From: Artem Boldariev
Date: Tue, 13 Feb 2024 15:17:19 +0000 (+0200)
Subject: Add a system test for #4572
X-Git-Tag: v9.19.22~28^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=17632ad22a5b642e72c0ef56b93f17660d9a3a0d;p=thirdparty%2Fbind9.git
Add a system test for #4572
This commit adds a test which exactly reproduces the situation give by the bug reporter.
---
diff --git a/bin/tests/system/doth/ns1/named.conf.in b/bin/tests/system/doth/ns1/named.conf.in
index 6a323db68e9..62a68580112 100644
--- a/bin/tests/system/doth/ns1/named.conf.in
+++ b/bin/tests/system/doth/ns1/named.conf.in
@@ -108,6 +108,12 @@ zone "." {
 allow-transfer port @TLSPORT@ transport tls { any; };
 };
 
+zone "test.example.com" {
+ type primary;
+ file "example.db";
+ allow-transfer transport tls { any; };
+};
+
 zone "example" {
 type primary;
 file "example.db";
diff --git a/bin/tests/system/doth/ns2/named.conf.in b/bin/tests/system/doth/ns2/named.conf.in
index 2fa20b193db..96200d0fd38 100644
--- a/bin/tests/system/doth/ns2/named.conf.in
+++ b/bin/tests/system/doth/ns2/named.conf.in
@@ -44,7 +44,10 @@ options {
 listen-on tls none http local { 10.53.0.2; }; // unencrypted DoH
 listen-on-v6 tls none http local { fd92:7065:b8e:ffff::2; };
 listen-on-v6 { none; };
- recursion no;
+ recursion yes;
+ allow-recursion { any; };
+ allow-query-cache { any; };
+ allow-recursion-on { 10.53.0.2; }; # allow-query-cache-on inherits;
 notify no;
 ixfr-from-differences yes;
 check-integrity no;
@@ -60,6 +63,17 @@ zone "." {
 file "../../_common/root.hint";
 };
 
+tls tls-example-primary-wrong-ca {
+ remote-hostname "srv01.crt01.example.com"; // enable Strict TLS
+ ca-file "not-a-file.pem";
+};
+
+zone "test.example.com" {
+ type forward;
+ forward only;
+ forwarders port @TLSPORT@ { 10.53.0.2 tls tls-example-primary-wrong-ca; };
+};
+
 tls tls-example-primary {
 remote-hostname "srv01.crt01.example.com"; // enable Strict TLS
 ca-file "../CA/CA.pem";
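Review bot: The new `zone "test.example.com"` block on ns1 gives no hint of why it exists, unlike the tests.sh hunk, which tags its stanza with `# see GL #4572`; a reader of this file alone cannot tell it is the reproduction primary for that issue. A one-line comment in the file's existing `//` style would do, e.g. `zone "test.example.com" { // GL #4572: primary behind the ns2 forward zone of the same name`. It also loads the same `example.db` as the neighbouring `zone "example"`, which is presumably intended for the test, but worth stating in that comment so the sharing is not mistaken for a copy-paste slip.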
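Review bot: The inline comment on the added `allow-recursion-on { 10.53.0.2; }; # allow-query-cache-on inherits;` uses `#` while every other comment in this file uses `//` (`// unencrypted DoH` three lines up); named accepts both, but the mixed markers stand out, so `allow-recursion-on { 10.53.0.2; }; // allow-query-cache-on inherits` would match. Separately, `allow-recursion { any; }` and `allow-query-cache { any; }` turn ns2 into an open recursor for the whole test network, while the new test in the tests.sh hunk queries from a single source, `-b 10.53.0.10`; if nothing else needs the wider ACL, limiting it to that client keeps the test server's exposure narrow, though inside the isolated harness this is hygiene rather than risk.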
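Review bot: The forward zone's `forwarders port @TLSPORT@ { 10.53.0.2 tls tls-example-primary-wrong-ca; };` points at 10.53.0.2, which is ns2's own listen address (`listen-on ... { 10.53.0.2; }` in the previous hunk), not at ns1, where the first hunk adds the `test.example.com` primary. If forwarding to itself is part of the reporter's setup that the commit message says it reproduces, a comment on that line should say so; otherwise the address looks like it should be ns1's. The deliberately bogus `ca-file "not-a-file.pem"` also deserves a comment so nobody later "repairs" it, e.g. `ca-file "not-a-file.pem"; // deliberately missing: the TLS setup must fail, not abort named (GL #4572)`.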
diff --git a/bin/tests/system/doth/tests.sh b/bin/tests/system/doth/tests.sh
index aad23527a24..3559c6757cb 100644
--- a/bin/tests/system/doth/tests.sh
+++ b/bin/tests/system/doth/tests.sh
@@ -916,5 +916,14 @@ grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+# see GL #4572
+n=$((n + 1))
+echo_i "testing that zone forwarding fails when using a wrong TLS configuration on the server without aborting it (a condition for bug #4572, failure expected) ($n)"
+ret=0
+dig_with_opts test.example.com. -b 10.53.0.10 @10.53.0.2 >dig.out.test$n || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+if test $ret != 0; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
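Review bot: The new stanza's `if test $ret != 0; then echo_i "failed"; fi` departs from the form every other stanza in this file uses, `if [ $ret != 0 ]; then echo_i "failed"; fi` (the context line at the top of the hunk); the outcome is identical, but the odd spelling stands out in a file of otherwise uniform test blocks. The assertion itself only greps `status: SERVFAIL`, so the "without aborting it" half of the description is checked indirectly: if named had died, dig would report no reply rather than SERVFAIL and the grep would fail, which is the right outcome but hides the intent. A follow-up query against ns2 that must still succeed, or a grep of ns2's log for the TLS failure, would make that property explicit rather than a side effect of the grep.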