tls tls-forward-secrecy {
protocols { TLSv1.2; };
ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../CA/certs/srv02.crt01.example.com.key";
+ cert-file "../CA/certs/srv02.crt01.example.com.pem";
dhparam-file "../dhparam3072.pem";
- ca-file "../CA/CA.pem";
-};
-
-tls tls-forward-secrecy-remote-hostname {
- protocols { TLSv1.2; };
- ca-file "../CA/CA.pem";
- remote-hostname "srv03.crt01.example.com";
-};
-
-tls tls-forward-secrecy-bad-remote-hostname {
- protocols { TLSv1.2; };
- ca-file "../CA/CA.pem";
- remote-hostname "srv03-bad.crt01.example.com";
};
tls tls-forward-secrecy-mutual-tls {
protocols { TLSv1.2; };
ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
key-file "../CA/certs/srv02.crt01.example.com.key";
cert-file "../CA/certs/srv02.crt01.example.com.pem";
dhparam-file "../dhparam3072.pem";
protocols { TLSv1.2; };
ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
prefer-server-ciphers yes;
+ key-file "../CA/certs/srv02.crt01-expired.example.com.key";
+ cert-file "../CA/certs/srv02.crt01-expired.example.com.pem";
dhparam-file "../dhparam3072.pem";
- ca-file "../CA/CA.pem";
-};
-
-zone tls-x1 {
- type primary;
- file "generic.db";
- notify explicit;
- also-notify { 10.53.0.3 tls ephemeral; };
-};
-
-zone tls-x2 {
- type primary;
- file "generic.db";
- notify explicit;
- also-notify { 10.53.0.3 port @EXTRAPORT1@ tls tls-expired; };
-};
-
-zone tls-x3 {
- type primary;
- file "generic.db";
- notify explicit;
- also-notify { 10.53.0.3 port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname; };
-};
-
-zone tls-x4 {
- type primary;
- file "generic.db";
- notify explicit;
- also-notify { 10.53.0.3 port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname; };
-};
-
-zone tls-x5 {
- type primary;
- file "generic.db";
- notify explicit;
- also-notify { 10.53.0.3 port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls; };
-};
-
-zone tls-x6 {
- type primary;
- file "generic.db";
- notify explicit;
- also-notify { 10.53.0.3 port @EXTRAPORT4@ tls tls-expired; };
};
*/
tls-port @TLSPORT@;
+ listen-on tls ephemeral { 10.53.0.2; };
+ listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; };
+ listen-on port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls { 10.53.0.2; };
+ listen-on port @EXTRAPORT4@ tls tls-expired { 10.53.0.2; };
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 300 ; refresh (300 seconds)
+ 300 ; retry (300 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
tls tls-forward-secrecy {
protocols { TLSv1.2; };
ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
- prefer-server-ciphers yes;
- key-file "../CA/certs/srv03.crt01.example.com.key";
- cert-file "../CA/certs/srv03.crt01.example.com.pem";
dhparam-file "../dhparam3072.pem";
+ ca-file "../CA/CA.pem";
+};
+
+tls tls-forward-secrecy-remote-hostname {
+ protocols { TLSv1.2; };
+ ca-file "../CA/CA.pem";
+ remote-hostname "srv02.crt01.example.com";
+};
+
+tls tls-forward-secrecy-bad-remote-hostname {
+ protocols { TLSv1.2; };
+ ca-file "../CA/CA.pem";
+ remote-hostname "srv02-bad.crt01.example.com";
};
tls tls-forward-secrecy-mutual-tls {
protocols { TLSv1.2; };
ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
- prefer-server-ciphers yes;
key-file "../CA/certs/srv03.crt01.example.com.key";
cert-file "../CA/certs/srv03.crt01.example.com.pem";
dhparam-file "../dhparam3072.pem";
protocols { TLSv1.2; };
ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
prefer-server-ciphers yes;
- key-file "../CA/certs/srv03.crt01-expired.example.com.key";
- cert-file "../CA/certs/srv03.crt01-expired.example.com.pem";
dhparam-file "../dhparam3072.pem";
+ ca-file "../CA/CA.pem";
+};
+
+zone tls-x1 {
+ type primary;
+ file "generic.db";
+ notify explicit;
+ also-notify { 10.53.0.2 tls ephemeral; };
+};
+
+zone tls-x2 {
+ type primary;
+ file "generic.db";
+ notify explicit;
+ also-notify { 10.53.0.2 port @EXTRAPORT1@ tls tls-expired; };
+};
+
+zone tls-x3 {
+ type primary;
+ file "generic.db";
+ notify explicit;
+ also-notify { 10.53.0.2 port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname; };
+};
+
+zone tls-x4 {
+ type primary;
+ file "generic.db";
+ notify explicit;
+ also-notify { 10.53.0.2 port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname; };
+};
+
+zone tls-x5 {
+ type primary;
+ file "generic.db";
+ notify explicit;
+ also-notify { 10.53.0.2 port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls; };
+};
+
+zone tls-x6 {
+ type primary;
+ file "generic.db";
+ notify explicit;
+ also-notify { 10.53.0.2 port @EXTRAPORT4@ tls tls-expired; };
};
*/
tls-port @TLSPORT@;
- listen-on tls ephemeral { 10.53.0.3; };
- listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.3; };
- listen-on port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls { 10.53.0.3; };
- listen-on port @EXTRAPORT4@ tls tls-expired { 10.53.0.3; };
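Review bot: The `tls tls-forward-secrecy-mutual-tls` block, which ns3 now uses on the client side (the hunk keeping `key-file`/`cert-file` for srv03 and `dhparam-file`), shows no `ca-file`, whereas the commit adds `ca-file "../CA/CA.pem";` to the other client-side blocks in this file; if nothing in the cut context sets it, ns3 presents a client certificate but does not verify the certificate ns2 offers, so tls-x5 exercises only the server's check of the client. If that asymmetry is intended, a comment such as `// client certificate only: ns3 does not verify ns2 here; server verification is covered by tls-x3/tls-x4/tls-x6` would make it explicit, otherwise add `ca-file "../CA/CA.pem";` next to the `dhparam-file` line. The `dhparam-file` entries left in the client-side blocks appear, like the removed `prefer-server-ciphers`, to be server-side settings and could be dropped for the same reason. The enclosing hunks are cut at their edges, so this is stated only as far as the visible lines show.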
test_end
test_start "checking notify over TLS successful"
-grep "zone tls-x1/IN: notify to 10.53.0.3#${TLSPORT} successful" ns2/named.run >/dev/null || ret=1
-grep "zone tls-x2/IN: notify to 10.53.0.3#${EXTRAPORT1} successful" ns2/named.run >/dev/null || ret=1
-grep "zone tls-x3/IN: notify to 10.53.0.3#${EXTRAPORT1} successful" ns2/named.run >/dev/null || ret=1
-grep "zone tls-x5/IN: notify to 10.53.0.3#${EXTRAPORT3} successful" ns2/named.run >/dev/null || ret=1
+grep "zone tls-x1/IN: notify to 10.53.0.2#${TLSPORT} successful" ns3/named.run >/dev/null || ret=1
+grep "zone tls-x2/IN: notify to 10.53.0.2#${EXTRAPORT1} successful" ns3/named.run >/dev/null || ret=1
+grep "zone tls-x3/IN: notify to 10.53.0.2#${EXTRAPORT1} successful" ns3/named.run >/dev/null || ret=1
+grep "zone tls-x5/IN: notify to 10.53.0.2#${EXTRAPORT3} successful" ns3/named.run >/dev/null || ret=1
test_end
test_start "checking notify over TLS failed"
-grep "zone tls-x4/IN: notify to 10.53.0.3#${EXTRAPORT1} failed: TLS peer certificate verification failed" ns2/named.run >/dev/null || ret=1
-grep "zone tls-x6/IN: notify to 10.53.0.3#${EXTRAPORT4} failed: TLS peer certificate verification failed" ns2/named.run >/dev/null || ret=1
+grep "zone tls-x4/IN: notify to 10.53.0.2#${EXTRAPORT1} failed: TLS peer certificate verification failed" ns3/named.run >/dev/null || ret=1
+grep "zone tls-x6/IN: notify to 10.53.0.2#${EXTRAPORT4} failed: TLS peer certificate verification failed" ns3/named.run >/dev/null || ret=1
test_end
test_start "checking example2 loaded"