--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+ type primary;
+ file "example1.db";
+ allow-transfer port 99999 { any; };
+};
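Review bot: The fixture does not record which parse error it is expected to provoke, so a later grammar change that rejects `allow-transfer port 99999 { any; };` for a different reason (or starts accepting it) would pass the test unnoticed; a one-line comment above the zone, `/* negative case: port value out of the 0-65535 range */`, pins the intent. The same applies to the four sibling fixtures in this commit that use `transport blah`, `transport udp`, `transport http` and `transport http-plain`, each of which appears to be a negative case for the new transport keyword but says nothing about the expected rejection. If these are checked by a test that only asserts a non-zero exit from the config checker, consider also matching the specific error message so the fixtures cannot drift into failing for an unrelated reason.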
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+ type primary;
+ file "example1.db";
+ allow-transfer port 44344 transport blah { any; };
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+ type primary;
+ file "example1.db";
+ allow-transfer port 44344 transport udp { any; };
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+ type primary;
+ file "example1.db";
+ allow-transfer port 44344 transport http { any; };
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+ type primary;
+ file "example1.db";
+ allow-transfer port 44344 transport http-plain { any; };
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+ type primary;
+ file "example1.db";
+ allow-transfer port 44344 transport tls { any; };
+};
+
+zone "example2" {
+ type primary;
+ file "example2.db";
+ allow-transfer port 44344 transport tcp { any; };
+};
+
+zone "example3" {
+ type primary;
+ file "example3.db";
+ allow-transfer transport tls { any; };
+};
+
+zone "example4" {
+ type primary;
+ file "example4.db";
+ allow-transfer transport tcp { any; };
+};
+
+
+zone "example5" {
+ type primary;
+ file "example5.db";
+ allow-transfer port 53 { any; };
+};
+
+zone "example6" {
+ type primary;
+ file "example6.db";
+ allow-transfer { any; };
+};
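Review bot: The six zones exercise distinct combinations (port plus tls, port plus tcp, transport alone, port alone, no restriction) but nothing in the file says which combination each zone covers, so a reader has to diff the `allow-transfer` lines by eye; a short comment per zone, e.g. `/* example3: transport restriction with no port */` and `/* example6: legacy form, no port or transport */`, would make the matrix explicit and keep a future edit from accidentally collapsing two cases into one. There is also a doubled blank line before `zone "example5"`, which is out of step with the single blank line used elsewhere in the file. Note that `transport tls` only constrains the channel a transfer may use; with `{ any; }` as the ACL, any client that completes a TLS handshake is still permitted, which is presumably intended for a positive syntax fixture but is worth stating in the comment so the file is not copied as a hardening example.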
zone "." {
type primary;
file "root.db";
- allow-transfer { any; };
+ allow-transfer port @TLSPORT@ transport tls { any; };
};
zone "example" {
type primary;
file "example.db";
- allow-transfer { any; };
+ allow-transfer port @TLSPORT@ transport tls { any; };
};
"$DIG" +http-plain $common_dig_options -p "${HTTPPORT}" "$@"
}
+dig_with_opts() {
+ # shellcheck disable=SC2086
+ "$DIG" $common_dig_options -p "${PORT}" "$@"
+}
+
wait_for_tls_xfer() (
dig_with_tls_opts -b 10.53.0.3 @10.53.0.2 example. AXFR > "dig.out.ns2.test$n" || return 1
grep "^;" "dig.out.ns2.test$n" > /dev/null && return 1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
+# zone transfers are allowed only via TLS
+n=$((n+1))
+echo_i "testing zone transfer over Do53 server functionality (using dig, failure expected) ($n)"
+ret=0
+dig_with_opts example. -b 10.53.0.3 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
+grep "; Transfer failed." dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# querying zones is still allowed via UDP/TCP
+n=$((n + 1))
+echo_i "checking Do53 query ($n)"
+ret=0
+dig_with_opts @10.53.0.1 example SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
# In this test we are trying to establish a DoT connection over the
# DoH port. That is intentional, as dig should fail right after
# handshake has happened and before sending any queries, as XFRs, per