--- /dev/null
+server:
+ verbosity: 4
+ num-threads: 1
+ outgoing-range: 16
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ local-zone: "example.net." redirect
+ local-data: "example.net. IN A 10.20.30.41"
+remote-control:
+ control-enable: yes
+ control-interface: 127.0.0.1
+ # control-interface: ::1
+ control-port: @CONTROL_PORT@
+ server-key-file: "unbound_server.key"
+ server-cert-file: "unbound_server.pem"
+ control-key-file: "unbound_control.key"
+ control-cert-file: "unbound_control.pem"
+forward-zone:
+ name: "."
+ forward-addr: "127.0.0.1@@TOPORT@"
+dnstap:
+ dnstap-enable: yes
+ dnstap-socket-path: "dnstap.socket"
+ dnstap-ip: "127.0.0.1@@TAPPORT@"
+ dnstap-tls: yes
+ dnstap-tls-server-name: "unbound"
+ dnstap-tls-cert-bundle: "unbound_server.pem"
+ dnstap-send-identity: yes
+ dnstap-send-version: yes
+ #dnstap-identity
+ #dnstap-version
+ dnstap-log-resolver-query-messages: yes
+ dnstap-log-resolver-response-messages: yes
+ dnstap-log-client-query-messages: yes
+ dnstap-log-client-response-messages: yes
+ dnstap-log-forwarder-query-messages: yes
+ dnstap-log-forwarder-response-messages: yes
+
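Review bot: `dnstap-tls-server-name: "unbound"` is the setting this test is named after, yet nothing in the file says what it has to match. A comment above it such as `# must equal a name in the certificate presented by unbound-dnstap-socket (unbound_server.pem); the TLS peer name is checked against it` would keep a later certificate regeneration from silently breaking or weakening the test. Separately, `dnstap-socket-path` is set together with a non-empty `dnstap-ip`. As far as I know unbound falls back to the unix socket only when `dnstap-ip` is empty, so that line looks like leftover configuration and could be dropped or marked as unused.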
--- /dev/null
+BaseName: dnstap_tls_peername
+Version: 1.0
+Description: test dnstap tls and reconnect
+CreationDate: Tue Feb 14 14:00:38 CET 2020
+Maintainer: dr. W.C.A. Wijngaards
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: dnstap_tls_peername.pre
+Post: dnstap_tls_peername.post
+Test: dnstap_tls_peername.test
+AuxFiles:
+Passed:
+Failure:
--- /dev/null
+# #-- dnstap_tls_peername.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+PRE="../.."
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+kill_pid $DNSTAP_SOCKET_PID
+kill_pid $FWD_PID
+kill $UNBOUND_PID
+kill $UNBOUND_PID >/dev/null 2>&1
+cat unbound.log
+echo "> tap logfiles"
+cat tap.log
+cat tap.errlog
+echo "> tap2 logfiles"
+if test -f tap2.log; then cat tap2.log; fi
+if test -f tap2.errlog; then cat tap2.errlog; fi
+cat fwd.log
+exit 0
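Review bot: `kill $UNBOUND_PID` runs unguarded and is then repeated with its output discarded, while the other two processes are stopped through `kill_pid`. If the .pre script bailed out before unbound was started, `$UNBOUND_PID` is empty and the bare `kill` only prints a usage error into the test output. Using `kill_pid $UNBOUND_PID` (assuming the helper from common.sh tolerates a missing process, which is not visible here) or guarding with `test -n "$UNBOUND_PID"` would keep the teardown quiet and consistent.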
--- /dev/null
+# #-- dnstap_tls_peername.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+
+PRE="../.."
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+get_random_port 4
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+CONTROL_PORT=$(($RND_PORT + 2))
+TAP_PORT=$(($RND_PORT + 3))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
+echo "TAP_PORT=$TAP_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT dnstap_tls_peername.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# start the dnstap log server
+# the -vvvv flag prints protocol and connection information from the
+# unbound-dnstap-socket server.
+# the -l flag prints the DNS info in the DNSTAP packet in multiline output.
+# stderr is the '-vvvv' server logs and errors.
+# stdout is the one-line packet logs (or with -l, multiline).
+$PRE/unbound-dnstap-socket -t "127.0.0.1@$TAP_PORT" -x unbound_server.key -y unbound_server.pem -l -vvvv 2>tap.errlog >tap.log &
+if test $? -ne 0; then
+ echo "could not start unbound-dnstap-socket server"
+ exit 1
+fi
+DNSTAP_SOCKET_PID=$!
+echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
+# wait for the server to go up
+wait_server_up "tap.errlog" "start of service"
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' -e 's/@TAPPORT\@/'$TAP_PORT'/' < dnstap_tls_peername.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
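Review bot: The `if test $? -ne 0` block after the backgrounded `unbound-dnstap-socket ... &` line can never fire, because `$?` after `&` reports only that the job was launched, not that the server started. A failed start, for example a key or certificate the TLS library refuses to load, is therefore detected, if at all, only by `wait_server_up`. Either drop the dead block or test the process once the wait has finished, e.g. `kill -0 $DNSTAP_SOCKET_PID || { echo "could not start unbound-dnstap-socket server"; exit 1; }`. The same pattern is repeated in the .test script where the log socket is restarted.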
--- /dev/null
+# #-- dnstap_tls_peername.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+PRE="../.."
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+# test if the server is up.
+echo "> dig www.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+ echo "OK"
+else
+ echo "> cat logfiles"
+ cat tap.log
+ cat tap.errlog
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+
+echo "> check tap.log for dnstap info"
+# see if it logged the information in tap.log
+# wait for a moment for filesystem to catch up.
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 10; fi
+if grep "www.example.com" tap.log; then echo "yes it is in tap.log";
+else
+ echo "information not in tap.log"
+ echo "failed"
+ echo "> cat logfiles"
+ cat tap.log
+ cat tap.errlog
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+
+echo ""
+echo "> test disconnect from the upstream server"
+
+kill_pid $DNSTAP_SOCKET_PID
+dig @127.0.0.1 -p $UNBOUND_PORT down.example.net.
+
+# bring log socket back up
+$PRE/unbound-dnstap-socket -t "127.0.0.1@$TAP_PORT" -x unbound_server.key -y unbound_server.pem -l -vvvv 2>tap2.errlog >tap2.log &
+if test $? -ne 0; then
+ echo "could not start (again) unbound-dnstap-socket server"
+ exit 1
+fi
+DNSTAP_SOCKET_PID=$!
+echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
+# wait for the server to go up
+wait_server_up "tap2.errlog" "start of service"
+
+dig @127.0.0.1 -p $UNBOUND_PORT up.example.net.
+sleep 2
+dig @127.0.0.1 -p $UNBOUND_PORT up2.example.net.
+
+for x in down up up2; do
+ if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
+ if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
+ if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
+ if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 10; fi
+ if grep "$x.example.net" tap2.log; then echo "yes it is in tap2.log";
+ else
+ echo "$x.example.net. information not in tap2.log"
+ echo "failed"
+ echo "> cat logfiles"
+ cat tap.log
+ cat tap.errlog
+ echo "> tap2 logfiles"
+ cat tap2.log
+ cat tap2.errlog
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+ fi
+done
+
+echo "> OK"
+exit 0
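Review bot: Nothing in this script shows that the TLS peer name check is actually enforced. Every assertion is a positive one (the query names appear in `tap.log` or `tap2.log`), and those would pass just as well if unbound accepted any certificate from the log server. For a test called tls_peername the negative case is the one that matters: a run whose `dnstap-tls-server-name` does not match the server certificate, followed by an assertion that no frames reach the tap log. The four-fold `grep ... else sleep` ladders could also be folded into a small helper function, which would make adding that case cheaper.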
--- /dev/null
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www IN A
+SECTION ANSWER
+www IN A 10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA SERVFAIL
+ADJUST copy_id
+SECTION QUESTION
+www.example.net. IN A
+ENTRY_END
+
--- /dev/null
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDD6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBa
+rzPA0vlyuNtUsEN3qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvH
+ST6JwUdIg0Lzg/USJ81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQAB
+AoGAFT3e35MIgI4uDJJ8X0RfHp2NCO2LUg4TKbWical/C0W9vlR1/x80G1pE1d2Z
+WotqJVWTrOq6eBox19RCgtLg2wPGk9uD62+9SDT37heWFlUCElWq50pQG6k9ThiG
+DDypkZyZ/52+DdWybiaQJkuK6O5qQXuNAtVJMpghu4GnHAECQQDsupnZUQDpapzr
+4FC4MSkL2+A1PRt6g4VhwoqOpJXaHfVnH6F7AwUuOLNwGdR5Cvv70pfJ7Jqg8L2m
+Kxyl5bORAkEA09rn34YQ0pHJdHidbl2kInIuYTz09+TO3LWwan17nISH9aaYvVDr
+p9x1B4Qzw9qyxT9oll7ze/5Rw/7C3AQj4QJAT2B2a+b8bkgAXBs4FbruL3rHoDJg
+P2FQXSpVOWU4lg2LlsuFYvDtUMVUbZdLplanjZXcral3Y9W1Ub2M+ped8QJAYQN+
+aRpge7ys7vwIw7B36Bo3aOncF+ScYe+FkM5Tm7II/JHEofT7ZQwMP1vnxIlSkgbe
+YvWqNB6a3NC99LikoQJBAM4UhDdRg63Tr6Idky6CQaH///zAN7nArJfffKGWFdw9
+DKrWpNqvYZtX/cfEJucKcRCm5YL8CKFYbQy4VoCxUcE=
+-----END RSA PRIVATE KEY-----
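Review bot: This section adds an unencrypted private key to the source tree, and its header bytes decode to a 1024-bit RSA key. Once committed the key is public, so it must never be reused outside the test bed. The .dsc Description or a README line beside the fixtures is the place to say so, and generating the pair in the .pre script would avoid committing key material altogether. A 1024-bit key is also refused by TLS libraries running at stricter security levels, so the daemon or the log server may fail to load it on some build hosts.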
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIBozCCAQwCCQD6XaN6FzW/4DANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowGjEYMBYGA1UE
+AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD
+6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBarzPA0vlyuNtUsEN3
+qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvHST6JwUdIg0Lzg/US
+J81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQABMA0GCSqGSIb3DQEB
+BQUAA4GBAGFAXmaQHuFgAuc6HVhYZJdToxLBhfxGpot4oZNjcb1Cdoz3OL34MU1B
+9E5psj2PpGPIi8/RwoqBtAJHJ+J5cWngo03o4ZmdwKNSzaxlp141z/3rUtFqEHEC
+iO6gPCT3U7dt6MyC7r6vdMqyW6aldP3CtwD0gQziKAMoj+TAfAcq
+-----END CERTIFICATE-----
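Review bot: Decoded, this certificate appears to be signed with sha1WithRSAEncryption, carries a 1024-bit RSA key and is valid from September 2008 until 29 May 2028. TLS libraries configured with a stricter policy reject SHA-1 signatures and short keys. After the expiry date any certificate with these parameters stops verifying, so tests that depend on it would fail for reasons unrelated to the code under test. If the server certificate used for the dnstap connection (its body is not visible here) was generated the same way, consider regenerating the set with SHA-256 and 2048-bit or larger keys, or creating the certificates at test time.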
--- /dev/null
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
--- /dev/null
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----