From: Artem Boldariev Date: Tue, 30 Nov 2021 00:05:29 +0000 (+0200) Subject: Extend the 'doth' system test with another XoT-enabled secondary X-Git-Tag: v9.17.21~10^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=746052031a605a3deb09ff7ddedf05330be0acc9;p=thirdparty%2Fbind9.git Extend the 'doth' system test with another XoT-enabled secondary This commit extends the 'doth' system test to include an additional XoT-enabled secondary which uses the supported client-side 'tls' parameters. --- diff --git a/bin/tests/system/doth/clean.sh b/bin/tests/system/doth/clean.sh index bd6739e94e1..6a51a71dccc 100644 --- a/bin/tests/system/doth/clean.sh +++ b/bin/tests/system/doth/clean.sh @@ -18,5 +18,5 @@ rm -f ./*/named.memstats rm -f ./*/named.run rm -f ./*/named.run.prev rm -f ./dig.out.* -rm -f ./*/example.db +rm -f ./*/example*.db rm -rf ./headers.* diff --git a/bin/tests/system/doth/ns1/named.conf.in b/bin/tests/system/doth/ns1/named.conf.in index 0cb6b41dddd..7ed99c66a6c 100644 --- a/bin/tests/system/doth/ns1/named.conf.in +++ b/bin/tests/system/doth/ns1/named.conf.in @@ -19,6 +19,24 @@ http local { endpoints { "/dns-query"; "/alter"; }; }; +tls tls-forward-secrecy { + protocols { TLSv1.2; }; + ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + prefer-server-ciphers yes; + key-file "../ns2/key.pem"; + cert-file "../ns2/cert.pem"; + dhparam-file "../ns2/dhparam3072.pem"; +}; + +tls tls-pfs-aes256 { + protocols { TLSv1.2; }; + ciphers "AES256:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + prefer-server-ciphers yes; + key-file "../ns2/key.pem"; + cert-file "../ns2/cert.pem"; + dhparam-file "../ns2/dhparam3072.pem"; +}; + options { port @PORT@; tls-port @TLSPORT@; @@ -26,13 +44,15 @@ options { http-port @HTTPPORT@; pid-file "named.pid"; listen-on { 10.53.0.1; }; - listen-on tls ephemeral { 10.53.0.1; }; // DoT - listen-on-v6 tls ephemeral { fd92:7065:b8e:ffff::1;}; + listen-on tls tls-forward-secrecy { 10.53.0.1; }; // DoT + listen-on-v6 tls tls-forward-secrecy { fd92:7065:b8e:ffff::1;}; listen-on tls ephemeral http local { 10.53.0.1; }; // DoH listen-on-v6 tls ephemeral http local { fd92:7065:b8e:ffff::1; }; listen-on tls none http local { 10.53.0.1; }; // unencrypted DoH listen-on-v6 tls none http local { fd92:7065:b8e:ffff::1; }; listen-on-v6 { none; }; + listen-on port @EXTRAPORT1@ tls tls-pfs-aes256 { 10.53.0.1; }; // DoT + listen-on-v6 port @EXTRAPORT1@ tls tls-pfs-aes256 { fd92:7065:b8e:ffff::1;}; recursion no; notify explicit; also-notify { 10.53.0.2 port @PORT@; }; @@ -52,3 +72,9 @@ zone "example" { file "example.db"; allow-transfer port @TLSPORT@ transport tls { any; }; }; + +zone "example2" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT1@ transport tls { any; }; +}; diff --git a/bin/tests/system/doth/ns3/named.conf.in b/bin/tests/system/doth/ns3/named.conf.in new file mode 100644 index 00000000000..0b7cbbe1e8e --- /dev/null +++ b/bin/tests/system/doth/ns3/named.conf.in @@ -0,0 +1,82 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +tls local { + key-file "../ns2/key.pem"; + cert-file "../ns2/cert.pem"; + dhparam-file "../ns2/dhparam3072.pem"; +}; + +http local { + endpoints { "/dns-query"; }; +}; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + tls-port @TLSPORT@; + https-port @HTTPSPORT@; + http-port @HTTPPORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on tls local { 10.53.0.3; }; // DoT + listen-on-v6 tls local { fd92:7065:b8e:ffff::3; }; + listen-on tls local http local { 10.53.0.3; }; // DoH + listen-on-v6 tls local http local { fd92:7065:b8e:ffff::3; }; + listen-on tls none http local { 10.53.0.3; }; // unencrypted DoH + listen-on-v6 tls none http local { fd92:7065:b8e:ffff::3; }; + listen-on-v6 { none; }; + recursion no; + notify no; + ixfr-from-differences yes; + check-integrity no; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +tls tls-v1.2-pfs { + protocols { TLSv1.2; }; + ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + prefer-server-ciphers no; +}; + +zone "example" { + type secondary; + primaries { 10.53.0.1 tls tls-v1.2-pfs; }; + file "example.db"; + allow-transfer { any; }; +}; + +tls tls-pfs-aes-128 { + protocols { TLSv1.2; }; + // AES128 does not match the setting on the server: AES256 + ciphers "AES128:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + prefer-server-ciphers no; +}; + +zone "example2" { + type secondary; + primaries port @EXTRAPORT1@ { 10.53.0.1 tls tls-pfs-aes-128; }; + file "example2.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/doth/setup.sh b/bin/tests/system/doth/setup.sh index d178cd48f95..dcbdb21a0d1 100644 --- a/bin/tests/system/doth/setup.sh +++ b/bin/tests/system/doth/setup.sh @@ -26,3 +26,4 @@ done copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf diff --git a/bin/tests/system/doth/tests.sh b/bin/tests/system/doth/tests.sh index 166f0410f10..d3680209f86 100644 --- a/bin/tests/system/doth/tests.sh +++ b/bin/tests/system/doth/tests.sh @@ -36,8 +36,12 @@ dig_with_opts() { } wait_for_tls_xfer() ( - dig_with_tls_opts -b 10.53.0.3 @10.53.0.2 example. AXFR > "dig.out.ns2.test$n" || return 1 - grep "^;" "dig.out.ns2.test$n" > /dev/null && return 1 + srv_number="$1" + shift + zone_name="$1" + shift + dig_with_tls_opts -b 10.53.0.3 "@10.53.0.$srv_number" "${zone_name}." AXFR > "dig.out.ns$srv_number.${zone_name}.test$n" || return 1 + grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" > /dev/null && return 1 return 0 ) @@ -54,11 +58,11 @@ if test $ret != 0 ; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "testing incoming XoT functionality (from secondary) ($n)" +echo_i "testing incoming XoT functionality (from the first secondary) ($n)" ret=0 -if retry_quiet 10 wait_for_tls_xfer; then - grep "^;" "dig.out.ns2.test$n" | cat_i - digcomp example.axfr.good "dig.out.ns2.test$n" || ret=1 +if retry_quiet 10 wait_for_tls_xfer 2 example; then + grep "^;" "dig.out.ns2.example.test$n" | cat_i + digcomp example.axfr.good "dig.out.ns2.example.test$n" || ret=1 else echo_i "timed out waiting for zone transfer" ret=1 @@ -66,6 +70,31 @@ fi if test $ret != 0 ; then echo_i "failed"; fi status=$((status+ret)) +n=$((n+1)) +echo_i "testing incoming XoT functionality (from the second secondary) ($n)" +ret=0 +if retry_quiet 10 wait_for_tls_xfer 3 example; then + grep "^;" "dig.out.ns3.example.test$n" | cat_i + digcomp example.axfr.good "dig.out.ns3.example.test$n" || ret=1 +else + echo_i "timed out waiting for zone transfer" + ret=1 +fi +if test $ret != 0 ; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "testing incoming XoT functionality (from the second secondary, mismatching ciphers, failure expected) ($n)" +ret=0 +if retry_quiet 10 wait_for_tls_xfer 3 example2; then + grep "^;" "dig.out.ns3.example2.test$n" | cat_i + test -f "ns3/example2.db" && ret=1 +else + echo_i "timed out waiting for zone transfer" +fi +if test $ret != 0 ; then echo_i "failed"; fi +status=$((status+ret)) + n=$((n + 1)) echo_i "checking DoT query (ephemeral key) ($n)" ret=0