- rename dot to doth, as it now covers both dot and doh.
- merge xot into doth as it's closely related.
- add long-lived key and cert files (expiring 2121).
- add tests with https-get, https-post, http-plain, alternate
endpoints, and both static and ephemeral TLS configuration.
- incidentally fix a memory leak in dig that occurred if +https
was specified more than once.
dlz \
dlzexternal \
dns64 \
+ doth \
dscp \
dsdigest \
dyndb \
views \
wildcard \
xferquota \
- xot \
zonechecks
# The "stress" test is not run by default since it creates enough
nsupdate \
resolver \
statistics \
- dot \
upforwd \
zero
atsign="@"
sed -e "s/${atsign}PORT${atsign}/${PORT}/g" \
-e "s/${atsign}TLSPORT${atsign}/${TLSPORT}/g" \
- -e "s/${atsign}HTTPPORT${atsign}/${HTTPSPORT}/g" \
+ -e "s/${atsign}HTTPPORT${atsign}/${HTTPPORT}/g" \
-e "s/${atsign}HTTPSPORT${atsign}/${HTTPSPORT}/g" \
-e "s/${atsign}EXTRAPORT1${atsign}/${EXTRAPORT1}/g" \
-e "s/${atsign}EXTRAPORT2${atsign}/${EXTRAPORT2}/g" \
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-rm -f */named.memstats
-rm -f */named.run
-rm -f */named.conf
-rm -f */named.stats*
-rm -f dig.out*
-rm -f rndc.out*
-rm -f ns*/named.lock
-rm -f ns*/managed-keys.bind*
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- port @PORT@;
- tls-port @TLSPORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- listen-on tls ephemeral { 10.53.0.1; };
- recursion no;
- notify no;
- statistics-file "named.stats";
-};
-
-zone "." {
- type primary;
- file "root.db";
- allow-transfer { any; };
-};
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-. ../conf.sh
-
-$SHELL clean.sh
-
-copy_setports ns1/named.conf.in ns1/named.conf
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -e
-
-# shellcheck source=../conf.sh
-. ../conf.sh
-
-dig_dot_with_opts() {
- "${DIG}" -p "${TLSPORT}" +tls "$@"
-}
-
-status=0
-n=0
-
-n=$((n + 1))
-echo_i "checking DoT query response ($n)"
-ret=0
-dig_dot_with_opts @10.53.0.1 . SOA > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-n=$((n + 1))
-echo_i "checking DoT XFR ($n)"
-ret=0
-dig_dot_with_opts +comment @10.53.0.1 . AXFR > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "exit status: $status"
-[ $status -eq 0 ] || exit 1
rm -f ./*/named.run
rm -f ./*/named.run.prev
rm -f ./dig.out.*
-rm -f ./*/*.db
+rm -f ./*/example.db
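Review bot: The narrowing from `rm -f ./*/*.db` to `rm -f ./*/example.db` is not explained anywhere in the hunk; with ns1/named.conf.in now loading `root.db` as a primary zone, the old glob would presumably have wiped that checked-in fixture on every clean. A one-line comment above it, `# only example.db is produced at run time; ns1/root.db is a checked-in fixture`, keeps the next editor from widening the glob again. The start of this script is outside the hunk.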
inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
+http local {
+ endpoints { "/dns-query"; "/alter"; };
+};
+
options {
port @PORT@;
tls-port @TLSPORT@;
+ https-port @HTTPSPORT@;
+ http-port @HTTPPORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
+ listen-on tls ephemeral { 10.53.0.1; }; // DoT
+ listen-on tls ephemeral http local { 10.53.0.1; }; // DoH
+ listen-on tls none http local { 10.53.0.1; }; // unencrypted DoH
listen-on-v6 { none; };
- listen-on tls ephemeral { 10.53.0.1; };
recursion no;
notify explicit;
also-notify { 10.53.0.2 port @PORT@; };
};
zone "." {
- type hint;
- file "../../common/root.hint";
+ type primary;
+ file "root.db";
+ allow-transfer { any; };
};
zone "example" {
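Review bot: The `http local` block defines a second endpoint `"/alter"` with no hint why a test server needs two; its only visible purpose is to give tests.sh a non-default path to query (and an undefined `/fake` to reject). A comment such as `// "/alter" exists only so tests.sh can exercise a non-default DoH endpoint` would stop it being pruned as dead config later. The `listen-on tls none http local` line intentionally exposes unencrypted DoH on @HTTPPORT@; the existing `// unencrypted DoH` comment is good, and appending `(test-only)` would discourage copying the snippet verbatim. The enclosing `controls` block starts, and `zone "example"` continues, outside the hunk.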
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIICHTCCAcOgAwIBAgIUATq1E48Hj7vAQBwn8H/1oQvqvJ0wCgYIKoZIzj0EAwIw
+YzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRUwEwYDVQQHDAxSZWR3b29kIENp
+dHkxDDAKBgNVBAoMA0lTQzEOMAwGA1UECwwFQklORDkxEjAQBgNVBAMMCWxvY2Fs
+aG9zdDAgFw0yMTAyMTIwMzIxMzFaGA8yMTIxMDExOTAzMjEzMVowYzELMAkGA1UE
+BhMCVVMxCzAJBgNVBAgMAkNBMRUwEwYDVQQHDAxSZWR3b29kIENpdHkxDDAKBgNV
+BAoMA0lTQzEOMAwGA1UECwwFQklORDkxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABC1uCviud7QFTJ8DfdrLwjkBolYHJJR9c9HP
+bshvKDXahhRU9+HCbWBNLlqFR6aMs8wyE32cXHLZ70XaILkH88SjUzBRMB0GA1Ud
+DgQWBBRPpE9aC2MO0TAlCp18vR9vqe4R2TAfBgNVHSMEGDAWgBRPpE9aC2MO0TAl
+Cp18vR9vqe4R2TAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIE3L
+zx4iRVqjnOACc+/G0Shru+AIk/MEglfrvP5wxZaVAiEArcmut+hYb+cG0UW5ct/U
+Q183Kk25XYJkTj39GSBiiiA=
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIFBLYPWvhrGBMyfi04oC53LOl00LZRZbVOVnC0K30XOCoAoGCCqGSM49
+AwEHoUQDQgAELW4K+K53tAVMnwN92svCOQGiVgcklH1z0c9uyG8oNdqGFFT34cJt
+YE0uWoVHpoyzzDITfZxcctnvRdoguQfzxA==
+-----END EC PRIVATE KEY-----
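Review bot: This commits a private key with nothing in the file marking it as a test fixture, so secret scanners and future readers have to work out from ns2/named.conf.in that it is only used by the doth system test. PEM readers generally ignore text outside the BEGIN/END lines, so a first line such as `Test-only key for bin/tests/system/doth; pairs with cert.pem, deliberately public` would document that without changing what is loaded — confirm the loader named uses tolerates leading text before relying on it. The matching cert.pem would benefit from the same line.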
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
+tls local {
+ key-file "key.pem";
+ cert-file "cert.pem";
+};
+
+http local {
+ endpoints { "/dns-query"; };
+};
+
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port @PORT@;
tls-port @TLSPORT@;
+ https-port @HTTPSPORT@;
+ http-port @HTTPPORT@;
pid-file "named.pid";
listen-on { 10.53.0.2; };
- listen-on tls ephemeral { 10.53.0.2; };
+ listen-on tls local { 10.53.0.2; }; // DoT
+ listen-on tls local http local { 10.53.0.2; }; // DoH
+ listen-on tls none http local { 10.53.0.2; }; // unencrypted DoH
listen-on-v6 { none; };
- listen-on tls ephemeral { 10.53.0.2; };
recursion no;
notify no;
ixfr-from-differences yes;
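Review bot: `tls local` loads `key.pem`/`cert.pem` from the server directory with no comment that the pair is a self-signed, long-lived test certificate (the subject appears to decode to CN=localhost, which does not match 10.53.0.2, so the tests presumably do not verify it). Adding `// self-signed test certificate (CN=localhost, expires 2121); tests do not verify it` above `key-file` keeps that mismatch from being mistaken for a bug later. The block also inherits named's default TLS protocol and cipher settings, which is fine for a test but worth stating so nobody copies it as a hardened example. The `controls` block begins before the hunk.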
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+dig_with_tls_opts() {
+ "$DIG" +tls +noadd +nosea +nostat +noquest +nocmd -p "${TLSPORT}" "$@"
+}
+
+dig_with_https_opts() {
+ "$DIG" +https +noadd +nosea +nostat +noquest +nocmd -p "${HTTPSPORT}" "$@"
+}
+
+dig_with_http_opts() {
+ "$DIG" +http-plain +noadd +nosea +nostat +noquest +nocmd -p "${HTTPPORT}" "$@"
+}
+
+wait_for_tls_xfer() (
+ dig_with_tls_opts -b 10.53.0.3 @10.53.0.2 example. AXFR > "dig.out.ns2.test$n" || return 1
+ grep "^;" "dig.out.ns2.test$n" > /dev/null && return 1
+ return 0
+)
+
+status=0
+n=0
+
+n=$((n+1))
+echo_i "testing XoT server functionality (using dig) ($n)"
+ret=0
+dig_with_tls_opts example. -b 10.53.0.3 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
+grep "^;" dig.out.ns1.test$n | cat_i
+digcomp dig1.good dig.out.ns1.test$n || ret=1
+if test $ret != 0 ; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing incoming XoT functionality (from secondary) ($n)"
+ret=0
+if retry_quiet 10 wait_for_tls_xfer; then
+ grep "^;" "dig.out.ns2.test$n" | cat_i
+ digcomp dig1.good "dig.out.ns2.test$n" || ret=1
+else
+ echo_i "timed out waiting for zone transfer"
+ ret=1
+fi
+if test $ret != 0 ; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n + 1))
+echo_i "checking DoT query (ephemeral key) ($n)"
+ret=0
+dig_with_tls_opts @10.53.0.1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoT query (static key) ($n)"
+ret=0
+dig_with_tls_opts @10.53.0.2 example SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoT XFR ($n)"
+ret=0
+dig_with_tls_opts +comm @10.53.0.1 . AXFR > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH query (POST) ($n)"
+ret=0
+dig_with_https_opts @10.53.0.1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH query (POST, static key) ($n)"
+ret=0
+dig_with_https_opts @10.53.0.2 example SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH query (POST, nonstandard endpoint) ($n)"
+ret=0
+dig_with_https_opts +https=/alter @10.53.0.1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH query (POST, undefined endpoint, failure expected) ($n)"
+ret=0
+dig_with_https_opts +tries=1 +time=1 +https=/fake @10.53.0.1 . SOA > dig.out.test$n
+grep "communications error" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH XFR (POST) (failure expected) ($n)"
+ret=0
+dig_with_https_opts +comm @10.53.0.1 . AXFR > dig.out.test$n
+grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH query (GET) ($n)"
+ret=0
+dig_with_https_opts +https-get @10.53.0.1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH query (GET, static key) ($n)"
+ret=0
+dig_with_https_opts +https-get @10.53.0.2 example SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH query (GET, nonstandard endpoint) ($n)"
+ret=0
+dig_with_https_opts +https-get=/alter @10.53.0.1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH query (GET, undefined endpoint, failure expected) ($n)"
+ret=0
+dig_with_https_opts +tries=1 +time=1 +https-get=/fake @10.53.0.1 . SOA > dig.out.test$n
+grep "communications error" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH XFR (GET) (failure expected) ($n)"
+ret=0
+dig_with_https_opts +https-get +comm @10.53.0.1 . AXFR > dig.out.test$n
+grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking unencrypted DoH query (POST) ($n)"
+ret=0
+dig_with_http_opts @10.53.0.1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking unencrypted DoH query (GET) ($n)"
+ret=0
+dig_with_http_opts +http-plain-get @10.53.0.1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking unencrypted DoH XFR (failure expected) ($n)"
+ret=0
+dig_with_http_opts +comm @10.53.0.1 . AXFR > dig.out.test$n
+grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
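Review bot: The two "undefined endpoint, failure expected" checks (the `+https=/fake` and `+https-get=/fake` queries) accept any `communications error`, which is also what dig prints when named is not listening at all, so they would still pass if the bad endpoint crashed or wedged the server. Following each with a known-good query, e.g. `dig_with_https_opts @10.53.0.1 . SOA > dig.out.test$n.after` and `grep "status: NOERROR" dig.out.test$n.after > /dev/null || ret=1`, pins the intended behaviour: endpoint rejected, server still answering. None of the `+tls`/`+https` invocations pass a CA or verification option, so the static-key checks against 10.53.0.2 presumably only prove a handshake completed rather than that `cert.pem` was what was served; a comment on `dig_with_tls_opts` saying so (if that is a dig limitation) would set expectations. Separately, the file mixes `n=$((n+1))`/`if test $ret != 0` in the XoT checks with `n=$((n + 1))`/`if [ $ret != 0 ]` in the rest; pick one form.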
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-. ../conf.sh
-
-dig_with_opts() {
- "$DIG" +tls +noadd +nosea +nostat +noquest +nocomm +nocmd -p "${TLSPORT}" "$@"
-}
-
-wait_for_xfer() (
- dig_with_opts -b 10.53.0.3 @10.53.0.2 example. AXFR > "dig.out.ns2.test$n" || return 1
- grep "^;" "dig.out.ns2.test$n" > /dev/null && return 1
- return 0
-)
-
-status=0
-n=0
-
-n=$((n+1))
-echo_i "testing XoT server functionality (using dig) ($n)"
-ret=0
-dig_with_opts example. -b 10.53.0.3 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
-grep "^;" dig.out.ns1.test$n | cat_i
-digcomp dig1.good dig.out.ns1.test$n || ret=1
-if test $ret != 0 ; then echo_i "failed"; fi
-status=$((status+ret))
-
-n=$((n+1))
-echo_i "testing basic incoming XoT functionality (from secondary) ($n)"
-ret=0
-if retry_quiet 10 wait_for_xfer; then
- grep "^;" "dig.out.ns2.test$n" | cat_i
- digcomp dig1.good "dig.out.ns2.test$n" || ret=1
-else
- echo_i "timed out waiting for zone transfer"
- ret=1
-fi
-if test $ret != 0 ; then echo_i "failed"; fi
-status=$((status+ret))
-
-echo_i "exit status: $status"
-[ $status -eq 0 ] || exit 1
./bin/tests/system/dnstap/setup.sh SH 2018,2019,2020,2021
./bin/tests/system/dnstap/tests.sh SH 2015,2016,2017,2018,2019,2020,2021
./bin/tests/system/dnstap/ydump.py PYTHON 2016,2017,2018,2019,2020,2021
-./bin/tests/system/dot/clean.sh SH 2020,2021
-./bin/tests/system/dot/setup.sh SH 2020,2021
-./bin/tests/system/dot/tests.sh SH 2020,2021
+./bin/tests/system/doth/clean.sh SH 2020,2021
+./bin/tests/system/doth/dig1.good X 2021
+./bin/tests/system/doth/ns2/cert.pem X 2021
+./bin/tests/system/doth/ns2/key.pem X 2021
+./bin/tests/system/doth/setup.sh SH 2021
+./bin/tests/system/doth/tests.sh SH 2021
./bin/tests/system/dscp/clean.sh SH 2013,2014,2015,2016,2018,2019,2020,2021
./bin/tests/system/dscp/ns1/named.args X 2013,2014,2018,2019,2020,2021
./bin/tests/system/dscp/ns2/named.args X 2013,2014,2018,2019,2020,2021
./bin/tests/system/xferquota/setup.pl PERL 2000,2001,2004,2007,2011,2012,2016,2018,2019,2020,2021
./bin/tests/system/xferquota/setup.sh SH 2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
./bin/tests/system/xferquota/tests.sh SH 2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
-./bin/tests/system/xot/clean.sh SH 2021
-./bin/tests/system/xot/dig1.good X 2021
-./bin/tests/system/xot/setup.sh SH 2021
-./bin/tests/system/xot/tests.sh SH 2021
./bin/tests/system/zero/ans5/ans.pl PERL 2016,2018,2019,2020,2021
./bin/tests/system/zero/clean.sh SH 2013,2014,2015,2016,2018,2019,2020,2021
./bin/tests/system/zero/setup.sh SH 2013,2014,2016,2018,2019,2020,2021