New versions of Bind limit the maximum UDP message size to 1232 bytes,
which is the same value that newer versions of libunbound propose as the maximum via
EDNS in requests, so increasing the limit on the server wouldn't help.
Instead we allow DNS via TCP so the client can switch after receiving the
truncated UDP response.
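The fallback the commit message describes, as an added illustration that is not part of this commit or of the Bind/libunbound code: the client advertises a 1232-byte EDNS(0) buffer in its UDP query, inspects the TC (truncated) bit in the reply, and if it is set re-sends the same query over TCP with the 2-byte length prefix that DNS-over-TCP requires. The hostname, transaction id and the truncated reply are constructed here for the example; no packets are sent.

```python
import struct

# Payload size the commit message says new Bind and libunbound settle on.
EDNS_UDP_SIZE = 1232


def encode_name(name):
    """Wire-format a dotted hostname as length-prefixed labels ending in a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            return off + 2
        off += 1 + length


def build_query(name, qtype=1, txid=0x1234, bufsize=EDNS_UDP_SIZE, dnssec_ok=True):
    """Standard query (RD set) with one question and an EDNS(0) OPT pseudo-RR in the
    additional section announcing `bufsize` as our UDP payload limit and, optionally, the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # qd=1, ar=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # IN class
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    flags = 0x8000 if dnssec_ok else 0  # DO bit is the top bit of the TTL field's low 16 bits
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, flags, 0)
    return header + question + opt


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def advertised_bufsize(query):
    """Walk the question and RR sections of a query and return the CLASS field of its OPT RR."""
    hdr = parse_header(query)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(query, off) + 4  # QTYPE + QCLASS
    for _ in range(hdr["ancount"] + hdr["nscount"] + hdr["arcount"]):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            return rclass
    return 512  # no OPT RR: the classic DNS limit applies


def needs_tcp_retry(udp_response, expected_txid):
    """True when the UDP answer is a reply to our query and the server flagged it truncated."""
    hdr = parse_header(udp_response)
    return hdr["qr"] and hdr["id"] == expected_txid and hdr["tc"]


def tcp_frame(query):
    """DNS over TCP prefixes each message with its length as a 2-byte big-endian integer."""
    return struct.pack("!H", len(query)) + query


def constructed_truncated_response(txid, name="example.org."):
    """Constructed sample: a reply with QR, TC, RD and RA set and an empty answer section,
    which is what a server returns when the full answer exceeds the client's EDNS size."""
    return (struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", 1, 1))


if __name__ == "__main__":
    q = build_query("example.org.")
    reply = constructed_truncated_response(0x1234)
    print("advertised EDNS size:", advertised_bufsize(q))
    if needs_tcp_retry(reply, 0x1234):
        print("TC set, retrying over TCP with %d-byte framed query" % len(tcp_frame(q)))
```

The firewall change in this commit is what lets the second step happen: without an ACCEPT for TCP/53 the retry in `tcp_frame` would never reach the server, and a resolver that only sees truncated UDP answers for signed zones would fail validation.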
-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+# allow DNSSEC fetch from winnetou via TCP
+-A INPUT -i eth0 -p tcp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
COMMIT
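Review bot: the comment on the added TCP rules is narrower than what they permit. `-A INPUT -i eth0 -p tcp --sport 53 -s PH_IP_WINNETOU -j ACCEPT` admits any TCP segment from winnetou whose source port is 53, not only DNSSEC answers and not only replies to our own queries, because there is no connection-state match; with TCP a client can trivially bind to source port 53 and open inbound connections through this rule. The UDP context lines have the same shape, but a stateless TCP accept is the larger hole. Suggest restricting the INPUT side to established connections, e.g. `-A INPUT -i eth0 -p tcp --sport 53 -s PH_IP_WINNETOU -m conntrack --ctstate ESTABLISHED -j ACCEPT`, and rewording the comment to say what the rule does, e.g. "allow DNS over TCP from winnetou (UDP answers above 1232 bytes, such as DNSSEC, come back truncated)". The added `+` blank line before COMMIT serves no purpose and can be dropped.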