DoT test

Preliminary test for DNSoverTLS - add the dot-port template to system
tests, test a simple query to an authoritative.

bin/named/config.c

@@ -93,7 +93,7 @@ options {\n\
 	nta-recheck 300;\n\
 #	pid-file \"" NAMED_LOCALSTATEDIR "/run/named/named.pid\"; \n\
 	port 53;\n\
-	dot-port 853;\n\
+	tls-port 853;\n\
 	prefetch 2 9;\n\
 	recursing-file \"named.recursing\";\n\
 	recursive-clients 1000;\n\

bin/named/include/named/globals.h

@@ -72,7 +72,7 @@ EXTERN const char *named_g_srcid       INIT(PACKAGE_SRCID);
 EXTERN const char *named_g_configargs  INIT(PACKAGE_CONFIGARGS);
 EXTERN const char *named_g_builder     INIT(PACKAGE_BUILDER);
 EXTERN in_port_t named_g_port	       INIT(0);
-EXTERN in_port_t named_g_dot_port      INIT(0);
+EXTERN in_port_t named_g_tlsport       INIT(0);
 EXTERN isc_dscp_t named_g_dscp	       INIT(-1);
 
 EXTERN named_server_t *named_g_server INIT(NULL);

bin/named/main.c

@@ -703,10 +703,40 @@ parse_T_opt(char *option) {
 	}
 }
 
+static void
+parse_port(char *arg) {
+	enum { DNSPORT, TLSPORT } ptype = DNSPORT;
+	char *value = arg;
+	int port;
+
+	if (strncmp(arg, "dns=", 4) == 0) {
+		value = arg + 4;
+	} else if (strncmp(arg, "tls=", 4) == 0) {
+		value = arg + 4;
+		ptype = TLSPORT;
+	}
+
+	port = parse_int(value, "port");
+	if (port < 1 || port > 65535) {
+		named_main_earlyfatal("port '%s' out of range", value);
+	}
+
+	switch (ptype) {
+	case DNSPORT:
+		named_g_port = port;
+		break;
+	case TLSPORT:
+		named_g_tlsport = port;
+		break;
+	default:
+		INSIST(0);
+		ISC_UNREACHABLE();
+	}
+}
+
 static void
 parse_command_line(int argc, char *argv[]) {
 	int ch;
-	int port;
 	const char *p;
 
 	save_command_line(argc, argv);
@@ -788,14 +818,7 @@ parse_command_line(int argc, char *argv[]) {
 			}
 			break;
 		case 'p':
-			port = parse_int(isc_commandline_argument, "port");
-			if (port < 1 || port > 64735) {
-				named_main_earlyfatal("port '%s' out of range",
-						      isc_commandline_argument);
-			}
-			named_g_port = port;
-			/* XXXWPK have a separate option for that. */
-			named_g_dot_port = port + 800;
+			parse_port(isc_commandline_argument);
 			break;
 		case 's':
 			/* XXXRTH temporary syntax */

bin/named/named.conf.rst

@@ -231,7 +231,6 @@ OPTIONS
   	    size ) ] [ versions ( unlimited | integer ) ] [ suffix (
   	    increment | timestamp ) ];
   	dnstap-version ( quoted_string | none );
-  	dot-port integer;
   	dscp integer;
   	dual-stack-servers [ port integer ] { ( quoted_string [ port
   	    integer ] [ dscp integer ] | ipv4_address [ port
@@ -415,6 +414,7 @@ OPTIONS
   	tkey-domain quoted_string;
   	tkey-gssapi-credential quoted_string;
   	tkey-gssapi-keytab quoted_string;
+  	tls-port integer;
   	transfer-format ( many-answers | one-answer );
   	transfer-message-size integer;
   	transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [

bin/named/named.rst

@@ -108,9 +108,13 @@ Options
    present and creates one thread per CPU. If it is unable to determine
    the number of CPUs, a single worker thread is created.
 
-``-p port``
-   This option listens for queries on ``port``. If not specified, the default is
-   port 53.
+``-p value``
+   This option specifies the port(s) on which the server will listen
+   for queries. If ``value`` is of the form ``<portnum>`` or
+   ``dns=<portnum>``, the server will listen for DNS queries on
+   ``portnum``; if not not specified, the default is port 53. If
+   ``value`` is of the form ``tls=<portnum>``, the server will
+   listen for TLS queries on ``portnum``; the default is 853.
 
 ``-s``
    This option writes memory usage statistics to ``stdout`` on exit.

bin/named/server.c

@@ -10914,11 +10914,11 @@ ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
 	portobj = cfg_tuple_get(listener, "port");
 	if (!cfg_obj_isuint32(portobj)) {
 		if (tls) {
-			if (named_g_dot_port != 0) {
-				port = named_g_dot_port;
+			if (named_g_tlsport != 0) {
+				port = named_g_tlsport;
 			} else {
 				result = named_config_getport(
-					config, "dot-port", &port);
+					config, "tls-port", &port);
 				if (result != ISC_R_SUCCESS) {
 					return (result);
 				}

bin/tests/system/Makefile.am

@@ -174,6 +174,7 @@ TESTS +=		\
 	nsupdate	\
 	resolver	\
 	statistics	\
+	dot		\
 	upforwd		\
 	zero
 

bin/tests/system/conf.sh.common

@@ -668,6 +668,7 @@ copy_setports() {
     # this file and produces conf.sh.
     atsign="@"
     sed -e "s/${atsign}PORT${atsign}/${PORT}/g" \
+        -e "s/${atsign}TLSPORT${atsign}/${TLSPORT}/g" \
         -e "s/${atsign}EXTRAPORT1${atsign}/${EXTRAPORT1}/g" \
         -e "s/${atsign}EXTRAPORT2${atsign}/${EXTRAPORT2}/g" \
         -e "s/${atsign}EXTRAPORT3${atsign}/${EXTRAPORT3}/g" \

bin/tests/system/dot/clean.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.conf
+rm -f */named.stats*
+rm -f dig.out*
+rm -f rndc.out*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*

bin/tests/system/dot/ns1/named.conf.in

@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	tls-port @TLSPORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	listen-on tls ephemeral { 10.53.0.1; };
+	recursion no;
+	notify no;
+	statistics-file "named.stats";
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+	allow-transfer { any; };
+};

bin/tests/system/dot/setup.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf

bin/tests/system/dot/tests.sh

@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+# shellcheck source=../conf.sh
+. ../conf.sh
+
+dig_dot_with_opts() {
+	"${DIG}" -p "${TLSPORT}" +tls "$@"
+}
+
+status=0
+n=0
+
+n=$((n + 1))
+echo_i "checking DoT query response ($n)"
+ret=0
+dig_dot_with_opts @10.53.0.1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoT XFR ($n)"
+ret=0
+dig_dot_with_opts +comment @10.53.0.1 . AXFR > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1

bin/tests/system/get_ports.sh

@@ -81,6 +81,7 @@ while getopts "p:-:" OPT; do
 done
 
 echo "export PORT=$(get_port "$baseport")"
+echo "export TLSPORT=$(get_port)"
 echo "export EXTRAPORT1=$(get_port)"
 echo "export EXTRAPORT2=$(get_port)"
 echo "export EXTRAPORT3=$(get_port)"

bin/tests/system/run.sh.in

@@ -149,7 +149,7 @@ stop_servers() {
 echostart "S:$systest:$(date_with_args)"
 echoinfo  "T:$systest:1:A"
 echoinfo  "A:$systest:System test $systest"
-echoinfo  "I:$systest:PORTS:${PORT},${EXTRAPORT1},${EXTRAPORT2},${EXTRAPORT3},${EXTRAPORT4},${EXTRAPORT5},${EXTRAPORT6},${EXTRAPORT7},${EXTRAPORT8},${CONTROLPORT}"
+echoinfo  "I:$systest:PORTS:${PORT},${TLSPORT},${EXTRAPORT1},${EXTRAPORT2},${EXTRAPORT3},${EXTRAPORT4},${EXTRAPORT5},${EXTRAPORT6},${EXTRAPORT7},${EXTRAPORT8},${CONTROLPORT}"
 
 $PERL ${srcdir}/testsock.pl -p "$PORT"  || {
     echowarn "I:$systest:Network interface aliases not set up.  Skipping test."

doc/man/named.8in

@@ -108,9 +108,13 @@ not specified, \fBnamed\fP tries to determine the number of CPUs
 present and creates one thread per CPU. If it is unable to determine
 the number of CPUs, a single worker thread is created.
 .TP
-.B \fB\-p port\fP
-This option listens for queries on \fBport\fP\&. If not specified, the default is
-port 53.
+.B \fB\-p value\fP
+This option specifies the port(s) on which the server will listen
+for queries. If \fBvalue\fP is of the form \fB<portnum>\fP or
+\fBdns=<portnum>\fP, the server will listen for DNS queries on
+\fBportnum\fP; if not not specified, the default is port 53. If
+\fBvalue\fP is of the form \fBtls=<portnum>\fP, the server will
+listen for TLS queries on \fBportnum\fP; the default is 853.
 .TP
 .B \fB\-s\fP
 This option writes memory usage statistics to \fBstdout\fP on exit.

doc/man/named.conf.5in

@@ -477,6 +477,7 @@ options {
       tkey\-domain quoted_string;
       tkey\-gssapi\-credential quoted_string;
       tkey\-gssapi\-keytab quoted_string;
+      tls\-port integer;
       transfer\-format ( many\-answers | one\-answer );
       transfer\-message\-size integer;
       transfer\-source ( ipv4_address | * ) [ port ( integer | * ) ] [

doc/misc/options

@@ -173,7 +173,6 @@ options {
             <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
             increment | timestamp ) ];
         dnstap-version ( <quoted_string> | none );
-        dot-port <integer>;
         dscp <integer>;
         dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
             <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
@@ -382,6 +381,7 @@ options {
         tkey-domain <quoted_string>;
         tkey-gssapi-credential <quoted_string>;
         tkey-gssapi-keytab <quoted_string>;
+        tls-port <integer>;
         topology { <address_match_element>; ... }; // ancient
         transfer-format ( many-answers | one-answer );
         transfer-message-size <integer>;

doc/misc/options.active

@@ -159,7 +159,6 @@ options {
             <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
             increment | timestamp ) ];
         dnstap-version ( <quoted_string> | none );
-        dot-port <integer>;
         dscp <integer>;
         dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
             <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
@@ -343,6 +342,7 @@ options {
         tkey-domain <quoted_string>;
         tkey-gssapi-credential <quoted_string>;
         tkey-gssapi-keytab <quoted_string>;
+        tls-port <integer>;
         transfer-format ( many-answers | one-answer );
         transfer-message-size <integer>;
         transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [

doc/misc/options.grammar.rst

@@ -89,7 +89,6 @@
   	    <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
   	    increment | timestamp ) ];
   	dnstap-version ( <quoted_string> | none );
-  	dot-port <integer>;
   	dscp <integer>;
   	dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
   	    <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
@@ -273,6 +272,7 @@
   	tkey-domain <quoted_string>;
   	tkey-gssapi-credential <quoted_string>;
   	tkey-gssapi-keytab <quoted_string>;
+  	tls-port <integer>;
   	transfer-format ( many-answers | one-answer );
   	transfer-message-size <integer>;
   	transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [

lib/isccfg/namedconf.c

@@ -1201,7 +1201,7 @@ static cfg_clausedef_t options_clauses[] = {
 	{ "notify-rate", &cfg_type_uint32, 0 },
 	{ "pid-file", &cfg_type_qstringornone, 0 },
 	{ "port", &cfg_type_uint32, 0 },
-	{ "dot-port", &cfg_type_uint32, 0 },
+	{ "tls-port", &cfg_type_uint32, 0 },
 	{ "querylog", &cfg_type_boolean, 0 },
 	{ "random-device", &cfg_type_qstringornone, 0 },
 	{ "recursing-file", &cfg_type_qstring, 0 },
@@ -3841,6 +3841,3 @@ static cfg_type_t cfg_type_optional_tls = {
 	"tlsoptional",	       parse_optional_keyvalue, print_keyvalue,
 	doc_optional_keyvalue, &cfg_rep_string,		&tls_kw
 };
-static cfg_type_t cfg_type_tls = { "tls",	    parse_keyvalue,
-				   print_keyvalue,  doc_keyvalue,
-				   &cfg_rep_string, &tls_kw };

util/copyrights

@@ -363,6 +363,9 @@
 ./bin/tests/system/dnstap/setup.sh		SH	2018,2019,2020
 ./bin/tests/system/dnstap/tests.sh		SH	2015,2016,2017,2018,2019,2020
 ./bin/tests/system/dnstap/ydump.py		PYTHON	2016,2017,2018,2019,2020
+./bin/tests/system/dot/clean.sh			SH	2020
+./bin/tests/system/dot/setup.sh			SH	2020
+./bin/tests/system/dot/tests.sh			SH	2020
 ./bin/tests/system/dscp/clean.sh		SH	2013,2014,2015,2016,2018,2019,2020
 ./bin/tests/system/dscp/ns1/named.args		X	2013,2014,2018,2019,2020
 ./bin/tests/system/dscp/ns2/named.args		X	2013,2014,2018,2019,2020