[new release] dnssec, dns, dns-tsig, dns-stub, dns-server, dns-resolver, dns-mirage, dns-client, dns-client-mirage, dns-client-lwt, dns-cli and dns-certify (7.0.2)

[hannesm]

DNSSec support for OCaml-DNS

• Project page: https://github.com/mirage/ocaml-dns
• Documentation: https://mirage.github.io/ocaml-dns/

CHANGES:

• dns-server: for secondary servers use the right zone transfers and keys, fixed
  in use the right key for the secondary and their zone transfers mirage/ocaml-dns#339 by @hannesm
• dns: add support for null record (arbitrary binary data) (add NULL record mirage/ocaml-dns#338 @RyanGibb)

[haochenx]

CI is failing on some macos configs. might be flaky since there's no consistency which configs fail the test.

(excerpt from CI Log)

[ERROR] The compilation of dnssec.7.0.2 failed at "dune runtest -p dnssec -j 7".

#=== ERROR while compiling dnssec.7.0.2 =======================================#
# context              2.1.4 | macos/arm64 | ocaml-base-compiler.4.14.1 | pinned(https://github.com/mirage/ocaml-dns/releases/download/v7.0.2/dns-7.0.2.tbz)
# path                 ~/.opam/4.14.1/.opam-switch/build/dnssec.7.0.2
# command              ~/.opam/opam-init/hooks/sandbox.sh build dune runtest -p dnssec -j 7
# exit-code            1
# env-file             ~/.opam/log/dnssec-59656-eb1bdf.env
# output-file          ~/.opam/log/dnssec-59656-eb1bdf.out
### output ###
# File "test/dune", line 44, characters 7-18:
# 44 |  (name test_dnssec)
#             ^^^^^^^^^^^
# (cd _build/default/test && ./test_dnssec.exe)
# Testing `DNSSEC tests'.
# This run has ID `K2U21NNM'.
# 
#   [OK]          DNSSEC tests            0   root.
# > [FAIL]        DNSSEC tests            1   ns for ripe.net.
#   [OK]          DNSSEC tests            2   ds for afnoc.af.mil.
#   [OK]          DNSSEC tests            3   nxdomain for or (nsec).
#   [OK]          DNSSEC tests            4   nxdomain for zz (nsec).
#   [OK]          DNSSEC tests            5   nxdomain for aa (nsec).
#   [OK]          DNSSEC tests            6   nodata for a se (nsec).
#   [OK]          DNSSEC tests            7   nodata for DS a.se (nsec).
#   [OK]          DNSSEC tests            8   nxdomain for DS a.a.se (nsec).
#   [OK]          DNSSEC tests            9   nxdomain for DS b.a.se (nsec).
#   [FAIL]        DNSSEC tests           10   nodata for PTR isc.org (nsec).
#   [FAIL]        DNSSEC tests           11   nodomain for PTR doesntexist.isc....
#   [OK]          DNSSEC tests           12   nodata (cname) for DS trac.ietf.o...
#   [OK]          DNSSEC tests           13   NS trac.ietf.org (with cname).
#   [OK]          DNSSEC tests           14   nodata for CAA ietf.org (nsec).
#   [FAIL]        DNSSEC tests           15   wildcard match and cname for sure...
#   [FAIL]        DNSSEC tests           16   wildcard match and cname, nodata ...
#   [OK]          DNSSEC tests           17   nodata for a.de (nsec3).
#   [OK]          DNSSEC tests           18   nodomain for AAAA asd.house.gov (...
#   [OK]          RFC 4035 tests          0   MX (B1).
#   [OK]          RFC 4035 tests          1   NS (B1).
#   [OK]          RFC 4035 tests          2   A (B1).
#   [OK]          RFC 4035 tests          3   AAAA (B1).
#   [OK]          RFC 4035 tests          4   A NS1 (B1).
#   [OK]          RFC 4035 tests          5   A NS2 (B1).
#   [OK]          RFC 4035 tests          6   NXDOMAIN (B2).
#   [OK]          RFC 4035 tests          7   NODATA (B3).
#   [OK]          RFC 4035 tests          8   signed delegate (B4).
#   [OK]          RFC 4035 tests          9   unsigned delegate (B5).
#   [OK]          RFC 4035 tests         10   wildcard expansion (B6).
#   [OK]          RFC 4035 tests         11   wildcard nodata (B7).
#   [OK]          RFC 4035 tests         12   DS nodata (B8).
#   [OK]          RFC 5155 tests          0   name error (b1).
#   [OK]          RFC 5155 tests          1   no data error (b2).
#   [OK]          RFC 5155 tests          2   no data (ENT) error (b2.1).
#   [OK]          RFC 5155 tests          3   refer to unsigned zone (b3).
#   [OK]          RFC 5155 tests          4   wildcard (b4).
#   [OK]          RFC 5155 tests          5   wildcard no data (b5).
#   [OK]          RFC 5155 tests          6   DS no data (b6).
# 
# ┌──────────────────────────────────────────────────────────────────────────────┐
# │ [FAIL]        DNSSEC tests            1   ns for ripe.net.                   │
# └──────────────────────────────────────────────────────────────────────────────┘
# test_dnssec.exe: [DEBUG] verifying ripe.net (NS)
# test_dnssec.exe: [DEBUG] validating for ripe.net typ NS
# test_dnssec.exe: [DEBUG] found 1 key-rrsig pairs
# test_dnssec.exe: [DEBUG] verifying for ripe.net (with P256 / ECDSAP256SHA256)
# test_dnssec.exe: [DEBUG] using rrsig 00 02 0d 02 00 01 51 80  61 af 37 b3 61 9c ad 9b
#                                      d9 23 04 72 69 70 65 03  6e 65 74 00
# test_dnssec.exe: [WARNING] RRSIG verification for ripe.net 	20275	NS	manus.authdns.ripe.net.
# 	20275	NS	ns3.lacnic.net.
# 	20275	NS	rirns.arin.net.
# 	20275	NS	ns4.apnic.net.
# 	20275	NS	ns3.afrinic.net. failed: signature verification failed
# test_dnssec.exe: [DEBUG] validating ripe.net (NS)
# test_dnssec.exe: [DEBUG] has_delegation with 0 in 
# ASSERT File "test/test_dnssec.ml", line 234, characters 21-28
# FAIL File "test/test_dnssec.ml", line 234, characters 21-28
# 
#    Expected: `Ok
#                 	172800	NS	manus.authdns.ripe.net.
# 	172800	NS	ns3.lacnic.net.
# 	172800	NS	rirns.arin.net.
# 	172800	NS	ns4.apnic.net.
# 	172800	NS	ns3.afrinic.net.'
# 
#    Received: `Error error no SOA in authority'
# 
# Raised at Alcotest_engine__Test.check in file "src/alcotest-engine/test.ml", line 200, characters 4-261
# Called from Alcotest_engine__Core.Make.protect_test.(fun) in file "src/alcotest-engine/core.ml", line 181, characters 17-23
# Called from Alcotest_engine__Monad.Identity.catch in file "src/alcotest-engine/monad.ml", line 24, characters 31-35
# 
# Logs saved to `~/.opam/4.14.1/.opam-switch/build/dnssec.7.0.2/_build/default/test/_build/_tests/DNSSEC tests/DNSSEC tests.001.output'.
#  ──────────────────────────────────────────────────────────────────────────────
# 
# Full test results in `~/.opam/4.14.1/.opam-switch/build/dnssec.7.0.2/_build/default/test/_build/_tests/DNSSEC tests'.
# 5 failures! in 0.026s. 39 tests run.

[haochenx]

rebuilding https://toxis.caelum.ci.dev/github/ocaml/opam-repository/commit/abf4533c7cd2c36b2f4930af1b30948c0abc2ac5/variant/macos,macos-homebrew-ocaml-5.0-arm64,dnssec.7.0.2,tests (a different failed config) to see whether the test failure is flaky.

update: it failed again with the same errors.

[hannesm]

I'm sorry to hear that your macos CI machines are failing the tests. Since I do not own a macos computer, and the tests are running fine here and on other CI systems, I'm not sure how to debug. It may be the same issue @samoht was debugging recently in respect to mirage-crypto-ec and some llvm compiler version (see mit-plv/fiat-crypto#1606 (comment) and followups) -- so could you provide information which llvm compiler is used on that machine for compiing mirage-crypto? and also run the test case from Thomas on that machine to check whether it triggers this miscompilation?

[haochenx]

Actually the test passes on my local machine. It's on the opam ci machine where the tests are failing.
You can access the test results from this PR page:

I'll see whether I could find more information about the CI machine.

[haochenx]

A quick question: does tests in test/test_dnssec.ml access the internet as part of the test?

[hannesm]

A quick question: does tests in test/test_dnssec.ml access the internet as part of the test?

no, they do not access the Internet.

[haochenx]

it seems that the test fails on the Apple Silicon machines. The ones ran the failing tests were the following two

• https://infra.ocaml.org/machines/m1-worker-01.html
• https://infra.ocaml.org/machines/m1-worker-03.html

I don't personally have more information regarding the llvm compiler version there.
@avsm @mseri @kit-ty-kate can you provide more details about those machine?

[haochenx]

On the other hand, if the failures are only due to platform package and only failing on a handful of targets, these alone probably won't be a blocker for merging this PR imo.

[hannesm]

from my point of view, this is ready to being merge.

[haochenx]

It seems that there's another CI failure
which checks installabilty of reverse dependencies.

In this case cca.0.5 failed to install as (iiuc) dependency resolution failed.
I'm not sure what's the correct action here so some other maintainer here need to take a look.

# Run eval $(opam env) to update the current shell environment
2023-06-13 11:42.27 ---> saved as "0298ab547521d3ba7805b69be20af9b02584c66e6be90ea79b99c6cf68a3d236"

/home/opam: (env OPAMCRITERIA -removed,-count[avoid-version,changed],-count[version-lag,request],-count[version-lag,changed],-count[missing-depexts,changed],-changed)

/home/opam: (env OPAMFIXUPCRITERIA -removed,-count[avoid-version,changed],-count[version-lag,request],-count[version-lag,changed],-count[missing-depexts,changed],-changed)

/home/opam: (env OPAMUPGRADECRITERIA -removed,-count[avoid-version,changed],-count[version-lag,request],-count[version-lag,changed],-count[missing-depexts,changed],-changed)

/home/opam: (run (cache (opam-archives (target /home/opam/.opam/download-cache)))
                 (network host)
                 (shell  "opam reinstall cca.0.5;\
                        \n        res=$?;\
                        \n        test \"$res\" != 31 && exit \"$res\";\
                        \n        export OPAMCLI=2.0;\
                        \n        build_dir=$(opam var prefix)/.opam-switch/build;\
                        \n        failed=$(ls \"$build_dir\");\
                        \n        partial_fails=\"\";\
                        \n        for pkg in $failed; do\
                        \n          if opam show -f x-ci-accept-failures: \"$pkg\" | grep -qF \"\\\"debian-11\\\"\"; then\
                        \n            echo \"A package failed and has been disabled for CI using the 'x-ci-accept-failures' field.\";\
                        \n          fi;\
                        \n          test \"$pkg\" != 'cca.0.5' && partial_fails=\"$partial_fails $pkg\";\
                        \n        done;\
                        \n        test \"${partial_fails}\" != \"\" && echo \"opam-repo-ci detected dependencies failing: ${partial_fails}\";\
                        \n        exit 1"))
cca.0.5 is not installed. Install it? [y/n] y
[ERROR] Sorry, resolution of the request timed out.
        Try to specify a more precise request, use a different solver, or increase the allowed time by setting OPAMSOLVERTIMEOUT to a bigger value (currently, it is set to 500.0 seconds).
"/bin/bash" "-c" "opam reinstall cca.0.5;
        res=$?;
        test "$res" != 31 && exit "$res";
        export OPAMCLI=2.0;
        build_dir=$(opam var prefix)/.opam-switch/build;
        failed=$(ls "$build_dir");
        partial_fails="";
        for pkg in $failed; do
          if opam show -f x-ci-accept-failures: "$pkg" | grep -qF "\"debian-11\""; then
            echo "A package failed and has been disabled for CI using the 'x-ci-accept-failures' field.";
          fi;
          test "$pkg" != 'cca.0.5' && partial_fails="$partial_fails $pkg";
        done;
        test "${partial_fails}" != "" && echo "opam-repo-ci detected dependencies failing: ${partial_fails}";
        exit 1" failed with exit status 60
2023-06-13 11:52.32: Job failed: Failed: Build failed
2023-06-13 11:52.32: Log analysis:
2023-06-13 11:52.32: >>> 
[ERROR] Sorry, resolution of the request timed out.
 (score = 20)
2023-06-13 11:52.32: Sorry, resolution of the request timed out.

[haochenx]

It seems that cca.0.5 is the only package that has a problem, maybe https://github.com/hannesm/opam-repository/pull/1/files#diff-bbb37c467d851e59d1caf88793c2f51b0f9ad0587b885a407b9dd6acd195835dR27 will fix the problem.

[hannesm]

Thanks! My experience with "timed out" is that the solver didn't find anything in time, and I ignore these CI failures.

[haochenx]

Thanks! My experience with "timed out" is that the solver didn't find anything in time, and I ignore these CI failures.

I see. I'm not experienced enough to tell whether timing out for the solver is ignorable. But I'm definitely not against merging this PR in its current form if it looks good to the other opam-repository maintainers.

[avsm]

Thanks for the triage @haochenx and for the package, @hannesm. I think the arm64 failure is the same as the one @samoht is trying to chase down, so not a blocker.
You may want to announce this on https://discuss.ocaml.org, where we have a Community category and an announce tag for this purpose.