From: Mark Andrews
Date: Mon, 9 Nov 2020 05:26:56 +0000 (+1100)
Subject: Check that DNSTAP captures forwarded UPDATE responses
X-Git-Tag: v9.16.9~6^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=23d2d95d28d6eaa281a4603e7f63868fb4b820a5;p=thirdparty%2Fbind9.git

Check that DNSTAP captures forwarded UPDATE responses

(cherry picked from commit 2b7128fedee526fb0bb79653e3e62b399640713c)
---
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
index 4a903321070..877504f1a32 100644
--- a/bin/tests/system/feature-test.c
+++ b/bin/tests/system/feature-test.c
@@ -38,6 +38,7 @@ usage() {
 fprintf(stderr, "args:\n");
 fprintf(stderr, "\t--edns-version\n");
 fprintf(stderr, "\t--enable-dnsrps\n");
+ fprintf(stderr, "\t--enable-dnstap\n");
 fprintf(stderr, "\t--gethostname\n");
 fprintf(stderr, "\t--gssapi\n");
 fprintf(stderr, "\t--have-dlopen\n");
@@ -74,6 +75,14 @@ main(int argc, char **argv) {
 #endif /* ifdef USE_DNSRPS */
 }
+ if (strcmp(argv[1], "--enable-dnstap") == 0) {
+#ifdef HAVE_DNSTAP
+ return (0);
+#else /* ifdef HAVE_DNSTAP */
+ return (1);
+#endif /* ifdef HAVE_DNSTAP */
+ }
+
 if (strcmp(argv[1], "--gethostname") == 0) {
 char hostname[MAXHOSTNAMELEN];
 int n;
diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
index 88452154bfb..2025252556b 100644
--- a/bin/tests/system/upforwd/clean.sh
+++ b/bin/tests/system/upforwd/clean.sh
@@ -16,12 +16,16 @@
 rm -f dig.out.ns1* dig.out.ns2 dig.out.ns1 dig.out.ns3 dig.out.ns1.after
 rm -f ns1/*.jnl ns2/*.jnl ns3/*.jnl ns1/example.db ns2/*.bk ns3/*.bk
 rm -f ns3/nomaster1.db
+rm -f ns3/dnstap.out*
+rm -f ns3/dnstap.conf
+rm -f dnstap.out*
+rm -f dnstapread.out*
 rm -f */named.memstats
 rm -f */named.run
 rm -f */named.conf
 rm -f */ans.run
 rm -f Ksig0.example2.*
-rm -f keyname
+rm -f keyname keyname.err
 rm -f ns*/named.lock
 rm -f ns1/example2.db
 rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named.conf.in
index d037e745e85..dcd22b51366 100644
--- a/bin/tests/system/upforwd/ns3/named.conf.in
+++ b/bin/tests/system/upforwd/ns3/named.conf.in
@@ -19,6 +19,16 @@ options {
 listen-on-v6 { none; };
 recursion no;
 notify yes;
+ include "dnstap.conf";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 zone "example" {
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
index 597ea6b4e7b..217e9b42a92 100644
--- a/bin/tests/system/upforwd/setup.sh
+++ b/bin/tests/system/upforwd/setup.sh
@@ -19,10 +19,23 @@ copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
+if ../feature-test --enable-dnstap
+then
+ cat <<'EOF' > ns3/dnstap.conf
+ dnstap-identity "ns3";
+ dnstap-version "xxx";
+ dnstap-output file "dnstap.out";
+ dnstap { all; };
+EOF
+else
+ echo "/* DNSTAP NOT ENABLED */" >ns3/dnstap.conf
+fi
+
+
 #
 # SIG(0) required cryptographic support which may not be configured.
 #
-keyname=`$KEYGEN -q -n HOST -a RSASHA1 -b 1024 -T KEY sig0.example2 2>/dev/null | $D2U`
+keyname=`$KEYGEN -q -n HOST -a RSASHA1 -b 1024 -T KEY sig0.example2 2>keyname.err`
 if test -n "$keyname"
 then
 cat ns1/example1.db $keyname.key > ns1/example2.db
@@ -30,3 +43,4 @@ then
 else
 cat ns1/example1.db > ns1/example2.db
 fi
+cat_i < keyname.err
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index ecd91a6cd9b..fed0779bceb 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
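Review bot: The control channel added by `controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; };` only works because the literal `secret "1234abcd8765"` presumably matches the key in `../common/rndc.conf`, which tests.sh reaches through its new `RNDCCMD` definition, and nothing in this file records that coupling. A comment above the key block such as `// rndc_key must stay identical to bin/tests/system/common/rndc.conf (used by tests.sh via RNDCCMD)` would tell the next editor why the value is fixed and not meant to be secret. The `allow { any; }` ACL is tolerable only as a test fixture bound to the 10.53.0.3 harness address and should not be copied into a production configuration. The `options` block this hunk closes begins outside the hunk.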
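Review bot: The probe on the first added line of setup.sh invokes `../feature-test` by relative path, while tests.sh in the same commit gates the matching check with `$FEATURETEST --enable-dnstap`; the two spellings can drift if the harness ever relocates or renames the binary, and only one of them is resolved through conf.sh. Using `if $FEATURETEST --enable-dnstap` here keeps setup and test in step (the surrounding `copy_setports` calls suggest conf.sh is already sourced, but that line is outside the hunk). The heredoc lines are indented and `<<'EOF'` preserves that whitespace verbatim in ns3/dnstap.conf, which named tolerates, but a short comment would make the intent clear, e.g. `# dnstap.conf is included by ns3/named.conf.in; the stub keeps the include valid when dnstap is compiled out`.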
@@ -17,9 +17,22 @@ SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
+RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf"
 status=0
 n=1
+capture_dnstap() {
+ retry_quiet 20 test -f ns3/dnstap.out && mv ns3/dnstap.out dnstap.out.$n
+ $RNDCCMD -s 10.53.0.3 dnstap -reopen
+}
+
+uq_equals_ur() {
+ "$DNSTAPREAD" dnstap.out.$n |
+ awk '$3 == "UQ" { UQ+=1 } $3 == "UR" { UR += 1 } END { print UQ+0, UR+0 }' > dnstapread.out$n
+ read UQ UR < dnstapread.out$n
+ echo_i "UQ=$UQ UR=$UR"
+ test $UQ -eq $UR || return 1
+}
 echo_i "waiting for servers to be ready for testing ($n)"
 for i in 1 2 3 4 5 6 7 8 9 10
@@ -111,6 +124,17 @@ grep "forwarding update for zone 'example/IN'" ns3/named.run > /dev/null || ret=
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 n=`expr $n + 1`
+if $FEATURETEST --enable-dnstap
+then
+ echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)"
+ ret=0
+ capture_dnstap
+ uq_equals_ur || ret=1
+ if [ $ret != 0 ] ; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ n=`expr $n + 1`
+fi
+
 echo_i "updating zone (unsigned) ($n)"
 ret=0
 $NSUPDATE -- - <
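Review bot: `uq_equals_ur` passes vacuously when nothing was captured: if `"$DNSTAPREAD" dnstap.out.$n` emits no records (the file is missing because `retry_quiet` timed out and the `mv` in `capture_dnstap` was skipped, or it is empty because nothing had been flushed yet) the awk `END` block prints `0 0` and `test 0 -eq 0` succeeds. The check is meant to run right after an UPDATE has been forwarded, so at least one UQ record is expected; require it with `test "$UQ" -gt 0 || return 1` placed before `test "$UQ" -eq "$UR" || return 1`. Whether `rndc dnstap -reopen` has flushed and closed the renamed file by the time `$RNDCCMD` returns is not established by these lines; if that close is asynchronous, a `retry_quiet` on a non-empty dnstap.out.$n before reading it would avoid an intermittent result.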