Merge pull request #164 from NLnetLabs/framestreams

Framestreams
Wouter Wijngaards 2020-02-28 15:19:09 +01:00 committed by GitHub
commit 1c3f0293fd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
112 changed files with 10451 additions and 3670 deletions

1
.gitignore vendored

@ -37,6 +37,7 @@
/petal
/pktview
/streamtcp
/unbound-dnstap-socket
/testbound
/unittest
/contrib/libunbound.pc


@ -77,7 +77,7 @@ LINT=splint
LINTFLAGS=+quiet -weak -warnposix -unrecog -Din_addr_t=uint32_t -Du_int=unsigned -Du_char=uint8_t -preproc -Drlimit=rlimit64 -D__gnuc_va_list=va_list -formatcode
#-Dglob64=glob -Dglobfree64=globfree
# compat with openssl linux edition.
LINTFLAGS+="-DBN_ULONG=unsigned long" -Dkrb5_int32=int "-Dkrb5_ui_4=unsigned int" -DPQ_64BIT=uint64_t -DRC4_INT=unsigned -fixedformalarray -D"ENGINE=unsigned" -D"RSA=unsigned" -D"DSA=unsigned" -D"EVP_PKEY=unsigned" -D"EVP_MD=unsigned" -D"SSL=unsigned" -D"SSL_CTX=unsigned" -D"X509=unsigned" -D"RC4_KEY=unsigned" -D"EVP_MD_CTX=unsigned" -D"ECDSA_SIG=DSA_SIG" -Dfstrm_res=int
LINTFLAGS+="-DBN_ULONG=unsigned long" -Dkrb5_int32=int "-Dkrb5_ui_4=unsigned int" -DPQ_64BIT=uint64_t -DRC4_INT=unsigned -fixedformalarray -D"ENGINE=unsigned" -D"RSA=unsigned" -D"DSA=unsigned" -D"EVP_PKEY=unsigned" -D"EVP_MD=unsigned" -D"SSL=unsigned" -D"SSL_CTX=unsigned" -D"X509=unsigned" -D"RC4_KEY=unsigned" -D"EVP_MD_CTX=unsigned" -D"ECDSA_SIG=DSA_SIG"
# compat with NetBSD
LINTFLAGS+=@NETBSD_LINTFLAGS@
# compat with OpenBSD
@ -219,7 +219,7 @@ MEMSTATS_OBJ_LINK=$(MEMSTATS_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \
$(SLDNS_OBJ)
ASYNCLOOK_SRC=testcode/asynclook.c
ASYNCLOOK_OBJ=asynclook.lo
ASYNCLOOK_OBJ_LINK=$(ASYNCLOOK_OBJ) log.lo locks.lo $(COMPAT_OBJ) @ASYNCLOOK_ALLOCCHECK_EXTRA_OBJ@
ASYNCLOOK_OBJ_LINK=$(ASYNCLOOK_OBJ) log.lo locks.lo $(CHECKLOCK_OBJ) $(COMPAT_OBJ) @ASYNCLOOK_ALLOCCHECK_EXTRA_OBJ@
STREAMTCP_SRC=testcode/streamtcp.c
STREAMTCP_OBJ=streamtcp.lo
STREAMTCP_OBJ_LINK=$(STREAMTCP_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \
@ -233,6 +233,10 @@ DELAYER_OBJ_LINK=$(DELAYER_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \
$(SLDNS_OBJ)
IPSET_SRC=@IPSET_SRC@
IPSET_OBJ=@IPSET_OBJ@
DNSTAP_SOCKET_SRC=dnstap/unbound-dnstap-socket.c
DNSTAP_SOCKET_OBJ=unbound-dnstap-socket.lo
DNSTAP_SOCKET_OBJ_LINK=$(DNSTAP_SOCKET_OBJ) $(COMMON_OBJ) \
$(COMPAT_OBJ) $(SLDNS_OBJ)
LIBUNBOUND_SRC=libunbound/context.c libunbound/libunbound.c \
libunbound/libworker.c
LIBUNBOUND_OBJ=context.lo libunbound.lo libworker.lo ub_event_pluggable.lo
@ -259,7 +263,7 @@ ALL_SRC=$(COMMON_SRC) $(UNITTEST_SRC) $(DAEMON_SRC) \
$(TESTBOUND_SRC) $(LOCKVERIFY_SRC) $(PKTVIEW_SRC) \
$(MEMSTATS_SRC) $(CHECKCONF_SRC) $(LIBUNBOUND_SRC) $(HOST_SRC) \
$(ASYNCLOOK_SRC) $(STREAMTCP_SRC) $(PERF_SRC) $(DELAYER_SRC) \
$(CONTROL_SRC) $(UBANCHOR_SRC) $(PETAL_SRC) \
$(CONTROL_SRC) $(UBANCHOR_SRC) $(PETAL_SRC) $(DNSTAP_SOCKET_SRC)\
$(PYTHONMOD_SRC) $(PYUNBOUND_SRC) $(WIN_DAEMON_THE_SRC) \
$(SVCINST_SRC) $(SVCUNINST_SRC) $(ANCHORUPD_SRC) $(SLDNS_SRC)
@ -267,7 +271,7 @@ ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \
$(TESTBOUND_OBJ) $(LOCKVERIFY_OBJ) $(PKTVIEW_OBJ) \
$(MEMSTATS_OBJ) $(CHECKCONF_OBJ) $(LIBUNBOUND_OBJ) $(HOST_OBJ) \
$(ASYNCLOOK_OBJ) $(STREAMTCP_OBJ) $(PERF_OBJ) $(DELAYER_OBJ) \
$(CONTROL_OBJ) $(UBANCHOR_OBJ) $(PETAL_OBJ) \
$(CONTROL_OBJ) $(UBANCHOR_OBJ) $(PETAL_OBJ) $(DNSTAP_SOCKET_OBJ)\
$(COMPAT_OBJ) $(PYUNBOUND_OBJ) \
$(SVCINST_OBJ) $(SVCUNINST_OBJ) $(ANCHORUPD_OBJ) $(SLDNS_OBJ)
@ -306,6 +310,7 @@ rsrc_unbound_checkconf.o: $(srcdir)/winrc/rsrc_unbound_checkconf.rc config.h
TEST_BIN=asynclook$(EXEEXT) delayer$(EXEEXT) \
lock-verify$(EXEEXT) memstats$(EXEEXT) perf$(EXEEXT) \
petal$(EXEEXT) pktview$(EXEEXT) streamtcp$(EXEEXT) \
unbound-dnstap-socket$(EXEEXT) \
testbound$(EXEEXT) unittest$(EXEEXT)
tests: all $(TEST_BIN)
@ -401,7 +406,13 @@ dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h: $(srcdir)/dnstap/dnstap.proto
@-if test ! -d dnstap; then $(INSTALL) -d dnstap; fi
$(PROTOC_C) --c_out=. --proto_path=$(srcdir) $(srcdir)/dnstap/dnstap.proto
unbound-dnstap-socket$(EXEEXT): $(DNSTAP_SOCKET_OBJ_LINK)
$(LINK) -o $@ $(DNSTAP_SOCKET_OBJ_LINK) $(SSLLIB) $(LIBS)
dnstap.pb-c.lo dnstap.pb-c.o: dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h
dtstream.lo dtstream.o: $(srcdir)/dnstap/dtstream.c config.h $(srcdir)/dnstap/dtstream.h
dnstap_fstrm.lo dnstap_fstrm.o: $(srcdir)/dnstap/dnstap_fstrm.c config.h $(srcdir)/dnstap/dnstap_fstrm.h
unbound-dnstap-socket.lo unbound-dnstap-socket.o: $(srcdir)/dnstap/unbound-dnstap-socket.c config.h $(srcdir)/dnstap/dtstream.h
# dnscrypt
dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h \
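Review bot: `unbound-dnstap-socket$(EXEEXT)` is added to TEST_BIN unconditionally, while the objects its source appears to need (`dtstream.lo`, `dnstap_fstrm.lo`) are only added to DNSTAP_OBJ by configure when dnstap is enabled, so `make tests` on a tree configured without `--enable-dnstap` will most likely stop at the new link rule `$(LINK) -o $@ $(DNSTAP_SOCKET_OBJ_LINK) $(SSLLIB) $(LIBS)`. Consider making the TEST_BIN entry a configure-substituted variable that is empty when dnstap is off, the same way DNSTAP_SRC/DNSTAP_OBJ are substituted. Separately, the new dependency line `dnstap_fstrm.lo dnstap_fstrm.o: $(srcdir)/dnstap/dnstap_fstrm.c config.h $(srcdir)/dnstap/dnstap_fstrm.h` omits `sldns/sbuffer.h` and `sldns/wire2str.h`, which dnstap_fstrm.c includes in this same commit; if these lines are produced by `make depend`, regenerate them rather than hand-editing.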

78
configure vendored

@ -649,6 +649,7 @@ ENABLE_DNSCRYPT
ENABLE_DNSCRYPT_XCHACHA20
DNSTAP_OBJ
DNSTAP_SRC
DNSTAP_SOCKET_PATH
opt_dnstap_socket_path
ENABLE_DNSTAP
PROTOC_C
@ -883,7 +884,6 @@ enable_allsymbols
enable_dnstap
with_dnstap_socket_path
with_protobuf_c
with_libfstrm
enable_dnscrypt
with_libsodium
enable_cachedb
@ -1572,7 +1572,7 @@ Optional Features:
--enable-allsymbols export all symbols from libunbound and link binaries
to it, smaller install size but libunbound export
table is polluted by internal symbols
--enable-dnstap Enable dnstap support (requires fstrm, protobuf-c)
--enable-dnstap Enable dnstap support (requires protobuf-c)
--enable-dnscrypt Enable dnscrypt support (requires libsodium)
--enable-cachedb enable cachedb module that can use external cache
storage
@ -1634,7 +1634,6 @@ Optional Packages:
--with-dnstap-socket-path=pathname
set default dnstap socket path
--with-protobuf-c=path Path where protobuf-c is installed, for dnstap
--with-libfstrm=path Path where libfstrm is installed, for dnstap
--with-libsodium=path Path where libsodium is installed, for dnscrypt
--with-libmnl=path specify explicit path for libmnl.
--with-libunbound-only do not build daemon and tool programs
@ -20968,73 +20967,6 @@ else
fi
# Check whether --with-libfstrm was given.
if test "${with_libfstrm+set}" = set; then :
withval=$with_libfstrm;
CFLAGS="$CFLAGS -I$withval/include"
LDFLAGS="$LDFLAGS -L$withval/lib"
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing fstrm_iothr_init" >&5
$as_echo_n "checking for library containing fstrm_iothr_init... " >&6; }
if ${ac_cv_search_fstrm_iothr_init+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_func_search_save_LIBS=$LIBS
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char fstrm_iothr_init ();
int
main ()
{
return fstrm_iothr_init ();
;
return 0;
}
_ACEOF
for ac_lib in '' fstrm; do
if test -z "$ac_lib"; then
ac_res="none required"
else
ac_res=-l$ac_lib
LIBS="-l$ac_lib $ac_func_search_save_LIBS"
fi
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_search_fstrm_iothr_init=$ac_res
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext
if ${ac_cv_search_fstrm_iothr_init+:} false; then :
break
fi
done
if ${ac_cv_search_fstrm_iothr_init+:} false; then :
else
ac_cv_search_fstrm_iothr_init=no
fi
rm conftest.$ac_ext
LIBS=$ac_func_search_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_fstrm_iothr_init" >&5
$as_echo "$ac_cv_search_fstrm_iothr_init" >&6; }
ac_res=$ac_cv_search_fstrm_iothr_init
if test "$ac_res" != no; then :
test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
else
as_fn_error $? "The fstrm library was not found. Please install fstrm!" "$LINENO" 5
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing protobuf_c_message_pack" >&5
$as_echo_n "checking for library containing protobuf_c_message_pack... " >&6; }
if ${ac_cv_search_protobuf_c_message_pack+:} false; then :
@ -21108,10 +21040,12 @@ cat >>confdefs.h <<_ACEOF
#define DNSTAP_SOCKET_PATH "$hdr_dnstap_socket_path"
_ACEOF
DNSTAP_SOCKET_PATH="$hdr_dnstap_socket_path"
DNSTAP_SRC="dnstap/dnstap.c dnstap/dnstap.pb-c.c"
DNSTAP_OBJ="dnstap.lo dnstap.pb-c.lo"
DNSTAP_SRC="dnstap/dnstap.c dnstap/dnstap.pb-c.c dnstap/dnstap_fstrm.c dnstap/dtstream.c"
DNSTAP_OBJ="dnstap.lo dnstap.pb-c.lo dnstap_fstrm.lo dtstream.lo"
else


@ -1688,9 +1688,10 @@ dt_DNSTAP([$UNBOUND_RUN_DIR/dnstap.sock],
ACX_ESCAPE_BACKSLASH($opt_dnstap_socket_path, hdr_dnstap_socket_path)
AC_DEFINE_UNQUOTED(DNSTAP_SOCKET_PATH,
["$hdr_dnstap_socket_path"], [default dnstap socket path])
AC_SUBST(DNSTAP_SOCKET_PATH,["$hdr_dnstap_socket_path"])
AC_SUBST([DNSTAP_SRC], ["dnstap/dnstap.c dnstap/dnstap.pb-c.c"])
AC_SUBST([DNSTAP_OBJ], ["dnstap.lo dnstap.pb-c.lo"])
AC_SUBST([DNSTAP_SRC], ["dnstap/dnstap.c dnstap/dnstap.pb-c.c dnstap/dnstap_fstrm.c dnstap/dtstream.c"])
AC_SUBST([DNSTAP_OBJ], ["dnstap.lo dnstap.pb-c.lo dnstap_fstrm.lo dtstream.lo"])
],
[
AC_SUBST([ENABLE_DNSTAP], [0])


@ -451,11 +451,9 @@ daemon_create_workers(struct daemon* daemon)
fatal_exit("out of memory during daemon init");
if(daemon->cfg->dnstap) {
#ifdef USE_DNSTAP
daemon->dtenv = dt_create(daemon->cfg->dnstap_socket_path,
(unsigned int)daemon->num);
daemon->dtenv = dt_create(daemon->cfg);
if (!daemon->dtenv)
fatal_exit("dt_create failed");
dt_apply_cfg(daemon->dtenv, daemon->cfg);
#else
fatal_exit("dnstap enabled in config but not built with dnstap support");
#endif


@ -79,6 +79,7 @@
#include "sldns/wire2str.h"
#include "util/shm_side/shm_main.h"
#include "dnscrypt/dnscrypt.h"
#include "dnstap/dtstream.h"
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
@ -1914,6 +1915,20 @@ worker_init(struct worker* worker, struct config_file *cfg,
) {
auth_xfer_pickup_initial(worker->env.auth_zones, &worker->env);
}
#ifdef USE_DNSTAP
if(worker->daemon->cfg->dnstap
#ifndef THREADS_DISABLED
&& worker->thread_num == 0
#endif
) {
if(!dt_io_thread_start(dtenv->dtio, comm_base_internal(
worker->base), worker->daemon->num)) {
log_err("could not start dnstap io thread");
worker_delete(worker);
return 0;
}
}
#endif /* USE_DNSTAP */
if(!worker->env.mesh || !worker->env.scratch_buffer) {
worker_delete(worker);
return 0;
@ -1961,6 +1976,16 @@ worker_delete(struct worker* worker)
wsvc_desetup_worker(worker);
#endif /* UB_ON_WINDOWS */
}
#ifdef USE_DNSTAP
if(worker->daemon->cfg->dnstap
#ifndef THREADS_DISABLED
&& worker->thread_num == 0
#endif
) {
dt_io_thread_stop(worker->dtenv.dtio);
}
dt_deinit(&worker->dtenv);
#endif /* USE_DNSTAP */
comm_base_delete(worker->base);
ub_randfree(worker->rndstate);
alloc_clear(&worker->alloc);
@ -2099,3 +2124,18 @@ int codeline_cmp(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b))
return 0;
}
#ifdef USE_DNSTAP
void dtio_tap_callback(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev),
void* ATTR_UNUSED(arg))
{
log_assert(0);
}
#endif
#ifdef USE_DNSTAP
void dtio_mainfdcallback(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev),
void* ATTR_UNUSED(arg))
{
log_assert(0);
}
#endif
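Review bot: `dt_deinit(&worker->dtenv)` in the worker_delete hunk runs on every delete under USE_DNSTAP, including when `cfg->dnstap` is off and when worker_delete is reached from the failure paths in worker_init (for example right after `dt_io_thread_start` fails, where `dt_io_thread_stop` is then called on a thread that never started); whether `dt_init` has run at that point is not visible here, so `dtenv.msgqueue` may still be NULL. Unless dt_io_thread_stop, dt_io_thread_unregister_queue and dt_msg_queue_delete (dtstream.c, not shown) all tolerate NULL/unstarted state, guard the call: `if(worker->dtenv.msgqueue) dt_deinit(&worker->dtenv);`. Both worker_init and worker_delete begin outside their hunks. The two `log_assert(0)` stubs appended at the end of the file carry no explanation; a one-line comment stating why the daemon defines these dtio callbacks at all (presumably to satisfy references from dtstream.c that only unbound-dnstap-socket uses — confirm) would save the next reader a search.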


@ -49,13 +49,12 @@
#include "util/netevent.h"
#include "util/log.h"
#include <fstrm.h>
#include <protobuf-c/protobuf-c.h>
#include "dnstap/dnstap.h"
#include "dnstap/dtstream.h"
#include "dnstap/dnstap.pb-c.h"
#define DNSTAP_CONTENT_TYPE "protobuf:dnstap.Dnstap"
#define DNSTAP_INITIAL_BUF_SIZE 256
struct dt_msg {
@ -90,13 +89,7 @@ dt_pack(const Dnstap__Dnstap *d, void **buf, size_t *sz)
static void
dt_send(const struct dt_env *env, void *buf, size_t len_buf)
{
fstrm_res res;
if (!buf)
return;
res = fstrm_iothr_submit(env->iothr, env->ioq, buf, len_buf,
fstrm_free_wrapper, NULL);
if (res != fstrm_res_success)
free(buf);
dt_msg_queue_submit(env->msgqueue, buf, len_buf);
}
static void
@ -135,56 +128,33 @@ check_socket_file(const char* socket_path)
}
struct dt_env *
dt_create(const char *socket_path, unsigned num_workers)
dt_create(struct config_file* cfg)
{
#ifdef UNBOUND_DEBUG
fstrm_res res;
#endif
struct dt_env *env;
struct fstrm_iothr_options *fopt;
struct fstrm_unix_writer_options *fuwopt;
struct fstrm_writer *fw;
struct fstrm_writer_options *fwopt;
verbose(VERB_OPS, "attempting to connect to dnstap socket %s",
socket_path);
log_assert(socket_path != NULL);
log_assert(num_workers > 0);
check_socket_file(socket_path);
if(cfg->dnstap && cfg->dnstap_socket_path && cfg->dnstap_socket_path[0] &&
(cfg->dnstap_ip==NULL || cfg->dnstap_ip[0]==0)) {
verbose(VERB_OPS, "attempting to connect to dnstap socket %s",
cfg->dnstap_socket_path);
check_socket_file(cfg->dnstap_socket_path);
}
env = (struct dt_env *) calloc(1, sizeof(struct dt_env));
if (!env)
return NULL;
fwopt = fstrm_writer_options_init();
#ifdef UNBOUND_DEBUG
res =
#else
(void)
#endif
fstrm_writer_options_add_content_type(fwopt,
DNSTAP_CONTENT_TYPE, sizeof(DNSTAP_CONTENT_TYPE) - 1);
log_assert(res == fstrm_res_success);
fuwopt = fstrm_unix_writer_options_init();
fstrm_unix_writer_options_set_socket_path(fuwopt, socket_path);
fw = fstrm_unix_writer_init(fuwopt, fwopt);
log_assert(fw != NULL);
fopt = fstrm_iothr_options_init();
fstrm_iothr_options_set_num_input_queues(fopt, num_workers);
env->iothr = fstrm_iothr_init(fopt, &fw);
if (env->iothr == NULL) {
verbose(VERB_DETAIL, "dt_create: fstrm_iothr_init() failed");
fstrm_writer_destroy(&fw);
env->dtio = dt_io_thread_create();
if(!env->dtio) {
log_err("malloc failure");
free(env);
env = NULL;
return NULL;
}
fstrm_iothr_options_destroy(&fopt);
fstrm_unix_writer_options_destroy(&fuwopt);
fstrm_writer_options_destroy(&fwopt);
if(!dt_io_thread_apply_cfg(env->dtio, cfg)) {
dt_io_thread_delete(env->dtio);
free(env);
return NULL;
}
dt_apply_cfg(env, cfg);
return env;
}
@ -272,19 +242,33 @@ dt_apply_cfg(struct dt_env *env, struct config_file *cfg)
int
dt_init(struct dt_env *env)
{
env->ioq = fstrm_iothr_get_input_queue(env->iothr);
if (env->ioq == NULL)
env->msgqueue = dt_msg_queue_create();
if(!env->msgqueue) {
log_err("malloc failure");
return 0;
}
if(!dt_io_thread_register_queue(env->dtio, env->msgqueue)) {
log_err("malloc failure");
dt_msg_queue_delete(env->msgqueue);
env->msgqueue = NULL;
return 0;
}
return 1;
}
void
dt_deinit(struct dt_env* env)
{
dt_io_thread_unregister_queue(env->dtio, env->msgqueue);
dt_msg_queue_delete(env->msgqueue);
}
void
dt_delete(struct dt_env *env)
{
if (!env)
return;
verbose(VERB_OPS, "closing dnstap socket");
fstrm_iothr_destroy(&env->iothr);
dt_io_thread_delete(env->dtio);
free(env->identity);
free(env->version);
free(env);
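Review bot: The new `dt_deinit` neither checks `env->msgqueue` for NULL nor clears it after `dt_msg_queue_delete`, so calling it on an env where `dt_init` never ran or failed (both leave `msgqueue` NULL) relies entirely on the callees' NULL handling, and a second call would pass a freed pointer to `dt_io_thread_unregister_queue`. Suggest `if(!env->msgqueue) return;` at the top and `env->msgqueue = NULL;` after the delete, mirroring what the failure path in `dt_init` already does. In `dt_create`, the `dt_io_thread_create` failure logs `malloc failure` but the `dt_io_thread_apply_cfg` failure logs nothing here; presumably that function reports its own reason — worth confirming, since the caller in daemon.c only prints `dt_create failed`.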


@ -40,16 +40,16 @@
#ifdef USE_DNSTAP
struct config_file;
struct fstrm_io;
struct fstrm_queue;
struct sldns_buffer;
struct dt_msg_queue;
struct dt_env {
/** dnstap I/O thread */
struct fstrm_iothr *iothr;
/** the io thread (made by the struct daemon) */
struct dt_io_thread* dtio;
/** dnstap I/O thread input queue */
struct fstrm_iothr_queue *ioq;
/** valid in worker struct, not in daemon struct, the per-worker
* message list */
struct dt_msg_queue* msgqueue;
/** dnstap "identity" field, NULL if disabled */
char *identity;
@ -84,12 +84,11 @@ struct dt_env {
* of the structure) to ensure lock-free access to its own per-worker circular
* queue. Duplicate the environment object if more than one worker needs to
* share access to the dnstap I/O socket.
* @param socket_path: path to dnstap logging socket, must be non-NULL.
* @param num_workers: number of worker threads, must be > 0.
* @param cfg: with config settings.
* @return dt_env object, NULL on failure.
*/
struct dt_env *
dt_create(const char *socket_path, unsigned num_workers);
dt_create(struct config_file* cfg);
/**
* Apply config settings.
@ -107,6 +106,11 @@ dt_apply_cfg(struct dt_env *env, struct config_file *cfg);
int
dt_init(struct dt_env *env);
/**
* Deletes the per-worker state created by dt_init
*/
void dt_deinit(struct dt_env *env);
/**
* Delete dnstap environment object. Closes dnstap I/O socket and deletes all
* per-worker I/O queues.
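Review bot: The dt_create comment that survives at the top of this hunk still describes the fstrm-era design ("lock-free access to its own per-worker circular queue", "Duplicate the environment object if more than one worker needs to share access to the dnstap I/O socket"), but the struct now holds a shared `dt_io_thread` and a per-worker `dt_msg_queue` that dtstream.h documents as lock-protected. Rewrite that paragraph to describe the new arrangement (one io thread created by dt_create, a per-worker queue obtained via dt_init), as far as that matches the dnstap.c changes. The new `dt_deinit` comment should also state whether it may be called on an env for which `dt_init` never succeeded, since worker_delete calls it unconditionally.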


@ -7,7 +7,7 @@ AC_DEFUN([dt_DNSTAP],
[
AC_ARG_ENABLE([dnstap],
AS_HELP_STRING([--enable-dnstap],
[Enable dnstap support (requires fstrm, protobuf-c)]),
[Enable dnstap support (requires protobuf-c)]),
[opt_dnstap=$enableval], [opt_dnstap=no])
AC_ARG_WITH([dnstap-socket-path],
@ -40,13 +40,6 @@ AC_DEFUN([dt_DNSTAP],
fi
fi
])
AC_ARG_WITH([libfstrm], AC_HELP_STRING([--with-libfstrm=path],
[Path where libfstrm is installed, for dnstap]), [
CFLAGS="$CFLAGS -I$withval/include"
LDFLAGS="$LDFLAGS -L$withval/lib"
])
AC_SEARCH_LIBS([fstrm_iothr_init], [fstrm], [],
AC_MSG_ERROR([The fstrm library was not found. Please install fstrm!]))
AC_SEARCH_LIBS([protobuf_c_message_pack], [protobuf-c], [],
AC_MSG_ERROR([The protobuf-c library was not found. Please install protobuf-c!]))
$2

208
dnstap/dnstap_fstrm.c Normal file

@ -0,0 +1,208 @@
/*
* dnstap/dnstap_fstrm.c - Frame Streams protocol for dnstap
*
* Copyright (c) 2020, NLnet Labs. All rights reserved.
*
* This software is open source.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the NLNET LABS nor the names of its contributors may
* be used to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**
* \file
*
* Definitions for the Frame Streams data transport protocol for
* dnstap message logs.
*/
#include "config.h"
#include "dnstap/dnstap_fstrm.h"
#include "sldns/sbuffer.h"
#include "sldns/wire2str.h"
void* fstrm_create_control_frame_start(char* contenttype, size_t* len)
{
uint32_t* control;
size_t n;
/* start framestream message:
* 4byte 0: control indicator.
* 4byte bigendian: length of control frame
* 4byte bigendian: type START
* 4byte bigendian: option: content-type
* 4byte bigendian: length of string
* string of content type (dnstap)
*/
n = 4+4+4+4+4+strlen(contenttype);
control = malloc(n);
if(!control)
return NULL;
control[0] = 0;
control[1] = htonl(4+4+4+strlen(contenttype));
control[2] = htonl(FSTRM_CONTROL_FRAME_START);
control[3] = htonl(FSTRM_CONTROL_FIELD_TYPE_CONTENT_TYPE);
control[4] = htonl(strlen(contenttype));
memmove(&control[5], contenttype, strlen(contenttype));
*len = n;
return control;
}
void* fstrm_create_control_frame_stop(size_t* len)
{
uint32_t* control;
size_t n;
/* stop framestream message:
* 4byte 0: control indicator.
* 4byte bigendian: length of control frame
* 4byte bigendian: type STOP
*/
n = 4+4+4;
control = malloc(n);
if(!control)
return NULL;
control[0] = 0;
control[1] = htonl(4);
control[2] = htonl(FSTRM_CONTROL_FRAME_STOP);
*len = n;
return control;
}
void* fstrm_create_control_frame_accept(char* contenttype, size_t* len)
{
uint32_t* control;
size_t n;
/* control frame on reply:
* 4 bytes 0 escape
* 4 bytes bigendian length of frame
* 4 bytes bigendian type ACCEPT
* 4 bytes bigendian frame option content type
* 4 bytes bigendian length of string
* string of content type.
*/
/* len includes the escape and framelength */
n = 4+4+4+4+4+strlen(contenttype);
control = malloc(n);
if(!control) {
return NULL;
}
control[0] = 0;
control[1] = htonl(4+4+4+strlen(contenttype));
control[2] = htonl(FSTRM_CONTROL_FRAME_ACCEPT);
control[3] = htonl(FSTRM_CONTROL_FIELD_TYPE_CONTENT_TYPE);
control[4] = htonl(strlen(contenttype));
memmove(&control[5], contenttype, strlen(contenttype));
*len = n;
return control;
}
void* fstrm_create_control_frame_finish(size_t* len)
{
uint32_t* control;
size_t n;
/* control frame on reply:
* 4 bytes 0 escape
* 4 bytes bigendian length of frame
* 4 bytes bigendian type FINISH
*/
/* len includes the escape and framelength */
n = 4+4+4;
control = malloc(n);
if(!control) {
return NULL;
}
control[0] = 0;
control[1] = htonl(4);
control[2] = htonl(FSTRM_CONTROL_FRAME_FINISH);
*len = n;
return control;
}
char* fstrm_describe_control(void* pkt, size_t len)
{
uint32_t frametype = 0;
char buf[512];
char* str = buf;
size_t remain, slen = sizeof(buf);
uint8_t* pos;
buf[0]=0;
if(len < 4) {
snprintf(buf, sizeof(buf), "malformed control frame, "
"too short, len=%u", (unsigned int)len);
return strdup(buf);
}
frametype = sldns_read_uint32(pkt);
if(frametype == FSTRM_CONTROL_FRAME_ACCEPT) {
(void)sldns_str_print(&str, &slen, "accept");
} else if(frametype == FSTRM_CONTROL_FRAME_START) {
(void)sldns_str_print(&str, &slen, "start");
} else if(frametype == FSTRM_CONTROL_FRAME_STOP) {
(void)sldns_str_print(&str, &slen, "stop");
} else if(frametype == FSTRM_CONTROL_FRAME_READY) {
(void)sldns_str_print(&str, &slen, "ready");
} else if(frametype == FSTRM_CONTROL_FRAME_FINISH) {
(void)sldns_str_print(&str, &slen, "finish");
} else {
(void)sldns_str_print(&str, &slen, "type%d", (int)frametype);
}
/* show the content type options */
pos = pkt + 4;
remain = len - 4;
while(remain >= 8) {
uint32_t field_type = sldns_read_uint32(pos);
uint32_t field_len = sldns_read_uint32(pos+4);
if(remain < field_len) {
(void)sldns_str_print(&str, &slen, "malformed_field");
break;
}
if(field_type == FSTRM_CONTROL_FIELD_TYPE_CONTENT_TYPE) {
char tempf[512];
(void)sldns_str_print(&str, &slen, " content-type(");
if(field_len < sizeof(tempf)-1) {
memmove(tempf, pos+8, field_len);
tempf[field_len] = 0;
(void)sldns_str_print(&str, &slen, "%s", tempf);
} else {
(void)sldns_str_print(&str, &slen, "<error-too-long>");
}
(void)sldns_str_print(&str, &slen, ")");
} else {
(void)sldns_str_print(&str, &slen,
" field(type %u, length %u)",
(unsigned int)field_type,
(unsigned int)field_len);
}
pos += 8 + field_len;
remain -= (8 + field_len);
}
if(remain > 0)
(void)sldns_str_print(&str, &slen, " trailing-bytes"
"(length %u)", (unsigned int)remain);
return strdup(buf);
}
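Review bot: In `fstrm_describe_control` the guard `if(remain < field_len)` compares the field payload length against the bytes remaining including the 8-byte field header, so a `field_len` greater than `remain - 8` but no more than `remain` passes the check; the following `memmove(tempf, pos+8, field_len)` then reads past the end of `pkt`, and `remain -= (8 + field_len)` wraps the size_t so the `while(remain >= 8)` loop keeps parsing out-of-bounds memory. Since this data arrives from the peer on the stream, change the guard to `if(remain - 8 < field_len) {` (remain is at least 8 inside the loop, so no underflow). A smaller point: `pos = pkt + 4;` does arithmetic on a `void*`, a GNU extension; `pos = (uint8_t*)pkt + 4;` is portable. Finally, `fstrm_create_control_frame_start`/`_accept` never check `strlen(contenttype)` against `FSTRM_CONTENT_TYPE_LENGTH_MAX` from the header and `htonl(strlen(contenttype))` silently truncates a size_t — harmless for the constant `DNSTAP_CONTENT_TYPE`, but worth a `log_assert` or a comment stating the caller's obligation.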

179
dnstap/dnstap_fstrm.h Normal file

@ -0,0 +1,179 @@
/*
* dnstap/dnstap_fstrm.h - Frame Streams protocol for dnstap
*
* Copyright (c) 2020, NLnet Labs. All rights reserved.
*
* This software is open source.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the NLNET LABS nor the names of its contributors may
* be used to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**
* \file
*
* Definitions for the Frame Streams data transport protocol for
* dnstap message logs.
*/
#ifndef DNSTAP_FSTRM_H
#define DNSTAP_FSTRM_H
/* Frame Streams data transfer protocol encode for DNSTAP messages.
* The protocol looks to be specified in the libfstrm library.
*
* Quick writeup for DNSTAP usage, from reading fstrm/control.h eloquent
* comments and fstrm/control.c for some bytesize details (the content type
* length).
*
* The Frame Streams can be unidirectional or bi-directional.
* bi-directional streams use control frame types READY, ACCEPT and FINISH.
* uni-directional streams use control frame types START and STOP.
* unknown control frame types should be ignored by the receiver, they
* do not change the data frame encoding.
*
* bi-directional control frames implement a simple handshake protocol
* between sender and receiver.
*
* The uni-directional control frames have one start and one stop frame,
* before and after the data. The start frame can have a content type.
* The start and stop frames are not optional.
*
* data frames are preceded by 4byte length, bigendian.
* zero length data frames are not possible, they are an escape that
* signals the presence of a control frame.
*
* a control frame consists of 0 value in 4byte bigendian, this is really
* the data frame length, with 0 the escape sequence that indicates one
* control frame follows.
* Then, 4byte bigendian, length of the control frame message.
* Then, the control frame payload (of that length). with in it:
* 4byte bigendian, control type (eg. START, STOP, READY, ACCEPT, FINISH).
* perhaps nothing more (STOP, FINISH), but for other types maybe
* control fields
* 4byte bigendian, the control-field-type, currently only content-type.
* 4byte bigendian, length of the string for this option.
* .. bytes of that string.
*
* The START type can have only one field. Field max len 256.
* control frame max frame length 512 (excludes the 0-escape and control
* frame length bytes).
*
* the bidirectional type of transmission is like this:
* client sends READY (with content type included),
* client waits for ACCEPT (with content type included),
* client sends START (with matched content type from ACCEPT)
* .. data frames
* client sends STOP.
* client waits for FINISH frame.
*
*/
/** max length of Frame Streams content type field string */
#define FSTRM_CONTENT_TYPE_LENGTH_MAX 256
/** control frame value to denote the control frame ACCEPT */
#define FSTRM_CONTROL_FRAME_ACCEPT 0x01
/** control frame value to denote the control frame START */
#define FSTRM_CONTROL_FRAME_START 0x02
/** control frame value to denote the control frame STOP */
#define FSTRM_CONTROL_FRAME_STOP 0x03
/** control frame value to denote the control frame READY */
#define FSTRM_CONTROL_FRAME_READY 0x04
/** control frame value to denote the control frame FINISH */
#define FSTRM_CONTROL_FRAME_FINISH 0x05
/** the constant that denotes the control field type that is the
* string for the content type of the stream. */
#define FSTRM_CONTROL_FIELD_TYPE_CONTENT_TYPE 0x01
/** the content type for DNSTAP frame streams */
#define DNSTAP_CONTENT_TYPE "protobuf:dnstap.Dnstap"
/**
* This creates an FSTRM control frame of type START.
* @param contenttype: a zero delimited string with the content type.
* eg. use the constant DNSTAP_CONTENT_TYPE, which is defined as
* "protobuf:dnstap.Dnstap", for a dnstap frame stream.
* @param len: if a buffer is returned this is the length of that buffer.
* @return NULL on malloc failure. Returns a malloced buffer with the
* protocol message. The buffer starts with the 4 bytes of 0 that indicate
* a control frame. The buffer should be sent without preceding it with
* the 'len' variable (like data frames are), but straight the content of the
* buffer, because the lengths are included in the buffer. This is so that
* the zero control indicator can be included before the control frame length.
*/
void* fstrm_create_control_frame_start(char* contenttype, size_t* len);
/**
* This creates an FSTRM control frame of type STOP.
* @param len: if a buffer is returned this is the length of that buffer.
* @return NULL on malloc failure. Returns a malloced buffer with the
* protocol message. The buffer starts with the 4 bytes of 0 that indicate
* a control frame. The buffer should be sent without preceding it with
* the 'len' variable (like data frames are), but straight the content of the
* buffer, because the lengths are included in the buffer. This is so that
* the zero control indicator can be included before the control frame length.
*/
void* fstrm_create_control_frame_stop(size_t* len);
/**
* This creates an FSTRM control frame of type ACCEPT.
* @param contenttype: a zero delimited string with the content type.
* for dnstap streams use DNSTAP_CONTENT_TYPE.
* @param len: if a buffer is returned this is the length of that buffer.
* @return NULL on malloc failure. Returns a malloced buffer with the
* protocol message. The buffer starts with the 4 bytes of 0 that indicate
* a control frame. The buffer should be sent without preceding it with
* the 'len' variable (like data frames are), but straight the content of the
* buffer, because the lengths are included in the buffer. This is so that
* the zero control indicator can be included before the control frame length.
*/
void* fstrm_create_control_frame_accept(char* contenttype, size_t* len);
/**
* This creates an FSTRM control frame of type FINISH.
* @param len: if a buffer is returned this is the length of that buffer.
* @return NULL on malloc failure. Returns a malloced buffer with the
* protocol message. The buffer starts with the 4 bytes of 0 that indicate
* a control frame. The buffer should be sent without preceding it with
* the 'len' variable (like data frames are), but straight the content of the
* buffer, because the lengths are included in the buffer. This is so that
* the zero control indicator can be included before the control frame length.
*/
void* fstrm_create_control_frame_finish(size_t* len);
/**
* Return string that describes a control packet. For debug, logs.
* Like 'start content-type(protobuf:dnstap.Dnstap)' or 'stop'.
* @param pkt: the packet data, that is the data after the 4 zero start
* bytes and 4 length bytes.
* @param len: the length of the control packet data, in pkt. This is the
* ntohl of the 4 bytes length preceding the data.
* @return zero delimited string, malloced. Or NULL on malloc failure.
*/
char* fstrm_describe_control(void* pkt, size_t len);
#endif /* DNSTAP_FSTRM_H */
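Review bot: `fstrm_create_control_frame_start` and `fstrm_create_control_frame_accept` only read `contenttype` (strlen and memmove in dnstap_fstrm.c), yet the prototypes take `char*`, which prevents passing a `const` string and suggests the function may modify it; declare them `const char* contenttype` here and in the definitions, and similarly `fstrm_describe_control(const void* pkt, size_t len)`. `DNSTAP_CONTENT_TYPE` is now defined both here and in dnstap.c (the context line above `DNSTAP_INITIAL_BUF_SIZE` in that file); identical redefinitions compile, but one copy should be removed so the two cannot drift. The prose limits in this header (field max 256, control frame max 512) and `FSTRM_CONTENT_TYPE_LENGTH_MAX` are not enforced anywhere in this commit; either say in the per-function comments that callers must respect them or use the macro where frames are built.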

1840
dnstap/dtstream.c Normal file


305
dnstap/dtstream.h Normal file

@ -0,0 +1,305 @@
/*
* dnstap/dtstream.h - Frame Streams thread for unbound DNSTAP
*
* Copyright (c) 2020, NLnet Labs. All rights reserved.
*
* This software is open source.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the NLNET LABS nor the names of its contributors may
* be used to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**
* \file
*
* An implementation of the Frame Streams data transport protocol for
* the Unbound DNSTAP message logging facility.
*/
#ifndef DTSTREAM_H
#define DTSTREAM_H
#include "util/locks.h"
struct dt_msg_entry;
struct dt_io_list_item;
struct dt_io_thread;
struct config_file;
/**
* A message buffer with dnstap messages queued up. It is per-worker.
* It has locks to synchronize. If the buffer is full, a new message
* cannot be added and is discarded. A thread reads the messages and sends
* them.
*/
struct dt_msg_queue {
/** lock of the buffer structure. Hold this lock to add or remove
* entries to the buffer. Release it so that other threads can also
* put messages to log, or a message can be taken out to send away
* by the writer thread.
*/
lock_basic_type lock;
/** the maximum size of the buffer, in bytes */
size_t maxsize;
/** current size of the buffer, in bytes. data bytes of messages.
* If a new message make it more than maxsize, the buffer is full */
size_t cursize;
/** list of messages. The messages are added to the back and taken
* out from the front. */
struct dt_msg_entry* first, *last;
/** reference to the io thread to wakeup */
struct dt_io_thread* dtio;
};
/**
* An entry in the dt_msg_queue. contains one DNSTAP message.
* It is malloced.
*/
struct dt_msg_entry {
/** next in the list. */
struct dt_msg_entry* next;
/** the buffer with the data to send, an encoded DNSTAP message */
void* buf;
/** the length to send. */
size_t len;
};
/**
* IO thread that reads from the queues and writes them.
*/
struct dt_io_thread {
/** the thread number for the dtio thread,
* must be first to cast thread arg to int* in checklock code. */
int threadnum;
/** event base, for event handling */
void* event_base;
/** list of queues that is registered to get written */
struct dt_io_list_item* io_list;
/** iterator point in the io_list, to pick from them in a
* round-robin fashion, instead of only from the first when busy.
* if NULL it means start at the start of the list. */
struct dt_io_list_item* io_list_iter;
/** thread id, of the io thread */
ub_thread_type tid;
/** if the io processing has started */
int started;
/** ssl context for the io thread, for tls connections. type SSL_CTX* */
void* ssl_ctx;
/** file descriptor that the thread writes to */
int fd;
/** event structure that the thread uses */
void* event;
/** the event is added */
int event_added;
/** event added is a write event */
int event_added_is_write;
/** check for nonblocking connect errors on fd */
int check_nb_connect;
/** ssl for current connection, type SSL* */
void* ssl;
/** true if the handshake for SSL is done, 0 if not */
int ssl_handshake_done;
/** true if briefly the SSL wants a read event, 0 if not.
* This happens during negotiation, we then do not want to write,
* but wait for a read event. */
int ssl_brief_read;
/** the buffer that currently getting written, or NULL if no
* (partial) message written now */
void* cur_msg;
/** length of the current message */
size_t cur_msg_len;
/** number of bytes written for the current message */
size_t cur_msg_done;
/** number of bytes of the length that have been written,
* for the current message length that precedes the frame */
size_t cur_msg_len_done;
/** command pipe that stops the pipe if closed. Used to quit
* the program. [0] is read, [1] is written to. */
int commandpipe[2];
/** the event to listen to the commandpipe */
void* command_event;
/** the io thread wants to exit */
int want_to_exit;
/** in stop flush, this is nonNULL and references the stop_ev */
void* stop_flush_event;
/** the timer event for connection retries */
void* reconnect_timer;
/** if the reconnect timer is added to the event base */
int reconnect_is_added;
/** the current reconnection timeout, it is increased with
* exponential backoff, in msec */
int reconnect_timeout;
/** If the log server is connected to over unix domain sockets,
* eg. a file is named that is created to log onto. */
int upstream_is_unix;
/** if the log server is connected to over TCP. The ip address and
* port are used */
int upstream_is_tcp;
/** if the log server is connected to over TLS. ip address, port,
* and client certificates can be used for authentication. */
int upstream_is_tls;
/** the file path for unix socket (or NULL) */
char* socket_path;
/** the ip address and port number (or NULL) */
char* ip_str;
/** is the TLS upstream authenticated by name, if nonNULL,
* we use the same cert bundle as used by other TLS streams. */
char* tls_server_name;
/** are client certificates in use */
int use_client_certs;
/** client cert files: the .key file */
char* client_key_file;
/** client cert files: the .pem file */
char* client_cert_file;
};
/**
* IO thread list of queues list item
* lists a worker queue that should be looked at and sent to the log server.
*/
struct dt_io_list_item {
/** next in the list of buffers to inspect */
struct dt_io_list_item* next;
/** buffer of this worker */
struct dt_msg_queue* queue;
};
/**
* Create new (empty) worker message queue. Limit set to default on max.
* @return NULL on malloc failure or a new queue (not locked).
*/
struct dt_msg_queue* dt_msg_queue_create(void);
/**
* Delete a worker message queue. It has to be unlinked from access,
* so it can be deleted without lock worries. The queue is emptied (deleted).
* @param mq: message queue.
*/
void dt_msg_queue_delete(struct dt_msg_queue* mq);
/**
* Submit a message to the queue. The queue is locked by the routine,
* the message is inserted, and then the queue is unlocked so the
* message can be picked up by the writer thread.
* @param mq: message queue.
* @param buf: buffer with message (dnstap contents).
* The buffer must have been malloced by caller. It is linked in
* the queue, and is free()d after use. If the routine fails
* the buffer is freed as well (and nothing happens, the item
* could not be logged).
* @param len: length of buffer.
*/
void dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len);
/**
* Create IO thread.
* @return new io thread object. not yet started. or NULL malloc failure.
*/
struct dt_io_thread* dt_io_thread_create(void);
/**
* Delete the IO thread structure.
* @param dtio: the io thread that is deleted. It must not be running.
*/
void dt_io_thread_delete(struct dt_io_thread* dtio);
/**
* Apply config to the dtio thread
* @param dtio: io thread, not yet started.
* @param cfg: config file struct.
* @return false on malloc failure.
*/
int dt_io_thread_apply_cfg(struct dt_io_thread* dtio,
struct config_file *cfg);
/**
* Register a msg queue to the io thread. It will be polled to see if
* there are messages and those then get removed and sent, when the thread
* is running.
* @param dtio: the io thread.
* @param mq: message queue to register.
* @return false on failure (malloc failure).
*/
int dt_io_thread_register_queue(struct dt_io_thread* dtio,
struct dt_msg_queue* mq);
/**
* Unregister queue from io thread.
* @param dtio: the io thread.
* @param mq: message queue.
*/
void dt_io_thread_unregister_queue(struct dt_io_thread* dtio,
struct dt_msg_queue* mq);
/**
* Start the io thread
* @param dtio: the io thread.
* @param event_base_nothr: the event base to attach the events to, in case
* we are running without threads. With threads, this is ignored
* and a thread is started to process the dnstap log messages.
* @param numworkers: number of worker threads. The dnstap io thread is
* that number +1 as the threadnumber (in logs).
* @return false on failure.
*/
int dt_io_thread_start(struct dt_io_thread* dtio, void* event_base_nothr,
int numworkers);
/**
* Stop the io thread
* @param dtio: the io thread.
*/
void dt_io_thread_stop(struct dt_io_thread* dtio);
/** callback for the dnstap reconnect, to start reconnecting to output */
void dtio_reconnect_timeout_cb(int fd, short bits, void* arg);
/** callback for the dnstap events, to write to the output */
void dtio_output_cb(int fd, short bits, void* arg);
/** callback for the dnstap commandpipe, to stop the dnstap IO */
void dtio_cmd_cb(int fd, short bits, void* arg);
/** callback for the timer when the thread stops and wants to finish up */
void dtio_stop_timer_cb(int fd, short bits, void* arg);
/** callback for the output when the thread stops and wants to finish up */
void dtio_stop_ev_cb(int fd, short bits, void* arg);
/** callback for unbound-dnstap-socket */
void dtio_tap_callback(int fd, short bits, void* arg);
/** callback for unbound-dnstap-socket */
void dtio_mainfdcallback(int fd, short bits, void* arg);
#endif /* DTSTREAM_H */
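Review bot: The comment on `char* tls_server_name;` should state what a NULL value means, because as written ("is the TLS upstream authenticated by name, if nonNULL") the reader is left to infer that a NULL name gives a TLS connection whose peer is not name-checked, and an operator who sets `dnstap-tls: yes` with an empty server name needs that spelled out; something like `/** name to verify the TLS server against; NULL means no name verification, so the stream is encrypted but the peer is not authenticated by name (confirm in dtstream.c whether the chain is still verified) */`. The `dt_msg_queue` comment says a message is discarded when the buffer is full, so `dt_msg_queue_submit` should document whether such drops are counted or logged — a consumer using DNSTAP as an audit trail otherwise cannot tell the log is incomplete. The `void*` fields standing in for SSL_CTX*, SSL* and the event types would also benefit from a one-line note saying the header deliberately avoids the OpenSSL and event-library headers, if that is the reason.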



@ -1019,6 +1019,38 @@ remote-control:
# name-v6: "list-v6"
#
# Dnstap logging support, if compiled in. To enable, set the dnstap-enable
# to yes and also some of dnstap-log-..-messages to yes. And select an
# upstream log destination, by socket path, TCP or TLS destination.
# dnstap:
# dnstap-enable: no
# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
# # if "" use the unix socket in dnstap-socket-path, otherwise,
# # set it to "IPaddress[@port]" of the destination.
# dnstap-ip: ""
# # if set to yes if you want to use TLS to dnstap-ip, no for TCP.
# dnstap-tls: yes
# # name for authenticating the upstream server. or "" disabled.
# dnstap-tls-server-name: ""
# # if "", it uses the cert bundle from the main unbound config.
# dnstap-tls-cert-bundle: ""
# # key file for client authentication, or "" disabled.
# dnstap-tls-client-key-file: ""
# # cert file for client authentication, or "" disabled.
# dnstap-tls-client-cert-file: ""
# dnstap-send-identity: no
# dnstap-send-version: no
# # if "" it uses the hostname.
# dnstap-identity: ""
# # if "" it uses the package version.
# dnstap-version: ""
# dnstap-log-resolver-query-messages: no
# dnstap-log-resolver-response-messages: no
# dnstap-log-client-query-messages: no
# dnstap-log-client-response-messages: no
# dnstap-log-forwarder-query-messages: no
# dnstap-log-forwarder-response-messages: no
# Response Policy Zones
# RPZ policies. Applied in order of configuration. QNAME and Response IP
# Address trigger are the only supported triggers. Supported actions are:


@ -2121,6 +2121,82 @@ If this timeout expires Unbound closes the connection, treats it as
if the Redis server does not have the requested data, and will try to
re-establish a new connection later.
This option defaults to 100 milliseconds.
.SS DNSTAP Logging Options
DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section.
This starts an extra thread (when compiled with threading) that writes
the log information to the destination. If unbound is compiled without
threading it does not spawn a thread, but connects per-process to the
destination.
.TP
.B dnstap-enable: \fI<yes or no>
If dnstap is enabled. Default no. If yes, it connects to the dnstap server
and if any of the dnstap-log-..-messages options is enabled it sends logs
for those messages to the server.
.TP
.B dnstap-socket-path: \fI<file name>
Sets the unix socket file name for connecting to the server that is
listening on that socket. Default is "@DNSTAP_SOCKET_PATH@".
.TP
.B dnstap-ip: \fI<IPaddress[@port]>
If "", the unix socket is used, if set with an IP address (IPv4 or IPv6)
that address is used to connect to the server.
.TP
.B dnstap-tls: \fI<yes or no>
Set this to use TLS to connect to the server specified in \fBdnstap-ip\fR.
The default is yes. If set to no, TCP is used to connect to the server.
.TP
.B dnstap-tls-server-name: \fI<name of TLS authentication>
The TLS server name to authenticate the server with. Used when \fBdnstap-tls\fR is enabled. If "" it is ignored, default "".
.TP
.B dnstap-tls-cert-bundle: \fI<file name of cert bundle>
The pem file with certs to verify the TLS server certificate. If "" the
server default cert bundle is used, or the windows cert bundle on windows.
Default is "".
.TP
.B dnstap-tls-client-key-file: \fI<file name>
The client key file for TLS client authentication. If "" client
authentication is not used. Default is "".
.TP
.B dnstap-tls-client-cert-file: \fI<file name>
The client cert file for TLS client authentication. Default is "".
.TP
.B dnstap-send-identity: \fI<yes or no>
If enabled, the server identity is included in the log messages.
Default is no.
.TP
.B dnstap-send-version: \fI<yes or no>
If enabled, the server version if included in the log messages.
Default is no.
.TP
.B dnstap-identity: \fI<string>
The identity to send with messages, if "" the hostname is used.
Default is "".
.TP
.B dnstap-version: \fI<string>
The version to send with messages, if "" the package version is used.
Default is "".
.TP
.B dnstap-log-resolver-query-messages: \fI<yes or no>
Enable to log resolver query messages. Default is no.
These are messages from unbound to upstream servers.
.TP
.B dnstap-log-resolver-response-messages: \fI<yes or no>
Enable to log resolver response messages. Default is no.
These are replies from upstream servers to unbound.
.TP
.B dnstap-log-client-query-messages: \fI<yes or no>
Enable to log client query messages. Default is no.
These are client queries to unbound.
.TP
.B dnstap-log-client-response-messages: \fI<yes or no>
Enable to log client response messages. Default is no.
These are responses from unbound to clients.
.TP
.B dnstap-log-forwarder-query-messages: \fI<yes or no>
Enable to log forwarder query messages. Default is no.
.TP
.B dnstap-log-forwarder-response-messages: \fI<yes or no>
Enable to log forwarder response messages. Default is no.
.SS Response Policy Zone Options
.LP
Response Policy Zones are configured with \fBrpz:\fR, and each one must have a


@ -1047,3 +1047,19 @@ wsvc_cron_cb(void* ATTR_UNUSED(arg))
log_assert(0);
}
#endif /* UB_ON_WINDOWS */
#ifdef USE_DNSTAP
void dtio_tap_callback(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev),
void* ATTR_UNUSED(arg))
{
log_assert(0);
}
#endif
#ifdef USE_DNSTAP
void dtio_mainfdcallback(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev),
void* ATTR_UNUSED(arg))
{
log_assert(0);
}
#endif
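Review bot: The two new stubs sit in two back-to-back `#ifdef USE_DNSTAP` blocks that could be a single block, and neither says why a stub is needed in this file; a one-line comment such as `/* dnstap callbacks used only by unbound-dnstap-socket; stubbed so this binary links against dtstream.c */` would explain it (presumably that is the reason, since dtstream.h documents both as callbacks for unbound-dnstap-socket). The same pair of stubs is added by the hunk headed `@ -248,3 +248,19 @@ void remote_get_opt_ssl` further down, where the same merge and comment apply; the file names of both hunks are not shown on this page.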


@ -373,47 +373,15 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
comm_point_tcp_win_bio_cb(pend->c, pend->c->ssl);
#endif
pend->c->ssl_shake_state = comm_ssl_shake_write;
if(w->tls_auth_name) {
if(!set_auth_name_on_ssl(pend->c->ssl, w->tls_auth_name)) {
pend->c->fd = s;
#ifdef HAVE_SSL
(void)SSL_set_tlsext_host_name(pend->c->ssl, w->tls_auth_name);
SSL_free(pend->c->ssl);
#endif
pend->c->ssl = NULL;
comm_point_close(pend->c);
return 0;
}
#ifdef HAVE_SSL_SET1_HOST
if(w->tls_auth_name) {
SSL_set_verify(pend->c->ssl, SSL_VERIFY_PEER, NULL);
/* setting the hostname makes openssl verify the
* host name in the x509 certificate in the
* SSL connection*/
if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) {
log_err("SSL_set1_host failed");
pend->c->fd = s;
SSL_free(pend->c->ssl);
pend->c->ssl = NULL;
comm_point_close(pend->c);
return 0;
}
}
#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
/* openssl 1.0.2 has this function that can be used for
* set1_host like verification */
if(w->tls_auth_name) {
X509_VERIFY_PARAM* param = SSL_get0_param(pend->c->ssl);
# ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
# endif
if(!X509_VERIFY_PARAM_set1_host(param, w->tls_auth_name, strlen(w->tls_auth_name))) {
log_err("X509_VERIFY_PARAM_set1_host failed");
pend->c->fd = s;
SSL_free(pend->c->ssl);
pend->c->ssl = NULL;
comm_point_close(pend->c);
return 0;
}
SSL_set_verify(pend->c->ssl, SSL_VERIFY_PEER, NULL);
}
#else
verbose(VERB_ALGO, "the query has an auth_name, but libssl has no call to perform TLS authentication");
#endif /* HAVE_SSL_SET1_HOST */
}
w->pkt = NULL;
w->next_waiting = (void*)pend;
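Review bot: Replacing the inline SSL_set1_host / X509_VERIFY_PARAM_set1_host chain with `set_auth_name_on_ssl` removes the visible fallback that, when neither call was available, only logged `the query has an auth_name, but libssl has no call to perform TLS authentication` and then continued with an unauthenticated connection; it should be confirmed that the helper (defined outside this hunk) returns failure, or at least still emits that log line, in such a build rather than silently proceeding when a name was explicitly requested. The failure path here nulls `pend->c->ssl` and calls `comm_point_close(pend->c)` as the old code did, but it no longer logs anything itself, so if the helper does not report its own failure reason the operator only sees a closed connection — a `log_err` naming the auth name at `if(!set_auth_name_on_ssl(pend->c->ssl, w->tls_auth_name)) {` would be worth keeping. `outnet_tcp_take_into_use` starts and ends outside the hunk.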


@ -248,3 +248,19 @@ void remote_get_opt_ssl(char* ATTR_UNUSED(str), void* ATTR_UNUSED(arg))
{
log_assert(0);
}
#ifdef USE_DNSTAP
void dtio_tap_callback(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev),
void* ATTR_UNUSED(arg))
{
log_assert(0);
}
#endif
#ifdef USE_DNSTAP
void dtio_mainfdcallback(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev),
void* ATTR_UNUSED(arg))
{
log_assert(0);
}
#endif


@ -577,3 +577,13 @@ void wsvc_cron_cb(void* ATTR_UNUSED(arg))
}
#endif /* UB_ON_WINDOWS */
int tcp_connect_errno_needs_log(struct sockaddr* ATTR_UNUSED(addr),
socklen_t ATTR_UNUSED(addrlen))
{
return 1;
}
int squelch_err_ssl_handshake(unsigned long ATTR_UNUSED(err))
{
return 0;
}
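Review bot: The new stubs `tcp_connect_errno_needs_log` and `squelch_err_ssl_handshake` carry no comment saying why they exist or why they return 1 and 0 respectively, unlike the stubs above them which at least sit under a labelled `#ifdef` section. A one-line comment such as `/* link stubs: this binary makes no outgoing TCP/TLS connections; always log connect errors, never squelch handshake errors */` would document the choice — presumably they are linker stand-ins for functions the shared code now references, which this page does not show.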

40
testdata/dnstap.tdir/dnstap.conf vendored Normal file

@ -0,0 +1,40 @@
server:
verbosity: 2
num-threads: 3
outgoing-range: 16
interface: 127.0.0.1
port: @PORT@
use-syslog: no
directory: ""
pidfile: "unbound.pid"
chroot: ""
username: ""
do-not-query-localhost: no
local-zone: "example.net." redirect
local-data: "example.net. IN A 10.20.30.41"
remote-control:
control-enable: yes
control-interface: 127.0.0.1
# control-interface: ::1
control-port: @CONTROL_PORT@
server-key-file: "unbound_server.key"
server-cert-file: "unbound_server.pem"
control-key-file: "unbound_control.key"
control-cert-file: "unbound_control.pem"
forward-zone:
name: "."
forward-addr: "127.0.0.1@@TOPORT@"
dnstap:
dnstap-enable: yes
dnstap-socket-path: "dnstap.socket"
dnstap-send-identity: yes
dnstap-send-version: yes
#dnstap-identity
#dnstap-version
dnstap-log-resolver-query-messages: yes
dnstap-log-resolver-response-messages: yes
dnstap-log-client-query-messages: yes
dnstap-log-client-response-messages: yes
dnstap-log-forwarder-query-messages: yes
dnstap-log-forwarder-response-messages: yes

16
testdata/dnstap.tdir/dnstap.dsc vendored Normal file

@ -0,0 +1,16 @@
BaseName: dnstap
Version: 1.0
Description: test dnstap socket communication
CreationDate: Tue Jan 21 13:00:38 CET 2020
Maintainer: dr. W.C.A. Wijngaards
Category:
Component:
CmdDepends:
Depends:
Help:
Pre: dnstap.pre
Post: dnstap.post
Test: dnstap.test
AuxFiles:
Passed:
Failure:

16
testdata/dnstap.tdir/dnstap.post vendored Normal file

@ -0,0 +1,16 @@
# #-- dnstap.post --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# source the test var file when it's there
[ -f .tpkg.var.test ] && source .tpkg.var.test
#
# do your teardown here
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
kill_pid $DNSTAP_SOCKET_PID
kill_pid $FWD_PID
kill $UNBOUND_PID
kill $UNBOUND_PID >/dev/null 2>&1
cat unbound.log
exit 0

55
testdata/dnstap.tdir/dnstap.pre vendored Normal file

@ -0,0 +1,55 @@
# #-- dnstap.pre--#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
get_random_port 3
UNBOUND_PORT=$RND_PORT
FWD_PORT=$(($RND_PORT + 1))
CONTROL_PORT=$(($RND_PORT + 2))
echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
# start forwarder
get_ldns_testns
$LDNS_TESTNS -p $FWD_PORT dnstap.testns >fwd.log 2>&1 &
FWD_PID=$!
echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
# start the dnstap log server
# the -vvvv flag prints protocol and connection information from the
# unbound-dnstap-socket server.
# the -l flag prints the DNS info in the DNSTAP packet in multiline output.
# stderr is the '-vvvv' server logs and errors.
# stdout is the one-line packet logs (or with -l, multiline).
$PRE/unbound-dnstap-socket -u dnstap.socket -l -vvvv 2>tap.errlog >tap.log &
if test $? -ne 0; then
echo "could not start unbound-dnstap-socket server"
exit 1
fi
DNSTAP_SOCKET_PID=$!
echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
# wait for the server to go up and make the dnstap.socket file
wait_server_up "tap.errlog" "creating unix socket"
if test ! -S dnstap.socket; then
echo "the dnstap.socket file does not exist!"
fi
# make config file
sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < dnstap.conf > ub.conf
# start unbound in the background
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
cat .tpkg.var.test
wait_ldns_testns_up fwd.log
wait_unbound_up unbound.log
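Review bot: The check `if test $? -ne 0; then` right after `$PRE/unbound-dnstap-socket -u dnstap.socket -l -vvvv 2>tap.errlog >tap.log &` can never fire, because `$?` after a backgrounded command is the status of the launch (always 0), not of the program; the real failure signal is the socket test a few lines below, which currently only echoes and continues. Make that the failing check, `if test ! -S dnstap.socket; then echo "the dnstap.socket file does not exist!"; exit 1; fi`, and drop the `$?` test. The same pattern appears in dnstap_reconnect.pre (its `@ -0,0 +1,55 @@` hunk) and at the restart in dnstap_reconnect.test (`could not start (again) unbound-dnstap-socket server`).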

86
testdata/dnstap.tdir/dnstap.test vendored Normal file

@ -0,0 +1,86 @@
# #-- dnstap.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
# test if the server is up.
echo "> dig www.example.com."
dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
echo "> check answer"
if grep "10.20.30.40" outfile; then
echo "OK"
else
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
echo "> check tap.log for dnstap info"
# see if it logged the information in tap.log
# wait for a moment for filesystem to catch up.
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 10; fi
if grep "www.example.com" tap.log; then echo "yes it is in tap.log";
else
echo "information not in tap.log"
echo "failed"
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
echo "> make 10 queries to spread them over threads"
dig @127.0.0.1 -p $UNBOUND_PORT q1.example.net.
dig @127.0.0.1 -p $UNBOUND_PORT q2.example.net.
dig @127.0.0.1 -p $UNBOUND_PORT q3.example.net.
dig @127.0.0.1 -p $UNBOUND_PORT q4.example.net.
dig @127.0.0.1 -p $UNBOUND_PORT q5.example.net.
dig @127.0.0.1 -p $UNBOUND_PORT q6.example.net.
dig @127.0.0.1 -p $UNBOUND_PORT q7.example.net.
dig @127.0.0.1 -p $UNBOUND_PORT q8.example.net.
dig @127.0.0.1 -p $UNBOUND_PORT q9.example.net.
dig @127.0.0.1 -p $UNBOUND_PORT q10.example.net.
for x in q1 q2 q3 q4 5 q6 q7 q8 q9 q10; do
if grep "$x.example.net" tap.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap.log >/dev/null; then :; else sleep 10; fi
if grep "$x.example.net" tap.log; then echo "yes it is in tap.log";
else
echo "$x.example.net. information not in tap.log"
echo "failed"
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
done
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
echo "> OK"
exit 0
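Review bot: The loop `for x in q1 q2 q3 q4 5 q6 q7 q8 q9 q10; do` has `5` where `q5` is meant, so the fifth query is only checked as the substring `5.example.net`, which still matches `q5.example.net` by accident; change it to `q5`. The `.` in `grep "$x.example.net"` is also an unanchored regex wildcard, so `grep -F "$x.example.net"` would keep the match literal in all of these checks.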

22
testdata/dnstap.tdir/dnstap.testns vendored Normal file

@ -0,0 +1,22 @@
; nameserver test file
$ORIGIN example.com.
$TTL 3600
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
www IN A
SECTION ANSWER
www IN A 10.20.30.40
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA SERVFAIL
ADJUST copy_id
SECTION QUESTION
www.example.net. IN A
ENTRY_END


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

15
testdata/dnstap.tdir/unbound_server.key vendored Normal file

@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

11
testdata/dnstap.tdir/unbound_server.pem vendored Normal file

@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----
MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
-----END CERTIFICATE-----


@ -0,0 +1,40 @@
server:
verbosity: 2
num-threads: 1
outgoing-range: 16
interface: 127.0.0.1
port: @PORT@
use-syslog: no
directory: ""
pidfile: "unbound.pid"
chroot: ""
username: ""
do-not-query-localhost: no
local-zone: "example.net." redirect
local-data: "example.net. IN A 10.20.30.41"
remote-control:
control-enable: yes
control-interface: 127.0.0.1
# control-interface: ::1
control-port: @CONTROL_PORT@
server-key-file: "unbound_server.key"
server-cert-file: "unbound_server.pem"
control-key-file: "unbound_control.key"
control-cert-file: "unbound_control.pem"
forward-zone:
name: "."
forward-addr: "127.0.0.1@@TOPORT@"
dnstap:
dnstap-enable: yes
dnstap-socket-path: "dnstap.socket"
dnstap-send-identity: yes
dnstap-send-version: yes
#dnstap-identity
#dnstap-version
dnstap-log-resolver-query-messages: yes
dnstap-log-resolver-response-messages: yes
dnstap-log-client-query-messages: yes
dnstap-log-client-response-messages: yes
dnstap-log-forwarder-query-messages: yes
dnstap-log-forwarder-response-messages: yes


@ -0,0 +1,16 @@
BaseName: dnstap_reconnect
Version: 1.0
Description: test dnstap reconnect
CreationDate: Tue Jan 21 13:00:38 CET 2020
Maintainer: dr. W.C.A. Wijngaards
Category:
Component:
CmdDepends:
Depends:
Help:
Pre: dnstap_reconnect.pre
Post: dnstap_reconnect.post
Test: dnstap_reconnect.test
AuxFiles:
Passed:
Failure:


@ -0,0 +1,16 @@
# #-- dnstap_reconnect.post --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# source the test var file when it's there
[ -f .tpkg.var.test ] && source .tpkg.var.test
#
# do your teardown here
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
kill_pid $DNSTAP_SOCKET_PID
kill_pid $FWD_PID
kill $UNBOUND_PID
kill $UNBOUND_PID >/dev/null 2>&1
cat unbound.log
exit 0


@ -0,0 +1,55 @@
# #-- dnstap_reconnect.pre--#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
get_random_port 3
UNBOUND_PORT=$RND_PORT
FWD_PORT=$(($RND_PORT + 1))
CONTROL_PORT=$(($RND_PORT + 2))
echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
# start forwarder
get_ldns_testns
$LDNS_TESTNS -p $FWD_PORT dnstap_reconnect.testns >fwd.log 2>&1 &
FWD_PID=$!
echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
# start the dnstap log server
# the -vvvv flag prints protocol and connection information from the
# unbound-dnstap-socket server.
# the -l flag prints the DNS info in the DNSTAP packet in multiline output.
# stderr is the '-vvvv' server logs and errors.
# stdout is the one-line packet logs (or with -l, multiline).
$PRE/unbound-dnstap-socket -u dnstap.socket -l -vvvv 2>tap.errlog >tap.log &
if test $? -ne 0; then
echo "could not start unbound-dnstap-socket server"
exit 1
fi
DNSTAP_SOCKET_PID=$!
echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
# wait for the server to go up and make the dnstap.socket file
wait_server_up "tap.errlog" "creating unix socket"
if test ! -S dnstap.socket; then
echo "the dnstap.socket file does not exist!"
fi
# make config file
sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < dnstap_reconnect.conf > ub.conf
# start unbound in the background
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
cat .tpkg.var.test
wait_ldns_testns_up fwd.log
wait_unbound_up unbound.log


@ -0,0 +1,98 @@
# #-- dnstap_reconnect.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
# test if the server is up.
echo "> dig www.example.com."
dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
echo "> check answer"
if grep "10.20.30.40" outfile; then
echo "OK"
else
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
echo "> check tap.log for dnstap info"
# see if it logged the information in tap.log
# wait for a moment for filesystem to catch up.
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 10; fi
if grep "www.example.com" tap.log; then echo "yes it is in tap.log";
else
echo "information not in tap.log"
echo "failed"
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
echo ""
echo "> test disconnect from the upstream server"
kill_pid $DNSTAP_SOCKET_PID
dig @127.0.0.1 -p $UNBOUND_PORT down.example.net.
# bring log socket back up
$PRE/unbound-dnstap-socket -u dnstap.socket -l -vvvv 2>tap2.errlog >tap2.log &
if test $? -ne 0; then
echo "could not start (again) unbound-dnstap-socket server"
exit 1
fi
DNSTAP_SOCKET_PID=$!
echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
# wait for the server to go up and make the dnstap.socket file
wait_server_up "tap2.errlog" "creating unix socket"
dig @127.0.0.1 -p $UNBOUND_PORT up.example.net.
sleep 2
dig @127.0.0.1 -p $UNBOUND_PORT up2.example.net.
for x in down up up2; do
if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 10; fi
if grep "$x.example.net" tap2.log; then echo "yes it is in tap2.log";
else
echo "$x.example.net. information not in tap2.log"
echo "failed"
echo "> cat logfiles"
cat tap.log
cat tap.errlog
echo "> tap2 logfiles"
cat tap2.log
cat tap2.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
done
echo "> cat logfiles"
cat tap.log
cat tap.errlog
echo "> tap2 logfiles"
cat tap2.log
cat tap2.errlog
cat fwd.log
echo "> OK"
exit 0


@ -0,0 +1,22 @@
; nameserver test file
$ORIGIN example.com.
$TTL 3600
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
www IN A
SECTION ANSWER
www IN A 10.20.30.40
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA SERVFAIL
ADJUST copy_id
SECTION QUESTION
www.example.net. IN A
ENTRY_END


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDD6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBa
rzPA0vlyuNtUsEN3qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvH
ST6JwUdIg0Lzg/USJ81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQAB
AoGAFT3e35MIgI4uDJJ8X0RfHp2NCO2LUg4TKbWical/C0W9vlR1/x80G1pE1d2Z
WotqJVWTrOq6eBox19RCgtLg2wPGk9uD62+9SDT37heWFlUCElWq50pQG6k9ThiG
DDypkZyZ/52+DdWybiaQJkuK6O5qQXuNAtVJMpghu4GnHAECQQDsupnZUQDpapzr
4FC4MSkL2+A1PRt6g4VhwoqOpJXaHfVnH6F7AwUuOLNwGdR5Cvv70pfJ7Jqg8L2m
Kxyl5bORAkEA09rn34YQ0pHJdHidbl2kInIuYTz09+TO3LWwan17nISH9aaYvVDr
p9x1B4Qzw9qyxT9oll7ze/5Rw/7C3AQj4QJAT2B2a+b8bkgAXBs4FbruL3rHoDJg
P2FQXSpVOWU4lg2LlsuFYvDtUMVUbZdLplanjZXcral3Y9W1Ub2M+ped8QJAYQN+
aRpge7ys7vwIw7B36Bo3aOncF+ScYe+FkM5Tm7II/JHEofT7ZQwMP1vnxIlSkgbe
YvWqNB6a3NC99LikoQJBAM4UhDdRg63Tr6Idky6CQaH///zAN7nArJfffKGWFdw9
DKrWpNqvYZtX/cfEJucKcRCm5YL8CKFYbQy4VoCxUcE=
-----END RSA PRIVATE KEY-----


@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----
MIIBozCCAQwCCQD6XaN6FzW/4DANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowGjEYMBYGA1UE
AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD
6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBarzPA0vlyuNtUsEN3
qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvHST6JwUdIg0Lzg/US
J81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQABMA0GCSqGSIb3DQEB
BQUAA4GBAGFAXmaQHuFgAuc6HVhYZJdToxLBhfxGpot4oZNjcb1Cdoz3OL34MU1B
9E5psj2PpGPIi8/RwoqBtAJHJ+J5cWngo03o4ZmdwKNSzaxlp141z/3rUtFqEHEC
iO6gPCT3U7dt6MyC7r6vdMqyW6aldP3CtwD0gQziKAMoj+TAfAcq
-----END CERTIFICATE-----


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,42 @@
server:
verbosity: 2
num-threads: 1
outgoing-range: 16
interface: 127.0.0.1
port: @PORT@
use-syslog: no
directory: ""
pidfile: "unbound.pid"
chroot: ""
username: ""
do-not-query-localhost: no
local-zone: "example.net." redirect
local-data: "example.net. IN A 10.20.30.41"
remote-control:
control-enable: yes
control-interface: 127.0.0.1
# control-interface: ::1
control-port: @CONTROL_PORT@
server-key-file: "unbound_server.key"
server-cert-file: "unbound_server.pem"
control-key-file: "unbound_control.key"
control-cert-file: "unbound_control.pem"
forward-zone:
name: "."
forward-addr: "127.0.0.1@@TOPORT@"
dnstap:
dnstap-enable: yes
dnstap-socket-path: "dnstap.socket"
dnstap-ip: "127.0.0.1@@TAPPORT@"
dnstap-tls: no
dnstap-send-identity: yes
dnstap-send-version: yes
#dnstap-identity
#dnstap-version
dnstap-log-resolver-query-messages: yes
dnstap-log-resolver-response-messages: yes
dnstap-log-client-query-messages: yes
dnstap-log-client-response-messages: yes
dnstap-log-forwarder-query-messages: yes
dnstap-log-forwarder-response-messages: yes
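Review bot: Both `dnstap-socket-path: "dnstap.socket"` and `dnstap-ip: "127.0.0.1@@TAPPORT@"` are set in the dnstap block, but dnstap_tcp.pre only starts a TCP listener (`-s "127.0.0.1@$TAP_PORT"`) and never serves a unix socket, so the test presumably relies on dnstap-ip taking precedence, and that precedence is not stated anywhere in the file. A comment on the dnstap-ip line, `# dnstap-ip is the transport under test; the unix socket path above is not served`, or dropping the unused socket-path line, would keep the next reader from wondering which transport is exercised. The same pair appears in dnstap_tls.conf, dnstap_tls_badcert.conf, dnstap_tls_badname.conf and dnstap_tls_clientauth.conf.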

16
testdata/dnstap_tcp.tdir/dnstap_tcp.dsc vendored Normal file

@ -0,0 +1,16 @@
BaseName: dnstap_tcp
Version: 1.0
Description: test dnstap tcp and reconnect
CreationDate: Tue Feb 14 14:00:38 CET 2020
Maintainer: dr. W.C.A. Wijngaards
Category:
Component:
CmdDepends:
Depends:
Help:
Pre: dnstap_tcp.pre
Post: dnstap_tcp.post
Test: dnstap_tcp.test
AuxFiles:
Passed:
Failure:


@ -0,0 +1,23 @@
# #-- dnstap_tcp.post --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# source the test var file when it's there
[ -f .tpkg.var.test ] && source .tpkg.var.test
#
# do your teardown here
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
kill_pid $DNSTAP_SOCKET_PID
kill_pid $FWD_PID
kill $UNBOUND_PID
kill $UNBOUND_PID >/dev/null 2>&1
cat unbound.log
echo "> tap logfiles"
cat tap.log
cat tap.errlog
echo "> tap2 logfiles"
if test -f tap2.log; then cat tap2.log; fi
if test -f tap2.errlog; then cat tap2.errlog; fi
cat fwd.log
exit 0

54
testdata/dnstap_tcp.tdir/dnstap_tcp.pre vendored Normal file

@ -0,0 +1,54 @@
# #-- dnstap_tcp.pre--#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
get_random_port 4
UNBOUND_PORT=$RND_PORT
FWD_PORT=$(($RND_PORT + 1))
CONTROL_PORT=$(($RND_PORT + 2))
TAP_PORT=$(($RND_PORT + 3))
echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
echo "TAP_PORT=$TAP_PORT" >> .tpkg.var.test
# start forwarder
get_ldns_testns
$LDNS_TESTNS -p $FWD_PORT dnstap_tcp.testns >fwd.log 2>&1 &
FWD_PID=$!
echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
# start the dnstap log server
# the -vvvv flag prints protocol and connection information from the
# unbound-dnstap-socket server.
# the -l flag prints the DNS info in the DNSTAP packet in multiline output.
# stderr is the '-vvvv' server logs and errors.
# stdout is the one-line packet logs (or with -l, multiline).
$PRE/unbound-dnstap-socket -s "127.0.0.1@$TAP_PORT" -l -vvvv 2>tap.errlog >tap.log &
if test $? -ne 0; then
echo "could not start unbound-dnstap-socket server"
exit 1
fi
DNSTAP_SOCKET_PID=$!
echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
# wait for the server to go up
wait_server_up "tap.errlog" "start of service"
# make config file
sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' -e 's/@TAPPORT\@/'$TAP_PORT'/' < dnstap_tcp.conf > ub.conf
# start unbound in the background
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
cat .tpkg.var.test
wait_ldns_testns_up fwd.log
wait_unbound_up unbound.log
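Review bot: The `if test $? -ne 0` check directly after the backgrounded `unbound-dnstap-socket` start can never fire, because the exit status of a command list ending in `&` is always 0; a collector that fails to start (bad arguments, port already bound) is only noticed later when `wait_server_up` times out, with a misleading message. The same dead check is in dnstap_tcp.test, dnstap_tls.pre, dnstap_tls.test, dnstap_tls_badcert.pre and dnstap_tls_badname.pre, and in the test section above this one whose start is not in view. A check that does work probes the process after the startup wait: keep `wait_server_up "tap.errlog" "start of service"` and follow it with `kill -0 $DNSTAP_SOCKET_PID 2>/dev/null || { echo "unbound-dnstap-socket server is not running"; exit 1; }`.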


@ -0,0 +1,95 @@
# #-- dnstap_tcp.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
# test if the server is up.
echo "> dig www.example.com."
dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
echo "> check answer"
if grep "10.20.30.40" outfile; then
echo "OK"
else
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
echo "> check tap.log for dnstap info"
# see if it logged the information in tap.log
# wait for a moment for filesystem to catch up.
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 10; fi
if grep "www.example.com" tap.log; then echo "yes it is in tap.log";
else
echo "information not in tap.log"
echo "failed"
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
echo ""
echo "> test disconnect from the upstream server"
kill_pid $DNSTAP_SOCKET_PID
dig @127.0.0.1 -p $UNBOUND_PORT down.example.net.
# bring log socket back up
$PRE/unbound-dnstap-socket -s "127.0.0.1@$TAP_PORT" -l -vvvv 2>tap2.errlog >tap2.log &
if test $? -ne 0; then
echo "could not start (again) unbound-dnstap-socket server"
exit 1
fi
DNSTAP_SOCKET_PID=$!
echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
# wait for the server to go up
wait_server_up "tap2.errlog" "start of service"
dig @127.0.0.1 -p $UNBOUND_PORT up.example.net.
sleep 2
dig @127.0.0.1 -p $UNBOUND_PORT up2.example.net.
for x in down up up2; do
if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 10; fi
if grep "$x.example.net" tap2.log; then echo "yes it is in tap2.log";
else
echo "$x.example.net. information not in tap2.log"
echo "failed"
echo "> cat logfiles"
cat tap.log
cat tap.errlog
echo "> tap2 logfiles"
cat tap2.log
cat tap2.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
done
echo "> OK"
exit 0
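Review bot: The six copy-pasted `if grep ... >/dev/null; then :; else sleep 1; fi` lines, repeated for tap.log and again inside the `for x in down up up2` loop, bury the retry policy in repetition; a counted loop states it once, `for i in 1 2 3 4 5; do grep -q "www.example.com" tap.log && break; sleep 1; done`, with the trailing `sleep 10` fallback kept as is. Separately, the reconnect step expects `down.example.net`, queried while the collector was killed, to still show up in tap2.log after the restart, which means unbound must hold that message across the reconnect; that contract is the real subject of the test and deserves a comment above the `for` loop. Whether rebinding the collector to the same `$TAP_PORT` immediately after the kill can hit a lingering socket depends on how unbound-dnstap-socket sets up its listener, which is not visible here. dnstap_tls.test has the same structure.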


@ -0,0 +1,22 @@
; nameserver test file
$ORIGIN example.com.
$TTL 3600
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
www IN A
SECTION ANSWER
www IN A 10.20.30.40
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA SERVFAIL
ADJUST copy_id
SECTION QUESTION
www.example.net. IN A
ENTRY_END


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----
MIIBozCCAQwCCQD6XaN6FzW/4DANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowGjEYMBYGA1UE
AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD
6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBarzPA0vlyuNtUsEN3
qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvHST6JwUdIg0Lzg/US
J81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQABMA0GCSqGSIb3DQEB
BQUAA4GBAGFAXmaQHuFgAuc6HVhYZJdToxLBhfxGpot4oZNjcb1Cdoz3OL34MU1B
9E5psj2PpGPIi8/RwoqBtAJHJ+J5cWngo03o4ZmdwKNSzaxlp141z/3rUtFqEHEC
iO6gPCT3U7dt6MyC7r6vdMqyW6aldP3CtwD0gQziKAMoj+TAfAcq
-----END CERTIFICATE-----


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,42 @@
server:
verbosity: 2
num-threads: 1
outgoing-range: 16
interface: 127.0.0.1
port: @PORT@
use-syslog: no
directory: ""
pidfile: "unbound.pid"
chroot: ""
username: ""
do-not-query-localhost: no
local-zone: "example.net." redirect
local-data: "example.net. IN A 10.20.30.41"
remote-control:
control-enable: yes
control-interface: 127.0.0.1
# control-interface: ::1
control-port: @CONTROL_PORT@
server-key-file: "unbound_server.key"
server-cert-file: "unbound_server.pem"
control-key-file: "unbound_control.key"
control-cert-file: "unbound_control.pem"
forward-zone:
name: "."
forward-addr: "127.0.0.1@@TOPORT@"
dnstap:
dnstap-enable: yes
dnstap-socket-path: "dnstap.socket"
dnstap-ip: "127.0.0.1@@TAPPORT@"
dnstap-tls: yes
dnstap-send-identity: yes
dnstap-send-version: yes
#dnstap-identity
#dnstap-version
dnstap-log-resolver-query-messages: yes
dnstap-log-resolver-response-messages: yes
dnstap-log-client-query-messages: yes
dnstap-log-client-response-messages: yes
dnstap-log-forwarder-query-messages: yes
dnstap-log-forwarder-response-messages: yes
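Review bot: `dnstap-tls: yes` is set without `dnstap-tls-cert-bundle` or `dnstap-tls-server-name`, unlike the badcert and badname variants which configure both, so what the client verifies the collector's certificate against in this test (a system CA store, or nothing) cannot be read from the config. This test therefore covers the TLS transport and the reconnect path, and peer authentication is only exercised by the sibling tests; a comment under the dnstap-tls line, `# no cert bundle: transport and reconnect only, authentication is covered by dnstap_tls_badcert/badname/clientauth`, would record that intent. If the documented default with no bundle is an unauthenticated connection, that is worth a sentence in the option's man page text as well.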

16
testdata/dnstap_tls.tdir/dnstap_tls.dsc vendored Normal file

@ -0,0 +1,16 @@
BaseName: dnstap_tls
Version: 1.0
Description: test dnstap tls and reconnect
CreationDate: Tue Feb 14 14:00:38 CET 2020
Maintainer: dr. W.C.A. Wijngaards
Category:
Component:
CmdDepends:
Depends:
Help:
Pre: dnstap_tls.pre
Post: dnstap_tls.post
Test: dnstap_tls.test
AuxFiles:
Passed:
Failure:


@ -0,0 +1,23 @@
# #-- dnstap_tls.post --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# source the test var file when it's there
[ -f .tpkg.var.test ] && source .tpkg.var.test
#
# do your teardown here
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
kill_pid $DNSTAP_SOCKET_PID
kill_pid $FWD_PID
kill $UNBOUND_PID
kill $UNBOUND_PID >/dev/null 2>&1
cat unbound.log
echo "> tap logfiles"
cat tap.log
cat tap.errlog
echo "> tap2 logfiles"
if test -f tap2.log; then cat tap2.log; fi
if test -f tap2.errlog; then cat tap2.errlog; fi
cat fwd.log
exit 0

54
testdata/dnstap_tls.tdir/dnstap_tls.pre vendored Normal file

@ -0,0 +1,54 @@
# #-- dnstap_tls.pre--#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
get_random_port 4
UNBOUND_PORT=$RND_PORT
FWD_PORT=$(($RND_PORT + 1))
CONTROL_PORT=$(($RND_PORT + 2))
TAP_PORT=$(($RND_PORT + 3))
echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
echo "TAP_PORT=$TAP_PORT" >> .tpkg.var.test
# start forwarder
get_ldns_testns
$LDNS_TESTNS -p $FWD_PORT dnstap_tls.testns >fwd.log 2>&1 &
FWD_PID=$!
echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
# start the dnstap log server
# the -vvvv flag prints protocol and connection information from the
# unbound-dnstap-socket server.
# the -l flag prints the DNS info in the DNSTAP packet in multiline output.
# stderr is the '-vvvv' server logs and errors.
# stdout is the one-line packet logs (or with -l, multiline).
$PRE/unbound-dnstap-socket -t "127.0.0.1@$TAP_PORT" -x unbound_server.key -y unbound_server.pem -l -vvvv 2>tap.errlog >tap.log &
if test $? -ne 0; then
echo "could not start unbound-dnstap-socket server"
exit 1
fi
DNSTAP_SOCKET_PID=$!
echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
# wait for the server to go up
wait_server_up "tap.errlog" "start of service"
# make config file
sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' -e 's/@TAPPORT\@/'$TAP_PORT'/' < dnstap_tls.conf > ub.conf
# start unbound in the background
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
cat .tpkg.var.test
wait_ldns_testns_up fwd.log
wait_unbound_up unbound.log


@ -0,0 +1,95 @@
# #-- dnstap_tls.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
# test if the server is up.
echo "> dig www.example.com."
dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
echo "> check answer"
if grep "10.20.30.40" outfile; then
echo "OK"
else
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
echo "> check tap.log for dnstap info"
# see if it logged the information in tap.log
# wait for a moment for filesystem to catch up.
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 10; fi
if grep "www.example.com" tap.log; then echo "yes it is in tap.log";
else
echo "information not in tap.log"
echo "failed"
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
echo ""
echo "> test disconnect from the upstream server"
kill_pid $DNSTAP_SOCKET_PID
dig @127.0.0.1 -p $UNBOUND_PORT down.example.net.
# bring log socket back up
$PRE/unbound-dnstap-socket -t "127.0.0.1@$TAP_PORT" -x unbound_server.key -y unbound_server.pem -l -vvvv 2>tap2.errlog >tap2.log &
if test $? -ne 0; then
echo "could not start (again) unbound-dnstap-socket server"
exit 1
fi
DNSTAP_SOCKET_PID=$!
echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
# wait for the server to go up
wait_server_up "tap2.errlog" "start of service"
dig @127.0.0.1 -p $UNBOUND_PORT up.example.net.
sleep 2
dig @127.0.0.1 -p $UNBOUND_PORT up2.example.net.
for x in down up up2; do
if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 10; fi
if grep "$x.example.net" tap2.log; then echo "yes it is in tap2.log";
else
echo "$x.example.net. information not in tap2.log"
echo "failed"
echo "> cat logfiles"
cat tap.log
cat tap.errlog
echo "> tap2 logfiles"
cat tap2.log
cat tap2.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
done
echo "> OK"
exit 0


@ -0,0 +1,22 @@
; nameserver test file
$ORIGIN example.com.
$TTL 3600
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
www IN A
SECTION ANSWER
www IN A 10.20.30.40
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA SERVFAIL
ADJUST copy_id
SECTION QUESTION
www.example.net. IN A
ENTRY_END


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,48 @@
server:
verbosity: 4
num-threads: 1
outgoing-range: 16
interface: 127.0.0.1
port: @PORT@
use-syslog: no
directory: ""
pidfile: "unbound.pid"
chroot: ""
username: ""
do-not-query-localhost: no
local-zone: "example.net." redirect
local-data: "example.net. IN A 10.20.30.41"
remote-control:
control-enable: yes
control-interface: 127.0.0.1
# control-interface: ::1
control-port: @CONTROL_PORT@
server-key-file: "unbound_server.key"
server-cert-file: "unbound_server.pem"
control-key-file: "unbound_control.key"
control-cert-file: "unbound_control.pem"
forward-zone:
name: "."
forward-addr: "127.0.0.1@@TOPORT@"
dnstap:
dnstap-enable: yes
dnstap-socket-path: "dnstap.socket"
dnstap-ip: "127.0.0.1@@TAPPORT@"
dnstap-tls: yes
dnstap-tls-server-name: "unbound"
# the actual tls cert bundle that authenticates the server
# is the unbound_server.pem bundle.
# we pass the wrong bundle. (of another key we also use in the client
# authentication test)
dnstap-tls-cert-bundle: "unbound_control.pem"
dnstap-send-identity: yes
dnstap-send-version: yes
#dnstap-identity
#dnstap-version
dnstap-log-resolver-query-messages: yes
dnstap-log-resolver-response-messages: yes
dnstap-log-client-query-messages: yes
dnstap-log-client-response-messages: yes
dnstap-log-forwarder-query-messages: yes
dnstap-log-forwarder-response-messages: yes


@ -0,0 +1,16 @@
BaseName: dnstap_tls_badcert
Version: 1.0
Description: test dnstap tls with bad cert for authentication
CreationDate: Tue Feb 18 13:00:38 CET 2020
Maintainer: dr. W.C.A. Wijngaards
Category:
Component:
CmdDepends:
Depends:
Help:
Pre: dnstap_tls_badcert.pre
Post: dnstap_tls_badcert.post
Test: dnstap_tls_badcert.test
AuxFiles:
Passed:
Failure:


@ -0,0 +1,20 @@
# #-- dnstap_tls_badcert.post --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# source the test var file when it's there
[ -f .tpkg.var.test ] && source .tpkg.var.test
#
# do your teardown here
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
kill_pid $DNSTAP_SOCKET_PID
kill_pid $FWD_PID
kill $UNBOUND_PID
kill $UNBOUND_PID >/dev/null 2>&1
cat unbound.log
echo "> tap logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
exit 0


@ -0,0 +1,54 @@
# #-- dnstap_tls_badcert.pre--#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
get_random_port 4
UNBOUND_PORT=$RND_PORT
FWD_PORT=$(($RND_PORT + 1))
CONTROL_PORT=$(($RND_PORT + 2))
TAP_PORT=$(($RND_PORT + 3))
echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
echo "TAP_PORT=$TAP_PORT" >> .tpkg.var.test
# start forwarder
get_ldns_testns
$LDNS_TESTNS -p $FWD_PORT dnstap_tls_badcert.testns >fwd.log 2>&1 &
FWD_PID=$!
echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
# start the dnstap log server
# the -vvvv flag prints protocol and connection information from the
# unbound-dnstap-socket server.
# the -l flag prints the DNS info in the DNSTAP packet in multiline output.
# stderr is the '-vvvv' server logs and errors.
# stdout is the one-line packet logs (or with -l, multiline).
$PRE/unbound-dnstap-socket -t "127.0.0.1@$TAP_PORT" -x unbound_server.key -y unbound_server.pem -l -vvvv 2>tap.errlog >tap.log &
if test $? -ne 0; then
echo "could not start unbound-dnstap-socket server"
exit 1
fi
DNSTAP_SOCKET_PID=$!
echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
# wait for the server to go up
wait_server_up "tap.errlog" "start of service"
# make config file
sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' -e 's/@TAPPORT\@/'$TAP_PORT'/' < dnstap_tls_badcert.conf > ub.conf
# start unbound in the background
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
cat .tpkg.var.test
wait_ldns_testns_up fwd.log
wait_unbound_up unbound.log


@ -0,0 +1,51 @@
# #-- dnstap_tls_badcert.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
# test if the server is up.
echo "> dig www.example.com."
dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
echo "> check answer"
if grep "10.20.30.40" outfile; then
echo "OK"
else
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
echo "> check tap.log for dnstap info"
# see if it logged the information in tap.log
# wait for a moment for filesystem to catch up.
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log; then
echo "it is in tap.log";
echo "but there should not be a connection"
echo "failed"
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
else
echo "information not in tap.log"
fi
echo "> OK"
exit 0
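Review bot: The negative check on tap.log only proves that nothing arrived within roughly five seconds; it would pass just as well if unbound never attempted a connection at all (wrong port, dnstap not compiled in at runtime), so the test does not distinguish "certificate rejected" from "no attempt made". With `verbosity: 4` unbound presumably logs the TLS verification failure, and the collector's tap.errlog the aborted handshake; asserting on one of those, for example `grep -i "verify" unbound.log || { echo "no TLS verify failure logged"; exit 1; }` with the pattern replaced by the exact message observed in a run, turns this into a positive check. dnstap_tls_badname.test has the same structure and would benefit from the same assertion.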


@ -0,0 +1,22 @@
; nameserver test file
$ORIGIN example.com.
$TTL 3600
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
www IN A
SECTION ANSWER
www IN A 10.20.30.40
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA SERVFAIL
ADJUST copy_id
SECTION QUESTION
www.example.net. IN A
ENTRY_END


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDD6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBa
rzPA0vlyuNtUsEN3qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvH
ST6JwUdIg0Lzg/USJ81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQAB
AoGAFT3e35MIgI4uDJJ8X0RfHp2NCO2LUg4TKbWical/C0W9vlR1/x80G1pE1d2Z
WotqJVWTrOq6eBox19RCgtLg2wPGk9uD62+9SDT37heWFlUCElWq50pQG6k9ThiG
DDypkZyZ/52+DdWybiaQJkuK6O5qQXuNAtVJMpghu4GnHAECQQDsupnZUQDpapzr
4FC4MSkL2+A1PRt6g4VhwoqOpJXaHfVnH6F7AwUuOLNwGdR5Cvv70pfJ7Jqg8L2m
Kxyl5bORAkEA09rn34YQ0pHJdHidbl2kInIuYTz09+TO3LWwan17nISH9aaYvVDr
p9x1B4Qzw9qyxT9oll7ze/5Rw/7C3AQj4QJAT2B2a+b8bkgAXBs4FbruL3rHoDJg
P2FQXSpVOWU4lg2LlsuFYvDtUMVUbZdLplanjZXcral3Y9W1Ub2M+ped8QJAYQN+
aRpge7ys7vwIw7B36Bo3aOncF+ScYe+FkM5Tm7II/JHEofT7ZQwMP1vnxIlSkgbe
YvWqNB6a3NC99LikoQJBAM4UhDdRg63Tr6Idky6CQaH///zAN7nArJfffKGWFdw9
DKrWpNqvYZtX/cfEJucKcRCm5YL8CKFYbQy4VoCxUcE=
-----END RSA PRIVATE KEY-----


@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----
MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
-----END CERTIFICATE-----
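Review bot: This certificate, the one the TLS collector serves via `-y unbound_server.pem` in the dnstap_tls*.pre scripts, appears from its base64 to carry a 1024-bit RSA key and a validity window of 2008-09-11 to 2028-05-29; please confirm with `openssl x509 -noout -text`. OpenSSL builds that default to security level 2 (several distributions patch that in) reject RSA keys below 2048 bits during the handshake, so the dnstap_tls tests may fail on such hosts for a reason unrelated to dnstap, and they will fail outright once the certificate expires. Since these are self-signed test credentials, generating a 2048-bit key with a long-lived certificate for the dnstap tests, or creating them in the .pre script at test time, avoids both problems; until then a comment in the .pre naming the expiry date would save the next person a debugging session.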


@ -0,0 +1,46 @@
server:
verbosity: 4
num-threads: 1
outgoing-range: 16
interface: 127.0.0.1
port: @PORT@
use-syslog: no
directory: ""
pidfile: "unbound.pid"
chroot: ""
username: ""
do-not-query-localhost: no
local-zone: "example.net." redirect
local-data: "example.net. IN A 10.20.30.41"
remote-control:
control-enable: yes
control-interface: 127.0.0.1
# control-interface: ::1
control-port: @CONTROL_PORT@
server-key-file: "unbound_server.key"
server-cert-file: "unbound_server.pem"
control-key-file: "unbound_control.key"
control-cert-file: "unbound_control.pem"
forward-zone:
name: "."
forward-addr: "127.0.0.1@@TOPORT@"
dnstap:
dnstap-enable: yes
dnstap-socket-path: "dnstap.socket"
dnstap-ip: "127.0.0.1@@TAPPORT@"
dnstap-tls: yes
# actual certificate name: "unbound"
# we enter another name here.
dnstap-tls-server-name: "anothername"
dnstap-tls-cert-bundle: "unbound_server.pem"
dnstap-send-identity: yes
dnstap-send-version: yes
#dnstap-identity
#dnstap-version
dnstap-log-resolver-query-messages: yes
dnstap-log-resolver-response-messages: yes
dnstap-log-client-query-messages: yes
dnstap-log-client-response-messages: yes
dnstap-log-forwarder-query-messages: yes
dnstap-log-forwarder-response-messages: yes


@ -0,0 +1,16 @@
BaseName: dnstap_tls_badname
Version: 1.0
Description: test dnstap tls test bad peer name for authentication
CreationDate: Tue Feb 18 13:00:38 CET 2020
Maintainer: dr. W.C.A. Wijngaards
Category:
Component:
CmdDepends:
Depends:
Help:
Pre: dnstap_tls_badname.pre
Post: dnstap_tls_badname.post
Test: dnstap_tls_badname.test
AuxFiles:
Passed:
Failure:


@ -0,0 +1,20 @@
# #-- dnstap_tls_badname.post --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# source the test var file when it's there
[ -f .tpkg.var.test ] && source .tpkg.var.test
#
# do your teardown here
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
kill_pid $DNSTAP_SOCKET_PID
kill_pid $FWD_PID
kill $UNBOUND_PID
kill $UNBOUND_PID >/dev/null 2>&1
cat unbound.log
echo "> tap logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
exit 0


@ -0,0 +1,54 @@
# #-- dnstap_tls_badname.pre--#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
get_random_port 4
UNBOUND_PORT=$RND_PORT
FWD_PORT=$(($RND_PORT + 1))
CONTROL_PORT=$(($RND_PORT + 2))
TAP_PORT=$(($RND_PORT + 3))
echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
echo "TAP_PORT=$TAP_PORT" >> .tpkg.var.test
# start forwarder
get_ldns_testns
$LDNS_TESTNS -p $FWD_PORT dnstap_tls_badname.testns >fwd.log 2>&1 &
FWD_PID=$!
echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
# start the dnstap log server
# the -vvvv flag prints protocol and connection information from the
# unbound-dnstap-socket server.
# the -l flag prints the DNS info in the DNSTAP packet in multiline output.
# stderr is the '-vvvv' server logs and errors.
# stdout is the one-line packet logs (or with -l, multiline).
$PRE/unbound-dnstap-socket -t "127.0.0.1@$TAP_PORT" -x unbound_server.key -y unbound_server.pem -l -vvvv 2>tap.errlog >tap.log &
if test $? -ne 0; then
echo "could not start unbound-dnstap-socket server"
exit 1
fi
DNSTAP_SOCKET_PID=$!
echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
# wait for the server to go up
wait_server_up "tap.errlog" "start of service"
# make config file
sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' -e 's/@TAPPORT\@/'$TAP_PORT'/' < dnstap_tls_badname.conf > ub.conf
# start unbound in the background
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
cat .tpkg.var.test
wait_ldns_testns_up fwd.log
wait_unbound_up unbound.log


@ -0,0 +1,51 @@
# #-- dnstap_tls_badname.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
# test if the server is up.
echo "> dig www.example.com."
dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
echo "> check answer"
if grep "10.20.30.40" outfile; then
echo "OK"
else
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
echo "> check tap.log for dnstap info"
# see if it logged the information in tap.log
# wait for a moment for filesystem to catch up.
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log; then
echo "it is in tap.log";
echo "but there should not be a connection"
echo "failed"
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
else
echo "information not in tap.log"
fi
echo "> OK"
exit 0


@ -0,0 +1,22 @@
; nameserver test file
$ORIGIN example.com.
$TTL 3600
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
www IN A
SECTION ANSWER
www IN A 10.20.30.40
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA SERVFAIL
ADJUST copy_id
SECTION QUESTION
www.example.net. IN A
ENTRY_END


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,46 @@
server:
verbosity: 4
num-threads: 1
outgoing-range: 16
interface: 127.0.0.1
port: @PORT@
use-syslog: no
directory: ""
pidfile: "unbound.pid"
chroot: ""
username: ""
do-not-query-localhost: no
local-zone: "example.net." redirect
local-data: "example.net. IN A 10.20.30.41"
remote-control:
control-enable: yes
control-interface: 127.0.0.1
# control-interface: ::1
control-port: @CONTROL_PORT@
server-key-file: "unbound_server.key"
server-cert-file: "unbound_server.pem"
control-key-file: "unbound_control.key"
control-cert-file: "unbound_control.pem"
forward-zone:
name: "."
forward-addr: "127.0.0.1@@TOPORT@"
dnstap:
dnstap-enable: yes
dnstap-socket-path: "dnstap.socket"
dnstap-ip: "127.0.0.1@@TAPPORT@"
dnstap-tls: yes
dnstap-tls-server-name: "unbound"
dnstap-tls-cert-bundle: "unbound_server.pem"
dnstap-tls-client-key-file: "unbound_control.key"
dnstap-tls-client-cert-file: "unbound_control.pem"
dnstap-send-identity: yes
dnstap-send-version: yes
#dnstap-identity
#dnstap-version
dnstap-log-resolver-query-messages: yes
dnstap-log-resolver-response-messages: yes
dnstap-log-client-query-messages: yes
dnstap-log-client-response-messages: yes
dnstap-log-forwarder-query-messages: yes
dnstap-log-forwarder-response-messages: yes
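Review bot: Both `dnstap-socket-path: "dnstap.socket"` and `dnstap-ip: "127.0.0.1@@TAPPORT@"` are set in the dnstap block, and nothing in the config says which endpoint unbound uses when both are present; the test can only work if the TCP/TLS endpoint wins, since the pre script never creates a dnstap.socket. A one-line comment above `dnstap-ip`, such as `# dnstap-ip overrides dnstap-socket-path here; the socket path is unused in this test`, would make the intent explicit (presumably that is the precedence, but it cannot be confirmed from this diff). The same pair of settings appears in the dnstap_tls_peername conf further down.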


@ -0,0 +1,16 @@
BaseName: dnstap_tls_clientauth
Version: 1.0
Description: test dnstap tls with client authentication
CreationDate: Tue Feb 18 14:00:38 CET 2020
Maintainer: dr. W.C.A. Wijngaards
Category:
Component:
CmdDepends:
Depends:
Help:
Pre: dnstap_tls_clientauth.pre
Post: dnstap_tls_clientauth.post
Test: dnstap_tls_clientauth.test
AuxFiles:
Passed:
Failure:


@ -0,0 +1,20 @@
# #-- dnstap_tls_clientauth.post --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# source the test var file when it's there
[ -f .tpkg.var.test ] && source .tpkg.var.test
#
# do your teardown here
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
kill_pid $DNSTAP_SOCKET_PID
kill_pid $FWD_PID
kill $UNBOUND_PID
kill $UNBOUND_PID >/dev/null 2>&1
cat unbound.log
echo "> tap logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
exit 0
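Review bot: The two `kill $UNBOUND_PID` lines after `kill_pid $FWD_PID` bypass the `kill_pid` helper that the script uses for the other two daemons, and the first of them prints a shell error when unbound has already exited while the second is redundant. Using `kill_pid $UNBOUND_PID` once, consistent with the two lines above it, would be cleaner. None of the kill lines guard against the PID variable being unset when the pre script failed before writing .tpkg.var.test; that is harmless given the final `exit 0` but produces noise in the teardown log. The same two lines appear in dnstap_tls_peername.post.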


@ -0,0 +1,54 @@
# #-- dnstap_tls_clientauth.pre--#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
get_random_port 4
UNBOUND_PORT=$RND_PORT
FWD_PORT=$(($RND_PORT + 1))
CONTROL_PORT=$(($RND_PORT + 2))
TAP_PORT=$(($RND_PORT + 3))
echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
echo "TAP_PORT=$TAP_PORT" >> .tpkg.var.test
# start forwarder
get_ldns_testns
$LDNS_TESTNS -p $FWD_PORT dnstap_tls_clientauth.testns >fwd.log 2>&1 &
FWD_PID=$!
echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
# start the dnstap log server
# the -vvvv flag prints protocol and connection information from the
# unbound-dnstap-socket server.
# the -l flag prints the DNS info in the DNSTAP packet in multiline output.
# stderr is the '-vvvv' server logs and errors.
# stdout is the one-line packet logs (or with -l, multiline).
$PRE/unbound-dnstap-socket -t "127.0.0.1@$TAP_PORT" -x unbound_server.key -y unbound_server.pem -z unbound_server.pem -l -vvvv 2>tap.errlog >tap.log &
if test $? -ne 0; then
echo "could not start unbound-dnstap-socket server"
exit 1
fi
DNSTAP_SOCKET_PID=$!
echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
# wait for the server to go up
wait_server_up "tap.errlog" "start of service"
# make config file
sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' -e 's/@TAPPORT\@/'$TAP_PORT'/' < dnstap_tls_clientauth.conf > ub.conf
# start unbound in the background
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
cat .tpkg.var.test
wait_ldns_testns_up fwd.log
wait_unbound_up unbound.log
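Review bot: The `if test $? -ne 0` after the backgrounded `$PRE/unbound-dnstap-socket ... &` line can never fire: the status of a command placed in the background with `&` is always 0, so a tap server that fails to start (unreadable key file, port already in use) is not caught here and presumably only surfaces later as a `wait_server_up` timeout. If an early failure check is wanted, test the child after it has had a moment to start, e.g. `sleep 1; if ! kill -0 $DNSTAP_SOCKET_PID; then echo "could not start unbound-dnstap-socket server"; exit 1; fi` placed after the `DNSTAP_SOCKET_PID=$!` line; otherwise the dead branch should go. The same check is in dnstap_tls_peername.pre.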


@ -0,0 +1,50 @@
# #-- dnstap_tls_clientauth.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
# test if the server is up.
echo "> dig www.example.com."
dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
echo "> check answer"
if grep "10.20.30.40" outfile; then
echo "OK"
else
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
echo "> check tap.log for dnstap info"
# see if it logged the information in tap.log
# wait for a moment for filesystem to catch up.
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 10; fi
if grep "www.example.com" tap.log; then echo "yes it is in tap.log";
else
echo "information not in tap.log"
echo "failed"
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
echo "> OK"
exit 0
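Review bot: This test only shows that a client presenting unbound_control.pem is accepted by a tap server started with `-z unbound_server.pem`; nothing in this part of the diff exercises the rejecting side of client authentication, so a regression that stops verifying client certificates altogether would still pass. A companion test in the style of dnstap_tls_badname, with a config that omits `dnstap-tls-client-key-file` and `dnstap-tls-client-cert-file` and expects www.example.com not to appear in tap.log, would cover that. The six-line polling loop of `if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi` is repeated verbatim in dnstap_tls_peername.test and dnstap_tls_badname.test and would fit as one helper in common.sh.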


@ -0,0 +1,22 @@
; nameserver test file
$ORIGIN example.com.
$TTL 3600
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
www IN A
SECTION ANSWER
www IN A 10.20.30.40
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA SERVFAIL
ADJUST copy_id
SECTION QUESTION
www.example.net. IN A
ENTRY_END


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----
MIIBozCCAQwCCQD6XaN6FzW/4DANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowGjEYMBYGA1UE
AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD
6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBarzPA0vlyuNtUsEN3
qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvHST6JwUdIg0Lzg/US
J81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQABMA0GCSqGSIb3DQEB
BQUAA4GBAGFAXmaQHuFgAuc6HVhYZJdToxLBhfxGpot4oZNjcb1Cdoz3OL34MU1B
9E5psj2PpGPIi8/RwoqBtAJHJ+J5cWngo03o4ZmdwKNSzaxlp141z/3rUtFqEHEC
iO6gPCT3U7dt6MyC7r6vdMqyW6aldP3CtwD0gQziKAMoj+TAfAcq
-----END CERTIFICATE-----


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,44 @@
server:
verbosity: 4
num-threads: 1
outgoing-range: 16
interface: 127.0.0.1
port: @PORT@
use-syslog: no
directory: ""
pidfile: "unbound.pid"
chroot: ""
username: ""
do-not-query-localhost: no
local-zone: "example.net." redirect
local-data: "example.net. IN A 10.20.30.41"
remote-control:
control-enable: yes
control-interface: 127.0.0.1
# control-interface: ::1
control-port: @CONTROL_PORT@
server-key-file: "unbound_server.key"
server-cert-file: "unbound_server.pem"
control-key-file: "unbound_control.key"
control-cert-file: "unbound_control.pem"
forward-zone:
name: "."
forward-addr: "127.0.0.1@@TOPORT@"
dnstap:
dnstap-enable: yes
dnstap-socket-path: "dnstap.socket"
dnstap-ip: "127.0.0.1@@TAPPORT@"
dnstap-tls: yes
dnstap-tls-server-name: "unbound"
dnstap-tls-cert-bundle: "unbound_server.pem"
dnstap-send-identity: yes
dnstap-send-version: yes
#dnstap-identity
#dnstap-version
dnstap-log-resolver-query-messages: yes
dnstap-log-resolver-response-messages: yes
dnstap-log-client-query-messages: yes
dnstap-log-client-response-messages: yes
dnstap-log-forwarder-query-messages: yes
dnstap-log-forwarder-response-messages: yes


@ -0,0 +1,16 @@
BaseName: dnstap_tls_peername
Version: 1.0
Description: test dnstap tls with auth name and tls authentication
CreationDate: Tue Feb 14 14:00:38 CET 2020
Maintainer: dr. W.C.A. Wijngaards
Category:
Component:
CmdDepends:
Depends:
Help:
Pre: dnstap_tls_peername.pre
Post: dnstap_tls_peername.post
Test: dnstap_tls_peername.test
AuxFiles:
Passed:
Failure:


@ -0,0 +1,20 @@
# #-- dnstap_tls_peername.post --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# source the test var file when it's there
[ -f .tpkg.var.test ] && source .tpkg.var.test
#
# do your teardown here
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
kill_pid $DNSTAP_SOCKET_PID
kill_pid $FWD_PID
kill $UNBOUND_PID
kill $UNBOUND_PID >/dev/null 2>&1
cat unbound.log
echo "> tap logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
exit 0


@ -0,0 +1,54 @@
# #-- dnstap_tls_peername.pre--#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
get_random_port 4
UNBOUND_PORT=$RND_PORT
FWD_PORT=$(($RND_PORT + 1))
CONTROL_PORT=$(($RND_PORT + 2))
TAP_PORT=$(($RND_PORT + 3))
echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
echo "TAP_PORT=$TAP_PORT" >> .tpkg.var.test
# start forwarder
get_ldns_testns
$LDNS_TESTNS -p $FWD_PORT dnstap_tls_peername.testns >fwd.log 2>&1 &
FWD_PID=$!
echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
# start the dnstap log server
# the -vvvv flag prints protocol and connection information from the
# unbound-dnstap-socket server.
# the -l flag prints the DNS info in the DNSTAP packet in multiline output.
# stderr is the '-vvvv' server logs and errors.
# stdout is the one-line packet logs (or with -l, multiline).
$PRE/unbound-dnstap-socket -t "127.0.0.1@$TAP_PORT" -x unbound_server.key -y unbound_server.pem -l -vvvv 2>tap.errlog >tap.log &
if test $? -ne 0; then
echo "could not start unbound-dnstap-socket server"
exit 1
fi
DNSTAP_SOCKET_PID=$!
echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
# wait for the server to go up
wait_server_up "tap.errlog" "start of service"
# make config file
sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' -e 's/@TAPPORT\@/'$TAP_PORT'/' < dnstap_tls_peername.conf > ub.conf
# start unbound in the background
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
cat .tpkg.var.test
wait_ldns_testns_up fwd.log
wait_unbound_up unbound.log


@ -0,0 +1,50 @@
# #-- dnstap_tls_peername.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
PRE="../.."
if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
# test if the server is up.
echo "> dig www.example.com."
dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
echo "> check answer"
if grep "10.20.30.40" outfile; then
echo "OK"
else
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
echo "> check tap.log for dnstap info"
# see if it logged the information in tap.log
# wait for a moment for filesystem to catch up.
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
if grep "www.example.com" tap.log >/dev/null; then :; else sleep 10; fi
if grep "www.example.com" tap.log; then echo "yes it is in tap.log";
else
echo "information not in tap.log"
echo "failed"
echo "> cat logfiles"
cat tap.log
cat tap.errlog
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
echo "> OK"
exit 0


@ -0,0 +1,22 @@
; nameserver test file
$ORIGIN example.com.
$TTL 3600
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
www IN A
SECTION ANSWER
www IN A 10.20.30.40
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA SERVFAIL
ADJUST copy_id
SECTION QUESTION
www.example.net. IN A
ENTRY_END


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
