Test dynamic update forwarding when using a TLS-enabled primary

Add several test cases in the 'upforwd' system test to make sure
that different scenarios of Dynamic DNS update forwarding are
tested, in particular when both the original and forwarded requests
are over Do53, or DoT, or they use different transports.

diff --git a/bin/tests/system/upforwd/knowngood.after2 b/bin/tests/system/upforwd/knowngood.after2
index eab7a2cf0667e1e43348aa1429adfead32e29a1a..04a001f81372ba4b54e8d37721a8933cb36b35c9 100644 (file)
--- a/bin/tests/system/upforwd/knowngood.after2
+++ b/bin/tests/system/upforwd/knowngood.after2
@@ -4,8 +4,8 @@ example.                3600    IN      NS      ns3.example.
 ns1.example.           3600    IN      A       10.53.0.1
 ns2.example.           3600    IN      A       10.53.0.2
 ns3.example.           3600    IN      A       10.53.0.3
-unsigned.example.      600     IN      TXT     "Foo"
-unsigned.example.      600     IN      A       10.10.10.1
 updated.example.       600     IN      TXT     "Foo"
 updated.example.       600     IN      A       10.10.10.1
+updated-dot.example.   600     IN      TXT     "Foo"
+updated-dot.example.   600     IN      A       10.10.10.1
 example.               3600    IN      SOA     n1.example. hostmaster.ns1.example. 3 3600 1200 604800 7200

diff --git a/bin/tests/system/upforwd/knowngood.after3 b/bin/tests/system/upforwd/knowngood.after3
new file mode 100644 (file)
index 0000000..18407f0
--- /dev/null
+++ b/bin/tests/system/upforwd/knowngood.after3
@@ -0,0 +1,13 @@
+example.               3600    IN      SOA     n1.example. hostmaster.ns1.example. 4 3600 1200 604800 7200
+example.               3600    IN      NS      ns2.example.
+example.               3600    IN      NS      ns3.example.
+ns1.example.           3600    IN      A       10.53.0.1
+ns2.example.           3600    IN      A       10.53.0.2
+ns3.example.           3600    IN      A       10.53.0.3
+unsigned.example.      600     IN      TXT     "Foo"
+unsigned.example.      600     IN      A       10.10.10.1
+updated.example.       600     IN      TXT     "Foo"
+updated.example.       600     IN      A       10.10.10.1
+updated-dot.example.   600     IN      TXT     "Foo"
+updated-dot.example.   600     IN      A       10.10.10.1
+example.               3600    IN      SOA     n1.example. hostmaster.ns1.example. 4 3600 1200 604800 7200

diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
index 83ba6040c474b226d16681725bf387e177430b13..dad7b2ffbfe6b951f1c0c9c53bbc14c9ccfaa69d 100644 (file)
--- a/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
@@ -21,8 +21,10 @@ options {
        notify-source 10.53.0.1;
        transfer-source 10.53.0.1;
        port @PORT@;
+       tls-port @TLSPORT@;
        pid-file "named.pid";
        listen-on { 10.53.0.1; };
+       listen-on tls ephemeral { 10.53.0.1; };
        listen-on-v6 { none; };
        recursion yes;
        notify yes;

diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named.conf.in
index 75eed2ed9328df84ea5263b1c6fbb0bfcb21fe61..abb6770c099176a5f905c4e5608bc37cc0f2a602 100644 (file)
--- a/bin/tests/system/upforwd/ns3/named.conf.in
+++ b/bin/tests/system/upforwd/ns3/named.conf.in
@@ -16,8 +16,10 @@ options {
        notify-source 10.53.0.3;
        transfer-source 10.53.0.3;
        port @PORT@;
+       tls-port @TLSPORT@;
        pid-file "named.pid";
        listen-on { 10.53.0.3; };
+       listen-on tls ephemeral { 10.53.0.3; };
        listen-on-v6 { none; };
        recursion no;
        notify yes;
@@ -37,7 +39,7 @@ zone "example" {
        type secondary;
        file "example.bk";
        allow-update-forwarding { any; };
-       primaries { 10.53.0.1; };
+       primaries { 10.53.0.1 port @TLSPORT@ tls ephemeral; };
 };
 
 zone "example2" {

diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index 6d53af1c61094b12486261f56aa0867752500d63..33227c363d986b4576544834be4ceeacb59f56d0 100644 (file)
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -78,7 +78,7 @@ digcomp knowngood.before dig.out.ns2 || ret=1
 digcomp knowngood.before dig.out.ns3 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 
-echo_i "updating zone (signed) ($n)"
+echo_i "checking update forwarding of a zone (signed) (Do53 -> DoT) ($n)"
 ret=0
 $NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -- - <<EOF || ret=1
 server 10.53.0.3 ${PORT}
@@ -119,9 +119,51 @@ digcomp knowngood.after1 dig.out.ns2 || ret=1
 digcomp knowngood.after1 dig.out.ns3 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 
-echo_i "checking 'forwarding update for zone' is logged ($n)"
+echo_i "checking update forwarding of a zone (signed) (DoT -> DoT) ($n)"
 ret=0
-grep "forwarding update for zone 'example/IN'" ns3/named.run > /dev/null || ret=1
+$NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -S -O -- - <<EOF || ret=1
+server 10.53.0.3 ${TLSPORT}
+update add updated-dot.example. 600 A 10.10.10.1
+update add updated-dot.example. 600 TXT Foo
+send
+EOF
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "sleeping 15 seconds for server to incorporate changes"
+sleep 15
+
+echo_i "fetching primary copy of zone after update ($n)"
+ret=0
+$DIG $DIGOPTS example.\
+       @10.53.0.1 axfr > dig.out.ns1 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "fetching secondary 1 copy of zone after update ($n)"
+ret=0
+$DIG $DIGOPTS example.\
+       @10.53.0.2 axfr > dig.out.ns2 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+echo_i "fetching secondary 2 copy of zone after update ($n)"
+ret=0
+$DIG $DIGOPTS example.\
+       @10.53.0.3 axfr > dig.out.ns3 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "comparing post-update copies to known good data ($n)"
+ret=0
+digcomp knowngood.after2 dig.out.ns1 || ret=1
+digcomp knowngood.after2 dig.out.ns2 || ret=1
+digcomp knowngood.after2 dig.out.ns3 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+echo_i "checking 'forwarding update for zone' is logged twice ($n)"
+ret=0
+cnt=$(grep -F "forwarding update for zone 'example/IN'" ns3/named.run | wc -l || ret=1)
+test "${cnt}" -eq 2 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 n=`expr $n + 1`
 
@@ -171,9 +213,9 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 
 echo_i "comparing post-update copies to known good data ($n)"
 ret=0
-digcomp knowngood.after2 dig.out.ns1 || ret=1
-digcomp knowngood.after2 dig.out.ns2 || ret=1
-digcomp knowngood.after2 dig.out.ns3 || ret=1
+digcomp knowngood.after3 dig.out.ns1 || ret=1
+digcomp knowngood.after3 dig.out.ns2 || ret=1
+digcomp knowngood.after3 dig.out.ns3 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 
 if $FEATURETEST --enable-dnstap
@@ -222,7 +264,7 @@ fi
 
 if test -f keyname
 then
-       echo_i "checking update forwarding to with sig0 ($n)"
+       echo_i "checking update forwarding to with sig0 (Do53 -> Do53) ($n)"
        ret=0
        keyname=`cat keyname`
        $NSUPDATE -k $keyname.private -- - <<EOF
@@ -248,6 +290,33 @@ EOF
                status=`expr $status + $ret`
                n=`expr $n + 1`
        fi
+
+       echo_i "checking update forwarding to with sig0 (DoT -> Do53) ($n)"
+       ret=0
+       keyname=`cat keyname`
+       $NSUPDATE -k $keyname.private -S -O -- - <<EOF
+       server 10.53.0.3 ${TLSPORT}
+       zone example2
+       update add unsigned-dot.example2. 600 A 10.10.10.1
+       update add unsigned-dot.example2. 600 TXT Foo
+       send
+EOF
+       $DIG -p ${PORT} unsigned-dot.example2 A @10.53.0.1 > dig.out.ns1.test$n
+       grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+       if [ $ret != 0 ] ; then echo_i "failed"; fi
+       status=`expr $status + $ret`
+       n=`expr $n + 1`
+
+       if $FEATURETEST --enable-dnstap
+       then
+               echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)"
+               ret=0
+               capture_dnstap
+               uq_equals_ur || ret=1
+               if [ $ret != 0 ] ; then echo_i "failed"; fi
+               status=`expr $status + $ret`
+               n=`expr $n + 1`
+       fi
 fi
 
 echo_i "exit status: $status"