Test dynamic update forwarding when using a TLS-enabled primary

Add several test cases in the 'upforwd' system test to make sure that different scenarios of Dynamic DNS update forwarding are tested, in particular when both the original and forwarded requests are over Do53, or DoT, or they use different transports.
2026-06-11 10:50:00 -04:00 · 2022-09-28 09:01:19 +00:00 · 2022-09-28 09:01:19 +00:00 · ae4296729c
commit ae4296729c
parent 3d7103bd21
5 changed files with 96 additions and 10 deletions
--- a/bin/tests/system/upforwd/knowngood.after2
+++ b/bin/tests/system/upforwd/knowngood.after2
@ -4,8 +4,8 @@ example.		3600	IN	NS	ns3.example.
 ns1.example.		3600	IN	A	10.53.0.1
 ns2.example.		3600	IN	A	10.53.0.2
 ns3.example.		3600	IN	A	10.53.0.3
-unsigned.example.	600	IN	TXT	"Foo"
-unsigned.example.	600	IN	A	10.10.10.1
 updated.example.	600	IN	TXT	"Foo"
 updated.example.	600	IN	A	10.10.10.1
+updated-dot.example.	600	IN	TXT	"Foo"
+updated-dot.example.	600	IN	A	10.10.10.1
 example.		3600	IN	SOA	n1.example. hostmaster.ns1.example. 3 3600 1200 604800 7200
--- a/bin/tests/system/upforwd/knowngood.after3
+++ b/bin/tests/system/upforwd/knowngood.after3
@ -0,0 +1,13 @@
+example.		3600	IN	SOA	n1.example. hostmaster.ns1.example. 4 3600 1200 604800 7200
+example.		3600	IN	NS	ns2.example.
+example.		3600	IN	NS	ns3.example.
+ns1.example.		3600	IN	A	10.53.0.1
+ns2.example.		3600	IN	A	10.53.0.2
+ns3.example.		3600	IN	A	10.53.0.3
+unsigned.example.	600	IN	TXT	"Foo"
+unsigned.example.	600	IN	A	10.10.10.1
+updated.example.	600	IN	TXT	"Foo"
+updated.example.	600	IN	A	10.10.10.1
+updated-dot.example.	600	IN	TXT	"Foo"
+updated-dot.example.	600	IN	A	10.10.10.1
+example.		3600	IN	SOA	n1.example. hostmaster.ns1.example. 4 3600 1200 604800 7200
--- a/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
@ -21,8 +21,10 @@ options {
 	notify-source 10.53.0.1;
 	transfer-source 10.53.0.1;
 	port @PORT@;
+	tls-port @TLSPORT@;
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
+	listen-on tls ephemeral { 10.53.0.1; };
 	listen-on-v6 { none; };
 	recursion yes;
 	notify yes;
--- a/bin/tests/system/upforwd/ns3/named.conf.in
+++ b/bin/tests/system/upforwd/ns3/named.conf.in
@ -16,8 +16,10 @@ options {
 	notify-source 10.53.0.3;
 	transfer-source 10.53.0.3;
 	port @PORT@;
+	tls-port @TLSPORT@;
 	pid-file "named.pid";
 	listen-on { 10.53.0.3; };
+	listen-on tls ephemeral { 10.53.0.3; };
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
@ -37,7 +39,7 @@ zone "example" {
 	type secondary;
 	file "example.bk";
 	allow-update-forwarding { any; };
-	primaries { 10.53.0.1; };
+	primaries { 10.53.0.1 port @TLSPORT@ tls ephemeral; };
 };

 zone "example2" {
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@ -78,7 +78,7 @@ digcomp knowngood.before dig.out.ns2 || ret=1
 digcomp knowngood.before dig.out.ns3 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi

-echo_i "updating zone (signed) ($n)"
+echo_i "checking update forwarding of a zone (signed) (Do53 -> DoT) ($n)"
 ret=0
 $NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -- - <<EOF || ret=1
 server 10.53.0.3 ${PORT}
@ -119,9 +119,51 @@ digcomp knowngood.after1 dig.out.ns2 || ret=1
 digcomp knowngood.after1 dig.out.ns3 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi

-echo_i "checking 'forwarding update for zone' is logged ($n)"
+echo_i "checking update forwarding of a zone (signed) (DoT -> DoT) ($n)"
 ret=0
-grep "forwarding update for zone 'example/IN'" ns3/named.run > /dev/null || ret=1
+$NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -S -O -- - <<EOF || ret=1
+server 10.53.0.3 ${TLSPORT}
+update add updated-dot.example. 600 A 10.10.10.1
+update add updated-dot.example. 600 TXT Foo
+send
+EOF
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "sleeping 15 seconds for server to incorporate changes"
+sleep 15
+
+echo_i "fetching primary copy of zone after update ($n)"
+ret=0
+$DIG $DIGOPTS example.\
+	@10.53.0.1 axfr > dig.out.ns1 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "fetching secondary 1 copy of zone after update ($n)"
+ret=0
+$DIG $DIGOPTS example.\
+	@10.53.0.2 axfr > dig.out.ns2 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+echo_i "fetching secondary 2 copy of zone after update ($n)"
+ret=0
+$DIG $DIGOPTS example.\
+	@10.53.0.3 axfr > dig.out.ns3 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "comparing post-update copies to known good data ($n)"
+ret=0
+digcomp knowngood.after2 dig.out.ns1 || ret=1
+digcomp knowngood.after2 dig.out.ns2 || ret=1
+digcomp knowngood.after2 dig.out.ns3 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+echo_i "checking 'forwarding update for zone' is logged twice ($n)"
+ret=0
+cnt=$(grep -F "forwarding update for zone 'example/IN'" ns3/named.run | wc -l || ret=1)
+test "${cnt}" -eq 2 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 n=`expr $n + 1`

@ -171,9 +213,9 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi

 echo_i "comparing post-update copies to known good data ($n)"
 ret=0
-digcomp knowngood.after2 dig.out.ns1 || ret=1
-digcomp knowngood.after2 dig.out.ns2 || ret=1
-digcomp knowngood.after2 dig.out.ns3 || ret=1
+digcomp knowngood.after3 dig.out.ns1 || ret=1
+digcomp knowngood.after3 dig.out.ns2 || ret=1
+digcomp knowngood.after3 dig.out.ns3 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi

 if $FEATURETEST --enable-dnstap
@ -222,7 +264,7 @@ fi

 if test -f keyname
 then
-	echo_i "checking update forwarding to with sig0 ($n)"
+	echo_i "checking update forwarding to with sig0 (Do53 -> Do53) ($n)"
 	ret=0
 	keyname=`cat keyname`
 	$NSUPDATE -k $keyname.private -- - <<EOF
@ -248,6 +290,33 @@ EOF
 		status=`expr $status + $ret`
 		n=`expr $n + 1`
 	fi
+
+	echo_i "checking update forwarding to with sig0 (DoT -> Do53) ($n)"
+	ret=0
+	keyname=`cat keyname`
+	$NSUPDATE -k $keyname.private -S -O -- - <<EOF
+	server 10.53.0.3 ${TLSPORT}
+	zone example2
+	update add unsigned-dot.example2. 600 A 10.10.10.1
+	update add unsigned-dot.example2. 600 TXT Foo
+	send
+EOF
+	$DIG -p ${PORT} unsigned-dot.example2 A @10.53.0.1 > dig.out.ns1.test$n
+	grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+	if [ $ret != 0 ] ; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+	n=`expr $n + 1`
+
+	if $FEATURETEST --enable-dnstap
+	then
+		echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)"
+		ret=0
+		capture_dnstap
+		uq_equals_ur || ret=1
+		if [ $ret != 0 ] ; then echo_i "failed"; fi
+		status=`expr $status + $ret`
+		n=`expr $n + 1`
+	fi
 fi

 echo_i "exit status: $status"