- xfr-tsig, add tdir test that performs a TSIG-signed zone transfer.
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 12 Sep 2025 08:40:23 +0000 (10:40 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 12 Sep 2025 08:40:23 +0000 (10:40 +0200)
testdata/auth_tsig.tdir/auth_tsig.dsc [new file with mode: 0644]
testdata/auth_tsig.tdir/auth_tsig.nsd.conf [new file with mode: 0644]
testdata/auth_tsig.tdir/auth_tsig.post [new file with mode: 0644]
testdata/auth_tsig.tdir/auth_tsig.pre [new file with mode: 0644]
testdata/auth_tsig.tdir/auth_tsig.test [new file with mode: 0644]
testdata/auth_tsig.tdir/auth_tsig.ub.conf [new file with mode: 0644]
testdata/auth_tsig.tdir/example.com.zone [new file with mode: 0644]

diff --git a/testdata/auth_tsig.tdir/auth_tsig.dsc b/testdata/auth_tsig.tdir/auth_tsig.dsc
new file mode 100644 (file)
index 0000000..7c9f392
--- /dev/null
@@ -0,0 +1,16 @@
+BaseName: auth_tsig
+Version: 1.0
+Description: Perform AXFR with TSIG for authority zone.
+CreationDate: Fri 12 Sep 09:35:40 CEST 2025
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: auth_tsig.pre
+Post: auth_tsig.post
+Test: auth_tsig.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/auth_tsig.tdir/auth_tsig.nsd.conf b/testdata/auth_tsig.tdir/auth_tsig.nsd.conf
new file mode 100644 (file)
index 0000000..e03f91f
--- /dev/null
@@ -0,0 +1,23 @@
+server:
+       logfile: "/dev/stderr"
+       xfrdfile: xfrd.state
+       username: ""
+       chroot: ""
+       zonesdir: ""
+       pidfile: "nsd.pid"
+       zonelistfile: "zone.list"
+       verbosity: 5
+       port: @NSD_PORT@
+       interface: 127.0.0.1@@NSD_PORT@
+
+key:
+       name: "test.key"
+       algorithm: sha256
+       secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
+
+zone:
+       name: "example.com"
+       zonefile: "example.com.zone"
+       provide-xfr: 0.0.0.0/0 test.key
+       provide-xfr: ::0/0 test.key
+       notify: 127.0.0.1@@UNBOUND_PORT@ test.key
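Review bot: The `provide-xfr: 0.0.0.0/0 test.key` / `provide-xfr: ::0/0 test.key` pair opens the transfer ACL to every source address, which is only acceptable here because `interface: 127.0.0.1@@NSD_PORT@` keeps nsd on loopback and the key is the actual gate; that reasoning belongs in a comment so the stanza is not copied into a non-test config, e.g. `# ACL is address-open on purpose: the TSIG key is the only gate, and nsd listens on loopback only.` The secret `K2tf3TRjvQkVCmJF3/Z9vA==` is duplicated verbatim in auth_tsig.ub.conf, so a one-liner above it such as `# Test-only key; must stay identical to tsig-key in auth_tsig.ub.conf` would help whoever rotates one copy and not the other. A short note that `notify:` is signed with the same key, so the unbound side must accept a TSIG NOTIFY from this address, would tie the two files together.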
diff --git a/testdata/auth_tsig.tdir/auth_tsig.post b/testdata/auth_tsig.tdir/auth_tsig.post
new file mode 100644 (file)
index 0000000..276ad07
--- /dev/null
@@ -0,0 +1,14 @@
+# #-- auth_tsig.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $NSD_PID
+kill_pid $UNBOUND_PID
+echo "nsd.log"
+cat nsd.log
+echo "unbound.log"
+cat unbound.log
diff --git a/testdata/auth_tsig.tdir/auth_tsig.pre b/testdata/auth_tsig.tdir/auth_tsig.pre
new file mode 100644 (file)
index 0000000..c5f9d9f
--- /dev/null
@@ -0,0 +1,59 @@
+# #-- auth_tsig.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+#skip_test "Skip test due to no UDP service for SOA query"
+PRE="../.."
+if test -n "$NSD"; then
+       :
+else
+       if `which nsd >/dev/null 2>&1`; then
+               NSD="nsd"
+       else
+               if test -f $PRE/../nsd/nsd; then
+                       NSD="$PRE/../nsd/nsd"
+               else
+                       skip_test "need nsd"
+               fi
+       fi
+fi
+echo "NSD=$NSD"
+
+if test -f $PRE/unbound_do_valgrind_in_test; then
+       do_valgrind=yes
+else
+       do_valgrind=no
+fi
+VALGRIND_FLAGS="--leak-check=full --show-leak-kinds=all"
+
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+NSD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "NSD_PORT=$NSD_PORT" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@UNBOUND_PORT\@/'$UNBOUND_PORT'/' -e 's/@NSD_PORT\@/'$NSD_PORT'/' < auth_tsig.ub.conf > ub.conf
+sed -e 's/@UNBOUND_PORT\@/'$UNBOUND_PORT'/' -e 's/@NSD_PORT\@/'$NSD_PORT'/' < auth_tsig.nsd.conf > nsd.conf
+
+# start nsd
+$NSD -d -c nsd.conf >nsd.log 2>&1 &
+NSD_PID=$!
+echo "NSD_PID=$NSD_PID" >> .tpkg.var.test
+
+# start unbound in the background
+if test $do_valgrind = "yes"; then
+valgrind $VALGRIND_FLAGS $PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+else
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+fi
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_nsd_up nsd.log
+wait_unbound_up unbound.log
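Review bot: `if `which nsd >/dev/null 2>&1`; then` relies on the obscure rule that an empty command substitution leaves the substituted command's exit status behind, and `which` is not a portable builtin; the direct form `if command -v nsd >/dev/null 2>&1; then` says the same thing plainly and is what ShellCheck expects. The nsd and unbound launch lines use unquoted `$NSD` and `$PRE`, which works while both are tooling paths without spaces but is cheap to harden as `"$NSD" -d -c nsd.conf` and `"$PRE"/unbound -d -c ub.conf`. Nothing sensitive leaks through `cat .tpkg.var.test`; it prints only ports and pids, and the TSIG secret never enters that file.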
diff --git a/testdata/auth_tsig.tdir/auth_tsig.test b/testdata/auth_tsig.tdir/auth_tsig.test
new file mode 100644 (file)
index 0000000..b5ba4f7
--- /dev/null
@@ -0,0 +1,103 @@
+# #-- auth_tsig.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+if grep SERVFAIL outfile; then
+       echo "> try again"
+       dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+       echo "> try again"
+       sleep 1
+       dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+       echo "> try again"
+       sleep 1
+       dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+       echo "> try again"
+       sleep 1
+       dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+       echo "> try again"
+       sleep 10
+       dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+       echo "> try again"
+       sleep 10
+       dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+echo "> check answer"
+if grep "1.2.3.4" outfile; then
+       echo "OK"
+else
+       echo "Not OK"
+       exit 1
+fi
+
+# update the zonefile.
+echo "www2.example.com. IN A 1.2.3.5" >> example.com.zone
+mv example.com.zone tmp.zone
+sed -e 's/2024082400/2024082401/' <tmp.zone >example.com.zone
+echo ""
+echo "new example.com.zone:"
+cat example.com.zone
+echo ""
+
+# NSD reloads the zone file,
+# sends notify to unbound, with TSIG.
+# unbound replies to the notify, with TSIG.
+# unbound fetches SOA record, with TSIG.
+# unbound fetches zone transfer, with TSIG.
+kill -1 `cat nsd.pid`
+
+# test if the zone has updated.
+dig @127.0.0.1 -p $UNBOUND_PORT www2.example.com. | tee outfile
+if grep NXDOMAIN outfile; then
+       echo "> try again"
+       dig @127.0.0.1 -p $UNBOUND_PORT www2.example.com. | tee outfile
+fi
+if grep NXDOMAIN outfile; then
+       echo "> try again"
+       sleep 1
+       dig @127.0.0.1 -p $UNBOUND_PORT www2.example.com. | tee outfile
+fi
+if grep NXDOMAIN outfile; then
+       echo "> try again"
+       sleep 1
+       dig @127.0.0.1 -p $UNBOUND_PORT www2.example.com. | tee outfile
+fi
+if grep NXDOMAIN outfile; then
+       echo "> try again"
+       sleep 1
+       dig @127.0.0.1 -p $UNBOUND_PORT www2.example.com. | tee outfile
+fi
+if grep NXDOMAIN outfile; then
+       echo "> try again"
+       sleep 10
+       dig @127.0.0.1 -p $UNBOUND_PORT www2.example.com. | tee outfile
+fi
+if grep NXDOMAIN outfile; then
+       echo "> try again"
+       sleep 10
+       dig @127.0.0.1 -p $UNBOUND_PORT www2.example.com. | tee outfile
+fi
+echo "> check answer"
+if grep "1.2.3.5" outfile; then
+       echo "OK"
+else
+       echo "Not OK"
+       exit 1
+fi
+
+exit 0
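Review bot: The script proves only the happy path of the feature: because nsd's `provide-xfr ... test.key` refuses an unsigned AXFR, the `1.2.3.4` check does show that unbound signs a request nsd accepts, but nothing checks that unbound rejects a transfer or NOTIFY whose TSIG is absent or made with the wrong secret, which is the verification half of xfr-tsig. A second tdir, or a second phase here that restarts nsd with a different `secret:` and asserts the www2 query stays NXDOMAIN, would cover that, and the comment block starting `# NSD reloads the zone file,` claims TSIG on every step without any assertion on the logs to back it. Separately, the seven copied `if grep SERVFAIL outfile; then ... try again` blocks (and the NXDOMAIN copies) collapse to one loop each, shown below, and `kill -1 `cat nsd.pid`` reads better as `kill -HUP "$(cat nsd.pid)"`.
```shell
# The first query races the initial AXFR; retry on SERVFAIL with growing delays.
for delay in 0 0 1 1 1 10 10; do
	sleep "$delay"
	dig @127.0.0.1 -p "$UNBOUND_PORT" www.example.com. | tee outfile
	grep -q SERVFAIL outfile || break
done
# … unchanged: "> check answer", zone update, SIGHUP to nsd …
# Same shape for the second half, breaking on the absence of NXDOMAIN.
for delay in 0 0 1 1 1 10 10; do
	sleep "$delay"
	dig @127.0.0.1 -p "$UNBOUND_PORT" www2.example.com. | tee outfile
	grep -q NXDOMAIN outfile || break
done
# … unchanged: final "1.2.3.5" check …
```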
diff --git a/testdata/auth_tsig.tdir/auth_tsig.ub.conf b/testdata/auth_tsig.tdir/auth_tsig.ub.conf
new file mode 100644 (file)
index 0000000..cfcf477
--- /dev/null
@@ -0,0 +1,26 @@
+server:
+       verbosity: 7
+       num-threads: 1
+       interface: 127.0.0.1
+       port: @UNBOUND_PORT@
+       use-syslog: no
+       directory: ""
+       pidfile: "unbound.pid"
+       chroot: ""
+       username: ""
+       do-not-query-localhost: no
+       log-queries: yes
+
+# This tsig key is used for testing.
+tsig-key:
+       name: "test.key"
+       algorithm: sha256
+       secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
+
+auth-zone:
+       name: "example.com"
+       zonefile: "unbound-example.com.zone"
+       for-upstream: yes
+       for-downstream: yes
+       primary-tsig: "127.0.0.1@@NSD_PORT@" test.key
+       allow-notify-tsig: "127.0.0.2@@NSD_PORT@" test.key
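Review bot: `allow-notify-tsig: "127.0.0.2@@NSD_PORT@" test.key` names 127.0.0.2, but the nsd side binds only `127.0.0.1@@NSD_PORT@` and sends its `notify:` from there, so a NOTIFY from 127.0.0.2 never arrives in this test. If unbound implicitly accepts NOTIFY from the `primary-tsig:` address (which the second half of auth_tsig.test appears to rely on, since it cannot wait out the 28800 s SOA refresh), this line exercises nothing beyond config parsing and allow-notify-tsig is effectively untested; if it does not, the test depends on this line and it should read 127.0.0.1. Either way the intent should be stated, e.g. `# Deliberately not the primary address: only checks that allow-notify-tsig parses`, or the entry changed to `allow-notify-tsig: "127.0.0.1" test.key` with a comment that the primary is listed explicitly so the TSIG check on NOTIFY is what is being tested.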
diff --git a/testdata/auth_tsig.tdir/example.com.zone b/testdata/auth_tsig.tdir/example.com.zone
new file mode 100644 (file)
index 0000000..18b5b40
--- /dev/null
@@ -0,0 +1,4 @@
+example.com.           240     IN      SOA     ns.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2024082400 28800 7200 604800 240
+example.com. NS ns.example.com.
+ns.example.com. IN A 192.0.2.1
+www.example.com. A 1.2.3.4