From ae4296729cd6e1f5027617351faf970b5d1b438d Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Wed, 28 Sep 2022 09:01:19 +0000
Subject: [PATCH] Test dynamic update forwarding when using a TLS-enabled primary

Add several test cases in the 'upforwd' system test to make sure that different scenarios of Dynamic DNS update forwarding are tested, in particular when both the original and forwarded requests are over Do53, or DoT, or they use different transports.
---
 bin/tests/system/upforwd/knowngood.after2 | 4 +-
 bin/tests/system/upforwd/knowngood.after3 | 13 ++++
 bin/tests/system/upforwd/ns1/named.conf.in | 2 +
 bin/tests/system/upforwd/ns3/named.conf.in | 4 +-
 bin/tests/system/upforwd/tests.sh | 83 ++++++++++++++++++++--
 5 files changed, 96 insertions(+), 10 deletions(-)
 create mode 100644 bin/tests/system/upforwd/knowngood.after3

diff --git a/bin/tests/system/upforwd/knowngood.after2 b/bin/tests/system/upforwd/knowngood.after2
index eab7a2cf06..04a001f813 100644
--- a/bin/tests/system/upforwd/knowngood.after2
+++ b/bin/tests/system/upforwd/knowngood.after2
@@ -4,8 +4,8 @@ example. 3600 IN NS ns3.example.
 ns1.example. 3600 IN A 10.53.0.1
 ns2.example. 3600 IN A 10.53.0.2
 ns3.example. 3600 IN A 10.53.0.3
-unsigned.example. 600 IN TXT "Foo"
-unsigned.example. 600 IN A 10.10.10.1
 updated.example. 600 IN TXT "Foo"
 updated.example. 600 IN A 10.10.10.1
+updated-dot.example. 600 IN TXT "Foo"
+updated-dot.example. 600 IN A 10.10.10.1
 example. 3600 IN SOA n1.example. hostmaster.ns1.example. 3 3600 1200 604800 7200
diff --git a/bin/tests/system/upforwd/knowngood.after3 b/bin/tests/system/upforwd/knowngood.after3
new file mode 100644
index 0000000000..18407f09e6
--- /dev/null
+++ b/bin/tests/system/upforwd/knowngood.after3
@@ -0,0 +1,13 @@
+example. 3600 IN SOA n1.example. hostmaster.ns1.example. 4 3600 1200 604800 7200
+example. 3600 IN NS ns2.example.
+example. 3600 IN NS ns3.example.
+ns1.example. 3600 IN A 10.53.0.1
+ns2.example. 3600 IN A 10.53.0.2
+ns3.example. 3600 IN A 10.53.0.3
+unsigned.example. 600 IN TXT "Foo"
+unsigned.example. 600 IN A 10.10.10.1
+updated.example. 600 IN TXT "Foo"
+updated.example. 600 IN A 10.10.10.1
+updated-dot.example. 600 IN TXT "Foo"
+updated-dot.example. 600 IN A 10.10.10.1
+example. 3600 IN SOA n1.example. hostmaster.ns1.example. 4 3600 1200 604800 7200
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
index 83ba6040c4..dad7b2ffbf 100644
--- a/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
@@ -21,8 +21,10 @@ options {
 	notify-source 10.53.0.1;
 	transfer-source 10.53.0.1;
 	port @PORT@;
+	tls-port @TLSPORT@;
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
+	listen-on tls ephemeral { 10.53.0.1; };
 	listen-on-v6 { none; };
 	recursion yes;
 	notify yes;
diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named.conf.in
index 75eed2ed93..abb6770c09 100644
--- a/bin/tests/system/upforwd/ns3/named.conf.in
+++ b/bin/tests/system/upforwd/ns3/named.conf.in
@@ -16,8 +16,10 @@ options {
 	notify-source 10.53.0.3;
 	transfer-source 10.53.0.3;
 	port @PORT@;
+	tls-port @TLSPORT@;
 	pid-file "named.pid";
 	listen-on { 10.53.0.3; };
+	listen-on tls ephemeral { 10.53.0.3; };
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
@@ -37,7 +39,7 @@ zone "example" {
 	type secondary;
 	file "example.bk";
 	allow-update-forwarding { any; };
-	primaries { 10.53.0.1; };
+	primaries { 10.53.0.1 port @TLSPORT@ tls ephemeral; };
 };
 
 zone "example2" {
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index 6d53af1c61..33227c363d 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
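Review bot: The new `primaries { 10.53.0.1 port @TLSPORT@ tls ephemeral; };` in the ns3 zone "example" hunk forwards updates over DoT using BIND's built-in `ephemeral` TLS profile, which — judging from the matching `listen-on tls ephemeral` added on ns1 — relies on an auto-generated self-signed certificate, so the secondary presumably cannot validate the primary's identity and only transport encryption is exercised. That is a reasonable choice for a transport-matrix test, but it should be stated so that nobody later reads this test as coverage of authenticated (Strict or Mutual TLS) update forwarding. I would add, above the `primaries` line, `// 'tls ephemeral' uses a self-signed cert with no verification: this covers DoT transport only, not Strict/Mutual TLS`. The `allow-update-forwarding { any; };` context line is pre-existing and not part of this change.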
@@ -78,7 +78,7 @@ digcomp knowngood.before dig.out.ns2 || ret=1 digcomp knowngood.before dig.out.ns3 || ret=1 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi -echo_i "updating zone (signed) ($n)" +echo_i "checking update forwarding of a zone (signed) (Do53 -> DoT) ($n)" ret=0 $NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -- - < DoT) ($n)" ret=0 -grep "forwarding update for zone 'example/IN'" ns3/named.run > /dev/null || ret=1 +$NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -S -O -- - < dig.out.ns1 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` + +echo_i "fetching secondary 1 copy of zone after update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.2 axfr > dig.out.ns2 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +echo_i "fetching secondary 2 copy of zone after update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.3 axfr > dig.out.ns3 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` + +echo_i "comparing post-update copies to known good data ($n)" +ret=0 +digcomp knowngood.after2 dig.out.ns1 || ret=1 +digcomp knowngood.after2 dig.out.ns2 || ret=1 +digcomp knowngood.after2 dig.out.ns3 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +echo_i "checking 'forwarding update for zone' is logged twice ($n)" +ret=0 +cnt=$(grep -F "forwarding update for zone 'example/IN'" ns3/named.run | wc -l || ret=1) +test "${cnt}" -eq 2 || ret=1 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi n=`expr $n + 1` 
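Review bot: The `|| ret=1` inside `cnt=$(grep -F "forwarding update for zone 'example/IN'" ns3/named.run | wc -l || ret=1)` in the added "logged twice" check runs in the command-substitution subshell, so it can never set `ret` in the test script; a missing or unreadable `named.run` is only caught because `test "" -eq 2` then errors out, which is accidental rather than the intended path. Counting with `grep -c` removes both the pipeline and the dead assignment: `cnt=$(grep -Fc "forwarding update for zone 'example/IN'" ns3/named.run)` followed by the existing `test "${cnt}" -eq 2 || ret=1`. An exact count of 2 also silently assumes that no earlier step in this run forwarded an update for 'example', so a one-line comment naming the two forwarded updates it expects (the Do53 -> DoT and DoT -> DoT cases) would make a later `-eq` failure much easier to diagnose. Several hunk headers and the nsupdate here-documents in this region appear to have been lost in extraction, so the exact hunk boundaries and the update bodies are not visible here.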
@@ -171,9 +213,9 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi echo_i "comparing post-update copies to known good data ($n)" ret=0 -digcomp knowngood.after2 dig.out.ns1 || ret=1 -digcomp knowngood.after2 dig.out.ns2 || ret=1 -digcomp knowngood.after2 dig.out.ns3 || ret=1 +digcomp knowngood.after3 dig.out.ns1 || ret=1 +digcomp knowngood.after3 dig.out.ns2 || ret=1 +digcomp knowngood.after3 dig.out.ns3 || ret=1 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi if $FEATURETEST --enable-dnstap @@ -222,7 +264,7 @@ fi if test -f keyname then - echo_i "checking update forwarding to with sig0 ($n)" + echo_i "checking update forwarding to with sig0 (Do53 -> Do53) ($n)" ret=0 keyname=`cat keyname` $NSUPDATE -k $keyname.private -- - < Do53) ($n)" + ret=0 + keyname=`cat keyname` + $NSUPDATE -k $keyname.private -S -O -- - < dig.out.ns1.test$n + grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 + if [ $ret != 0 ] ; then echo_i "failed"; fi + status=`expr $status + $ret` + n=`expr $n + 1` + + if $FEATURETEST --enable-dnstap + then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur || ret=1 + if [ $ret != 0 ] ; then echo_i "failed"; fi + status=`expr $status + $ret` + n=`expr $n + 1` + fi fi echo_i "exit status: $status"