From 0102360e920d1b26fde0120f2ac1d7eb770fa3c4 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Fri, 29 Sep 2023 16:03:08 +0200
Subject: [PATCH] root-zonemd-test, add test for ZONEMD usage from the root zone, currently with the unsupported algorithm.
---
 testdata/root_zonemd.tdir/root_zonemd.conf | 34 +++++++++++++
 testdata/root_zonemd.tdir/root_zonemd.dsc | 16 ++++++
 testdata/root_zonemd.tdir/root_zonemd.post | 14 ++++++
 testdata/root_zonemd.tdir/root_zonemd.pre | 50 +++++++++++++++++++
 testdata/root_zonemd.tdir/root_zonemd.test | 51 ++++++++++++++++++++
 testdata/root_zonemd.tdir/root_zonemd.testns | 9 ++++
 6 files changed, 174 insertions(+)
 create mode 100644 testdata/root_zonemd.tdir/root_zonemd.conf
 create mode 100644 testdata/root_zonemd.tdir/root_zonemd.dsc
 create mode 100644 testdata/root_zonemd.tdir/root_zonemd.post
 create mode 100644 testdata/root_zonemd.tdir/root_zonemd.pre
 create mode 100644 testdata/root_zonemd.tdir/root_zonemd.test
 create mode 100644 testdata/root_zonemd.tdir/root_zonemd.testns
diff --git a/testdata/root_zonemd.tdir/root_zonemd.conf b/testdata/root_zonemd.tdir/root_zonemd.conf
new file mode 100644
index 000000000..befb4fbe9
--- /dev/null
+++ b/testdata/root_zonemd.tdir/root_zonemd.conf
@@ -0,0 +1,34 @@
+server:
+ verbosity: 7
+ # num-threads: 1
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ # for the test, so that DNSSEC verification works.
+ #val-override-date: 20230929090000
+ trust-anchor: ". DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"
+
+remote-control:
+ control-enable: yes
+ control-interface: @CONTROL_PATH@/controlpipe.@CONTROL_PID@
+ control-use-cert: no
+
+# for the test, an upstream server in the test setup.
+stub-zone:
+ name: "."
+ stub-addr: 127.0.0.1@@TOPORT@
+
+# hyperlocal root zone
+auth-zone:
+ name: "."
+ fallback-enabled: yes
+ for-downstream: no
+ for-upstream: yes
+ zonefile: "root.zone"
+ zonemd-check: yes
+ zonemd-reject-absence: yes
diff --git a/testdata/root_zonemd.tdir/root_zonemd.dsc b/testdata/root_zonemd.tdir/root_zonemd.dsc
new file mode 100644
index 000000000..8015ac2d1
--- /dev/null
+++ b/testdata/root_zonemd.tdir/root_zonemd.dsc
@@ -0,0 +1,16 @@
+BaseName: root_zonemd
+Version: 1.0
+Description: ZONEMD check for root zone
+CreationDate: Fri 29 Sep 09:00:00 CEST 2023
+Maintainer: dr. W.C.A. Wijngaards
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: root_zonemd.pre
+Post: root_zonemd.post
+Test: root_zonemd.test
+AuxFiles:
+Passed:
+Failure:
diff --git a/testdata/root_zonemd.tdir/root_zonemd.post b/testdata/root_zonemd.tdir/root_zonemd.post
new file mode 100644
index 000000000..a28599faf
--- /dev/null
+++ b/testdata/root_zonemd.tdir/root_zonemd.post
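Review bot: The `trust-anchor:` line pins the test to the root KSK with key tag 20326, so after a root KSK rollover this test will start failing with a validation error rather than with any ZONEMD result, and nothing in the file says so; a comment such as `# root KSK 20326 DS; update on the next root KSK rollover, or the test fails on validation, not ZONEMD` would save the next maintainer a debugging session. The comment `# for the test, so that DNSSEC verification works.` sits above a commented-out `#val-override-date:` line, so it reads as if the date override is active when it is not; reword it to say the override is intentionally disabled because a freshly fetched root zone has current signatures. Both points are documentation only.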
@@ -0,0 +1,14 @@
+# #-- root_zonemd.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+echo "> cat logfiles"
+cat fwd.log
+cat unbound.log
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+rm -f $CONTROL_PATH/controlpipe.$CONTROL_PID
diff --git a/testdata/root_zonemd.tdir/root_zonemd.pre b/testdata/root_zonemd.tdir/root_zonemd.pre
new file mode 100644
index 000000000..fe369bb20
--- /dev/null
+++ b/testdata/root_zonemd.tdir/root_zonemd.pre
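Review bot: The last line, `rm -f $CONTROL_PATH/controlpipe.$CONTROL_PID`, runs with both variables empty when the .pre skipped or died before it wrote them to .tpkg.var.test (the root-zone fetch failing is the obvious path), which turns it into `rm -f /controlpipe.`; harmless today, but a guarded and quoted form `[ -n "$CONTROL_PID" ] && rm -f -- "$CONTROL_PATH/controlpipe.$CONTROL_PID"` states the intent and cannot drift into something worse. The two `kill_pid` calls have the same empty-argument exposure on that path; `kill_pid` comes from ../common.sh, which is outside this patch, so I cannot tell whether it tolerates an empty argument. The `cat fwd.log` / `cat unbound.log` lines will also print an error if the .pre never started the daemons; `[ -f fwd.log ] && cat fwd.log` keeps the teardown output clean on the skip path.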
@@ -0,0 +1,50 @@
+# #-- root_zonemd.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+
+# attempt to download the root zone
+from=k.root-servers.net
+dig @$from . AXFR > root.txt
+if test $? -ne 0; then
+ echo "could not fetch root zone"
+ skip_test "could not fetch root zone"
+fi
+grep " SOA " root.txt | head -1 > root.soa
+cat root.soa >> root.zone
+grep -v " SOA " root.txt >> root.zone
+echo "fetched root.zone"
+ls -l root.zone
+cat root.soa
+
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT root_zonemd.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+CONTROL_PATH=/tmp
+CONTROL_PID=$$
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's?@CONTROL_PATH\@?'$CONTROL_PATH'?' -e 's/@CONTROL_PID@/'$CONTROL_PID'/' < root_zonemd.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+echo "CONTROL_PATH=$CONTROL_PATH" >> .tpkg.var.test
+echo "CONTROL_PID=$CONTROL_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/root_zonemd.tdir/root_zonemd.test b/testdata/root_zonemd.tdir/root_zonemd.test
new file mode 100644
index 000000000..da64ab6e9
--- /dev/null
+++ b/testdata/root_zonemd.tdir/root_zonemd.test
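Review bot: The `if test $? -ne 0` after `dig @$from . AXFR > root.txt` only sees dig's own exit status, and a refused or truncated transfer can still leave root.txt without a SOA line, in which case root.soa is empty, root.zone is built without a SOA, unbound starts on a broken zone file, and the test fails instead of skipping; add `test -s root.soa || skip_test "could not fetch root zone"` right after the `grep " SOA " root.txt | head -1 > root.soa` line, and give the fetch a bound with `dig +time=10 +tries=1 @$from . AXFR > root.txt` so a hung transfer cannot stall the whole test run. `cat root.soa >> root.zone` is the first write to root.zone and should be `cat root.soa > root.zone`, otherwise a leftover file from an earlier run is silently prepended. The control socket is created as `/tmp/controlpipe.$$` with `control-use-cert: no` in the generated config, a predictable name in a shared directory; this presumably mirrors the other tdir tests in the tree, but a comment saying so (`# same unauthenticated local control socket convention as the other tests`) would make it clear the choice is deliberate rather than an oversight. `skip_test`, `get_random_port`, `get_ldns_testns` and the `wait_*_up` helpers come from ../common.sh, outside this patch.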
@@ -0,0 +1,51 @@
+# #-- root_zonemd.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT . SOA | tee outfile
+echo "> check answer"
+if grep root-servers outfile | grep "nstld.verisign-grs.com"; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+echo "> unbound-control status"
+$PRE/unbound-control -c ub.conf status
+if test $? -ne 0; then
+ echo "wrong exit value."
+ exit 1
+else
+ echo "exit value: OK"
+fi
+
+# This is the output when an unsupported algorithm is used.
+if grep "auth zone . ZONEMD unsupported algorithm" unbound.log; then
+ echo "OK"
+else
+ echo "ZONEMD verification not OK"
+ exit 1
+fi
+
+echo "> unbound-control auth_zone_reload ."
+$PRE/unbound-control -c ub.conf auth_zone_reload . 2>&1 | tee outfile
+if test $? -ne 0; then
+ echo "wrong exit value."
+ exit 1
+fi
+# The output of the reload can be checked.
+#echo "> check unbound-control output"
+#if grep "example.com: ZONEMD verification successful" outfile; then
+ #echo "OK"
+#else
+ #echo "Not OK"
+ #exit 1
+#fi
+
+exit 0
diff --git a/testdata/root_zonemd.tdir/root_zonemd.testns b/testdata/root_zonemd.tdir/root_zonemd.testns
new file mode 100644
index 000000000..d538f2215
--- /dev/null
+++ b/testdata/root_zonemd.tdir/root_zonemd.testns
@@ -0,0 +1,9 @@
+# reply to everything
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id copy_query
+REPLY QR SERVFAIL
+SECTION QUESTION
+example.com. IN SOA
+SECTION ANSWER
+ENTRY_END
-- 
2.47.3
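Review bot: The `if test $? -ne 0` that follows `$PRE/unbound-control -c ub.conf auth_zone_reload . 2>&1 | tee outfile` checks the exit status of `tee`, not of unbound-control, so a failed reload never trips the "wrong exit value." branch; since the file already relies on bash (`source`), `if test ${PIPESTATUS[0]} -ne 0; then` is the one-line fix. The `grep "auth zone . ZONEMD unsupported algorithm" unbound.log` check pins the test to the root zone's current ZONEMD hash algorithm, so the test will fail on the day the root publishes a supported algorithm or unbound gains support for the present one, neither of which is a regression; a comment stating that expectation, and accepting either that line or a "ZONEMD verification successful" line for zone `.`, would keep the test honest. The label `echo "> dig www.example.com."` does not match the query on the next line, which is `. SOA`; and the commented-out block at the bottom greps for `example.com: ZONEMD verification successful`, a zone name left over from another test, so it should say `.` or be removed.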