Test named's check-svcb behaviour with UPDATE

Checks that malformed _dns SVCB records are rejected unless
check-svcb is set to no, in which case they are accepted. Both
missing ALPN and missing DOHPATH are checked for.

diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
index 1746ec147420b58234ab7ac34b111f81b1f16ee1..fae185c6901bd4fce9406dcf1741c5905d6e6628 100644 (file)
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -45,6 +45,7 @@ rm -f ns3/delegation.test.db
 rm -f ns3/dnskey.test.db
 rm -f ns3/dsset-*
 rm -f ns3/example.db
+rm -f ns3/relaxed.db
 rm -f ns3/multisigner.test.db
 rm -f ns3/many.test.bk
 rm -f ns3/nsec3param.test.db

diff --git a/bin/tests/system/nsupdate/ns3/named.conf.in b/bin/tests/system/nsupdate/ns3/named.conf.in
index f87048a9b456a15eaa75707c3d5c1d0a70581347..223ad4d1e1defaa609484bc88cfeef68aeb027bd 100644 (file)
--- a/bin/tests/system/nsupdate/ns3/named.conf.in
+++ b/bin/tests/system/nsupdate/ns3/named.conf.in
@@ -32,6 +32,13 @@ zone "example" {
        file "example.db";
 };
 
+zone "relaxed" {
+       type primary;
+       allow-update { any; };
+       check-svcb no;
+       file "relaxed.db";
+};
+
 zone "nsec3param.test" {
        type primary;
        allow-update { any; };

diff --git a/bin/tests/system/nsupdate/ns3/relaxed.db.in b/bin/tests/system/nsupdate/ns3/relaxed.db.in
new file mode 100644 (file)
index 0000000..a136322
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns3/relaxed.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+relaxed. 10 IN SOA relaxed. hostmaster.relaxed. 1 3600 900 2419200 3600
+relaxed. 10 IN NS relaxed.
+relaxed. 10 IN A 10.53.0.3
+relaxed. 10 IN NSEC3PARAM 1 1 0 -

diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index 50056dc4bf9cd4fab306eecd707ebac1881fdca4..b7d7b38107bea30b4c9736038cb6667feb50e9b9 100644 (file)
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -51,6 +51,7 @@ sed 's/example.nil/unixtime.nil/g' ns1/example1.db > ns1/unixtime.db
 sed 's/example.nil/yyyymmddvv.nil/g' ns1/example1.db > ns1/yyyymmddvv.db
 sed 's/example.nil/keytests.nil/g' ns1/example1.db > ns1/keytests.db
 cp -f ns3/example.db.in ns3/example.db
+cp -f ns3/relaxed.db.in ns3/relaxed.db
 cp -f ns3/too-big.test.db.in ns3/too-big.test.db
 
 # update_test.pl has its own zone file because it

diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index fa3839de3e4785fb0a7740fb87379f5259c3bcb0..f6be0f23ff10d135e038cd3e0778746fa7236a24 100755 (executable)
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -1556,6 +1556,66 @@ grep '10.53.0.1.*REFUSED' nsupdate.out.test$n > /dev/null || ret=1
 grep 'Reply from SOA query' nsupdate.out.test$n > /dev/null || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+n=$((n + 1))
+ret=0
+echo_i "check that named rejects '_dns' SVCB with missing ALPN ($n)"
+nextpart ns3/named.run > /dev/null
+$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone example
+check-svcb no
+update add _dns.ns.example 0 in SVCB 1 ns.example dohpath=/{?dns}
+send
+END
+grep 'status: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
+msg="update failed: _dns.ns.example/SVCB: no ALPN (REFUSED)"
+nextpart ns3/named.run | grep "$msg" ns3/named.run > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that named accepts '_dns' SVCB with missing ALPN (check-svcb no) ($n)"
+$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone relaxed
+check-svcb no
+update add _dns.ns.relaxed 0 in SVCB 1 ns.relaxed dohpath=/{?dns}
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.3 _dns.ns.relaxed SVCB > dig.out.ns3.test$n
+grep '1 ns.relaxed. key7="/{?dns}"' dig.out.ns3.test$n || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that named rejects '_dns' SVCB with missing DOHPATH ($n)"
+nextpart ns3/named.run > /dev/null
+$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone example
+check-svcb no
+update add _dns.ns.example 0 in SVCB 1 ns.example alpn=h2
+send
+END
+grep 'status: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
+msg="update failed: _dns.ns.example/SVCB: no DOHPATH (REFUSED)"
+nextpart ns3/named.run | grep "$msg" ns3/named.run > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that named accepts '_dns' SVCB with missing DOHPATH (check-svcb no) ($n)"
+$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone relaxed
+check-svcb no
+update add _dns.ns.relaxed 0 in SVCB 1 ns.relaxed alpn=h2
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.3 _dns.ns.relaxed SVCB > dig.out.ns3.test$n
+grep '1 ns.relaxed. alpn="h2"' dig.out.ns3.test$n || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 if ! $FEATURETEST --gssapi ; then
   echo_i "SKIPPED: GSSAPI tests"
 else