swap ns2 and ns3 rolls in tls notify tests

Still need to regenerate the expired certificate as it has
the wrong IP address

(cherry picked from commit 87e287c984)

bin/tests/system/notify/ns2/named-tls.conf.in

@@ -14,25 +14,16 @@
 tls tls-forward-secrecy {
     protocols { TLSv1.2; };
     ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+    prefer-server-ciphers yes;
+    key-file "../CA/certs/srv02.crt01.example.com.key";
+    cert-file "../CA/certs/srv02.crt01.example.com.pem";
     dhparam-file "../dhparam3072.pem";
-    ca-file "../CA/CA.pem";
-};
-
-tls tls-forward-secrecy-remote-hostname {
-    protocols { TLSv1.2; };
-    ca-file "../CA/CA.pem";
-    remote-hostname "srv03.crt01.example.com";
-};
-
-tls tls-forward-secrecy-bad-remote-hostname {
-    protocols { TLSv1.2; };
-    ca-file "../CA/CA.pem";
-    remote-hostname "srv03-bad.crt01.example.com";
 };
 
 tls tls-forward-secrecy-mutual-tls {
     protocols { TLSv1.2; };
     ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+    prefer-server-ciphers yes;
     key-file "../CA/certs/srv02.crt01.example.com.key";
     cert-file "../CA/certs/srv02.crt01.example.com.pem";
     dhparam-file "../dhparam3072.pem";
@@ -43,48 +34,7 @@ tls tls-expired {
     protocols { TLSv1.2; };
     ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
     prefer-server-ciphers yes;
+    key-file "../CA/certs/srv02.crt01-expired.example.com.key";
+    cert-file "../CA/certs/srv02.crt01-expired.example.com.pem";
     dhparam-file "../dhparam3072.pem";
-    ca-file "../CA/CA.pem";
-};
-
-zone tls-x1 {
-	type primary;
-	file "generic.db";
-	notify explicit;
-	also-notify { 10.53.0.3 tls ephemeral; };
-};
-
-zone tls-x2 {
-	type primary;
-	file "generic.db";
-	notify explicit;
-	also-notify { 10.53.0.3 port @EXTRAPORT1@ tls tls-expired; };
-};
-
-zone tls-x3 {
-	type primary;
-	file "generic.db";
-	notify explicit;
-	also-notify { 10.53.0.3 port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname; };
-};
-
-zone tls-x4 {
-	type primary;
-	file "generic.db";
-	notify explicit;
-	also-notify { 10.53.0.3 port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname; };
-};
-
-zone tls-x5 {
-	type primary;
-	file "generic.db";
-	notify explicit;
-	also-notify { 10.53.0.3 port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls; };
-};
-
-zone tls-x6 {
-	type primary;
-	file "generic.db";
-	notify explicit;
-	also-notify { 10.53.0.3 port @EXTRAPORT4@ tls tls-expired; };
 };

bin/tests/system/notify/ns2/options-tls.conf.in

@@ -12,3 +12,7 @@
  */
 
 	tls-port @TLSPORT@;
+	listen-on tls ephemeral { 10.53.0.2; };
+	listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; };
+	listen-on port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls { 10.53.0.2; };
+	listen-on port @EXTRAPORT4@ tls tls-expired { 10.53.0.2; };

bin/tests/system/notify/ns3/generic.db

@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				1          ; serial
+				300        ; refresh (300 seconds)
+				300        ; retry (300 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			NS	ns3
+ns2     		A	10.53.0.2
+ns3     		A	10.53.0.3
+
+a			A	10.0.0.1

bin/tests/system/notify/ns3/named-tls.conf.in

@@ -14,16 +14,25 @@
 tls tls-forward-secrecy {
     protocols { TLSv1.2; };
     ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
-    prefer-server-ciphers yes;
-    key-file "../CA/certs/srv03.crt01.example.com.key";
-    cert-file "../CA/certs/srv03.crt01.example.com.pem";
     dhparam-file "../dhparam3072.pem";
+    ca-file "../CA/CA.pem";
+};
+
+tls tls-forward-secrecy-remote-hostname {
+    protocols { TLSv1.2; };
+    ca-file "../CA/CA.pem";
+    remote-hostname "srv02.crt01.example.com";
+};
+
+tls tls-forward-secrecy-bad-remote-hostname {
+    protocols { TLSv1.2; };
+    ca-file "../CA/CA.pem";
+    remote-hostname "srv02-bad.crt01.example.com";
 };
 
 tls tls-forward-secrecy-mutual-tls {
     protocols { TLSv1.2; };
     ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
-    prefer-server-ciphers yes;
     key-file "../CA/certs/srv03.crt01.example.com.key";
     cert-file "../CA/certs/srv03.crt01.example.com.pem";
     dhparam-file "../dhparam3072.pem";
@@ -34,7 +43,48 @@ tls tls-expired {
     protocols { TLSv1.2; };
     ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
     prefer-server-ciphers yes;
-    key-file "../CA/certs/srv03.crt01-expired.example.com.key";
-    cert-file "../CA/certs/srv03.crt01-expired.example.com.pem";
     dhparam-file "../dhparam3072.pem";
+    ca-file "../CA/CA.pem";
+};
+
+zone tls-x1 {
+	type primary;
+	file "generic.db";
+	notify explicit;
+	also-notify { 10.53.0.2 tls ephemeral; };
+};
+
+zone tls-x2 {
+	type primary;
+	file "generic.db";
+	notify explicit;
+	also-notify { 10.53.0.2 port @EXTRAPORT1@ tls tls-expired; };
+};
+
+zone tls-x3 {
+	type primary;
+	file "generic.db";
+	notify explicit;
+	also-notify { 10.53.0.2 port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname; };
+};
+
+zone tls-x4 {
+	type primary;
+	file "generic.db";
+	notify explicit;
+	also-notify { 10.53.0.2 port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname; };
+};
+
+zone tls-x5 {
+	type primary;
+	file "generic.db";
+	notify explicit;
+	also-notify { 10.53.0.2 port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls; };
+};
+
+zone tls-x6 {
+	type primary;
+	file "generic.db";
+	notify explicit;
+	also-notify { 10.53.0.2 port @EXTRAPORT4@ tls tls-expired; };
 };

bin/tests/system/notify/ns3/options-tls.conf.in

@@ -12,7 +12,3 @@
  */
 
 	tls-port @TLSPORT@;
-	listen-on tls ephemeral { 10.53.0.3; };
-	listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.3; };
-	listen-on port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls { 10.53.0.3; };
-	listen-on port @EXTRAPORT4@ tls tls-expired { 10.53.0.3; };

bin/tests/system/notify/tests.sh

@@ -119,15 +119,15 @@ grep 'refused notify from non-primary: fd92:7065:b8e:ffff::2#[0-9][0-9]*$' ns3/n
 test_end
 
 test_start "checking notify over TLS successful"
-grep "zone tls-x1/IN: notify to 10.53.0.3#${TLSPORT} successful" ns2/named.run >/dev/null || ret=1
-grep "zone tls-x2/IN: notify to 10.53.0.3#${EXTRAPORT1} successful" ns2/named.run >/dev/null || ret=1
-grep "zone tls-x3/IN: notify to 10.53.0.3#${EXTRAPORT1} successful" ns2/named.run >/dev/null || ret=1
-grep "zone tls-x5/IN: notify to 10.53.0.3#${EXTRAPORT3} successful" ns2/named.run >/dev/null || ret=1
+grep "zone tls-x1/IN: notify to 10.53.0.2#${TLSPORT} successful" ns3/named.run >/dev/null || ret=1
+grep "zone tls-x2/IN: notify to 10.53.0.2#${EXTRAPORT1} successful" ns3/named.run >/dev/null || ret=1
+grep "zone tls-x3/IN: notify to 10.53.0.2#${EXTRAPORT1} successful" ns3/named.run >/dev/null || ret=1
+grep "zone tls-x5/IN: notify to 10.53.0.2#${EXTRAPORT3} successful" ns3/named.run >/dev/null || ret=1
 test_end
 
 test_start "checking notify over TLS failed"
-grep "zone tls-x4/IN: notify to 10.53.0.3#${EXTRAPORT1} failed: TLS peer certificate verification failed" ns2/named.run >/dev/null || ret=1
-grep "zone tls-x6/IN: notify to 10.53.0.3#${EXTRAPORT4} failed: TLS peer certificate verification failed" ns2/named.run >/dev/null || ret=1
+grep "zone tls-x4/IN: notify to 10.53.0.2#${EXTRAPORT1} failed: TLS peer certificate verification failed" ns3/named.run >/dev/null || ret=1
+grep "zone tls-x6/IN: notify to 10.53.0.2#${EXTRAPORT4} failed: TLS peer certificate verification failed" ns3/named.run >/dev/null || ret=1
 test_end
 
 test_start "checking example2 loaded"