From b025e8dd2dfdf150227df7123dadebbd5102a6bc Mon Sep 17 00:00:00 2001
From: Tom Krizek
Date: Mon, 27 Nov 2023 15:18:17 +0100
Subject: [PATCH 1/4] Don't use root server in addzone test

(cherry picked from commit 7037eb96d4271172612fff7ba40e14a8ad5c805b)
---
 bin/tests/system/addzone/ns3/named1.conf.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/tests/system/addzone/ns3/named1.conf.in b/bin/tests/system/addzone/ns3/named1.conf.in
index 0202b8e328..117ca76204 100644
--- a/bin/tests/system/addzone/ns3/named1.conf.in
+++ b/bin/tests/system/addzone/ns3/named1.conf.in
@@ -34,5 +34,5 @@ zone "." {
 };
 
 primaries "test" {
- 192.5.5.241;
+ 10.53.0.99;
 };

From 1997c36ce4225c99f61b78bdffe10076ea258d28 Mon Sep 17 00:00:00 2001
From: Tom Krizek
Date: Mon, 27 Nov 2023 15:39:37 +0100
Subject: [PATCH 2/4] Blackhole queries to root servers in tests

Some tests don't have a mock root server configured, because they don't need one. However, these tests might still leak queries to actual name servers. Add a shared root hints file which can serve as a blackhole for these queries.

(cherry picked from commit 8434e5abfc86532f7031c7f6256062431fe7ec8c)
---
 bin/tests/system/_common/root.hint.blackhole | 14 ++++++++++++++
 bin/tests/system/journal/ns1/named.conf.in | 5 +++++
 bin/tests/system/journal/ns2/named.conf.in | 5 +++++
 bin/tests/system/kasp/ns3/named-fips.conf.in | 5 +++++
 bin/tests/system/kasp/ns6/named.conf.in | 5 +++++
 bin/tests/system/kasp/ns6/named2.conf.in | 5 +++++
 bin/tests/system/nsupdate/ns3/named.conf.in | 5 +++++
 7 files changed, 44 insertions(+)
 create mode 100644 bin/tests/system/_common/root.hint.blackhole

diff --git a/bin/tests/system/_common/root.hint.blackhole b/bin/tests/system/_common/root.hint.blackhole
new file mode 100644
index 0000000000..d90ac89856
--- /dev/null
+++ b/bin/tests/system/_common/root.hint.blackhole
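Review bot: The new `10.53.0.99` on the `+` line is left unexplained, so the next reader of named1.conf.in cannot tell that it is presumably an address no test server answers on (the same address the rest of this series points root hints at as a blackhole) rather than a real test primary. Without that, it is the kind of value that gets "corrected" back to a live server the next time someone sees a transfer failing. Suggest a comment directly above it, `// 10.53.0.99: no test server listens here (see _common/root.hint.blackhole)`. The `primaries "test"` block is complete within the hunk.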
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS ns99.root-servers.nil.
+ns99.root-servers.nil. IN A 10.53.0.99
diff --git a/bin/tests/system/journal/ns1/named.conf.in b/bin/tests/system/journal/ns1/named.conf.in
index 55753f6445..107ada367d 100644
--- a/bin/tests/system/journal/ns1/named.conf.in
+++ b/bin/tests/system/journal/ns1/named.conf.in
@@ -35,6 +35,11 @@ controls {
 inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+zone . {
+ type hint;
+ file "../../_common/root.hint.blackhole";
+};
+
 zone changed {
 type primary;
 update-policy local;
diff --git a/bin/tests/system/journal/ns2/named.conf.in b/bin/tests/system/journal/ns2/named.conf.in
index a24774a113..2e54e7ba89 100644
--- a/bin/tests/system/journal/ns2/named.conf.in
+++ b/bin/tests/system/journal/ns2/named.conf.in
@@ -34,3 +34,8 @@ key rndc_key {
 controls {
 inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
+
+zone . {
+ type hint;
+ file "../../_common/root.hint.blackhole";
+};
diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in
index 54ce749d8e..1730d638d2 100644
--- a/bin/tests/system/kasp/ns3/named-fips.conf.in
+++ b/bin/tests/system/kasp/ns3/named-fips.conf.in
@@ -39,6 +39,11 @@ controls {
 inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+zone "." {
+ type hint;
+ file "../../_common/root.hint.blackhole";
+};
+
 /* Zones that are getting initially signed */
 
 /* The default case: No keys created, using default policy. */
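Review bot: The hint file never records that 10.53.0.99 has to stay unused in the test address range, yet the blackhole only works for as long as nothing answers on that address; if a future test ever binds a server to 10.53.0.99, every resolver pointed at this file would silently start following a live "root" instead of timing out. Suggest a comment below the licence block, `; 10.53.0.99 is deliberately not assigned to any test server; queries sent here must go unanswered.` Presumably named will also send its root-priming queries to this address and wait for them to time out, which may add startup latency to the affected tests; if that is observed, it is worth a remark in the same comment so the delay is not mistaken for a test hang.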
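Review bot: The added stanza here uses an unquoted zone name, `zone . {`, while the stanzas the same commit adds to kasp/ns3/named-fips.conf.in, kasp/ns6/named.conf.in, kasp/ns6/named2.conf.in and nsupdate/ns3/named.conf.in write `zone "." {`; journal/ns2/named.conf.in in this commit and chain/ns2/named.conf.in in the next one use the unquoted form as well. Both forms presumably parse (the existing addzone config already uses the quoted one), but a snippet that is copied into seven files is easier to grep for and to keep in sync if it is spelled one way. Suggest `zone "." {` in the three unquoted files to match the majority.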
diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in
index c339c447db..7b0cba8478 100644
--- a/bin/tests/system/kasp/ns6/named.conf.in
+++ b/bin/tests/system/kasp/ns6/named.conf.in
@@ -39,6 +39,11 @@ controls {
 inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+zone "." {
+ type hint;
+ file "../../_common/root.hint.blackhole";
+};
+
 /* This zone switch from dynamic to inline-signing. */
 zone "dynamic2inline.kasp" {
 type primary;
diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in
index 4d48fd9a7e..087fa7716f 100644
--- a/bin/tests/system/kasp/ns6/named2.conf.in
+++ b/bin/tests/system/kasp/ns6/named2.conf.in
@@ -38,6 +38,11 @@ controls {
 inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+zone "." {
+ type hint;
+ file "../../_common/root.hint.blackhole";
+};
+
 /* This zone switch from dynamic to inline-signing. */
 zone "dynamic2inline.kasp" {
 type primary;
diff --git a/bin/tests/system/nsupdate/ns3/named.conf.in b/bin/tests/system/nsupdate/ns3/named.conf.in
index 0cfa1db216..041765a947 100644
--- a/bin/tests/system/nsupdate/ns3/named.conf.in
+++ b/bin/tests/system/nsupdate/ns3/named.conf.in
@@ -26,6 +26,11 @@ options {
 dnssec-validation yes;
 };
 
+zone "." {
+ type hint;
+ file "../../_common/root.hint.blackhole";
+};
+
 zone "example" {
 type primary;
 allow-update { any; };

From d9fd971231876bcfaa88748b70a03c3323e91125 Mon Sep 17 00:00:00 2001
From: Tom Krizek
Date: Mon, 27 Nov 2023 17:20:10 +0100
Subject: [PATCH 3/4] Ensure tests use mock root server if configured

These tests have ns1 configured as a mock root server. Make sure it is used in all config files of those tests, otherwise some queries could leak to root nameservers.

(cherry picked from commit 088fcf9a613c740910804e5954b32a538017c9b8)
---
 bin/tests/system/chain/ns2/named.conf.in | 5 +++++
 bin/tests/system/dnssec/ns4/named4.conf.in | 5 +++++
 2 files changed, 10 insertions(+)
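Review bot: In nsupdate/ns3/named.conf.in the new stanza sits right under `dnssec-validation yes;` in the context lines, so on this server the blackhole does more than keep queries off the Internet: any lookup that would have needed the real root presumably now fails by timeout where it previously succeeded. That is the right outcome for a hermetic test, but it is worth confirming that no step of the nsupdate test relied on resolving a name outside the locally served zones (the `zone "example"` block continues past the hunk), and recording the constraint in a comment such as `// root queries are blackholed (see _common/root.hint.blackhole); nothing in this test may depend on external resolution`. The same consideration applies, less acutely, to the kasp/ns6 configs in this commit, whose options blocks are outside the visible hunks.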
diff --git a/bin/tests/system/chain/ns2/named.conf.in b/bin/tests/system/chain/ns2/named.conf.in
index 922d2fa5f9..6f75c0791a 100644
--- a/bin/tests/system/chain/ns2/named.conf.in
+++ b/bin/tests/system/chain/ns2/named.conf.in
@@ -26,6 +26,11 @@ options {
 notify yes;
 };
 
+zone . {
+ type hint;
+ file "../../_common/root.hint";
+};
+
 zone "example" {
 type primary;
 file "example.db.signed";
diff --git a/bin/tests/system/dnssec/ns4/named4.conf.in b/bin/tests/system/dnssec/ns4/named4.conf.in
index d192ceb4b3..941211993d 100644
--- a/bin/tests/system/dnssec/ns4/named4.conf.in
+++ b/bin/tests/system/dnssec/ns4/named4.conf.in
@@ -66,6 +66,11 @@ view auth {
 recursion no;
 allow-recursion { none; };
 
+ zone "." {
+ type hint;
+ file "../../_common/root.hint";
+ };
+
 zone secure.example {
 type secondary;
 primaries { 10.53.0.3; };

From e5403f39c11eb7fba9f03f4684d66a7588396a19 Mon Sep 17 00:00:00 2001
From: Tom Krizek
Date: Mon, 27 Nov 2023 17:22:19 +0100
Subject: [PATCH 4/4] Delete unused config file in dnssec system test

(cherry picked from commit f69df830c6091917fb378681ba16e899ceb042a4)
---
 bin/tests/system/dnssec/ns4/named5.conf.in | 40 ----------------------
 1 file changed, 40 deletions(-)
 delete mode 100644 bin/tests/system/dnssec/ns4/named5.conf.in

diff --git a/bin/tests/system/dnssec/ns4/named5.conf.in b/bin/tests/system/dnssec/ns4/named5.conf.in
deleted file mode 100644
index 88caacaee1..0000000000
--- a/bin/tests/system/dnssec/ns4/named5.conf.in
+++ /dev/null
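Review bot: In dnssec/ns4/named4.conf.in the hint zone is added inside `view auth`, whose visible context sets `recursion no;` and `allow-recursion { none; };`; a `type hint` root zone only influences iterative resolution, so in this view it is presumably inert and does not by itself stop a query from reaching a real root server. The `view auth` block and the rest of the file continue outside the hunk: if named4.conf.in defines another view that does recurse, that view is where a leak would originate and it is the one that needs the same four-line stanza pointing at `../../_common/root.hint`. If no such view exists, the addition is harmless, but a short comment on it, `// root hints: ns1 is the mock root; keep this in every recursive view too`, would tell the next reader why it is here and what to keep in step.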
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-// NS4
-
-options {
- query-source address 10.53.0.4;
- notify-source 10.53.0.4;
- transfer-source 10.53.0.4;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.4; };
- listen-on-v6 { none; };
- bindkeys-file "managed.conf";
- dnssec-validation no;
-};
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm @DEFAULT_HMAC@;
-};
-
-controls {
- inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-key auth {
- secret "1234abcd8765";
- algorithm hmac-sha256;
-};