listen-on port @EXTRAPORT4@ tls tls-expired { 10.53.0.1; }; // DoT
listen-on port @EXTRAPORT5@ tls tls-forward-secrecy-mutual-tls { 10.53.0.1; }; // DoT
listen-on port @EXTRAPORT6@ tls tls-forward-secrecy-mutual-tls http local { 10.53.0.1; }; // DoH
+ listen-on port @EXTRAPORT7@ tls tls-forward-secrecy { 10.53.0.1; }; // DoT
recursion no;
notify explicit;
also-notify { 10.53.0.2 port @PORT@; };
file "example.db";
allow-transfer port @EXTRAPORT5@ transport tls { any; };
};
+
+zone "example12" {
+ type primary;
+ file "example.db";
+ allow-transfer port @EXTRAPORT7@ transport tls { any; };
+};
+
+zone "example13" {
+ type primary;
+ file "example.db";
+ allow-transfer port @EXTRAPORT7@ transport tls { any; };
+};
+
+zone "example14" {
+ type primary;
+ file "example.db";
+ allow-transfer port @EXTRAPORT7@ transport tls { any; };
+};
+
+zone "example15" {
+ type primary;
+ file "example.db";
+ allow-transfer port @EXTRAPORT7@ transport tls { any; };
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# We need a separate instance for the "rndc reconfig" test in order to
+# ensure that it does not use ephemeral keys (these are costly to
+# generate) and creates a minimal amount of TLS contexts, reducing the
+# time needed for startup/reconfiguration. Long
+# startup/reconfiguration was known to cause timeout issues in the CI
+# system, where many tests run in parallel.
+
+include "../../_common/rndc.key";
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ tls-port @TLSPORT@;
+ https-port @HTTPSPORT@;
+ http-port @HTTPPORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ ixfr-from-differences yes;
+ check-integrity no;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../_common/root.hint";
+};
+
+# Let's reuse the same entry multiple times to see if transfers will succeed
+
+tls tls-v1.2 {
+ protocols { TLSv1.2; };
+ prefer-server-ciphers yes;
+};
+
+zone "example12" {
+ type secondary;
+ primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; };
+ file "example12.db";
+ allow-transfer { any; };
+};
+
+zone "example13" {
+ type secondary;
+ primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; };
+ file "example13.db";
+ allow-transfer { any; };
+};
+
+zone "example14" {
+ type secondary;
+ primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; };
+ file "example14.db";
+ allow-transfer { any; };
+};
+
+zone "example15" {
+ type secondary;
+ primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; };
+ file "example15.db";
+ allow-transfer { any; };
+};
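Review bot: The `tls tls-v1.2` block referenced by all four `primaries` lines sets only `protocols` and `prefer-server-ciphers`, with no `ca-file` or `remote-hostname`, so these transfers are encrypted but the secondary never verifies the certificate presented by 10.53.0.1. That is reasonable for a fixture that only exercises client TLS context reuse, but the file should say so, so the block is not copied as an XoT template. I would add above the block `# No ca-file/remote-hostname on purpose: the primary is not authenticated; this instance only tests TLS context reuse.` The header comment also names the "rndc reconfig" test, which looks carried over from another instance's configuration, and should describe what ns5 is for instead.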
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
status=$((status + ret))
fi
+n=$((n + 1))
+echo_i "checking Do53 query to NS5 for zone \"example12\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)"
+ret=0
+dig_with_opts +comm @10.53.0.5 example12 SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking Do53 query to NS5 for zone \"example13\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)"
+ret=0
+dig_with_opts +comm @10.53.0.5 example13 SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking Do53 query to NS5 for zone \"example14\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)"
+ret=0
+dig_with_opts +comm @10.53.0.5 example14 SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking Do53 query to NS5 for zone \"example15\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)"
+ret=0
+dig_with_opts +comm @10.53.0.5 example15 SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
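Review bot: Each of the four added checks queries ns5 exactly once, so a transfer that is still in flight when `dig` runs would presumably fail the test even though TLS context reuse works. Nothing visible in this hunk waits for example12 to example15 to finish transferring, though a wait may exist earlier in the script. The four stanzas also differ only in the zone name, so a loop over the zones with a retried helper would remove the duplication and the timing dependence together. The sketch below assumes the framework's `retry_quiet` helper is available in this script, and the retry count is a constructed value.

```shell
# sketch: soa_ok is a new helper; retry count is illustrative
soa_ok() {
  dig_with_opts +comm @10.53.0.5 "$1" SOA >dig.out.test$n || return 1
  grep "status: NOERROR" dig.out.test$n >/dev/null
}

for zone in example12 example13 example14 example15; do
  n=$((n + 1))
  echo_i "checking Do53 query to NS5 for zone \"$zone\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)"
  ret=0
  retry_quiet 10 soa_ok "$zone" || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
done
# … unchanged: exit status report …
```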