From f138a1447af7f522d0b580ac0b03bf807df7be42 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 22 Mar 2023 11:02:02 +1100
Subject: [PATCH] forward: Check if TLS is working in FIPS mode

Skip test that depend on TLS working in FIPS mode
---
 bin/tests/system/forward/clean.sh | 10 +-
 .../system/forward/ns2/named-tls.conf.in | 40 ++++++
 bin/tests/system/forward/ns2/named.conf.in | 34 +---
 .../system/forward/ns2/options-tls.conf.in | 18 +++
 .../system/forward/ns4/named-tls.conf.in | 83 ++++++++++++
 bin/tests/system/forward/ns4/named.conf.in | 75 +---------
 .../system/forward/ns4/options-tls.conf.in | 14 ++
 bin/tests/system/forward/setup.sh | 26 +++-
 bin/tests/system/forward/tests.sh | 121 +++++++++++-------
 9 files changed, 267 insertions(+), 154 deletions(-)
 create mode 100644 bin/tests/system/forward/ns2/named-tls.conf.in
 create mode 100644 bin/tests/system/forward/ns2/options-tls.conf.in
 create mode 100644 bin/tests/system/forward/ns4/named-tls.conf.in
 create mode 100644 bin/tests/system/forward/ns4/options-tls.conf.in

diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh
index 716f04cebf..936dbc4d79 100644
--- a/bin/tests/system/forward/clean.sh
+++ b/bin/tests/system/forward/clean.sh
@@ -14,14 +14,18 @@
 #
 # Clean up after forward tests.
 #
-rm -f ./dig.out.*
 rm -f ./*/named.conf
 rm -f ./*/named.memstats
 rm -f ./*/named.run ./*/named.run.prev ./*/ans.run
 rm -f ./*/named_dump.db
 rm -f ./ans*/query.log
-rm -f ./ns*/named.lock
+rm -f ./dig.out.*
 rm -f ./ns*/managed-keys.bind*
-rm -f ./ns1/root.db ./ns1/root.db.signed
+rm -f ./ns*/named.lock
 rm -f ./ns*/trusted.conf
 rm -f ./ns1/K* ./ns1/dsset-*
+rm -f ./ns1/root.db ./ns1/root.db.signed
+rm -f ns2/named-tls.conf
+rm -f ns2/options-tls.conf
+rm -f ns4/named-tls.conf
+rm -f ns4/options-tls.conf
diff --git a/bin/tests/system/forward/ns2/named-tls.conf.in b/bin/tests/system/forward/ns2/named-tls.conf.in
new file mode 100644
index 0000000000..2c68c6f287
--- /dev/null
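Review bot: The four new `rm -f ns2/named-tls.conf` … `rm -f ns4/options-tls.conf` lines at the end of the hunk are the only entries in clean.sh written without the `./` prefix that every other line in the file uses, and they spell out per-directory what the neighbouring entries express with a glob. One line in the file's existing style covers both directories and any ns directory the same include scheme is extended to later: `rm -f ./ns*/named-tls.conf ./ns*/options-tls.conf`. Using the glob also keeps clean.sh in step with setup.sh, which creates these files as empty stubs when the feature test fails, so they always exist to be removed.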
+++ b/bin/tests/system/forward/ns2/named-tls.conf.in @@ -0,0 +1,40 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +tls tls-forward-secrecy { + protocols { TLSv1.2; }; + ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + prefer-server-ciphers yes; + key-file "../CA/certs/srv02.crt01.example.nil.key"; + cert-file "../CA/certs/srv02.crt01.example.nil.pem"; + dhparam-file "../dhparam3072.pem"; +}; + +tls tls-forward-secrecy-mutual-tls { + protocols { TLSv1.2; }; + ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + prefer-server-ciphers yes; + key-file "../CA/certs/srv02.crt01.example.nil.key"; + cert-file "../CA/certs/srv02.crt01.example.nil.pem"; + dhparam-file "../dhparam3072.pem"; + ca-file "../CA/CA.pem"; +}; + +tls tls-expired { + protocols { TLSv1.2; }; + ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + prefer-server-ciphers yes; + key-file "../CA/certs/srv02.crt02-expired.example.nil.key"; + cert-file "../CA/certs/srv02.crt02-expired.example.nil.pem"; + dhparam-file "../dhparam3072.pem"; +}; diff --git a/bin/tests/system/forward/ns2/named.conf.in b/bin/tests/system/forward/ns2/named.conf.in index c8e5cb59f8..02da868fb2 100644 --- a/bin/tests/system/forward/ns2/named.conf.in +++ b/bin/tests/system/forward/ns2/named.conf.in 
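Review bot: Nothing in the new file records that it is conditionally generated: setup.sh renders ns2/named-tls.conf from this template only when `$FEATURETEST --have-fips-dh` succeeds and otherwise installs an empty file, so a reader of ns2/named.conf.in sees an `include "named-tls.conf";` whose three tls contexts can silently vanish. I would add, directly after the licence header, a comment along the lines of `// Rendered by setup.sh only when $FEATURETEST --have-fips-dh succeeds; otherwise an empty named-tls.conf is installed, so nothing outside this file and options-tls.conf may reference these tls contexts.` The restriction matters because a `listen-on ... tls tls-expired` left in named.conf.in would make named fail to load on a FIPS build that lacks DH support (presumably what the feature test detects — worth confirming in the comment).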
@@ -11,33 +11,7 @@ * information regarding copyright ownership. */ -tls tls-forward-secrecy { - protocols { TLSv1.2; }; - ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; - prefer-server-ciphers yes; - key-file "../CA/certs/srv02.crt01.example.nil.key"; - cert-file "../CA/certs/srv02.crt01.example.nil.pem"; - dhparam-file "../dhparam3072.pem"; -}; - -tls tls-forward-secrecy-mutual-tls { - protocols { TLSv1.2; }; - ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; - prefer-server-ciphers yes; - key-file "../CA/certs/srv02.crt01.example.nil.key"; - cert-file "../CA/certs/srv02.crt01.example.nil.pem"; - dhparam-file "../dhparam3072.pem"; - ca-file "../CA/CA.pem"; -}; - -tls tls-expired { - protocols { TLSv1.2; }; - ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; - prefer-server-ciphers yes; - key-file "../CA/certs/srv02.crt02-expired.example.nil.key"; - cert-file "../CA/certs/srv02.crt02-expired.example.nil.pem"; - dhparam-file "../dhparam3072.pem"; -}; +include "named-tls.conf"; options { query-source address 10.53.0.2; @@ -47,13 +21,9 @@ options { transfer-source 10.53.0.2; transfer-source-v6 fd92:7065:b8e:ffff::2; port @PORT@; - tls-port @TLSPORT@; pid-file "named.pid"; listen-on { 10.53.0.2; }; - listen-on tls ephemeral { 10.53.0.2; }; - listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; }; - listen-on port @EXTRAPORT2@ tls tls-forward-secrecy-mutual-tls { 10.53.0.2; }; - listen-on port @EXTRAPORT3@ tls tls-expired { 10.53.0.2; }; + include "options-tls.conf"; listen-on-v6 { fd92:7065:b8e:ffff::2; }; recursion no; dnssec-validation no; diff --git a/bin/tests/system/forward/ns2/options-tls.conf.in b/bin/tests/system/forward/ns2/options-tls.conf.in new file mode 100644 index 0000000000..fab1fa706d --- /dev/null +++ b/bin/tests/system/forward/ns2/options-tls.conf.in 
@@ -0,0 +1,18 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + + tls-port @TLSPORT@; + listen-on tls ephemeral { 10.53.0.2; }; + listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; }; + listen-on port @EXTRAPORT2@ tls tls-forward-secrecy-mutual-tls { 10.53.0.2; }; + listen-on port @EXTRAPORT3@ tls tls-expired { 10.53.0.2; }; diff --git a/bin/tests/system/forward/ns4/named-tls.conf.in b/bin/tests/system/forward/ns4/named-tls.conf.in new file mode 100644 index 0000000000..ed8c86594c --- /dev/null +++ b/bin/tests/system/forward/ns4/named-tls.conf.in 
@@ -0,0 +1,83 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +tls tls-forward-secrecy { + protocols { TLSv1.2; }; + ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + dhparam-file "../dhparam3072.pem"; + ca-file "../CA/CA.pem"; +}; + +tls tls-forward-secrecy-remote-hostname { + protocols { TLSv1.2; }; + ca-file "../CA/CA.pem"; + remote-hostname "srv02.crt01.example.nil"; +}; + +tls tls-forward-secrecy-bad-remote-hostname { + protocols { TLSv1.2; }; + ca-file "../CA/CA.pem"; + remote-hostname "srv02-bad.crt01.example.nil"; +}; + +tls tls-forward-secrecy-mutual-tls { + protocols { TLSv1.2; }; + ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + key-file "../CA/certs/srv04.crt01.example.nil.key"; + cert-file "../CA/certs/srv04.crt01.example.nil.pem"; + dhparam-file "../dhparam3072.pem"; + ca-file "../CA/CA.pem"; +}; + +tls tls-expired { + protocols { TLSv1.2; }; + ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + prefer-server-ciphers yes; + dhparam-file "../dhparam3072.pem"; + ca-file "../CA/CA.pem"; +}; + +zone "example1." { + type forward; + forward first; + forwarders { 10.53.0.2 tls ephemeral; }; +}; + +zone "example3." { + type forward; + forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; }; +}; + +zone "example4." { + type forward; + forward only; + forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2 tls tls-expired port @EXTRAPORT3@; }; +}; + +zone "example8." 
{ + type forward; + forward only; + forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname { 10.53.0.2; }; +}; + +zone "example9." { + type forward; + forward only; + forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname { 10.53.0.2; }; +}; + +zone "1.0.10.in-addr.arpa" { + type forward; + forward only; + forwarders { 10.53.0.2 tls tls-forward-secrecy-mutual-tls port @EXTRAPORT2@; }; +}; diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in index 098b58a12c..f6524d5858 100644 --- a/bin/tests/system/forward/ns4/named.conf.in +++ b/bin/tests/system/forward/ns4/named.conf.in @@ -11,12 +11,14 @@ * information regarding copyright ownership. */ +include "named-tls.conf"; + options { query-source address 10.53.0.4; notify-source 10.53.0.4; transfer-source 10.53.0.4; port @PORT@; - tls-port @TLSPORT@; + include "options-tls.conf"; pid-file "named.pid"; listen-on { 10.53.0.4; }; listen-on-v6 { none; }; 
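Review bot: The `tls-expired` context in the new ns4/named-tls.conf.in carries `prefer-server-ciphers yes;`, but as far as this hunk shows every ns4 tls context is only ever referenced from `forwarders { ... tls ... }` clauses, i.e. on the client side of the connection, where a server-side cipher-ordering preference has no effect; dropping that line (keeping `protocols`, `ciphers`, `dhparam-file` and `ca-file`) avoids suggesting the option does something here. Since the file is new and conditionally generated, a header comment stating that these contexts are client-only and that setup.sh substitutes an empty file when `$FEATURETEST --have-fips-dh` fails would also help, e.g. `// Client-side tls contexts and the forward zones that use them; setup.sh installs an empty file instead when FIPS-mode DH is unavailable.`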
@@ -30,83 +32,12 @@ zone "." { file "root.db"; }; -tls tls-forward-secrecy { - protocols { TLSv1.2; }; - ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; - dhparam-file "../dhparam3072.pem"; - ca-file "../CA/CA.pem"; -}; - -tls tls-forward-secrecy-remote-hostname { - protocols { TLSv1.2; }; - ca-file "../CA/CA.pem"; - remote-hostname "srv02.crt01.example.nil"; -}; - -tls tls-forward-secrecy-bad-remote-hostname { - protocols { TLSv1.2; }; - ca-file "../CA/CA.pem"; - remote-hostname "srv02-bad.crt01.example.nil"; -}; - -tls tls-forward-secrecy-mutual-tls { - protocols { TLSv1.2; }; - ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; - key-file "../CA/certs/srv04.crt01.example.nil.key"; - cert-file "../CA/certs/srv04.crt01.example.nil.pem"; - dhparam-file "../dhparam3072.pem"; - ca-file "../CA/CA.pem"; -}; - -tls tls-expired { - protocols { TLSv1.2; }; - ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; - prefer-server-ciphers yes; - dhparam-file "../dhparam3072.pem"; - ca-file "../CA/CA.pem"; -}; - -zone "example1." { - type forward; - forward first; - forwarders { 10.53.0.2 tls ephemeral; }; -}; - -zone "example3." { - type forward; - forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; }; -}; - -zone "example4." { - type forward; - forward only; - forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2 tls tls-expired port @EXTRAPORT3@; }; -}; - zone "example5." { type forward; forward only; forwarders { 10.53.0.2; }; }; -zone "example8." { - type forward; - forward only; - forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname { 10.53.0.2; }; -}; - -zone "example9." 
{ - type forward; - forward only; - forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname { 10.53.0.2; }; -}; - -zone "1.0.10.in-addr.arpa" { - type forward; - forward only; - forwarders { 10.53.0.2 tls tls-forward-secrecy-mutual-tls port @EXTRAPORT2@; }; -}; - zone "grafted" { type forward; forward only; diff --git a/bin/tests/system/forward/ns4/options-tls.conf.in b/bin/tests/system/forward/ns4/options-tls.conf.in new file mode 100644 index 0000000000..fe3491e6c8 --- /dev/null +++ b/bin/tests/system/forward/ns4/options-tls.conf.in @@ -0,0 +1,14 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + + tls-port @TLSPORT@; diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh index 09624ca804..ddd56c9581 100644 --- a/bin/tests/system/forward/setup.sh +++ b/bin/tests/system/forward/setup.sh 
@@ -15,9 +15,31 @@ $SHELL clean.sh
 copy_setports ns1/named.conf.in ns1/named.conf
-copy_setports ns2/named.conf.in ns2/named.conf
+
+if $FEATURETEST --have-fips-dh
+then
+ copy_setports ns2/named-tls.conf.in ns2/named-tls.conf
+ copy_setports ns2/options-tls.conf.in ns2/options-tls.conf
+ copy_setports ns2/named.conf.in ns2/named.conf
+else
+ cp /dev/null ns2/named-tls.conf
+ cp /dev/null ns2/options-tls.conf
+ copy_setports ns2/named.conf.in ns2/named.conf
+fi
+
 copy_setports ns3/named1.conf.in ns3/named.conf
-copy_setports ns4/named.conf.in ns4/named.conf
+
+if $FEATURETEST --have-fips-dh
+then
+ copy_setports ns4/named-tls.conf.in ns4/named-tls.conf
+ copy_setports ns4/options-tls.conf.in ns4/options-tls.conf
+ copy_setports ns4/named.conf.in ns4/named.conf
+else
+ cp /dev/null ns4/named-tls.conf
+ cp /dev/null ns4/options-tls.conf
+ copy_setports ns4/named.conf.in ns4/named.conf
+fi
+
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns7/named.conf.in ns7/named.conf
 copy_setports ns8/named.conf.in ns8/named.conf
diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
index 42e3ca9031..15546904f4 100644
--- a/bin/tests/system/forward/tests.sh
+++ b/bin/tests/system/forward/tests.sh
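Review bot: The two new `if $FEATURETEST --have-fips-dh` blocks are copies of each other with `ns2` swapped for `ns4`, run the feature-test binary twice for one answer, and repeat `copy_setports nsN/named.conf.in nsN/named.conf` in both branches even though that line does not depend on the result. Probing once, looping over the two directories, and leaving the unconditional copies where they were removes the duplication and keeps the empty-stub fallback (needed so the `include` lines in named.conf.in still resolve) in one place. Rewritten lines for the same hunk:
```sh
# … unchanged: copy_setports ns1 …
# Probe once; the result gates the TLS fragments for both ns2 and ns4.
if $FEATURETEST --have-fips-dh
then
	have_fips_dh=1
else
	have_fips_dh=0
fi

for ns in ns2 ns4
do
	if [ "$have_fips_dh" = 1 ]
	then
		copy_setports $ns/named-tls.conf.in $ns/named-tls.conf
		copy_setports $ns/options-tls.conf.in $ns/options-tls.conf
	else
		# Keep the include targets present but empty so named.conf still parses.
		cp /dev/null $ns/named-tls.conf
		cp /dev/null $ns/options-tls.conf
	fi
done

copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named1.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
# … unchanged: copy_setports ns5, ns7, ns8 …
```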
@@ -72,25 +72,35 @@ status=$((status+ret))
 n=$((n+1))
 echo_i "checking that DoT expired certificate does not work ($n)"
-ret=0
-nextpart ns4/named.run >/dev/null
-dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1
-dig_with_opts +noadd +noauth txt.example4. txt @$f2 > dig.out.$n.f2 || ret=1
-digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
-wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+ ret=0
+ nextpart ns4/named.run >/dev/null
+ dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1
+ dig_with_opts +noadd +noauth txt.example4. txt @$f2 > dig.out.$n.f2 || ret=1
+ digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
+ wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+else
+ echo_i "skipped."
+fi
 
 n=$((n+1))
 echo_i "checking that a forward zone works (DoT insecure) ($n)"
-ret=0
-nextpart ns4/named.run >/dev/null
-dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1
-dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1
-digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
-wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+ ret=0
+ nextpart ns4/named.run >/dev/null
+ dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1
+ dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1
+ digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
+ wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+else
+ echo_i "skipped."
+fi
 
 n=$((n+1))
 echo_i "checking that forwarding doesn't spontaneously happen ($n)"
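Review bot: Each gated test re-executes `$FEATURETEST --have-fips-dh`, so the feature-test binary is spawned once per TLS test even though its answer cannot change during the run; evaluating it once near the top of the script and testing a variable is cheaper and makes the gate greppable in one place. Near the script head (outside this hunk) add `have_fips_dh=0` and `$FEATURETEST --have-fips-dh && have_fips_dh=1`, then each block becomes `if [ $have_fips_dh = 1 ]`. The surrounding test blocks follow the same layout the rest of tests.sh uses, so this is purely a matter of how the gate is expressed, not of what it checks.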
@@ -103,36 +113,52 @@ status=$((status+ret))
 n=$((n+1))
 echo_i "checking that a forward zone with no specified policy works (DoT forward-secrecy) ($n)"
-ret=0
-nextpart ns4/named.run >/dev/null
-dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1
-dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1
-digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
-wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+ ret=0
+ nextpart ns4/named.run >/dev/null
+ dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1
+ dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1
+ digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
+ wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+else
+ echo_i "skipped."
+fi
+
 
 n=$((n+1))
 echo_i "checking that DoT remote-hostname works ($n)"
-ret=0
-nextpart ns4/named.run >/dev/null
-dig_with_opts +noadd +noauth txt.example8. txt @$hidden > dig.out.$n.hidden || ret=1
-dig_with_opts +noadd +noauth txt.example8. txt @$f2 > dig.out.$n.f2 || ret=1
-digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 || ret=1
-wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+ ret=0
+ nextpart ns4/named.run >/dev/null
+ dig_with_opts +noadd +noauth txt.example8. txt @$hidden > dig.out.$n.hidden || ret=1
+ dig_with_opts +noadd +noauth txt.example8. txt @$f2 > dig.out.$n.f2 || ret=1
+ digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 || ret=1
+ wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+else
+ echo_i "skipped."
+fi
 
 n=$((n+1))
 echo_i "checking that DoT bad remote-hostname does not work ($n)"
-ret=0
-nextpart ns4/named.run >/dev/null
-dig_with_opts +noadd +noauth txt.example9. txt @$hidden > dig.out.$n.hidden || ret=1
-dig_with_opts +noadd +noauth txt.example9. txt @$f2 > dig.out.$n.f2 || ret=1
-digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
-wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+ ret=0
+ nextpart ns4/named.run >/dev/null
+ dig_with_opts +noadd +noauth txt.example9. txt @$hidden > dig.out.$n.hidden || ret=1
+ dig_with_opts +noadd +noauth txt.example9. txt @$f2 > dig.out.$n.f2 || ret=1
+ digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
+ wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+else
+ echo_i "skipped."
+fi
 
 n=$((n+1))
 echo_i "checking that a forward only doesn't recurse ($n)"
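Review bot: The `else` branches print only `echo_i "skipped."`, so a log from a FIPS run shows three negative-path DoT checks (expired certificate, bad remote-hostname) silently not executed, with nothing saying why or that the skip is expected rather than a harness fault. Naming the reason in the message keeps the run's security coverage auditable, e.g. `echo_i "skipped: $FEATURETEST --have-fips-dh failed (DoT with DH params unavailable in this FIPS build)."` — the parenthetical is my reading of what the feature test means and should be adjusted to its actual definition. The same wording would then apply to the other gated blocks in this file.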
@@ -165,11 +191,16 @@ check_override() (
 n=$((n+1))
 echo_i "checking that forward only zone overrides empty zone (DoT forward-secrecy-mutual-tls) ($n)"
-ret=0
-# retry loop in case the server restart above causes transient failure
-retry_quiet 10 check_override || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+ ret=0
+ # retry loop in case the server restart above causes transient failure
+ retry_quiet 10 check_override || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+else
+ echo_t "skipped."
+fi
 
 n=$((n+1))
 echo_i "checking that DS lookups for grafting forward zones are isolated ($n)"
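Review bot: The skip branch of this block calls `echo_t "skipped."` where every other new skip branch in the file calls `echo_i "skipped."`; if `echo_t` is not a helper defined in conf.sh (I cannot see its definition from here), the FIPS path of this test ends in "command not found" instead of a skip message, and because the call sits in the `else` arm it is never exercised on a non-FIPS run. Change it to `echo_i "skipped."` to match the other blocks. The `check_override` function this hunk's test relies on is defined above the hunk and is not shown.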