--- /dev/null
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f ./*/named.conf
+rm -f ./*/named.memstats
+rm -f ./*/named.run
+rm -f ./*/named.run.prev
+rm -f ./dig.out.*
+rm -f ./gnutls-cli.*
+rm -f ./sslyze.log.*
+rm -f ./*/example*.db
+rm -rf ./headers.*
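Review bot: The `rm -f ./gnutls-cli.*`, `rm -f ./sslyze.log.*` and `rm -rf ./headers.*` lines remove files that nothing else in this change produces — tests.sh only writes `dig.out.ns*` files — so they appear to be carried over from another test directory's clean.sh. They are harmless but misleading about what this test generates; either drop them or add a one-line comment naming which tool is expected to produce them. Conversely ns1's options set `statistics-file "named.stats"`, and `./*/named.stats` is not cleaned here; if the harness ever dumps statistics that file would survive between runs, so `rm -f ./*/named.stats` is worth adding alongside the `named.run` lines.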
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls tls-perfect-forward-secrecy {
+ protocols { TLSv1.3; };
+ cipher-suites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+ key-file "../self-signed-key.pem";
+ cert-file "../self-signed-cert.pem";
+ session-tickets no;
+};
+
+tls tls-pfs-aes256 {
+ protocols { TLSv1.3; };
+ cipher-suites "TLS_AES_256_GCM_SHA384";
+ key-file "../self-signed-key.pem";
+ cert-file "../self-signed-cert.pem";
+ session-tickets no;
+};
+
+tls tls-pfs-aes128 {
+ protocols { TLSv1.3; };
+ cipher-suites "TLS_AES_128_GCM_SHA256";
+ key-file "../self-signed-key.pem";
+ cert-file "../self-signed-cert.pem";
+ session-tickets no;
+};
+
+tls tls-pfs-chacha20 {
+ protocols { TLSv1.3; };
+ cipher-suites "TLS_CHACHA20_POLY1305_SHA256";
+ key-file "../self-signed-key.pem";
+ cert-file "../self-signed-cert.pem";
+ session-tickets no;
+};
+
+options {
+ port @PORT@;
+ tls-port @TLSPORT@;
+ pid-file "named.pid";
+ listen-on-v6 { none; };
+ listen-on { 10.53.0.1; };
+ listen-on tls tls-perfect-forward-secrecy { 10.53.0.1; };
+ listen-on port @EXTRAPORT1@ tls tls-pfs-aes128 { 10.53.0.1; };
+ listen-on port @EXTRAPORT2@ tls tls-pfs-aes256 { 10.53.0.1; };
+ listen-on port @EXTRAPORT3@ tls tls-pfs-chacha20 { 10.53.0.1; };
+ recursion no;
+ notify explicit;
+ also-notify { 10.53.0.2 port @PORT@; };
+ statistics-file "named.stats";
+ dnssec-validation yes;
+ tcp-initial-timeout 1200;
+ transfers-in 100;
+ transfers-out 100;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+ allow-transfer port @TLSPORT@ transport tls { any; };
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ allow-transfer port @TLSPORT@ transport tls { any; };
+};
+
+zone "example-aes-128" {
+ type primary;
+ file "example.db";
+ allow-transfer port @EXTRAPORT1@ transport tls { any; };
+};
+
+zone "example-aes-256" {
+ type primary;
+ file "example.db";
+ allow-transfer port @EXTRAPORT2@ transport tls { any; };
+};
+
+zone "example-chacha-20" {
+ type primary;
+ file "example.db";
+ allow-transfer port @EXTRAPORT3@ transport tls { any; };
+};
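Review bot: The relationship between the four `tls` blocks, the four `listen-on` lines and the per-zone `allow-transfer port ... transport tls` clauses is the whole point of this primary, but the file does not say so, and a reader could "simplify" it by merging the listeners. A short comment above the `tls tls-perfect-forward-secrecy` block would make the intent explicit, e.g. `// Each extra TLS listener is pinned to a single TLSv1.3 cipher suite; every zone below is bound to one listener via "allow-transfer port ... transport tls", so a secondary can only transfer a zone whose listener it can negotiate a suite with.` The `allow-transfer { any; }` address match is acceptable only because this is the closed 10.53.0.0/24 test network; stating that in the same comment avoids the config being copied as a template.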
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls local {
+ key-file "../self-signed-key.pem";
+ cert-file "../self-signed-cert.pem";
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ tls-port @TLSPORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on tls local { 10.53.0.2; }; // DoT
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ ixfr-from-differences yes;
+ check-integrity no;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../_common/root.hint";
+};
+
+tls tls-v1.3 {
+ protocols { TLSv1.3; };
+ cipher-suites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+ prefer-server-ciphers no;
+};
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.1 tls tls-v1.3; };
+ file "example.db";
+ allow-transfer { any; };
+};
+
+tls tls-v1.3-aes-128 {
+ protocols { TLSv1.3; };
+ cipher-suites "TLS_AES_128_GCM_SHA256";
+ prefer-server-ciphers no;
+};
+
+zone "example-aes-128" {
+ type secondary;
+ primaries port @EXTRAPORT1@ { 10.53.0.1 tls tls-v1.3-aes-128; };
+ file "example-aes-128.db";
+ allow-transfer { any; };
+};
+
+zone "example-aes-256" {
+ type secondary;
+ primaries port @EXTRAPORT2@ { 10.53.0.1 tls tls-v1.3-aes-128; };
+ file "example-aes-256.db";
+ allow-transfer { any; };
+};
+
+zone "example-chacha-20" {
+ type secondary;
+ primaries port @EXTRAPORT3@ { 10.53.0.1 tls tls-v1.3-aes-128; };
+ file "example-chacha-20.db";
+ allow-transfer { any; };
+};
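Review bot: The `primaries` entries for `example-aes-256` and `example-chacha-20` deliberately reference `tls-v1.3-aes-128`, which tests.sh expects to fail, but nothing in the file marks this as intentional, so a later maintainer is likely to "correct" the tls name and silently turn two negative tests into positive ones. The same applies to ns3 (zones `example-aes-128`/`example-chacha-20` using `tls-v1.3-aes-256`) and ns4 (zones `example-aes-128`/`example-aes-256` using `tls-v1.3-chacha20`). A comment on each mismatched zone such as `// deliberately mismatched cipher suite: transfer must fail (see tests.sh)` is enough.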
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls local {
+ key-file "../self-signed-key.pem";
+ cert-file "../self-signed-cert.pem";
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ tls-port @TLSPORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on tls local { 10.53.0.3; }; // DoT
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ ixfr-from-differences yes;
+ check-integrity no;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../_common/root.hint";
+};
+
+tls tls-v1.3 {
+ protocols { TLSv1.3; };
+ cipher-suites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+ prefer-server-ciphers no;
+};
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.1 tls tls-v1.3; };
+ file "example.db";
+ allow-transfer { any; };
+};
+
+tls tls-v1.3-aes-256 {
+ protocols { TLSv1.3; };
+ cipher-suites "TLS_AES_256_GCM_SHA384";
+ prefer-server-ciphers no;
+};
+
+zone "example-aes-128" {
+ type secondary;
+ primaries port @EXTRAPORT1@ { 10.53.0.1 tls tls-v1.3-aes-256; };
+ file "example-aes-128.db";
+ allow-transfer { any; };
+};
+
+zone "example-aes-256" {
+ type secondary;
+ primaries port @EXTRAPORT2@ { 10.53.0.1 tls tls-v1.3-aes-256; };
+ file "example-aes-256.db";
+ allow-transfer { any; };
+};
+
+zone "example-chacha-20" {
+ type secondary;
+ primaries port @EXTRAPORT3@ { 10.53.0.1 tls tls-v1.3-aes-256; };
+ file "example-chacha-20.db";
+ allow-transfer { any; };
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls local {
+ key-file "../self-signed-key.pem";
+ cert-file "../self-signed-cert.pem";
+};
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ tls-port @TLSPORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on tls local { 10.53.0.4; }; // DoT
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ ixfr-from-differences yes;
+ check-integrity no;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../_common/root.hint";
+};
+
+tls tls-v1.3 {
+ protocols { TLSv1.3; };
+ cipher-suites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+ prefer-server-ciphers no;
+};
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.1 tls tls-v1.3; };
+ file "example.db";
+ allow-transfer { any; };
+};
+
+tls tls-v1.3-chacha20 {
+ protocols { TLSv1.3; };
+ cipher-suites "TLS_CHACHA20_POLY1305_SHA256";
+ prefer-server-ciphers no;
+};
+
+zone "example-aes-128" {
+ type secondary;
+ primaries port @EXTRAPORT1@ { 10.53.0.1 tls tls-v1.3-chacha20; };
+ file "example-aes-128.db";
+ allow-transfer { any; };
+};
+
+zone "example-aes-256" {
+ type secondary;
+ primaries port @EXTRAPORT2@ { 10.53.0.1 tls tls-v1.3-chacha20; };
+ file "example-aes-256.db";
+ allow-transfer { any; };
+};
+
+zone "example-chacha-20" {
+ type secondary;
+ primaries port @EXTRAPORT3@ { 10.53.0.1 tls tls-v1.3-chacha20; };
+ file "example-chacha-20.db";
+ allow-transfer { any; };
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls local {
+ key-file "../self-signed-key.pem";
+ cert-file "../self-signed-cert.pem";
+};
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ tls-port @TLSPORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on tls local { 10.53.0.5; }; // DoT
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ ixfr-from-differences yes;
+ check-integrity no;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../_common/root.hint";
+};
+
+tls tls-v1.2 {
+ protocols { TLSv1.2; };
+ prefer-server-ciphers no;
+};
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.1 tls tls-v1.2; };
+ file "example.db";
+ allow-transfer { any; };
+};
+
+zone "example-aes-128" {
+ type secondary;
+ primaries port @EXTRAPORT1@ { 10.53.0.1 tls tls-v1.2; };
+ file "example-aes-128.db";
+ allow-transfer { any; };
+};
+
+zone "example-aes-256" {
+ type secondary;
+ primaries port @EXTRAPORT2@ { 10.53.0.1 tls tls-v1.2; };
+ file "example-aes-256.db";
+ allow-transfer { any; };
+};
+
+zone "example-chacha-20" {
+ type secondary;
+ primaries port @EXTRAPORT3@ { 10.53.0.1 tls tls-v1.2; };
+ file "example-chacha-20.db";
+ allow-transfer { any; };
+};
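Review bot: The `tls tls-v1.2` block restricts this secondary to TLSv1.2 while every listener on ns1 accepts only TLSv1.3, so all four zones on this server are negative cases, yet the file reads like a misconfigured copy of ns2–ns4. Add a comment above the `tls tls-v1.2` block, e.g. `// Intentionally TLSv1.2-only: ns1 requires TLSv1.3, so none of the transfers below may succeed (tests.sh).` Note also that this block carries no `cipher-suites` option, which is consistent with the feature test gating on `SSL_CTX_set_ciphersuites()` (that API configures TLSv1.3 suites only), and the comment could say so to forestall someone adding one.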
--- /dev/null
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+$FEATURETEST --have-openssl-cipher-suites || {
+ echo_i "SSL_CTX_set_ciphersuites() is required for the test."
+ exit 255
+}
+
+exit 0
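Review bot: `$FEATURETEST` is expanded unquoted on the first non-comment line after the `. ../conf.sh` source, so a build directory containing whitespace would split the path into several words; `"$FEATURETEST" --have-openssl-cipher-suites || {` keeps the same behaviour otherwise. The trailing `exit 0` is redundant (the script already exits 0 when the `||` branch is not taken) but harmless under `#!/bin/sh`.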
--- /dev/null
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIME55eKuHtLyCHYCvJcIU1o8FdATceC7rQWwEyIhnzINoAoGCCqGSM49
+AwEHoUQDQgAEAvOwTFQkxZ5buinXL2II3F2Bkq7BfycqugoRJohm6avxEqKFpByu
+6gWQxgWFFelXAz2FRhT4SK+E1o/b9X2EGA==
+-----END EC PRIVATE KEY-----
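Review bot: This EC private key is committed in clear text and, judging by the `key-file "../self-signed-key.pem"` references in all five named.conf.in files, lives at the root of the test directory. Repository secret scanners will flag it on every run, so it should be recorded as a test fixture (an allowlist entry or a line in the test's README) rather than repeatedly triaged. The legacy `BEGIN EC PARAMETERS` block preceding the key is ignored by OpenSSL's PEM reader, but some other TLS libraries reject it; if the fixture is ever consumed by something other than named, generating the key in plain PKCS#8 form avoids that.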
--- /dev/null
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+$SHELL "${TOP_SRCDIR}/bin/tests/system/genzone.sh" 2 >ns1/example.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
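Review bot: ns1's `zone "."` loads `file "root.db"`, but this script only generates `ns1/example.db` and clean.sh does not remove a `root.db`, so it is presumably a checked-in fixture that is not part of this diff; if that file does not exist, ns1 will fail to start and every positive case in tests.sh fails with a misleading transfer error. A `[ -f ns1/root.db ] || { echo_i "ns1/root.db missing"; exit 1; }` line before the `copy_setports` calls would make that explicit. The five identical `copy_setports` lines could also be one loop, `for ns in 1 2 3 4 5; do copy_setports "ns$ns/named.conf.in" "ns$ns/named.conf"; done`, and `$SHELL` on the genzone line should be quoted for the same reason as any other path-bearing variable.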
--- /dev/null
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+# shellcheck disable=SC1091
+. ../conf.sh
+
+testing="testing zone transfer over TLS (XoT): "
+
+common_dig_options="+noadd +nosea +nostat +noquest +nocmd"
+
+status=0
+n=0
+
+dig_with_tls_opts() {
+ # shellcheck disable=SC2086
+ "$DIG" +tls $common_dig_options -p "${TLSPORT}" "$@"
+}
+
+wait_for_tls_xfer() (
+ srv_number="$1"
+ shift
+ zone_name="$1"
+ shift
+ # Let's bind to .10 to make it possible to easily distinguish dig from NSs in packet traces
+ dig_with_tls_opts -b 10.53.0.10 "@10.53.0.$srv_number" "${zone_name}." AXFR >"dig.out.ns$srv_number.${zone_name}.test$n" || return 1
+ grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" >/dev/null && return 1
+ return 0
+)
+
+tls_xfer_expect_success() {
+ test_message="$1"
+ shift
+ n=$((n + 1))
+ echo_i "$test_message - zone \"$2\" at \"ns$1\" ($n)"
+ ret=0
+ retry_quiet 10 wait_for_tls_xfer "$@" || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+}
+
+tls_xfer_expect_failure() {
+ test_message="$1"
+ shift
+ n=$((n + 1))
+ echo_i "$test_message - zone \"$2\" at \"ns$1\", failure expected ($n)"
+ ret=0
+ retry_quiet 10 wait_for_tls_xfer "$@" && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+}
+
+tls_xfer_expect_success "$testing" 2 example
+tls_xfer_expect_success "$testing" 3 example
+tls_xfer_expect_success "$testing" 4 example
+
+tls_xfer_expect_success "$testing" 2 example-aes-128
+tls_xfer_expect_success "$testing" 3 example-aes-256
+tls_xfer_expect_success "$testing" 4 example-chacha-20
+
+tls_xfer_expect_failure "$testing" 2 example-aes-256
+tls_xfer_expect_failure "$testing" 2 example-chacha-20
+
+tls_xfer_expect_failure "$testing" 3 example-aes-128
+tls_xfer_expect_failure "$testing" 3 example-chacha-20
+
+tls_xfer_expect_failure "$testing" 4 example-aes-128
+tls_xfer_expect_failure "$testing" 4 example-aes-256
+
+# NS5 tries to download the zone over TLSv1.2
+tls_xfer_expect_failure "$testing" 5 example
+tls_xfer_expect_failure "$testing" 5 example-aes-128
+tls_xfer_expect_failure "$testing" 5 example-aes-256
+tls_xfer_expect_failure "$testing" 5 example-chacha-20
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
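Review bot: `wait_for_tls_xfer` reports failure on any dig output line starting with `;`, which matches both a refused transfer and a completely unreachable secondary, so each `tls_xfer_expect_failure` case would also pass if the server in question were never started or listened on the wrong TLS port. The file is ordered so that the positive cases for ns2–ns4 run first and prove reachability, but ns5 only has negative cases and nothing in this script proves it is up at all; a preceding positive check (for example a plain `dig +tls` SOA query against ns5 over `${TLSPORT}`) or a grep of the expected handshake-failure message in ns5's log would turn those four cases into real negative tests. At minimum add a comment above the first `tls_xfer_expect_failure` call: `# Negative cases rely on the positive cases above having shown each secondary is reachable over TLS.` Separately, `if [ $ret != 0 ]` should be `if [ "$ret" -ne 0 ]` for a numeric comparison.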
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_cipher_suites(run_tests_sh):
+ run_tests_sh()
fprintf(stderr, "\t--have-geoip2\n");
fprintf(stderr, "\t--have-json-c\n");
fprintf(stderr, "\t--have-libxml2\n");
+ fprintf(stderr, "\t--have-openssl-cipher-suites\n");
fprintf(stderr, "\t--ipv6only=no\n");
fprintf(stderr, "\t--md5\n");
fprintf(stderr, "\t--rsasha1\n");
#endif /* ifdef HAVE_LIBXML2 */
}
+ if (strcmp(argv[1], "--have-openssl-cipher-suites") == 0) {
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+ return (0);
+#else /* ifdef HAVE_SSL_CTX_SET_CIPHERSUITES */
+ return (1);
+#endif /* ifdef HAVE_SSL_CTX_SET_CIPHERSUITES */
+ }
+
if (strcmp(argv[1], "--tsan") == 0) {
#if defined(__has_feature)
#if __has_feature(thread_sanitizer)