listen-on tls none http local { 10.53.0.2; }; // unencrypted DoH
listen-on-v6 tls none http local { fd92:7065:b8e:ffff::2; };
listen-on-v6 { none; };
- recursion no;
+ recursion yes;
+ allow-recursion { any; };
+ allow-query-cache { any; };
+ allow-recursion-on { 10.53.0.2; }; # allow-query-cache-on inherits;
notify no;
ixfr-from-differences yes;
check-integrity no;
file "../../_common/root.hint";
};
+tls tls-example-primary-wrong-ca {
+ remote-hostname "srv01.crt01.example.com"; // enable Strict TLS
+ ca-file "not-a-file.pem";
+};
+
+zone "test.example.com" {
+ type forward;
+ forward only;
+ forwarders port @TLSPORT@ { 10.53.0.2 tls tls-example-primary-wrong-ca; };
+};
+
tls tls-example-primary {
remote-hostname "srv01.crt01.example.com"; // enable Strict TLS
ca-file "../CA/CA.pem";
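Review bot: `allow-recursion { any; };` and `allow-query-cache { any; };` on L6–L7 turn this instance into an open resolver, and nothing in the hunk marks that as deliberate; it is contained only because `listen-on`/`allow-recursion-on` pin the service to 10.53.0.2 inside the test harness. I would say so next to the directive, e.g. `allow-recursion { any; }; // test-only: confined to 10.53.0.2 by listen-on/allow-recursion-on`, so the block is not copied into a real config. The forward zone on L19–L23 also sends `test.example.com` back to 10.53.0.2 itself over `@TLSPORT@`, i.e. named forwards to its own TLS listener; the test appears to rely on the nonexistent `ca-file` breaking the handshake rather than on anything preventing a self-forward, and a one-line comment stating that intent would help future readers, as would a `forwarders` comment noting that the intended outcome is SERVFAIL, not a served answer. The `tls tls-example-primary` block starting on L25 continues outside the hunk.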
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
+# see GL #4572
+n=$((n + 1))
+echo_i "testing that zone forwarding fails when using a wrong TLS configuration on the server without aborting it (a condition for bug #4572, failure expected) ($n)"
+ret=0
+dig_with_opts test.example.com. -b 10.53.0.10 @10.53.0.2 >dig.out.test$n || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+if test $ret != 0; then echo_i "failed"; fi
+status=$((status + ret))
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
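Review bot: The new check on L34–L35 asserts only that the forwarded query comes back SERVFAIL, which by itself does not establish the property the message on L32 claims — that named survived the bad TLS configuration; a resolver that died would typically yield a dig timeout rather than SERVFAIL, so the outcome is distinguished only indirectly. A follow-up liveness probe after the SERVFAIL grep, such as a second `dig_with_opts` for a name this server answers itself (or whatever status command the harness uses elsewhere in this script) with `|| ret=1`, would pin "without aborting it" directly. Minor style point: L36 uses `if test $ret != 0` while the existing line on L28 uses `if [ $ret != 0 ]`; keep one form, e.g. `if [ $ret != 0 ]; then echo_i "failed"; fi`. The preceding test whose tail is on L28–L29 starts outside the hunk.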