* tests: add certbot-dns-rfc2136 integration tests * dont use 'with' form of socket.socket fixes py2 crash * address some feedback: - conftest: make DNS server a global resource - conftest: add dns_xdist parameter into node config - conftest: add --dns-server=bind flag - conftest: if configured, point the ACME server to the DNS server - dnsserver: make it sort-of compatible with xdist (future-proofing) - context: parameterize dns-rfc2136 credentials file (future proofing) - context: reduce dns-rfc2136 propagation time to speed up tests - tox: add a integration-dns-rfc2136 target - rfc2136: add a test/zone for subdelegation - rfc2136: skip tests if no DNS server is configured * try add integration-dns-rfc2136 to CI * mock recursive dns via RPZ * update --dns-server args and tox.ini args * address more feedback: - dns_server: rename rfc2136 creds file to .tpl - dns_server: dont vary dns server port, instead we will vary zone names (#8455) - dns_server: log error if bind9 fails to stop cleanly - dns_server: replace assert with raise - context: remove redundant _worker_id - context: remove redundant cleanup override - context: fix seek/flush in credentials context manager - context: rename skip_if_no_server -> ...bind_server - context: add newline EOF * conftest: document _setup_primary_node sideeffects * ci: rfc2136-integration from standard->nightly * fix _stop_bind (function was renamed to stop) * ignore errors from shutil.rmtree during cleanup * dns_server: check for crash while polling * remove --dry-run from rfc2136 test
// BIND named.conf for the certbot-dns-rfc2136 integration tests.
// The server is authoritative for two test zones (example.com., sub.example.com.)
// that the tests update over RFC 2136 with a TSIG key, and it answers recursive
// queries only from a response-policy (RPZ) zone, so the tests never reach public DNS.
options {
    directory "/var/cache/bind";

    // Running inside Docker. Bind address on Docker host is 127.0.0.1.
    // NOTE(review): together with allow-recursion { any; } below, publishing the
    // container port on loopback only is what keeps this instance from being
    // reachable as a resolver from outside the host -- confirm in the container
    // / port-mapping configuration.
    listen-on { any; };
    listen-on-v6 { any; };

    // We are allowing BIND to service recursive queries, but only in an extremely limited sense
    // where it is entirely disconnected from public DNS:
    // - Iterative queries are disabled. Only forwarding to a non-existent forwarder.
    // - The only recursive answers we can get (that will not be a SERVFAIL) will come from the
    //   RPZ "mock-recursion" zone. Effectively this means we are mocking out the entirety of
    //   public DNS.
    allow-recursion { any; }; // BIND will only answer using RPZ if recursion is enabled
    forwarders { 192.0.2.254; }; // Nobody is listening, this is TEST-NET-1
    forward only; // Do NOT perform iterative queries from the root zone
    dnssec-validation no; // Do not bother fetching the root DNSKEY set (performance)
    response-policy { // All recursive queries will be served from here.
        zone "mock-recursion"
        log yes;
    } recursive-only no // Allow RPZs to affect authoritative zones too.
    qname-wait-recurse no // No real recursion.
    nsip-wait-recurse no; // No real recursion.

    // Defaults inherited by every zone below: no zone transfers, and no dynamic
    // updates unless a zone declares its own update-policy.
    allow-transfer { none; };
    allow-update { none; };
};

// TSIG key that authenticates the RFC 2136 updates sent by the tests.
// The secret is a test fixture committed to the repository (presumably the
// same value carried by the dns-rfc2136 credentials template the tests
// render -- confirm); it protects nothing outside this harness and must not
// be copied into any real deployment, which needs its own freshly generated key.
key "default-key." {
    algorithm hmac-sha512;
    secret "91CgOwzihr0nAVEHKFXJPQCbuBBbBI19Ks5VAweUXgbF40NWTD83naeg3c5y2MPdEiFRXnRLJxL6M+AfHCGLNw==";
};

// RPZ zone referenced by the response-policy statement above: the only source
// of non-SERVFAIL answers for recursive queries.
zone "mock-recursion" {
    type primary;
    file "/var/lib/bind/rpz.mock-recursion";
    // Refuse direct queries for the RPZ data itself; it is applied only through
    // response-policy, so clients cannot enumerate the mocked names.
    allow-query {
        none;
    };
};

// Authoritative test zone that certbot-dns-rfc2136 updates during the tests.
zone "example.com." {
    type primary;
    file "/var/lib/bind/db.example.com";
    // Dynamic-update journal kept under the options directory rather than next
    // to the zone file -- presumably because /var/lib/bind is not writable for
    // named in the container; confirm against the container image.
    journal "/var/cache/bind/db.example.com.jnl";

    // Least privilege for the shared test key: holders of default-key may add or
    // delete only TXT records at or below this zone's apex (zonesub), which is all
    // the dns-01 challenge needs; they cannot touch A, NS, SOA or any other type.
    update-policy {
        grant default-key zonesub TXT;
    };
};

// Child zone served as its own primary so the tests can exercise the
// sub-delegation case named in the commit message; the same key gets the
// same TXT-only grant here.
zone "sub.example.com." {
    type primary;
    file "/var/lib/bind/db.sub.example.com";
    journal "/var/cache/bind/db.sub.example.com.jnl";

    update-policy {
        grant default-key zonesub TXT;
    };
};