. ../conf.sh
-$SHELL "${TOP_SRCDIR}/bin/tests/system/genzone.sh" 2 >ns1/example.db
+# Drop unusual RR sets dnspython can't handle. For more information
+# see https://github.com/rthalley/dnspython/issues/1034#issuecomment-1896541899.
+$SHELL "${TOP_SRCDIR}/bin/tests/system/genzone.sh" 2 \
+ | sed \
+ -e '/AMTRELAY.*\# 2 0004/d' \
+ -e '/GPOS.*"" "" ""/d' \
+ -e '/URI.*30 40 ""/d' >ns1/example.db
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
+++ /dev/null
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -e
-
-# shellcheck disable=SC1091
-. ../conf.sh
-
-testing="testing zone transfer over TLS (XoT): "
-
-common_dig_options="+noadd +nosea +nostat +noquest +nocmd"
-
-status=0
-n=0
-
-dig_with_tls_opts() {
- # shellcheck disable=SC2086
- "$DIG" +tls $common_dig_options -p "${TLSPORT}" "$@"
-}
-
-wait_for_tls_xfer() (
- srv_number="$1"
- shift
- zone_name="$1"
- shift
- # Let's bind to .10 to make it possible to easily distinguish dig from NSs in packet traces
- dig_with_tls_opts -b 10.53.0.10 "@10.53.0.$srv_number" "${zone_name}." AXFR >"dig.out.ns$srv_number.${zone_name}.test$n" || return 1
- grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" >/dev/null && return 1
- return 0
-)
-
-tls_xfer_expect_success() {
- test_message="$1"
- shift
- n=$((n + 1))
- echo_i "$test_message - zone \"$2\" at \"ns$1\" ($n)"
- ret=0
- retry_quiet 10 wait_for_tls_xfer "$@" || ret=1
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
-}
-
-tls_xfer_expect_failure() {
- test_message="$1"
- shift
- n=$((n + 1))
- echo_i "$test_message - zone \"$2\" at \"ns$1\", failure expected ($n)"
- ret=0
- retry_quiet 10 wait_for_tls_xfer "$@" && ret=1
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
-}
-
-tls_xfer_expect_success "$testing" 2 example
-tls_xfer_expect_success "$testing" 3 example
-tls_xfer_expect_success "$testing" 4 example
-
-tls_xfer_expect_success "$testing" 2 example-aes-128
-tls_xfer_expect_success "$testing" 3 example-aes-256
-if ! $FEATURETEST --have-fips-mode; then
- tls_xfer_expect_success "$testing" 4 example-chacha-20
-fi
-
-tls_xfer_expect_failure "$testing" 2 example-aes-256
-if ! $FEATURETEST --have-fips-mode; then
- tls_xfer_expect_failure "$testing" 2 example-chacha-20
-fi
-
-tls_xfer_expect_failure "$testing" 3 example-aes-128
-if ! $FEATURETEST --have-fips-mode; then
- tls_xfer_expect_failure "$testing" 3 example-chacha-20
-fi
-
-tls_xfer_expect_failure "$testing" 4 example-aes-128
-tls_xfer_expect_failure "$testing" 4 example-aes-256
-
-# NS5 tries to download the zone over TLSv1.2
-tls_xfer_expect_failure "$testing" 5 example
-tls_xfer_expect_failure "$testing" 5 example-aes-128
-tls_xfer_expect_failure "$testing" 5 example-aes-256
-if ! $FEATURETEST --have-fips-mode; then
- tls_xfer_expect_failure "$testing" 5 example-chacha-20
-fi
-
-echo_i "exit status: $status"
-[ $status -eq 0 ] || exit 1
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+pytest.importorskip("dns", minversion="2.5.0")
+
+import dns.message
+
+import isctest
+import isctest.mark
+
+
+pytestmark = pytest.mark.extra_artifacts(
+ [
+ "ns*/example*.db",
+ ]
+)
+
+
+@pytest.mark.requires_zones_loaded("ns1", "ns2", "ns3", "ns4", "ns5")
+@pytest.mark.parametrize(
+ "qname,ns,rcode",
+ [
+ ("example.", 2, dns.rcode.NOERROR),
+ ("example.", 3, dns.rcode.NOERROR),
+ ("example.", 4, dns.rcode.NOERROR),
+ ("example-aes-128.", 2, dns.rcode.NOERROR),
+ ("example-aes-256.", 3, dns.rcode.NOERROR),
+ pytest.param(
+ "example-chacha-20.",
+ 4,
+ dns.rcode.NOERROR,
+ marks=isctest.mark.without_fips,
+ ),
+ ("example-aes-256", 2, dns.rcode.SERVFAIL),
+ pytest.param(
+ "example-chacha-20",
+ 2,
+ dns.rcode.SERVFAIL,
+ marks=isctest.mark.without_fips,
+ ),
+ ("example-aes-128", 3, dns.rcode.SERVFAIL),
+ pytest.param(
+ "example-chacha-20",
+ 3,
+ dns.rcode.SERVFAIL,
+ marks=isctest.mark.without_fips,
+ ),
+ ("example-aes-128", 4, dns.rcode.SERVFAIL),
+ ("example-aes-256", 4, dns.rcode.SERVFAIL),
+ # NS5 tries to download the zone over TLSv1.2
+ ("example", 5, dns.rcode.SERVFAIL),
+ ("example-aes-128", 5, dns.rcode.SERVFAIL),
+ ("example-aes-256", 5, dns.rcode.SERVFAIL),
+ pytest.param(
+ "example-chacha-20",
+ 5,
+ dns.rcode.SERVFAIL,
+ marks=isctest.mark.without_fips,
+ ),
+ ],
+)
+def test_cipher_suites_tls_xfer(qname, ns, rcode):
+ msg = dns.message.make_query(qname, "AXFR")
+ ans = isctest.query.tls(msg, f"10.53.0.{ns}")
+ assert ans.rcode() == rcode
+ if rcode == dns.rcode.NOERROR:
+ assert ans.answer != []
+ elif rcode == dns.rcode.SERVFAIL:
+ assert ans.answer == []
+++ /dev/null
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-import pytest
-
-pytestmark = pytest.mark.extra_artifacts(
- [
- "dig.out.*",
- "ns*/example*.db",
- ]
-)
-
-
-def test_cipher_suites(run_tests_sh):
- run_tests_sh()
projects / thirdparty / bind9.git / commitdiff
