rm -f dig.out.*
rm -f ns*/*.jnl
-rm -f ns*/*.nzf
rm -f ns*/*.mkeys
+rm -f ns*/*.nzd ns*/*.nzd-lock
+rm -f ns*/*.nzf
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.conf
rm -f ns*/named.lock
rm -f ns*/named.memstats
-rm -f ns*/named.conf
rm -f ns*/named.run
rm -f ns*/named.run.prev
rm -f ns1/*dom*example.db
+rm -f ns1/tls1.example.db
rm -f ns2/__catz__*db
rm -f ns2/catalog-bad*.db
rm -f ns2/named.conf.tmp
rm -f ns3/dom2.example.db ns3/dom13.example.db ns3/dom14.example.db ns3/dom17.example.db ns3/dom18.example.db
-rm -f nsupdate.out.*
+rm -f ns4/__catz__*db
rm -f ns[123]/catalog[1234].example.db
-rm -rf ns2/zonedir
-rm -f ns*/*.nzd ns*/*.nzd-lock
-rm -f ns*/managed-keys.bind*
+rm -f ns[14]/catalog-tls.example.db
+rm -f nsupdate.out.*
rm -f wait_for_message.*
+rm -rf ns2/zonedir
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port @PORT@;
+ tls-port @TLSPORT@;
allow-new-zones yes;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on port @EXTRAPORT1@ { 10.53.0.1; };
+ listen-on tls ephemeral { 10.53.0.1; };
listen-on-v6 { none; };
notify no;
notify-delay 0;
also-notify { 10.53.0.2; };
notify explicit;
};
+
+ # A catalog zone that requires TLS to be used
+ zone "catalog-tls.example" {
+ type primary;
+ file "catalog-tls.example.db";
+ allow-transfer transport tls { key tsig_key; };
+ allow-update { any; };
+ also-notify { 10.53.0.4; };
+ notify explicit;
+ };
};
view "ch" ch {
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ tls-port @TLSPORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { fd92:7065:b8e:ffff::4; };
+ notify no;
+ notify-delay 0;
+ recursion no;
+ serial-query-rate 100;
+
+ catalog-zones {
+ zone "catalog-tls.example"
+ min-update-interval 1s
+ default-primaries { 10.53.0.1 key tsig_key tls ephemeral; };
+ };
+};
+
+zone "catalog-tls.example" {
+ type secondary;
+ file "catalog-tls.example.db";
+ primaries { 10.53.0.1 key tsig_key tls ephemeral; };
+};
+
+key tsig_key. {
+ secret "LSAnCU+Z";
+ algorithm @DEFAULT_HMAC@;
+};
+
+key next_key. {
+ secret "LaAnCU+Z";
+ algorithm @DEFAULT_HMAC@;
+};
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named1.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
cp -f ns1/catalog.example.db.in ns1/catalog1.example.db
cp -f ns3/catalog.example.db.in ns3/catalog2.example.db
cp -f ns1/catalog.example.db.in ns1/catalog3.example.db
cp -f ns1/catalog.example.db.in ns1/catalog4.example.db
+cp -f ns1/catalog.example.db.in ns1/catalog-tls.example.db
mkdir -p ns2/zonedir
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
+##########################################################################
+n=$((n+1))
+echo_i "Adding a domain tls1.example. to primary via RNDC ($n)"
+ret=0
+# enough initial content for IXFR response when TXT record is added below
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/tls1.example.db
+echo "@ 3600 IN NS invalid." >> ns1/tls1.example.db
+echo "foo 3600 IN TXT some content here" >> ns1/tls1.example.db
+echo "bar 3600 IN TXT some content here" >> ns1/tls1.example.db
+echo "xxx 3600 IN TXT some content here" >> ns1/tls1.example.db
+echo "yyy 3600 IN TXT some content here" >> ns1/tls1.example.db
+rndccmd 10.53.0.1 addzone tls1.example. in default '{ type primary; file "tls1.example.db"; allow-transfer transport tls { key tsig_key; }; allow-update { any; }; notify explicit; also-notify { 10.53.0.4; }; };' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that tls1.example. is now served by primary ($n)"
+ret=0
+wait_for_soa @10.53.0.1 tls1.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns4/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding domain tls1.example. to catalog-tls zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update add 1ba056ba375209a66a2c9a0617b1df714b998112.zones.catalog-tls.example. 3600 IN PTR tls1.example.
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns4/named.run "catz: adding zone 'tls1.example' from catalog 'catalog-tls.example'" &&
+wait_for_message ns4/named.run "transfer of 'tls1.example/IN' from 10.53.0.1#${TLSPORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that tls1.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.4 tls1.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
projects / thirdparty / bind9.git / commitdiff
