rm -f ./*/named.run
rm -f ./*/named.run.prev
rm -f ./dig.out.*
-rm -f ./*/example.db
+rm -f ./*/example*.db
rm -rf ./headers.*
endpoints { "/dns-query"; "/alter"; };
};
+tls tls-forward-secrecy {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../ns2/key.pem";
+ cert-file "../ns2/cert.pem";
+ dhparam-file "../ns2/dhparam3072.pem";
+};
+
+tls tls-pfs-aes256 {
+ protocols { TLSv1.2; };
+ ciphers "AES256:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../ns2/key.pem";
+ cert-file "../ns2/cert.pem";
+ dhparam-file "../ns2/dhparam3072.pem";
+};
+
options {
port @PORT@;
tls-port @TLSPORT@;
http-port @HTTPPORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
- listen-on tls ephemeral { 10.53.0.1; }; // DoT
- listen-on-v6 tls ephemeral { fd92:7065:b8e:ffff::1;};
+ listen-on tls tls-forward-secrecy { 10.53.0.1; }; // DoT
+ listen-on-v6 tls tls-forward-secrecy { fd92:7065:b8e:ffff::1;};
listen-on tls ephemeral http local { 10.53.0.1; }; // DoH
listen-on-v6 tls ephemeral http local { fd92:7065:b8e:ffff::1; };
listen-on tls none http local { 10.53.0.1; }; // unencrypted DoH
listen-on-v6 tls none http local { fd92:7065:b8e:ffff::1; };
listen-on-v6 { none; };
+ listen-on port @EXTRAPORT1@ tls tls-pfs-aes256 { 10.53.0.1; }; // DoT
+ listen-on-v6 port @EXTRAPORT1@ tls tls-pfs-aes256 { fd92:7065:b8e:ffff::1;};
recursion no;
notify explicit;
also-notify { 10.53.0.2 port @PORT@; };
file "example.db";
allow-transfer port @TLSPORT@ transport tls { any; };
};
+
+zone "example2" {
+ type primary;
+ file "example.db";
+ allow-transfer port @EXTRAPORT1@ transport tls { any; };
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls local {
+ key-file "../ns2/key.pem";
+ cert-file "../ns2/cert.pem";
+ dhparam-file "../ns2/dhparam3072.pem";
+};
+
+http local {
+ endpoints { "/dns-query"; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ tls-port @TLSPORT@;
+ https-port @HTTPSPORT@;
+ http-port @HTTPPORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on tls local { 10.53.0.3; }; // DoT
+ listen-on-v6 tls local { fd92:7065:b8e:ffff::3; };
+ listen-on tls local http local { 10.53.0.3; }; // DoH
+ listen-on-v6 tls local http local { fd92:7065:b8e:ffff::3; };
+ listen-on tls none http local { 10.53.0.3; }; // unencrypted DoH
+ listen-on-v6 tls none http local { fd92:7065:b8e:ffff::3; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ ixfr-from-differences yes;
+ check-integrity no;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+tls tls-v1.2-pfs {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers no;
+};
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.1 tls tls-v1.2-pfs; };
+ file "example.db";
+ allow-transfer { any; };
+};
+
+tls tls-pfs-aes-128 {
+ protocols { TLSv1.2; };
+ // AES128 does not match the setting on the server: AES256
+ ciphers "AES128:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers no;
+};
+
+zone "example2" {
+ type secondary;
+ primaries port @EXTRAPORT1@ { 10.53.0.1 tls tls-pfs-aes-128; };
+ file "example2.db";
+ allow-transfer { any; };
+};
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
}
wait_for_tls_xfer() (
- dig_with_tls_opts -b 10.53.0.3 @10.53.0.2 example. AXFR > "dig.out.ns2.test$n" || return 1
- grep "^;" "dig.out.ns2.test$n" > /dev/null && return 1
+ srv_number="$1"
+ shift
+ zone_name="$1"
+ shift
+ dig_with_tls_opts -b 10.53.0.3 "@10.53.0.$srv_number" "${zone_name}." AXFR > "dig.out.ns$srv_number.${zone_name}.test$n" || return 1
+ grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" > /dev/null && return 1
return 0
)
status=$((status+ret))
n=$((n+1))
-echo_i "testing incoming XoT functionality (from secondary) ($n)"
+echo_i "testing incoming XoT functionality (from the first secondary) ($n)"
ret=0
-if retry_quiet 10 wait_for_tls_xfer; then
- grep "^;" "dig.out.ns2.test$n" | cat_i
- digcomp example.axfr.good "dig.out.ns2.test$n" || ret=1
+if retry_quiet 10 wait_for_tls_xfer 2 example; then
+ grep "^;" "dig.out.ns2.example.test$n" | cat_i
+ digcomp example.axfr.good "dig.out.ns2.example.test$n" || ret=1
else
echo_i "timed out waiting for zone transfer"
ret=1
if test $ret != 0 ; then echo_i "failed"; fi
status=$((status+ret))
+n=$((n+1))
+echo_i "testing incoming XoT functionality (from the second secondary) ($n)"
+ret=0
+if retry_quiet 10 wait_for_tls_xfer 3 example; then
+ grep "^;" "dig.out.ns3.example.test$n" | cat_i
+ digcomp example.axfr.good "dig.out.ns3.example.test$n" || ret=1
+else
+ echo_i "timed out waiting for zone transfer"
+ ret=1
+fi
+if test $ret != 0 ; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing incoming XoT functionality (from the second secondary, mismatching ciphers, failure expected) ($n)"
+ret=0
+if retry_quiet 10 wait_for_tls_xfer 3 example2; then
+ grep "^;" "dig.out.ns3.example2.test$n" | cat_i
+ test -f "ns3/example2.db" && ret=1
+else
+ echo_i "timed out waiting for zone transfer"
+fi
+if test $ret != 0 ; then echo_i "failed"; fi
+status=$((status+ret))
+
n=$((n + 1))
echo_i "checking DoT query (ephemeral key) ($n)"
ret=0
projects / thirdparty / bind9.git / commitdiff
