From 1997c36ce4225c99f61b78bdffe10076ea258d28 Mon Sep 17 00:00:00 2001
From: Tom Krizek
Date: Mon, 27 Nov 2023 15:39:37 +0100
Subject: [PATCH] Blackhole queries to root servers in tests

Some tests don't have a mock root server configured, because they don't need one. However, these tests might still leak queries to actual name servers. Add a shared root hints file which can serve as a blackhole for these queries.

(cherry picked from commit 8434e5abfc86532f7031c7f6256062431fe7ec8c)
---
 bin/tests/system/_common/root.hint.blackhole | 14 ++++++++++++++
 bin/tests/system/journal/ns1/named.conf.in | 5 +++++
 bin/tests/system/journal/ns2/named.conf.in | 5 +++++
 bin/tests/system/kasp/ns3/named-fips.conf.in | 5 +++++
 bin/tests/system/kasp/ns6/named.conf.in | 5 +++++
 bin/tests/system/kasp/ns6/named2.conf.in | 5 +++++
 bin/tests/system/nsupdate/ns3/named.conf.in | 5 +++++
 7 files changed, 44 insertions(+)
 create mode 100644 bin/tests/system/_common/root.hint.blackhole

diff --git a/bin/tests/system/_common/root.hint.blackhole b/bin/tests/system/_common/root.hint.blackhole
new file mode 100644
index 0000000000..d90ac89856
--- /dev/null
+++ b/bin/tests/system/_common/root.hint.blackhole
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS ns99.root-servers.nil.
+ns99.root-servers.nil. IN A 10.53.0.99
diff --git a/bin/tests/system/journal/ns1/named.conf.in b/bin/tests/system/journal/ns1/named.conf.in
index 55753f6445..107ada367d 100644
--- a/bin/tests/system/journal/ns1/named.conf.in
+++ b/bin/tests/system/journal/ns1/named.conf.in
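Review bot: The new `bin/tests/system/_common/root.hint.blackhole` has no comment below the license header saying what the file is for or what makes it a blackhole; a reader only sees `ns99.root-servers.nil.` and `10.53.0.99`. A line such as `; Root hints for tests without a mock root server: points "." at an address where nothing answers, so queries never reach real name servers.` before `$TTL 999999` would record the intent given in the commit message. The patch does not show how the test harness treats 10.53.0.99; if that address is not bound locally or otherwise dropped, priming queries would presumably follow the host's default route rather than stay on the machine. The comment should therefore also state that assumption, for example `; Assumes nothing listens on 10.53.0.99 and the address is not routed off-host.`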
@@ -35,6 +35,11 @@ controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; };
+zone . {
+ type hint;
+ file "../../_common/root.hint.blackhole";
+};
+
 zone changed { type primary; update-policy local;
diff --git a/bin/tests/system/journal/ns2/named.conf.in b/bin/tests/system/journal/ns2/named.conf.in
index a24774a113..2e54e7ba89 100644
--- a/bin/tests/system/journal/ns2/named.conf.in
+++ b/bin/tests/system/journal/ns2/named.conf.in
@@ -34,3 +34,8 @@ key rndc_key { controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; };
+
+zone . {
+ type hint;
+ file "../../_common/root.hint.blackhole";
+};
diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in
index 54ce749d8e..1730d638d2 100644
--- a/bin/tests/system/kasp/ns3/named-fips.conf.in
+++ b/bin/tests/system/kasp/ns3/named-fips.conf.in
@@ -39,6 +39,11 @@ controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; };
+zone "." {
+ type hint;
+ file "../../_common/root.hint.blackhole";
+};
+
 /* Zones that are getting initially signed */ /* The default case: No keys created, using default policy. */
diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in
index c339c447db..7b0cba8478 100644
--- a/bin/tests/system/kasp/ns6/named.conf.in
+++ b/bin/tests/system/kasp/ns6/named.conf.in
@@ -39,6 +39,11 @@ controls { inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; };
+zone "." {
+ type hint;
+ file "../../_common/root.hint.blackhole";
+};
+
 /* This zone switch from dynamic to inline-signing. */ zone "dynamic2inline.kasp" { type primary;
diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in
index 4d48fd9a7e..087fa7716f 100644
--- a/bin/tests/system/kasp/ns6/named2.conf.in
+++ b/bin/tests/system/kasp/ns6/named2.conf.in
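Review bot: The root zone name is written two ways in this commit: the journal/ns1 and journal/ns2 hunks use the unquoted `zone . {`, while kasp/ns3, kasp/ns6 (named.conf.in and named2.conf.in) and nsupdate/ns3 use `zone "." {`. Writing `zone "." {` in both journal files would keep the six otherwise identical stanzas searchable with one pattern. Each stanza also repeats the relative path `../../_common/root.hint.blackhole`, which presumably resolves against each server's working directory. The `options` blocks are mostly outside these hunks, so it is worth confirming that none of the six configs sets a `directory` that would break the path.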
@@ -38,6 +38,11 @@ controls { inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; };
+zone "." {
+ type hint;
+ file "../../_common/root.hint.blackhole";
+};
+
 /* This zone switch from dynamic to inline-signing. */ zone "dynamic2inline.kasp" { type primary;
diff --git a/bin/tests/system/nsupdate/ns3/named.conf.in b/bin/tests/system/nsupdate/ns3/named.conf.in
index 0cfa1db216..041765a947 100644
--- a/bin/tests/system/nsupdate/ns3/named.conf.in
+++ b/bin/tests/system/nsupdate/ns3/named.conf.in
@@ -26,6 +26,11 @@ options { dnssec-validation yes; };
+zone "." {
+ type hint;
+ file "../../_common/root.hint.blackhole";
+};
+
 zone "example" { type primary; allow-update { any; };