From: Mark Andrews
Date: Thu, 6 Oct 2022 06:31:40 +0000 (+1100)
Subject: Test named's check-svcb behaviour with UPDATE
X-Git-Tag: v9.19.7~26^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1244a2ffb989620cbeeb7f1c2e9724e8c4fc1dc3;p=thirdparty%2Fbind9.git

Test named's check-svcb behaviour with UPDATE

Checks that malformed _dns SVCB records are rejected unless check-svcb is set to no, in which case they are accepted. Both missing ALPN and missing DOHPATH are checked for.
---
diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
index 1746ec14742..fae185c6901 100644
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -45,6 +45,7 @@ rm -f ns3/delegation.test.db
 rm -f ns3/dnskey.test.db
 rm -f ns3/dsset-*
 rm -f ns3/example.db
+rm -f ns3/relaxed.db
 rm -f ns3/multisigner.test.db
 rm -f ns3/many.test.bk
 rm -f ns3/nsec3param.test.db
diff --git a/bin/tests/system/nsupdate/ns3/named.conf.in b/bin/tests/system/nsupdate/ns3/named.conf.in
index f87048a9b45..223ad4d1e1d 100644
--- a/bin/tests/system/nsupdate/ns3/named.conf.in
+++ b/bin/tests/system/nsupdate/ns3/named.conf.in
@@ -32,6 +32,13 @@ zone "example" {
 file "example.db";
 };

+zone "relaxed" {
+ type primary;
+ allow-update { any; };
+ check-svcb no;
+ file "relaxed.db";
+};
+
 zone "nsec3param.test" {
 type primary;
 allow-update { any; };
diff --git a/bin/tests/system/nsupdate/ns3/relaxed.db.in b/bin/tests/system/nsupdate/ns3/relaxed.db.in
new file mode 100644
index 00000000000..a136322f784
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns3/relaxed.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+relaxed. 10 IN SOA relaxed. hostmaster.relaxed. 1 3600 900 2419200 3600
+relaxed. 10 IN NS relaxed.
+relaxed. 10 IN A 10.53.0.3
+relaxed. 10 IN NSEC3PARAM 1 1 0 -
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index 50056dc4bf9..b7d7b38107b 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -51,6 +51,7 @@ sed 's/example.nil/unixtime.nil/g' ns1/example1.db > ns1/unixtime.db
 sed 's/example.nil/yyyymmddvv.nil/g' ns1/example1.db > ns1/yyyymmddvv.db
 sed 's/example.nil/keytests.nil/g' ns1/example1.db > ns1/keytests.db
 cp -f ns3/example.db.in ns3/example.db
+cp -f ns3/relaxed.db.in ns3/relaxed.db
 cp -f ns3/too-big.test.db.in ns3/too-big.test.db

 # update_test.pl has its own zone file because it
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index fa3839de3e4..f6be0f23ff1 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -1556,6 +1556,66 @@ grep '10.53.0.1.*REFUSED' nsupdate.out.test$n > /dev/null || ret=1
 grep 'Reply from SOA query' nsupdate.out.test$n > /dev/null || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }

+n=$((n + 1))
+ret=0
+echo_i "check that named rejects '_dns' SVCB with missing ALPN ($n)"
+nextpart ns3/named.run > /dev/null
+$NSUPDATE -d < nsupdate.out.test$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone example
+check-svcb no
+update add _dns.ns.example 0 in SVCB 1 ns.example dohpath=/{?dns}
+send
+END
+grep 'status: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
+msg="update failed: _dns.ns.example/SVCB: no ALPN (REFUSED)"
+nextpart ns3/named.run | grep "$msg" ns3/named.run > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that named accepts '_dns' SVCB with missing ALPN (check-svcb no) ($n)"
+$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone relaxed
+check-svcb no
+update add _dns.ns.relaxed 0 in SVCB 1 ns.relaxed dohpath=/{?dns}
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.3 _dns.ns.relaxed SVCB > dig.out.ns3.test$n
+grep '1 ns.relaxed. 
key7="/{?dns}"' dig.out.ns3.test$n || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that named rejects '_dns' SVCB with missing DOHPATH ($n)"
+nextpart ns3/named.run > /dev/null
+$NSUPDATE -d < nsupdate.out.test$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone example
+check-svcb no
+update add _dns.ns.example 0 in SVCB 1 ns.example alpn=h2
+send
+END
+grep 'status: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
+msg="update failed: _dns.ns.example/SVCB: no DOHPATH (REFUSED)"
+nextpart ns3/named.run | grep "$msg" ns3/named.run > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that named accepts '_dns' SVCB with missing DOHPATH (check-svcb no) ($n)"
+$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone relaxed
+check-svcb no
+update add _dns.ns.relaxed 0 in SVCB 1 ns.relaxed alpn=h2
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.3 _dns.ns.relaxed SVCB > dig.out.ns3.test$n
+grep '1 ns.relaxed. alpn="h2"' dig.out.ns3.test$n || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 if ! $FEATURETEST --gssapi ; then
 echo_i "SKIPPED: GSSAPI tests"
 else
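Review bot: In both reject tests (the "missing ALPN" block at the top of the hunk and the "missing DOHPATH" block later in it), `nextpart ns3/named.run | grep "$msg" ns3/named.run > /dev/null || ret=1` gives grep a file operand, so grep ignores the piped stdin and searches the whole of ns3/named.run rather than only the lines logged since the preceding `nextpart`; the freshly consumed log slice is simply discarded. The assertion therefore only proves the message was logged at some point during the run, not that this particular UPDATE produced it, and a stale match from an earlier test would mask a regression. Change both lines to `nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1`. The `$NSUPDATE -d < nsupdate.out.test$n 2>&1` lines presumably read `<<END > nsupdate.out.test$n` in the committed file; as rendered here the heredoc operator is missing, which looks like an extraction artifact rather than a defect in the change.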