/work/dev/pdns/pdns'
make: Entering directory '/home/baloo/work/dev/pdns/pdns'
make: 'pdns_notify' is up to date.
make: Leaving directory '/home/baloo/work/dev/pdns/pdns'
make: Entering directory '/home/baloo/work/dev/pdns/pdns'
make: 'nsec3dig' is up to date.
make: Leaving directory '/home/baloo/work/dev/pdns/pdns'
counters: 
This starts the server, does some IPv4 and IPv6 queries and checks if the
statistics emitted are correct.
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/counters because it's not the specified single test

distributor: 
check if the distributor implements overload limit correctly
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/distributor because it's not the specified single test

edns-packet-cache: 
The authoritative packet cache does not check whether a cached packet and the
response is it being matched again, have the same EDNS status (present vs.
not-present).

Because it does take max reply length into account, the impact of this is
limited - non-EDNS clients would only get EDNS replies from the cache if the
EDNS bufsize happened to be 512.
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/edns-packet-cache because it's not the specified single test

edns1: 
Make sure PowerDNS replies correctly to unknown EDNS version
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/edns1 because it's not the specified single test

gsqlite3-fk-insert: 
Check if we can insert a comment for a non-existing zone. We shouldn't be able to do that
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/gsqlite3-fk-insert because it's not the specified single test

gsqlite3-fk-remove: 
If we create a zone, add a comment and remove the zone, the comment should be
gone too.
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/gsqlite3-fk-remove because it's not the specified single test

lua-policy: 
Test the Lua policy engine.	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/lua-policy because it's not the specified single test

negcache-tests-dotted-cname: 
This test the correct workings of DNSName in combination with negative caching.
In the pre-DNSName era, it was possible for a pipe-backend to return a CNAME
with a dot on the end. When trying to look up the target of the CNAME, PowerDNS
would negatively cache _all_ names down to that name (i.e. ., com., powerdns.
for www.powerdns.com) and send out wrong answers for all domains after that.
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/negcache-tests-dotted-cname because it's not the specified single test

rectify-axfr: 
Make sure pdns rectifies the zones when processing AXFR
100% done
13 domains were fully parsed, containing 20281 records
NSEC3 (opt-out) set, please secure and rectify your zone.
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone example.com secured
Adding NSEC3 opt-out hashed ordering information for 'example.com'
NSEC3 (opt-out) set, please secure and rectify your zone.
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone test.com secured
Adding NSEC3 opt-out hashed ordering information for 'test.com'
NSEC3 (opt-out) set, please secure and rectify your zone.
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone test.dyndns secured
Adding NSEC3 opt-out hashed ordering information for 'test.dyndns'
NSEC3 (opt-out) set, please secure and rectify your zone.
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone wtest.com secured
Adding NSEC3 opt-out hashed ordering information for 'wtest.com'
NSEC3 (opt-out) set, please secure and rectify your zone.
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone nztest.com secured
Adding NSEC3 opt-out hashed ordering information for 'nztest.com'
NSEC3 (opt-out) set, please secure and rectify your zone.
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone dnssec-parent.com secured
Adding NSEC3 opt-out hashed ordering information for 'dnssec-parent.com'
NSEC3 (opt-out) set, please secure and rectify your zone.
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone delegated.dnssec-parent.com secured
Adding NSEC3 opt-out hashed ordering information for 'delegated.dnssec-parent.com'
NSEC3 (opt-out) set, please secure and rectify your zone.
Error: Unable to read file 'secure-delegated.dnssec-parent.com.private' for generating DNS Private Key
Added a ZSK with algorithm = 8, active=1
Requested specific key size of 1024 bits
8
NSEC3 (opt-out) set, please secure and rectify your zone.
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone minimal.com secured
Adding NSEC3 opt-out hashed ordering information for 'minimal.com'
NSEC3 (opt-out) set, please secure and rectify your zone.
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone tsig.com secured
Adding NSEC3 opt-out hashed ordering information for 'tsig.com'
Syntax: import-tsig-key name algorithm key
Enabled TSIG key test for tsig.com
NSEC3 (opt-out) set, please secure and rectify your zone.
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone stest.com secured
Adding NSEC3 opt-out hashed ordering information for 'stest.com'
NSEC3 (opt-out) set, please secure and rectify your zone.
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone cdnskey-cds-test.com secured
Adding NSEC3 opt-out hashed ordering information for 'cdnskey-cds-test.com'
NSEC3 (opt-out) set, please secure and rectify your zone.
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone 2.0.192.in-addr.arpa secured
Adding NSEC3 opt-out hashed ordering information for '2.0.192.in-addr.arpa'
Apr 12 20:48:50 Reading random entropy from '/dev/urandom'
Apr 12 20:48:50 Loading '../regression-tests/modules/libgsqlite3backend.so'
Apr 12 20:48:50 This is a standalone pdns
Apr 12 20:48:50 Listening on controlsocket in './pdns-gsqlite3.controlsocket'
Apr 12 20:48:50 UDP server bound to 0.0.0.0:5501
Apr 12 20:48:50 UDPv6 server bound to [::]:5501
Apr 12 20:48:50 TCP server bound to 0.0.0.0:5501
Apr 12 20:48:50 TCPv6 server bound to [::]:5501
Apr 12 20:48:50 PowerDNS Authoritative Server 0.0.balootest5083.ge3c6afbe5a6d5.dirty (C) 2001-2017 PowerDNS.COM BV
Apr 12 20:48:50 Using 64-bits mode. Built using gcc 6.3.0 20170321 on Apr 12 2017 20:43:03 by baloo@khany.gandi.net.
Apr 12 20:48:50 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Apr 12 20:48:50 Not validating response for security status update, this a non-release version.
Apr 12 20:48:50 Creating backend connection for TCP
Apr 12 20:48:50 About to create 3 backend threads for UDP
Apr 12 20:48:50 Done launching threads, ready to distribute questions
Apr 12 20:48:51 AXFR of domain 'test.com' initiated by 127.0.0.1
Apr 12 20:48:51 AXFR of domain 'test.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 20:48:51 Cleared signature cache.
Apr 12 20:48:51 AXFR of domain 'test.com' to 127.0.0.1 finished
Apr 12 20:48:51 AXFR of domain 'test.dyndns' initiated by 127.0.0.1
Apr 12 20:48:51 AXFR of domain 'test.dyndns' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 20:48:51 AXFR of domain 'test.dyndns' to 127.0.0.1 finished
Apr 12 20:48:52 AXFR of domain 'wtest.com' initiated by 127.0.0.1
Apr 12 20:48:52 AXFR of domain 'wtest.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 20:48:52 AXFR of domain 'wtest.com' to 127.0.0.1 finished
Apr 12 20:48:52 AXFR of domain 'dnssec-parent.com' initiated by 127.0.0.1
Apr 12 20:48:52 AXFR of domain 'dnssec-parent.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 20:48:52 AXFR of domain 'dnssec-parent.com' to 127.0.0.1 finished
Apr 12 20:48:52 AXFR of domain 'delegated.dnssec-parent.com' initiated by 127.0.0.1
Apr 12 20:48:52 AXFR of domain 'delegated.dnssec-parent.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 20:48:52 AXFR of domain 'delegated.dnssec-parent.com' to 127.0.0.1 finished
Apr 12 20:48:53 AXFR of domain 'secure-delegated.dnssec-parent.com' initiated by 127.0.0.1
Apr 12 20:48:53 AXFR of domain 'secure-delegated.dnssec-parent.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 20:48:53 AXFR of domain 'secure-delegated.dnssec-parent.com' to 127.0.0.1 finished
Apr 12 20:48:53 AXFR of domain 'minimal.com' initiated by 127.0.0.1
Apr 12 20:48:53 AXFR of domain 'minimal.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 20:48:53 AXFR of domain 'minimal.com' to 127.0.0.1 finished
Apr 12 20:48:53 AXFR of domain 'stest.com' initiated by 127.0.0.1
Apr 12 20:48:53 AXFR of domain 'stest.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 20:48:53 AXFR of domain 'stest.com' to 127.0.0.1 finished
Apr 12 20:48:53 AXFR of domain 'cdnskey-cds-test.com' initiated by 127.0.0.1
Apr 12 20:48:53 AXFR of domain 'cdnskey-cds-test.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 20:48:53 AXFR of domain 'cdnskey-cds-test.com' to 127.0.0.1 finished
Apr 12 20:48:54 AXFR of domain '2.0.192.in-addr.arpa' initiated by 127.0.0.1
Apr 12 20:48:54 AXFR of domain '2.0.192.in-addr.arpa' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 20:48:54 AXFR of domain '2.0.192.in-addr.arpa' to 127.0.0.1 finished
	Failed test /home/baloo/work/dev/pdns/regression-tests.nobackend/rectify-axfr

soa-edit: 
Verify that SOA updates Thursday midnight if SOA-EDIT is set.
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/soa-edit because it's not the specified single test

supermaster-signed: 
Tests that supermaster backend works and assigns TSIG keyname to zone on provision
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/supermaster-signed because it's not the specified single test

supermaster-unsigned: 
Tests that supermaster backend works and assigns TSIG keyname to zone on provision
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/supermaster-unsigned because it's not the specified single test

tinydns-data-check: 
Check if the data.cdb file used for the tinydnsbackend is up-to-date with the 
zone-files of the regression tests. If this test fails, re-generate the 
data and data.cdb files in modules/tinydnsbackend/ using the generate-data.sh file.
After generating, you must check if all the regression-tests still work. If that is the
case, run this test again and copy real_results to expected_results as generating the 
data.cdb file has caused this test to fail.
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/tinydns-data-check because it's not the specified single test

zone2json-rfc2308: 
This test verifies that we implement implicit TTL according to RFC2308.	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/zone2json-rfc2308 because it's not the specified single test

zone2sql-json-comments: 
Parse a zone file to see if json comments are parsed correctly by zone2sql
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/zone2sql-json-comments because it's not the specified single test

0 out of 1 (0%) tests passed, 14 were skipped
+ ../regression-tests/toxml
+ cat failed_tests
+ wc -l
+ failed_tests=1
+ [ 1 = 0 ]
+ cat failed_tests
+ cat rectify-axfr/diff
--- /home/baloo/work/dev/pdns/regression-tests.nobackend/rectify-axfr/expected_result	2017-04-12 19:39:42.996454867 +0000
+++ /home/baloo/work/dev/pdns/regression-tests.nobackend/rectify-axfr/real_result	2017-04-12 20:48:54.340780311 +0000
@@ -42,7 +42,9 @@
 RETVAL: 0
 
 --- jdnssec-verifyzone dnssec-parent.com
-zone verified.
+WARNING: NSEC3 RR for 7r6pbiscipot7md4qjkea2lgrd2srr19.dnssec-parent.com. appears to be extra.
+WARNING: NSEC3 RR for u97st412oa8b4bgjc1dgtb4qi5di8dmv.dnssec-parent.com. appears to be extra.
+zone did not verify.
 RETVAL: 0
 
 --- named-checkzone dnssec-parent.com
+ exit 1

I also tried to run the tests with this patch:

diff --git a/regression-tests.nobackend/rectify-axfr/command b/regression-tests.nobackend/rectify-axfr/command
index 7cb09b97865d8..0777df990d491 100755
--- a/regression-tests.nobackend/rectify-axfr/command
+++ b/regression-tests.nobackend/rectify-axfr/command
@@ -56,7 +56,7 @@ done
 $RUNWRAPPER $PDNS --daemon=no --local-port=$port --socket-dir=./          \
         --no-shuffle $ARGS \
         --allow-axfr-ips=127.0.0.1 \
-        --cache-ttl=60 --module-dir=../regression-tests/modules >&2 &
+        --cache-ttl=60 --module-dir=../regression-tests/modules --disable-axfr-rectify=yes >&2 &
 
 check_process
 
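
Review bot: the added line hard-codes --disable-axfr-rectify=yes on the only server start in rectify-axfr/command, so as written the test never exercises the rectify path it is named for. If the flag is only meant as a negative control, keep it out of the script and pass it through $ARGS (already on the line above), so the same command can be run once with and once without the flag and the two results compared.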

but the tests also succeeded (while I would have expected them to fail in the same way as without the previous two commits); I'm not sure I understand why, though.

@mind04


mind04 Apr 12, 2017

Contributor

After pdnsutil secure-zone, your zone is properly rectified. To avoid the rectify, use add-zone-key to secure the zones.

@baloo


baloo Apr 12, 2017

Contributor

Right, that works as expected with:

diff --git a/regression-tests.nobackend/rectify-axfr/command b/regression-tests.nobackend/rectify-axfr/command
index f13d45be6c5b1..5ad64fa5b1c90 100755
--- a/regression-tests.nobackend/rectify-axfr/command
+++ b/regression-tests.nobackend/rectify-axfr/command
@@ -51,7 +51,7 @@ done
 $RUNWRAPPER $PDNS --daemon=no --local-port=$port --socket-dir=./          \
         --no-shuffle $ARGS \
         --allow-axfr-ips=127.0.0.1 \
-        --cache-ttl=60 --module-dir=../regression-tests/modules >&2 &
+        --cache-ttl=60 --module-dir=../regression-tests/modules --disable-axfr-rectify=yes >&2 &
 
 check_process
 
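
Review bot: this hunk applies at -51,7 against index f13d45be6c5b1, while the earlier attempt applied at -56,7 against index 7cb09b97865d8, so the command file changed above this point between the two runs and that change is not part of what is shown. The flag line itself is identical in both attempts, so the change that made the result differ should be included in the same patch, with a comment in the script on why the zones are set up that way.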

the test output is:

$ ./runtests rectify-axfr
+ cp -f ../regression-tests/zones/test.dyndns.orig ../regression-tests/zones/test.dyndns
+ pwd
+ export testsdir=/home/baloo/work/dev/pdns/regression-tests.nobackend
+ ../regression-tests/runtests rectify-axfr
make: Entering directory '/home/baloo/work/dev/pdns/pdns'
make: 'sdig' is up to date.
make: Leaving directory '/home/baloo/work/dev/pdns/pdns'
make: Entering directory '/home/baloo/work/dev/pdns/pdns'
make: 'saxfr' is up to date.
make: Leaving directory '/home/baloo/work/dev/pdns/pdns'
make: Entering directory '/home/baloo/work/dev/pdns/pdns'
make: 'pdns_notify' is up to date.
make: Leaving directory '/home/baloo/work/dev/pdns/pdns'
make: Entering directory '/home/baloo/work/dev/pdns/pdns'
make: 'nsec3dig' is up to date.
make: Leaving directory '/home/baloo/work/dev/pdns/pdns'
counters: 
This starts the server, does some IPv4 and IPv6 queries and checks if the
statistics emitted are correct.
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/counters because it's not the specified single test

distributor: 
check if the distributor implements overload limit correctly
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/distributor because it's not the specified single test

edns-packet-cache: 
The authoritative packet cache does not check whether a cached packet and the
response is it being matched again, have the same EDNS status (present vs.
not-present).

Because it does take max reply length into account, the impact of this is
limited - non-EDNS clients would only get EDNS replies from the cache if the
EDNS bufsize happened to be 512.
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/edns-packet-cache because it's not the specified single test

edns1: 
Make sure PowerDNS replies correctly to unknown EDNS version
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/edns1 because it's not the specified single test

gsqlite3-fk-insert: 
Check if we can insert a comment for a non-existing zone. We shouldn't be able to do that
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/gsqlite3-fk-insert because it's not the specified single test

gsqlite3-fk-remove: 
If we create a zone, add a comment and remove the zone, the comment should be
gone too.
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/gsqlite3-fk-remove because it's not the specified single test

lua-policy: 
Test the Lua policy engine.	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/lua-policy because it's not the specified single test

negcache-tests-dotted-cname: 
This test the correct workings of DNSName in combination with negative caching.
In the pre-DNSName era, it was possible for a pipe-backend to return a CNAME
with a dot on the end. When trying to look up the target of the CNAME, PowerDNS
would negatively cache _all_ names down to that name (i.e. ., com., powerdns.
for www.powerdns.com) and send out wrong answers for all domains after that.
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/negcache-tests-dotted-cname because it's not the specified single test

rectify-axfr: 
Make sure pdns rectifies the zones when processing AXFR
100% done
13 domains were fully parsed, containing 20281 records
NSEC3 (opt-out) set, please secure and rectify your zone.
Error: Unable to read file 'example.com.private' for generating DNS Private Key
Added a ZSK with algorithm = 8, active=1
Requested specific key size of 1024 bits
1
NSEC3 (opt-out) set, please secure and rectify your zone.
Error: Unable to read file 'test.com.private' for generating DNS Private Key
Added a ZSK with algorithm = 8, active=1
Requested specific key size of 1024 bits
2
NSEC3 (opt-out) set, please secure and rectify your zone.
Error: Unable to read file 'test.dyndns.private' for generating DNS Private Key
Added a ZSK with algorithm = 8, active=1
Requested specific key size of 1024 bits
3
NSEC3 (opt-out) set, please secure and rectify your zone.
Error: Unable to read file 'wtest.com.private' for generating DNS Private Key
Added a ZSK with algorithm = 8, active=1
Requested specific key size of 1024 bits
4
NSEC3 (opt-out) set, please secure and rectify your zone.
Error: Unable to read file 'nztest.com.private' for generating DNS Private Key
Added a ZSK with algorithm = 8, active=1
Requested specific key size of 1024 bits
5
NSEC3 (opt-out) set, please secure and rectify your zone.
Error: Unable to read file 'dnssec-parent.com.private' for generating DNS Private Key
Added a ZSK with algorithm = 8, active=1
Requested specific key size of 1024 bits
6
NSEC3 (opt-out) set, please secure and rectify your zone.
Error: Unable to read file 'delegated.dnssec-parent.com.private' for generating DNS Private Key
Added a ZSK with algorithm = 8, active=1
Requested specific key size of 1024 bits
7
NSEC3 (opt-out) set, please secure and rectify your zone.
Error: Unable to read file 'secure-delegated.dnssec-parent.com.private' for generating DNS Private Key
Added a ZSK with algorithm = 8, active=1
Requested specific key size of 1024 bits
8
NSEC3 (opt-out) set, please secure and rectify your zone.
Error: Unable to read file 'minimal.com.private' for generating DNS Private Key
Added a ZSK with algorithm = 8, active=1
Requested specific key size of 1024 bits
9
NSEC3 (opt-out) set, please secure and rectify your zone.
Error: Unable to read file 'tsig.com.private' for generating DNS Private Key
Added a ZSK with algorithm = 8, active=1
Requested specific key size of 1024 bits
10
Syntax: import-tsig-key name algorithm key
Enabled TSIG key test for tsig.com
NSEC3 (opt-out) set, please secure and rectify your zone.
Error: Unable to read file 'stest.com.private' for generating DNS Private Key
Added a ZSK with algorithm = 8, active=1
Requested specific key size of 1024 bits
11
NSEC3 (opt-out) set, please secure and rectify your zone.
Error: Unable to read file 'cdnskey-cds-test.com.private' for generating DNS Private Key
Added a ZSK with algorithm = 8, active=1
Requested specific key size of 1024 bits
12
NSEC3 (opt-out) set, please secure and rectify your zone.
Error: Unable to read file '2.0.192.in-addr.arpa.private' for generating DNS Private Key
Added a ZSK with algorithm = 8, active=1
Requested specific key size of 1024 bits
13
Apr 12 22:08:29 Reading random entropy from '/dev/urandom'
Apr 12 22:08:29 Loading '../regression-tests/modules/libgsqlite3backend.so'
Apr 12 22:08:29 This is a standalone pdns
Apr 12 22:08:29 Listening on controlsocket in './pdns-gsqlite3.controlsocket'
Apr 12 22:08:29 UDP server bound to 0.0.0.0:5501
Apr 12 22:08:29 UDPv6 server bound to [::]:5501
Apr 12 22:08:29 TCP server bound to 0.0.0.0:5501
Apr 12 22:08:29 TCPv6 server bound to [::]:5501
Apr 12 22:08:29 PowerDNS Authoritative Server 0.0.balootest5083.ge3c6afbe5a6d5.dirty (C) 2001-2017 PowerDNS.COM BV
Apr 12 22:08:29 Using 64-bits mode. Built using gcc 6.3.0 20170321 on Apr 12 2017 20:43:03 by baloo@khany.gandi.net.
Apr 12 22:08:29 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Apr 12 22:08:29 Not validating response for security status update, this a non-release version.
Apr 12 22:08:29 Creating backend connection for TCP
Apr 12 22:08:29 About to create 3 backend threads for UDP
Apr 12 22:08:30 Done launching threads, ready to distribute questions
Apr 12 22:08:30 AXFR of domain 'test.com' initiated by 127.0.0.1
Apr 12 22:08:30 AXFR of domain 'test.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 22:08:30 Cleared signature cache.
Apr 12 22:08:30 AXFR of domain 'test.com' to 127.0.0.1 finished
Apr 12 22:08:31 AXFR of domain 'test.dyndns' initiated by 127.0.0.1
Apr 12 22:08:31 AXFR of domain 'test.dyndns' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 22:08:31 AXFR of domain 'test.dyndns' to 127.0.0.1 finished
Apr 12 22:08:31 AXFR of domain 'wtest.com' initiated by 127.0.0.1
Apr 12 22:08:31 AXFR of domain 'wtest.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 22:08:31 AXFR of domain 'wtest.com' to 127.0.0.1 finished
Apr 12 22:08:31 AXFR of domain 'dnssec-parent.com' initiated by 127.0.0.1
Apr 12 22:08:31 AXFR of domain 'dnssec-parent.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 22:08:31 AXFR of domain 'dnssec-parent.com' to 127.0.0.1 finished
Apr 12 22:08:32 AXFR of domain 'delegated.dnssec-parent.com' initiated by 127.0.0.1
Apr 12 22:08:32 AXFR of domain 'delegated.dnssec-parent.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 22:08:32 AXFR of domain 'delegated.dnssec-parent.com' to 127.0.0.1 finished
Apr 12 22:08:32 AXFR of domain 'secure-delegated.dnssec-parent.com' initiated by 127.0.0.1
Apr 12 22:08:32 AXFR of domain 'secure-delegated.dnssec-parent.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 22:08:32 AXFR of domain 'secure-delegated.dnssec-parent.com' to 127.0.0.1 finished
Apr 12 22:08:32 AXFR of domain 'minimal.com' initiated by 127.0.0.1
Apr 12 22:08:32 AXFR of domain 'minimal.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 22:08:32 AXFR of domain 'minimal.com' to 127.0.0.1 finished
Apr 12 22:08:32 AXFR of domain 'stest.com' initiated by 127.0.0.1
Apr 12 22:08:32 AXFR of domain 'stest.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 22:08:32 AXFR of domain 'stest.com' to 127.0.0.1 finished
Apr 12 22:08:33 AXFR of domain 'cdnskey-cds-test.com' initiated by 127.0.0.1
Apr 12 22:08:33 AXFR of domain 'cdnskey-cds-test.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 22:08:33 AXFR of domain 'cdnskey-cds-test.com' to 127.0.0.1 finished
Apr 12 22:08:33 AXFR of domain '2.0.192.in-addr.arpa' initiated by 127.0.0.1
Apr 12 22:08:33 AXFR of domain '2.0.192.in-addr.arpa' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Apr 12 22:08:33 AXFR of domain '2.0.192.in-addr.arpa' to 127.0.0.1 finished
	Failed test /home/baloo/work/dev/pdns/regression-tests.nobackend/rectify-axfr

soa-edit: 
Verify that SOA updates Thursday midnight if SOA-EDIT is set.
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/soa-edit because it's not the specified single test

supermaster-signed: 
Tests that supermaster backend works and assigns TSIG keyname to zone on provision
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/supermaster-signed because it's not the specified single test

supermaster-unsigned: 
Tests that supermaster backend works and assigns TSIG keyname to zone on provision
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/supermaster-unsigned because it's not the specified single test

tinydns-data-check: 
Check if the data.cdb file used for the tinydnsbackend is up-to-date with the 
zone-files of the regression tests. If this test fails, re-generate the 
data and data.cdb files in modules/tinydnsbackend/ using the generate-data.sh file.
After generating, you must check if all the regression-tests still work. If that is the
case, run this test again and copy real_results to expected_results as generating the 
data.cdb file has caused this test to fail.
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/tinydns-data-check because it's not the specified single test

zone2json-rfc2308: 
This test verifies that we implement implicit TTL according to RFC2308.	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/zone2json-rfc2308 because it's not the specified single test

zone2sql-json-comments: 
Parse a zone file to see if json comments are parsed correctly by zone2sql
	Skipped test /home/baloo/work/dev/pdns/regression-tests.nobackend/zone2sql-json-comments because it's not the specified single test

0 out of 1 (0%) tests passed, 14 were skipped
+ ../regression-tests/toxml
+ cat failed_tests
+ wc -l
+ failed_tests=1
+ [ 1 = 0 ]
+ cat failed_tests
+ cat rectify-axfr/diff
--- /home/baloo/work/dev/pdns/regression-tests.nobackend/rectify-axfr/expected_result	2017-04-12 19:39:42.996454867 +0000
+++ /home/baloo/work/dev/pdns/regression-tests.nobackend/rectify-axfr/real_result	2017-04-12 22:08:33.735761134 +0000
@@ -2,7 +2,16 @@
 RETVAL: 0
 
 --- jdnssec-verifyzone test.com
-zone verified.
+WARNING: Missing NSEC3 for s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. corresponding to c.test.com.
+WARNING: Missing NSEC3 for vlvujatanof6feajoesti9kq4s0crst3.test.com. corresponding to a.b.c.test.com.
+WARNING: Missing NSEC3 for 79u3das6ucctns1br3tvd8qkanni351l.test.com. corresponding to _tcp.dc.test.com.
+WARNING: Missing NSEC3 for 79u3das6ucctns1br3tvd8qkanni351l.test.com. corresponding to _tcp.dc.test.com.
+WARNING: Missing NSEC3 for 79u3das6ucctns1br3tvd8qkanni351l.test.com. corresponding to _tcp.dc.test.com.
+WARNING: Missing NSEC3 for b022o9dksaj737fh77e7kqqtj3om56ki.test.com. corresponding to test.test.com.
+WARNING: Missing NSEC3 for b022o9dksaj737fh77e7kqqtj3om56ki.test.com. corresponding to test.test.com.
+WARNING: NSEC3 RR for de592k86u3hevdj57jpbt7j5kv7doo78.test.com. appears to be extra.
+WARNING: NSEC3 RR for s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com. appears to be extra.
+zone did not verify.
 RETVAL: 0
 
 --- named-checkzone test.com
@@ -16,7 +25,10 @@
 RETVAL: 0
 
 --- jdnssec-verifyzone test.dyndns
-zone verified.
+WARNING: Missing NSEC3 for lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. corresponding to host.test.dyndns.
+WARNING: Missing NSEC3 for lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. corresponding to host.test.dyndns.
+WARNING: Missing NSEC3 for r9s1cj8dkmnmenjn95sti8nhh9utpq9k.test.dyndns. corresponding to wild.test.dyndns.
+zone did not verify.
 RETVAL: 0
 
 --- named-checkzone test.dyndns
@@ -42,7 +54,14 @@
 RETVAL: 0
 
 --- jdnssec-verifyzone dnssec-parent.com
-zone verified.
+WARNING: Missing NSEC3 for nih4l3odlug7en20penj8dgnu4ohc98f.dnssec-parent.com. corresponding to auth-ent.dnssec-parent.com.
+WARNING: NSEC3 RR for ba68h93vsta152ieks6qhgun23vsm98d.dnssec-parent.com. appears to be extra.
+WARNING: NSEC3 RR for be6iqh4fjrtdhacqk7g3iq96qcvf2qoj.dnssec-parent.com. appears to be extra.
+WARNING: NSEC3 RR for bt0pjs6ch1jq6i3qevr9u5hqbbb8b2m4.dnssec-parent.com. appears to be extra.
+WARNING: NSEC3 RR for gc9i0chbuapglqul1jul6594ahs7tepl.dnssec-parent.com. appears to be extra.
+WARNING: NSEC3 RR for ko35jum80eas4tdl30q5juuejp0vkd6c.dnssec-parent.com. appears to be extra.
+WARNING: NSEC3 RR for u8j1v06p5iaqlkbo6v4j9evod1shvhnc.dnssec-parent.com. appears to be extra.
+zone did not verify.
 RETVAL: 0
 
 --- named-checkzone dnssec-parent.com
+ exit 1

@baloo

baloo Apr 13, 2017

Contributor

@mind04 is that okay for you now?

@mind04

mind04 suggested changes May 3, 2017 edited

Please add the root zone from regression-tests.rootzone to your test

@baloo

baloo May 10, 2017

Contributor

@mind04 let me know what you think

@mind04

last nits....

@mind04

mind04 approved these changes May 11, 2017

@mind04 mind04 referenced this pull request May 11, 2017

Closed

fix a regression in axfr-rectify #5083

2 of 6 tasks complete

@Habbie Habbie merged commit 6d5ffb7 into PowerDNS:master May 18, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

pieterlexis added a commit to pieterlexis/pdns that referenced this pull request Nov 7, 2017

pieterlexis added a commit to pieterlexis/pdns that referenced this pull request Nov 13, 2017
