Extend the doth system test with IPv6 support [GL #2861]

This commit ensures that DoH (and DoT) functionality works well via
IPv6 as well.

The changes were made because it turned out that dig could not make
DoH queries against an IPv6 IP address. These tests ensure that such a
bug will not remain unnoticed.

The commit also increases the servers' startup timeout to 25 seconds
because the initial timeout of 14 seconds was too short to generate
(!) eight 4096 bit ephemeral RSA certificates on a heavily loaded CI
runner in some pipeline runs.

diff --git a/bin/tests/system/doth/ns1/named.conf.in b/bin/tests/system/doth/ns1/named.conf.in
index 0addde0c3231444c2a2539d77ab60fda96539fb2..a78e30c40f93ad34905f33424ff1f6a85c8c279c 100644 (file)
--- a/bin/tests/system/doth/ns1/named.conf.in
+++ b/bin/tests/system/doth/ns1/named.conf.in
@@ -27,8 +27,11 @@ options {
        pid-file "named.pid";
        listen-on { 10.53.0.1; };
        listen-on tls ephemeral { 10.53.0.1; };             // DoT
+       listen-on-v6 tls ephemeral { fd92:7065:b8e:ffff::1;};
        listen-on tls ephemeral http local { 10.53.0.1; };  // DoH
+       listen-on-v6 tls ephemeral http local { fd92:7065:b8e:ffff::1; };
        listen-on tls none http local { 10.53.0.1; };       // unencrypted DoH
+       listen-on-v6 tls none http local { fd92:7065:b8e:ffff::1; };
        listen-on-v6 { none; };
        recursion no;
        notify explicit;

diff --git a/bin/tests/system/doth/ns2/named.conf.in b/bin/tests/system/doth/ns2/named.conf.in
index 3cdc952270c4901f8bb9b7903b8eda64c1469829..0a77cf99520c695494ffe3e2ec694fc65bf33bcd 100644 (file)
--- a/bin/tests/system/doth/ns2/named.conf.in
+++ b/bin/tests/system/doth/ns2/named.conf.in
@@ -35,8 +35,11 @@ options {
        pid-file "named.pid";
        listen-on { 10.53.0.2; };
        listen-on tls local { 10.53.0.2; };             // DoT
+       listen-on-v6 tls local { fd92:7065:b8e:ffff::2; };
        listen-on tls local http local { 10.53.0.2; };  // DoH
+       listen-on-v6 tls local http local { fd92:7065:b8e:ffff::2; };
        listen-on tls none http local { 10.53.0.2; };   // unencrypted DoH
+       listen-on-v6 tls none http local { fd92:7065:b8e:ffff::2; };
        listen-on-v6 { none; };
        recursion no;
        notify no;

diff --git a/bin/tests/system/doth/tests.sh b/bin/tests/system/doth/tests.sh
index fd31cea1ee3b65f2aaecd76c44e3223562cf687a..39ed8571f52489d6242fff6a824af6d8c6c6cb33 100644 (file)
--- a/bin/tests/system/doth/tests.sh
+++ b/bin/tests/system/doth/tests.sh
@@ -63,6 +63,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking DoT query via IPv6 (ephemeral key) ($n)"
+ret=0
+dig_with_tls_opts -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoT query (static key) ($n)"
 ret=0
@@ -71,6 +79,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking DoT query via IPv6 (static key) ($n)"
+ret=0
+dig_with_tls_opts -6 @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoT XFR ($n)"
 ret=0
@@ -87,6 +103,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (POST) ($n)"
+ret=0
+dig_with_https_opts -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (POST, static key) ($n)"
 ret=0
@@ -95,6 +119,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (POST, static key) ($n)"
+ret=0
+dig_with_https_opts -6 @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (POST, nonstandard endpoint) ($n)"
 ret=0
@@ -103,6 +135,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (POST, nonstandard endpoint) ($n)"
+ret=0
+dig_with_https_opts -6 +https=/alter @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (POST, undefined endpoint, failure expected) ($n)"
 ret=0
@@ -111,6 +151,14 @@ grep "communications error" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (POST, undefined endpoint, failure expected) ($n)"
+ret=0
+dig_with_https_opts -6 +tries=1 +time=1 +https=/fake @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "communications error" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH XFR (POST) (failure expected) ($n)"
 ret=0
@@ -127,6 +175,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (GET) ($n)"
+ret=0
+dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (GET, static key) ($n)"
 ret=0
@@ -135,6 +191,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (GET, static key) ($n)"
+ret=0
+dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (GET, nonstandard endpoint) ($n)"
 ret=0
@@ -143,6 +207,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (GET, nonstandard endpoint) ($n)"
+ret=0
+dig_with_https_opts -6 +https-get=/alter @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (GET, undefined endpoint, failure expected) ($n)"
 ret=0
@@ -151,6 +223,14 @@ grep "communications error" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (GET, undefined endpoint, failure expected) ($n)"
+ret=0
+dig_with_https_opts -6 +tries=1 +time=1 +https-get=/fake @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "communications error" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH XFR (GET) (failure expected) ($n)"
 ret=0
@@ -167,6 +247,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking unencrypted DoH query via IPv6 (POST) ($n)"
+ret=0
+dig_with_http_opts -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking unencrypted DoH query (GET) ($n)"
 ret=0
@@ -175,6 +263,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking unencrypted DoH query via IPv6 (GET) ($n)"
+ret=0
+dig_with_http_opts -6 +http-plain-get @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking unencrypted DoH XFR (failure expected) ($n)"
 ret=0
@@ -192,6 +288,15 @@ grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 for a large answer (POST) ($n)"
+ret=0
+dig_with_https_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query for a large answer (GET) ($n)"
 ret=0
@@ -201,6 +306,15 @@ grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 for a large answer (GET) ($n)"
+ret=0
+dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking unencrypted DoH query for a large answer (POST) ($n)"
 ret=0
@@ -211,7 +325,16 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
-echo_i "checking unencrypted DoH query for a large answer (POST) ($n)"
+echo_i "checking unencrypted DoH query via IPv6 for a large answer (POST) ($n)"
+ret=0
+dig_with_http_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking unencrypted DoH query for a large answer (GET) ($n)"
 ret=0
 dig_with_http_opts +http-plain-get @10.53.0.1 biganswer.example A > dig.out.test$n
 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
@@ -219,6 +342,15 @@ grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking unencrypted DoH query via IPv6 for a large answer (GET) ($n)"
+ret=0
+dig_with_http_opts -6 +http-plain-get @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 test_opcodes() {
        EXPECT_STATUS="$1"
        shift
@@ -232,6 +364,14 @@ test_opcodes() {
                if [ $ret != 0 ]; then echo_i "failed"; fi
                status=$((status + ret))
 
+               n=$((n + 1))
+               echo_i "checking unexpected opcode query over DoH via IPv6 for opcode $op ($n)"
+               ret=0
+               dig_with_https_opts -6 +https @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n
+               grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+               if [ $ret != 0 ]; then echo_i "failed"; fi
+               status=$((status + ret))
+
                n=$((n + 1))
                echo_i "checking unexpected opcode query over DoH without encryption for opcode $op ($n)"
                ret=0
@@ -240,6 +380,14 @@ test_opcodes() {
                if [ $ret != 0 ]; then echo_i "failed"; fi
                status=$((status + ret))
 
+               n=$((n + 1))
+               echo_i "checking unexpected opcode query over DoH via IPv6 without encryption for opcode $op ($n)"
+               ret=0
+               dig_with_http_opts -6 +http-plain @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n
+               grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+               if [ $ret != 0 ]; then echo_i "failed"; fi
+               status=$((status + ret))
+
                n=$((n + 1))
                echo_i "checking unexpected opcode query over DoT for opcode $op ($n)"
                ret=0
@@ -247,6 +395,14 @@ test_opcodes() {
                grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
                if [ $ret != 0 ]; then echo_i "failed"; fi
                status=$((status + ret))
+
+               n=$((n + 1))
+               echo_i "checking unexpected opcode query over DoT via IPv6 for opcode $op ($n)"
+               ret=0
+               dig_with_tls_opts -6 +tls @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n
+               grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+               if [ $ret != 0 ]; then echo_i "failed"; fi
+               status=$((status + ret))
        done
 }
 

diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl
index ea82e615006a7a27f09c15662863dae9b2ae8657..5e146cbeea6f4cee56a86a8bb9f61b6363679286 100755 (executable)
--- a/bin/tests/system/start.pl
+++ b/bin/tests/system/start.pl
@@ -202,12 +202,12 @@ sub start_server {
        my $child = `$command`;
        chomp($child);
 
-       # wait up to 14 seconds for the server to start and to write the
+       # wait up to 25 seconds for the server to start and to write the
        # pid file otherwise kill this server and any others that have
        # already been started
        my $tries = 0;
        while (!-s $pid_file) {
-               if (++$tries > 140) {
+               if (++$tries > 250) {
                        print "I:$test:Couldn't start server $command (pid=$child)\n";
                        print "I:$test:failed\n";
                        kill "ABRT", $child if ("$child" ne "");