From: Matthijs Mekking Date: Tue, 30 Sep 2025 09:34:13 +0000 (+0200) Subject: Convert "in"-style templates to jinja X-Git-Tag: v9.21.16~38^2~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a404dd806c6a54403f2431947297ea30582bc07;p=thirdparty%2Fbind9.git Convert "in"-style templates to jinja Change the named.conf templating to make use of jinja template rendering. The ns2 server is trivial. The ns3 server configuration structure has changed: The common configuration is moved out of named-fips.conf. The main named.conf file is in named.conf.j2. It always includes the common part, named-common.conf.j2, and the FIPS part, named-fips.conf.j2. The named-fips.conf.j2 and named-rsasha1.conf.j2 templates are rendered differently depending on the reconfiged status. Mainly the dnssec-policy for zones is different after reconfiguration, but there are some other changes too; for example, some zones change their inline-signing setting. Some zones only exist prior to or after the reconfiguration. Finally, this is a bit hackish: If RSASHA1 is supported, named.conf includes "named-rsasha1.conf", otherwise it includes the deliberately empty "named-rsasha0.conf". --- diff --git a/bin/tests/system/nsec3/ns2/named.conf.in b/bin/tests/system/nsec3/ns2/named.conf.j2 similarity index 100% rename from bin/tests/system/nsec3/ns2/named.conf.in rename to bin/tests/system/nsec3/ns2/named.conf.j2 diff --git a/bin/tests/system/nsec3/ns3/named-common.conf.j2 b/bin/tests/system/nsec3/ns3/named-common.conf.j2 new file mode 100644 index 00000000000..5dc8a7a552d --- /dev/null +++ b/bin/tests/system/nsec3/ns3/named-common.conf.j2 
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+dnssec-policy "nsec" {
+ // no need to change configuration: if no 'nsec3param' is set,
+ // NSEC will be used;
+};
+
+dnssec-policy "nsec3" {
+ nsec3param;
+};
+
+dnssec-policy "optout" {
+ nsec3param optout yes;
+};
+
+dnssec-policy "nsec3-other" {
+ nsec3param iterations 0 optout yes salt-length 8;
+};
+
diff --git a/bin/tests/system/nsec3/ns3/named-fips.conf.in b/bin/tests/system/nsec3/ns3/named-fips.conf.j2
similarity index 64%
rename from bin/tests/system/nsec3/ns3/named-fips.conf.in
rename to bin/tests/system/nsec3/ns3/named-fips.conf.j2
index 4ed7cc04272..50294575982 100644
--- a/bin/tests/system/nsec3/ns3/named-fips.conf.in
+++ b/bin/tests/system/nsec3/ns3/named-fips.conf.j2
@@ -11,52 +11,18 @@ * information regarding copyright ownership. */ -// NS3 - -dnssec-policy "nsec" { - // no need to change configuration: if no 'nsec3param' is set, - // NSEC will be used; -}; - -dnssec-policy "nsec3" { - nsec3param; -}; - -dnssec-policy "optout" { - nsec3param optout yes; -}; - -dnssec-policy "nsec3-other" { - nsec3param iterations 0 optout yes salt-length 8; -}; - -options { - query-source address 10.53.0.3; - notify-source 10.53.0.3; - transfer-source 10.53.0.3; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.3; }; - listen-on-v6 { none; }; - allow-transfer { any; }; - recursion no; - dnssec-validation no; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; +{% set reconfiged = reconfiged | default(False) %} +{% set nsec_to_nsec3 = "nsec" if not reconfiged else "nsec3" %} +{% set nsec3_to_nsec = "nsec3" if not reconfiged else "nsec" %} +{% set nsec3_change = "nsec3" if not reconfiged else "nsec3-other" %} +{% set nsec3_from_optout = "optout" if not reconfiged else "nsec3" %} +{% set nsec3_to_optout = "nsec3" if not reconfiged else "optout" %} /* This zone starts with NSEC, but will be reconfigured to use NSEC3. */ zone "nsec-to-nsec3.kasp" { type primary; file "nsec-to-nsec3.kasp.db"; - dnssec-policy "nsec"; + dnssec-policy "@nsec_to_nsec3@"; }; /* These zones use the default NSEC3 settings. */ @@ -84,14 +50,14 @@ zone "nsec3-other.kasp" { zone "nsec3-change.kasp" { type primary; file "nsec3-change.kasp.db"; - dnssec-policy "nsec3"; + dnssec-policy "@nsec3_change@"; }; zone "nsec3-dynamic-change.kasp" { type primary; file "nsec3-dynamic-change.kasp.db"; inline-signing no; - dnssec-policy "nsec3"; + dnssec-policy "@nsec3_change@"; allow-update { any; }; }; 
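Review bot: The six `{% set %}` lines at the top of the first named-fips.conf.j2 hunk define `reconfiged` and five derived policy names without saying where `reconfiged` comes from or how the `@name@` references further down are resolved, so a reader of the rendered file cannot tell that `nsec_to_nsec3` means "the policy this zone has before, then after, the reconfig". I would add a comment above the block, e.g. `{# reconfiged is supplied by the test driver: False on first start, True after the reconfig step; each *_to_* variable holds the dnssec-policy a zone uses before and after that switch #}` (assuming the harness keeps jinja's default `{# #}` comment delimiters). The `@var@` form presumably relies on the renderer being configured with `@` as its variable delimiters instead of `{{ }}`; stating that in the same comment would save the next reader a trip to the renderer. The same `{% set %}` block is repeated in named-rsasha1.conf.j2 and would benefit from the same comment.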
@@ -99,24 +65,27 @@ zone "nsec3-dynamic-change.kasp" { zone "nsec3-to-optout.kasp" { type primary; file "nsec3-to-optout.kasp.db"; - dnssec-policy "nsec3"; + dnssec-policy "@nsec3_to_optout@"; }; /* The zone will be reconfigured to disable opt-out. */ zone "nsec3-from-optout.kasp" { type primary; file "nsec3-from-optout.kasp.db"; - dnssec-policy "optout"; + dnssec-policy "@nsec3_from_optout@"; }; /* The zone starts with NSEC3, but will be reconfigured to use NSEC. */ zone "nsec3-to-nsec.kasp" { type primary; file "nsec3-to-nsec.kasp.db"; - dnssec-policy "nsec3"; + dnssec-policy "@nsec3_to_nsec@"; }; -/* The zone fails to load, this should not prevent shutdown. */ +/* + * The zone fails to load, this should not prevent shutdown. + * The zone is fixed after a reconfig. + */ zone "nsec3-fails-to-load.kasp" { type primary; file "nsec3-fails-to-load.kasp.db"; 
@@ -128,28 +97,56 @@ zone "nsec3-fails-to-load.kasp" { zone "nsec3-dynamic-to-inline.kasp" { type primary; file "nsec3-dynamic-to-inline.kasp.db"; - inline-signing no; dnssec-policy "nsec3"; +{% if not reconfiged %} allow-update { any; }; + inline-signing no; +{% endif %} }; zone "nsec3-inline-to-dynamic.kasp" { - type primary; - file "nsec3-inline-to-dynamic.kasp.db"; - dnssec-policy "nsec3"; + type primary; + file "nsec3-inline-to-dynamic.kasp.db"; + dnssec-policy "nsec3"; +{% if reconfiged %} + allow-update { any; }; + inline-signing no; +{% endif %} + }; -/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */ +{% if not reconfiged %} + +/* + * Test adding a NSEC3 record to an inline-signing dnssec-policy zone. + */ zone "nsec3-dynamic-update-inline.kasp" { - type primary; - file "nsec3-dynamic-update-inline.kasp.db"; - allow-update { any; }; - dnssec-policy "nsec"; + type primary; + file "nsec3-dynamic-update-inline.kasp.db"; + allow-update { any; }; + dnssec-policy "nsec"; }; +/* + * This zone will have an empty nonterminal node added and a node deleted. + */ zone "nsec3-xfr-inline.kasp" { type secondary; file "nsec3-xfr-inline.kasp.db"; dnssec-policy "nsec"; primaries { 10.53.0.2; }; }; + +{% else %} + +/* + * This zone will have an empty nonterminal node added and a node deleted. + */ +zone "nsec3-ent.kasp" { + type primary; + file "nsec3-ent.kasp.db"; + dnssec-policy "nsec3"; + inline-signing yes; +}; + +{% endif %} diff --git a/bin/tests/system/nsec3/ns3/named1.conf.in b/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2 similarity index 83% rename from bin/tests/system/nsec3/ns3/named1.conf.in rename to bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2 index 9b1235e36f6..c2cbf485ce3 100644 --- a/bin/tests/system/nsec3/ns3/named1.conf.in +++ b/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2 
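Review bot: The comment added above `zone "nsec3-xfr-inline.kasp"` in the `{% if not reconfiged %}` branch, `This zone will have an empty nonterminal node added and a node deleted.`, is the same text as the comment on `nsec3-ent.kasp` in the `{% else %}` branch and does not obviously describe a secondary zone transferred from 10.53.0.2; it looks like a copy-and-paste and should either say what nsec3-xfr-inline.kasp actually exercises or be dropped. Separately, `nsec3-inline-to-dynamic.kasp` gains a blank line between `{% endif %}` and the closing `};`, which no other zone block in the file has. Since the `{% if %}`/`{% else %}` split is the only place where the set of zones differs before and after the reconfig, a one-line comment at `{% if not reconfiged %}` such as `{# zones that exist only before (if) or only after (else) the reconfig #}` would make that intent explicit.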
@@ -11,9 +11,9 @@ * information regarding copyright ownership. */ -// NS3 - -include "named-fips.conf"; +{% set reconfiged = reconfiged | default(False) %} +{% set rsasha1_to_nsec3 = "rsasha1" if not reconfiged else "nsec3" %} +{% set nsec3_to_rsasha1 = "nsec3" if not reconfiged else "rsasha1" %} dnssec-policy "rsasha1" { keys { @@ -29,7 +29,7 @@ dnssec-policy "rsasha1" { zone "rsasha1-to-nsec3.kasp" { type primary; file "rsasha1-to-nsec3.kasp.db"; - dnssec-policy "rsasha1"; + dnssec-policy "@rsasha1_to_nsec3@"; }; /* @@ -40,7 +40,7 @@ zone "rsasha1-to-nsec3.kasp" { zone "rsasha1-to-nsec3-wait.kasp" { type primary; file "rsasha1-to-nsec3-wait.kasp.db"; - dnssec-policy "rsasha1"; + dnssec-policy "@rsasha1_to_nsec3@"; }; /* @@ -51,7 +51,7 @@ zone "rsasha1-to-nsec3-wait.kasp" { zone "nsec3-to-rsasha1.kasp" { type primary; file "nsec3-to-rsasha1.kasp.db"; - dnssec-policy "nsec3"; + dnssec-policy "@nsec3_to_rsasha1@"; }; /* @@ -63,5 +63,5 @@ zone "nsec3-to-rsasha1.kasp" { zone "nsec3-to-rsasha1-ds.kasp" { type primary; file "nsec3-to-rsasha1-ds.kasp.db"; - dnssec-policy "nsec3"; + dnssec-policy "@nsec3_to_rsasha1@"; }; diff --git a/bin/tests/system/nsec3/ns3/named.conf.j2 b/bin/tests/system/nsec3/ns3/named.conf.j2 new file mode 100644 index 00000000000..7dd06ad83cc --- /dev/null +++ b/bin/tests/system/nsec3/ns3/named.conf.j2 @@ -0,0 +1,21 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +include "named-common.conf"; +include "named-fips.conf"; + +{% if RSASHA1_SUPPORTED == "1" %} +include "named-rsasha1.conf"; +{% endif %} 
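Review bot: The new named.conf.j2 guards the RSASHA1 include with `{% if RSASHA1_SUPPORTED == "1" %}` and never references `named-rsasha0.conf`, while the commit description says the unsupported case includes a deliberately empty `named-rsasha0.conf` and the tests_nsec3_initial.py hunk adds `ns3/named-rsasha0.conf` to the artifact list. One side should be adjusted: either render `include "named-rsasha@RSASHA1_SUPPORTED@.conf";` as the description says, or keep the `{% if %}` form and drop the unused artifact entry and the sentence in the description. The string comparison `== "1"` also assumes the variable reaches the template as a string; setup.sh previously tested it with `[ $RSASHA1_SUPPORTED = 0 ]`, so confirm the type the renderer passes, because if it arrives as an integer the branch never fires and the RSASHA1 zones are silently never configured.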
diff --git a/bin/tests/system/nsec3/ns3/named2-fips.conf.in b/bin/tests/system/nsec3/ns3/named2-fips.conf.in
deleted file mode 100644
index 2c9a2b7e201..00000000000
--- a/bin/tests/system/nsec3/ns3/named2-fips.conf.in
+++ /dev/null
@@ -1,157 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-// NS3
-
-dnssec-policy "nsec" {
- // no need to change configuration: if no 'nsec3param' is set,
- // NSEC will be used;
-};
-
-dnssec-policy "nsec3" {
- nsec3param;
-};
-
-dnssec-policy "optout" {
- nsec3param optout yes;
-};
-
-dnssec-policy "nsec3-other" {
- nsec3param iterations 0 optout yes salt-length 8;
-};
-
-options {
- query-source address 10.53.0.3;
- notify-source 10.53.0.3;
- transfer-source 10.53.0.3;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.3; };
- listen-on-v6 { none; };
- allow-transfer { any; };
- recursion no;
- dnssec-validation no;
-};
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm @DEFAULT_HMAC@;
-};
-
-controls {
- inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
-zone "nsec-to-nsec3.kasp" {
- type primary;
- file "nsec-to-nsec3.kasp.db";
- //dnssec-policy "nsec";
- dnssec-policy "nsec3";
-};
-
-/* These zones use the default NSEC3 settings. */
-zone "nsec3.kasp" {
- type primary;
- file "nsec3.kasp.db";
- dnssec-policy "nsec3";
-};
-
-zone "nsec3-dynamic.kasp" {
- type primary;
- file "nsec3-dynamic.kasp.db";
- dnssec-policy "nsec3";
- allow-update { any; };
-};
-
-/* This zone uses non-default NSEC3 settings. */
-zone "nsec3-other.kasp" {
- type primary;
- file "nsec3-other.kasp.db";
- dnssec-policy "nsec3-other";
-};
-
-/* These zone will be reconfigured to use other NSEC3 settings. 
*/
-zone "nsec3-change.kasp" {
- type primary;
- file "nsec3-change.kasp.db";
- //dnssec-policy "nsec3";
- dnssec-policy "nsec3-other";
-};
-
-zone "nsec3-dynamic-change.kasp" {
- type primary;
- file "nsec3-dynamic-change.kasp.db";
- //dnssec-policy "nsec3";
- inline-signing no;
- dnssec-policy "nsec3-other";
- allow-update { any; };
-};
-
-/* The zone will be reconfigured to use opt-out. */
-zone "nsec3-to-optout.kasp" {
- type primary;
- file "nsec3-to-optout.kasp.db";
- //dnssec-policy "nsec3";
- dnssec-policy "optout";
-};
-
-/* The zone will be reconfigured to disable opt-out. */
-zone "nsec3-from-optout.kasp" {
- type primary;
- file "nsec3-from-optout.kasp.db";
- //dnssec-policy "optout";
- dnssec-policy "nsec3";
-};
-
-/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
-zone "nsec3-to-nsec.kasp" {
- type primary;
- file "nsec3-to-nsec.kasp.db";
- //dnssec-policy "nsec3";
- dnssec-policy "nsec";
-};
-
-/* The zone fails to load, but is fixed after a reload. */
-zone "nsec3-fails-to-load.kasp" {
- type primary;
- file "nsec3-fails-to-load.kasp.db";
- dnssec-policy "nsec3";
- allow-update { any; };
-};
-
-/* These zones switch from dynamic to inline-signing or vice versa. */
-zone "nsec3-dynamic-to-inline.kasp" {
- type primary;
- file "nsec3-dynamic-to-inline.kasp.db";
- dnssec-policy "nsec3";
- allow-update { any; };
-};
-
-zone "nsec3-inline-to-dynamic.kasp" {
- type primary;
- file "nsec3-inline-to-dynamic.kasp.db";
- inline-signing no;
- dnssec-policy "nsec3";
- allow-update { any; };
-};
-
-/*
- * This zone will have an empty nonterminal node added and a node deleted.
- */
-zone "nsec3-ent.kasp" {
- type primary;
- file "nsec3-ent.kasp.db";
- dnssec-policy "nsec3";
- inline-signing yes;
-};
diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in
deleted file mode 100644
index a883940f313..00000000000
--- a/bin/tests/system/nsec3/ns3/named2.conf.in
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-// NS3
-
-include "named-fips.conf";
-
-dnssec-policy "rsasha1" {
- keys {
- csk lifetime unlimited algorithm rsasha1;
- };
-};
-
-/*
- * This zone starts with NSEC, but will be reconfigured to use NSEC3.
- * This should work despite the incompatible RSAHSHA1 algorithm,
- * because the DS is still in hidden state.
- */
-zone "rsasha1-to-nsec3.kasp" {
- type primary;
- file "rsasha1-to-nsec3.kasp.db";
- //dnssec-policy "rsasha1";
- dnssec-policy "nsec3";
-};
-
-/*
- * This zone starts with NSEC, but will be reconfigured to use NSEC3.
- * This should block because RSASHA1 is not compatible with NSEC3,
- * and the DS is published.
- */
-zone "rsasha1-to-nsec3-wait.kasp" {
- type primary;
- file "rsasha1-to-nsec3-wait.kasp.db";
- //dnssec-policy "rsasha1";
- dnssec-policy "nsec3";
-};
-
-/*
- * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
- * NSEC only algorithm. This should work despite the incompatible RSAHSHA1
- * algorithm, because the DS is still in hidden state.
- */
-zone "nsec3-to-rsasha1.kasp" {
- type primary;
- file "nsec3-to-rsasha1.kasp.db";
- //dnssec-policy "nsec3";
- dnssec-policy "rsasha1";
-};
-
-/*
- * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
- * NSEC only algorithm. This should also be fine because we are allowed
- * to change to NSEC with any algorithm, then we can also publish the new
- * DNSKEY and signatures of the RSASHA1 algorithm. 
- */ -zone "nsec3-to-rsasha1-ds.kasp" { - type primary; - file "nsec3-to-rsasha1-ds.kasp.db"; - //dnssec-policy "nsec3"; - dnssec-policy "rsasha1"; -}; diff --git a/bin/tests/system/nsec3/setup.sh b/bin/tests/system/nsec3/setup.sh index 56c3ac2eef3..1ddb23c55ab 100644 --- a/bin/tests/system/nsec3/setup.sh +++ b/bin/tests/system/nsec3/setup.sh @@ -16,19 +16,11 @@ set -e -copy_setports ns2/named.conf.in ns2/named.conf ( cd ns2 $SHELL setup.sh ) -if [ $RSASHA1_SUPPORTED = 0 ]; then - copy_setports ns3/named-fips.conf.in ns3/named.conf -else - copy_setports ns3/named-fips.conf.in ns3/named-fips.conf - # includes named-fips.conf - cp ns3/named1.conf.in ns3/named.conf -fi ( cd ns3 $SHELL setup.sh diff --git a/bin/tests/system/nsec3/tests_nsec3_initial.py b/bin/tests/system/nsec3/tests_nsec3_initial.py index 42fbce461a6..7f8b3e2fb9f 100644 --- a/bin/tests/system/nsec3/tests_nsec3_initial.py +++ b/bin/tests/system/nsec3/tests_nsec3_initial.py @@ -40,7 +40,10 @@ pytestmark = pytest.mark.extra_artifacts( "ns*/*.jnl", "ns*/*.signed", "ns*/keygen.out.*", + "ns3/named-common.conf", "ns3/named-fips.conf", + "ns3/named-rsasha0.conf", + "ns3/named-rsasha1.conf", ] )