From: W.C.A. Wijngaards
Date: Fri, 12 Sep 2025 08:40:23 +0000 (+0200)
Subject: - xfr-tsig, add tdir test that performs tsig signed zone transfer.
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b451cc4af7018ae99cdd5dc51c4cd418b11bdbe0;p=thirdparty%2Funbound.git

- xfr-tsig, add tdir test that performs tsig signed zone transfer.
---
diff --git a/testdata/auth_tsig.tdir/auth_tsig.dsc b/testdata/auth_tsig.tdir/auth_tsig.dsc
new file mode 100644
index 000000000..7c9f39249
--- /dev/null
+++ b/testdata/auth_tsig.tdir/auth_tsig.dsc
@@ -0,0 +1,16 @@
+BaseName: auth_tsig
+Version: 1.0
+Description: Perform AXFR with TSIG for authority zone.
+CreationDate: Fri 12 Sep 09:35:40 CEST 2025
+Maintainer: dr. W.C.A. Wijngaards
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: auth_tsig.pre
+Post: auth_tsig.post
+Test: auth_tsig.test
+AuxFiles:
+Passed:
+Failure:
diff --git a/testdata/auth_tsig.tdir/auth_tsig.nsd.conf b/testdata/auth_tsig.tdir/auth_tsig.nsd.conf
new file mode 100644
index 000000000..e03f91fab
--- /dev/null
+++ b/testdata/auth_tsig.tdir/auth_tsig.nsd.conf
@@ -0,0 +1,23 @@
+server:
+ logfile: "/dev/stderr"
+ xfrdfile: xfrd.state
+ username: ""
+ chroot: ""
+ zonesdir: ""
+ pidfile: "nsd.pid"
+ zonelistfile: "zone.list"
+ verbosity: 5
+ port: @NSD_PORT@
+ interface: 127.0.0.1@@NSD_PORT@
+
+key:
+ name: "test.key"
+ algorithm: sha256
+ secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
+
+zone:
+ name: "example.com"
+ zonefile: "example.com.zone"
+ provide-xfr: 0.0.0.0/0 test.key
+ provide-xfr: ::0/0 test.key
+ notify: 127.0.0.1@@UNBOUND_PORT@ test.key
diff --git a/testdata/auth_tsig.tdir/auth_tsig.post b/testdata/auth_tsig.tdir/auth_tsig.post
new file mode 100644
index 000000000..276ad070f
--- /dev/null
+++ b/testdata/auth_tsig.tdir/auth_tsig.post
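Review bot: The `key:` stanza in auth_tsig.nsd.conf carries the shared TSIG secret as a bare literal, while the identical key in auth_tsig.ub.conf is marked with `# This tsig key is used for testing.`; add the same comment above `key:` so nobody mistakes this checked-in secret for a reusable one. The `provide-xfr: 0.0.0.0/0 test.key` and `::0/0 test.key` lines open transfers to every source address, which is acceptable here only because the key gates them; a one-line comment saying so, e.g. `# any source may transfer, but only when signed with test.key`, records the intent for the next reader.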
@@ -0,0 +1,14 @@
+# #-- auth_tsig.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $NSD_PID
+kill_pid $UNBOUND_PID
+echo "nsd.log"
+cat nsd.log
+echo "unbound.log"
+cat unbound.log
diff --git a/testdata/auth_tsig.tdir/auth_tsig.pre b/testdata/auth_tsig.tdir/auth_tsig.pre
new file mode 100644
index 000000000..c5f9d9f37
--- /dev/null
+++ b/testdata/auth_tsig.tdir/auth_tsig.pre
@@ -0,0 +1,59 @@
+# #-- auth_tsig.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+#skip_test "Skip test due to no UDP service for SOA query"
+PRE="../.."
+if test -n "$NSD"; then
+ :
+else
+ if `which nsd >/dev/null 2>&1`; then
+ NSD="nsd"
+ else
+ if test -f $PRE/../nsd/nsd; then
+ NSD="$PRE/../nsd/nsd"
+ else
+ skip_test "need nsd"
+ fi
+ fi
+fi
+echo "NSD=$NSD"
+
+if test -f $PRE/unbound_do_valgrind_in_test; then
+ do_valgrind=yes
+else
+ do_valgrind=no
+fi
+VALGRIND_FLAGS="--leak-check=full --show-leak-kinds=all"
+
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+NSD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "NSD_PORT=$NSD_PORT" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@UNBOUND_PORT\@/'$UNBOUND_PORT'/' -e 's/@NSD_PORT\@/'$NSD_PORT'/' < auth_tsig.ub.conf > ub.conf
+sed -e 's/@UNBOUND_PORT\@/'$UNBOUND_PORT'/' -e 's/@NSD_PORT\@/'$NSD_PORT'/' < auth_tsig.nsd.conf > nsd.conf
+
+# start nsd
+$NSD -d -c nsd.conf >nsd.log 2>&1 &
+NSD_PID=$!
+echo "NSD_PID=$NSD_PID" >> .tpkg.var.test
+
+# start unbound in the background
+if test $do_valgrind = "yes"; then
+valgrind $VALGRIND_FLAGS $PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+else
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+fi
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_nsd_up nsd.log
+wait_unbound_up unbound.log
diff --git a/testdata/auth_tsig.tdir/auth_tsig.test b/testdata/auth_tsig.tdir/auth_tsig.test
new file mode 100644
index 000000000..b5ba4f726
--- /dev/null
+++ b/testdata/auth_tsig.tdir/auth_tsig.test
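Review bot: The nsd lookup `if `which nsd >/dev/null 2>&1`; then` runs the (empty, because stdout is redirected) output of `which` as the condition, so the branch only works through the shell's rule that an empty command takes the status of the last substitution; that is obscure and reads like a mistake. Test the command directly, `if which nsd >/dev/null 2>&1; then` (or `command -v nsd`), which has the same outcome and is what the rest of the file does with `test`. The `skip_test "need nsd"` fallback is otherwise fine.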
@@ -0,0 +1,103 @@
+# #-- auth_tsig.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 10
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 10
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+echo "> check answer"
+if grep "1.2.3.4" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+# update the zonefile.
+echo "www2.example.com. IN A 1.2.3.5" >> example.com.zone
+mv example.com.zone tmp.zone
+sed -e 's/2024082400/2024082401/' example.com.zone
+echo ""
+echo "new example.com.zone:"
+cat example.com.zone
+echo ""
+
+# NSD reloads the zone file,
+# sends notify to unbound, with TSIG.
+# unbound replies to the notify, with TSIG.
+# unbound fetches SOA record, with TSIG.
+# unbound fetches zone transfer, with TSIG.
+kill -1 `cat nsd.pid`
+
+# test if the zone has updated.
+dig @127.0.0.1 -p $UNBOUND_PORT www2.example.com. | tee outfile
+if grep NXDOMAIN outfile; then
+ echo "> try again"
+ dig @127.0.0.1 -p $UNBOUND_PORT www2.example.com. | tee outfile
+fi
+if grep NXDOMAIN outfile; then
+ echo "> try again"
+ sleep 1
+ dig @127.0.0.1 -p $UNBOUND_PORT www2.example.com. | tee outfile
+fi
+if grep NXDOMAIN outfile; then
+ echo "> try again"
+ sleep 1
+ dig @127.0.0.1 -p $UNBOUND_PORT www2.example.com. | tee outfile
+fi
+if grep NXDOMAIN outfile; then
+ echo "> try again"
+ sleep 1
+ dig @127.0.0.1 -p $UNBOUND_PORT www2.example.com. | tee outfile
+fi
+if grep NXDOMAIN outfile; then
+ echo "> try again"
+ sleep 10
+ dig @127.0.0.1 -p $UNBOUND_PORT www2.example.com. | tee outfile
+fi
+if grep NXDOMAIN outfile; then
+ echo "> try again"
+ sleep 10
+ dig @127.0.0.1 -p $UNBOUND_PORT www2.example.com. | tee outfile
+fi
+echo "> check answer"
+if grep "1.2.3.5" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+exit 0
diff --git a/testdata/auth_tsig.tdir/auth_tsig.ub.conf b/testdata/auth_tsig.tdir/auth_tsig.ub.conf
new file mode 100644
index 000000000..cfcf477b9
--- /dev/null
+++ b/testdata/auth_tsig.tdir/auth_tsig.ub.conf
@@ -0,0 +1,26 @@
+server:
+ verbosity: 7
+ num-threads: 1
+ interface: 127.0.0.1
+ port: @UNBOUND_PORT@
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ log-queries: yes
+
+# This tsig key is used for testing.
+tsig-key:
+ name: "test.key"
+ algorithm: sha256
+ secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
+
+auth-zone:
+ name: "example.com"
+ zonefile: "unbound-example.com.zone"
+ for-upstream: yes
+ for-downstream: yes
+ primary-tsig: "127.0.0.1@@NSD_PORT@" test.key
+ allow-notify-tsig: "127.0.0.2@@NSD_PORT@" test.key
diff --git a/testdata/auth_tsig.tdir/example.com.zone b/testdata/auth_tsig.tdir/example.com.zone
new file mode 100644
index 000000000..18b5b407e
--- /dev/null
+++ b/testdata/auth_tsig.tdir/example.com.zone
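Review bot: The serial bump in the "update the zonefile" block reads a file that the preceding line has just moved away: after `mv example.com.zone tmp.zone`, the line `sed -e 's/2024082400/2024082401/' example.com.zone` fails on a missing file, writes nothing, the following `cat example.com.zone` fails too, and NSD's SIGHUP reload finds no zonefile, so the www2 record and the new serial never reach the notify/AXFR path the comments describe. It should read from the moved copy and write the result back, `sed -e 's/2024082400/2024082401/' tmp.zone > example.com.zone`. Separately, the six copied SERVFAIL retry stanzas (and the six NXDOMAIN ones) differ only in the sleep value; a `for delay in 0 1 1 1 10 10` loop around one dig/grep would make the retry policy readable in one place. Finally, `grep "1.2.3.4"` and `grep "1.2.3.5"` are unanchored regexes where `.` matches any character; `grep -F` keeps the intent literal.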
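Review bot: The `allow-notify-tsig: "127.0.0.2@@NSD_PORT@" test.key` line names an address NSD never sends from: auth_tsig.nsd.conf binds `interface: 127.0.0.1@@NSD_PORT@` and the notify therefore originates at 127.0.0.1. If notifies from the configured primary (`primary-tsig: "127.0.0.1@@NSD_PORT@" test.key`) are implicitly accepted, the 127.0.0.2 entry is never exercised by this test and the TSIG check on an explicit allow-notify-tsig peer is untested; if they are not, the notify path relies on the SOA refresh instead of the notify the test comments describe. Either align the address with 127.0.0.1 or add a comment stating why 127.0.0.2 is intended, e.g. `# deliberately not the primary's address; notify is accepted via the primary-tsig entry`.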
@@ -0,0 +1,4 @@
+example.com. 240 IN SOA ns.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2024082400 28800 7200 604800 240
+example.com. NS ns.example.com.
+ns.example.com. IN A 192.0.2.1
+www.example.com. A 1.2.3.4
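Review bot: The `www.example.com. A 1.2.3.4` record (and the `1.2.3.5` record the test appends) uses routable address space, while the `ns.example.com.` record on the previous line already uses the RFC 5737 documentation range 192.0.2.0/24. Using that range consistently, e.g. `www.example.com. A 192.0.2.4`, avoids test data that points at real hosts; the corresponding `grep` patterns in auth_tsig.test would need the same change.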