diff --git a/bin/tests/system/doth/ns4/named.conf.in b/bin/tests/system/doth/ns4/named.conf.in
new file mode 100644
index 0000000000..2b7b0f7df1
--- /dev/null
+++ b/bin/tests/system/doth/ns4/named.conf.in
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# We need a separate instance for the "rndc reconfig" test in order to
+# ensure that it does not use ephemeral keys (these are costly to
+# generate) and creates a minimal amount of TLS contexts, reducing the
+# time needed for startup/reconfiguration. Long
+# startup/reconfiguration was known to cause timeout issues in the CI
+# system, where many tests run in parallel.
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls local {
+ key-file "../ns2/key.pem";
+ cert-file "../ns2/cert.pem";
+ dhparam-file "../ns2/dhparam3072.pem";
+};
+
+http local {
+ endpoints { "/dns-query"; };
+};
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ tls-port @TLSPORT@;
+ https-port @HTTPSPORT@;
+ http-port @HTTPPORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on tls local { 10.53.0.4; }; // DoT
+ listen-on tls local http local { 10.53.0.4; }; // DoH
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ ixfr-from-differences yes;
+ check-integrity no;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+tls tls-v1.2-pfs {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers no;
+};
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.1 tls tls-v1.2-pfs; };
+ file "example.db";
+ allow-transfer { any; };
+};
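Review bot: The header comment documents ns4 only as the instance for the "rndc reconfig" test, but tests.sh in this same commit also uses it as the third secondary in the new "testing incoming XoT functionality" case, which relies on the `primaries { 10.53.0.1 tls tls-v1.2-pfs; };` clause and on `allow-transfer { any; };` in the "example" zone below. A reader of this file alone cannot see that the zone definition and the tls-v1.2-pfs cipher policy are load-bearing for a second test, so a later "simplification" of either could silently break it. Suggested addition to the comment block: `# ns4 is also the third secondary of "example": it fetches the zone from ns1 over TLS (tls-v1.2-pfs) and must re-serve it over TLS for the incoming-XoT test in tests.sh.`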
diff --git a/bin/tests/system/doth/setup.sh b/bin/tests/system/doth/setup.sh
index dcbdb21a0d..42d83d2dd5 100644
--- a/bin/tests/system/doth/setup.sh
+++ b/bin/tests/system/doth/setup.sh
@@ -27,3 +27,4 @@ done
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
diff --git a/bin/tests/system/doth/tests.sh b/bin/tests/system/doth/tests.sh
index 8514b0d4b5..b8abd1d624 100644
--- a/bin/tests/system/doth/tests.sh
+++ b/bin/tests/system/doth/tests.sh
@@ -44,7 +44,8 @@ wait_for_tls_xfer() (
 shift
 zone_name="$1"
 shift
- dig_with_tls_opts -b 10.53.0.3 "@10.53.0.$srv_number" "${zone_name}." AXFR > "dig.out.ns$srv_number.${zone_name}.test$n" || return 1
+ # Let's bind to .10 to make it possible to easily distinguish dig from NSs in packet traces
+ dig_with_tls_opts -b 10.53.0.10 "@10.53.0.$srv_number" "${zone_name}." AXFR > "dig.out.ns$srv_number.${zone_name}.test$n" || return 1
 grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" > /dev/null && return 1
 return 0
 )
@@ -55,7 +56,7 @@ n=0
 n=$((n+1))
 echo_i "testing XoT server functionality (using dig) ($n)"
 ret=0
-dig_with_tls_opts example. -b 10.53.0.3 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
+dig_with_tls_opts example. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
 grep "^;" dig.out.ns1.test$n | cat_i
 digcomp example.axfr.good dig.out.ns1.test$n || ret=1
 if test $ret != 0 ; then echo_i "failed"; fi
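Review bot: The new source address in `dig_with_tls_opts -b 10.53.0.10 ...` is repeated in the `-b 10.53.0.10` edits of the -55 hunk below and the -143 hunk of this file, so every dig bind now depends on 10.53.0.10 being one of the addresses the system-test interface setup brings up; that setup is not visible in this diff, and if the harness only provisions the addresses named servers listen on, the bind fails and the tests report a transfer or query failure rather than an address problem. Please confirm 10.53.0.10 is in the provisioned set before merging. The rationale comment is attached only to this first hunk; a one-line pointer at the other two, e.g. `# -b 10.53.0.10: see comment in wait_for_tls_xfer`, would keep the three call sites in step when the address changes again. wait_for_tls_xfer's definition begins before this hunk.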
@@ -99,6 +100,19 @@ fi
 if test $ret != 0 ; then echo_i "failed"; fi
 status=$((status+ret))
 
+n=$((n+1))
+echo_i "testing incoming XoT functionality (from the third secondary) ($n)"
+ret=0
+if retry_quiet 10 wait_for_tls_xfer 4 example; then
+ grep "^;" "dig.out.ns4.example.test$n" | cat_i
+ digcomp example.axfr.good "dig.out.ns4.example.test$n" || ret=1
+else
+ echo_i "timed out waiting for zone transfer"
+ ret=1
+fi
+if test $ret != 0 ; then echo_i "failed"; fi
+status=$((status+ret))
+
 n=$((n + 1))
 echo_i "checking DoT query (ephemeral key) ($n)"
 ret=0
@@ -143,7 +157,7 @@ status=$((status + ret))
 n=$((n+1))
 echo_i "testing zone transfer over Do53 server functionality (using dig, failure expected) ($n)"
 ret=0
-dig_with_opts example. -b 10.53.0.3 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
+dig_with_opts example. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
 grep "; Transfer failed." dig.out.ns1.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -442,14 +456,14 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "doing rndc reconfig to see that queries keep being served after that ($n)"
 ret=0
-rndccmd 10.53.0.1 reconfig
+rndccmd 10.53.0.4 reconfig
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
-echo_i "checking DoT query (ephemeral key) after a reconfiguration ($n)"
+echo_i "checking DoT query after a reconfiguration ($n)"
 ret=0
-dig_with_tls_opts @10.53.0.1 . SOA > dig.out.test$n
+dig_with_tls_opts @10.53.0.4 example SOA > dig.out.test$n
 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
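Review bot: The else branch of the new `if retry_quiet 10 wait_for_tls_xfer 4 example; then` block reports only "timed out waiting for zone transfer", but wait_for_tls_xfer (hunk -44) returns 1 both when dig itself fails and when its output contains a `;` line, so a TLS handshake or cipher-policy mismatch between ns4's outgoing tls-v1.2-pfs context and ns1 would most likely show up in CI as the same "timed out" message with no further detail. Dumping the last attempt's output on the failure path would make that distinguishable from a genuinely slow transfer, e.g. `echo_i "timed out waiting for zone transfer"` followed by `cat_i < "dig.out.ns4.example.test$n"`. As a point of style, the block uses `if test $ret != 0 ; then` while the neighbouring cases edited in the -143 and -442 hunks use `if [ $ret != 0 ]; then`; both forms already occur in the file, but new code could settle on one.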
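Review bot: `rndccmd 10.53.0.4 reconfig` in the -442 hunk runs after `ret=0` but its exit status is never captured, so a failed reconfig (for instance rndc unable to reach ns4's control channel) leaves ret at 0, the `if [ $ret != 0 ]` line below can never report it, and the DoT and DoH checks that follow would be run against a server that was never reconfigured. Change it to `rndccmd 10.53.0.4 reconfig || ret=1`. The removed line had the same gap, so this is pre-existing, but the commit retargets exactly this line and is the natural place to close it. The same shape recurs in `dig_with_tls_opts @10.53.0.4 example SOA > dig.out.test$n` later in this hunk and in the DoH query of the -457 hunk, where dig's exit status is also dropped; there the following grep for NOERROR at least catches an outright query failure, so that is a lesser concern.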
@@ -457,7 +471,7 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking DoH query (POST) after a reconfiguration ($n)"
 ret=0
-dig_with_https_opts @10.53.0.1 . SOA > dig.out.test$n
+dig_with_https_opts @10.53.0.4 example SOA > dig.out.test$n
 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))