#
# Clean up after forward tests.
#
-rm -f ./dig.out.*
rm -f ./*/named.conf
rm -f ./*/named.memstats
rm -f ./*/named.run ./*/named.run.prev ./*/ans.run
rm -f ./*/named_dump.db
rm -f ./ans*/query.log
-rm -f ./ns*/named.lock
+rm -f ./dig.out.*
rm -f ./ns*/managed-keys.bind*
-rm -f ./ns1/root.db ./ns1/root.db.signed
+rm -f ./ns*/named.lock
rm -f ./ns*/trusted.conf
rm -f ./ns1/K* ./ns1/dsset-*
+rm -f ./ns1/root.db ./ns1/root.db.signed
+rm -f ns2/named-tls.conf
+rm -f ns2/options-tls.conf
+rm -f ns4/named-tls.conf
+rm -f ns4/options-tls.conf
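Review bot: The four new `rm -f ns2/... ns4/...` lines at the end of the hunk drop the `./` prefix that every other line in this script uses and spell out per-server paths where the rest of the file globs with `./ns*/`. Collapsing them to `rm -f ./ns*/named-tls.conf ./ns*/options-tls.conf` keeps the style uniform and also covers any further server that later grows the same TLS include files. The reordering of the `dig.out`, `named.lock` and `root.db` lines above is cosmetic and changes nothing.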
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls tls-forward-secrecy {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../CA/certs/srv02.crt01.example.nil.key";
+ cert-file "../CA/certs/srv02.crt01.example.nil.pem";
+ dhparam-file "../dhparam3072.pem";
+};
+
+tls tls-forward-secrecy-mutual-tls {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../CA/certs/srv02.crt01.example.nil.key";
+ cert-file "../CA/certs/srv02.crt01.example.nil.pem";
+ dhparam-file "../dhparam3072.pem";
+ ca-file "../CA/CA.pem";
+};
+
+tls tls-expired {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../CA/certs/srv02.crt02-expired.example.nil.key";
+ cert-file "../CA/certs/srv02.crt02-expired.example.nil.pem";
+ dhparam-file "../dhparam3072.pem";
+};
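Review bot: Nothing in this new file records that setup.sh installs an empty `named-tls.conf` in its place when `$FEATURETEST --have-fips-dh` fails, so a reader of ns2/named.conf.in cannot tell that every `tls` name defined here may be absent at runtime. A header comment after the licence such as `/* DoT server-side tls configs for ns2; setup.sh replaces this include with an empty file when FIPS-compatible DH parameters are unavailable. */` would make that dependency visible. The cipher string is repeated verbatim in all three blocks; as I read OpenSSL cipher-list keywords, `!SHA1:!SHA256:!SHA384` together with `!kRSA` leaves only (EC)DHE AEAD suites, which is presumably why `dhparam-file` and hence the FIPS DH gate matter, and one line saying so would spare the next maintainer deriving it.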
* information regarding copyright ownership.
*/
-tls tls-forward-secrecy {
- protocols { TLSv1.2; };
- ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
- prefer-server-ciphers yes;
- key-file "../CA/certs/srv02.crt01.example.nil.key";
- cert-file "../CA/certs/srv02.crt01.example.nil.pem";
- dhparam-file "../dhparam3072.pem";
-};
-
-tls tls-forward-secrecy-mutual-tls {
- protocols { TLSv1.2; };
- ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
- prefer-server-ciphers yes;
- key-file "../CA/certs/srv02.crt01.example.nil.key";
- cert-file "../CA/certs/srv02.crt01.example.nil.pem";
- dhparam-file "../dhparam3072.pem";
- ca-file "../CA/CA.pem";
-};
-
-tls tls-expired {
- protocols { TLSv1.2; };
- ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
- prefer-server-ciphers yes;
- key-file "../CA/certs/srv02.crt02-expired.example.nil.key";
- cert-file "../CA/certs/srv02.crt02-expired.example.nil.pem";
- dhparam-file "../dhparam3072.pem";
-};
+include "named-tls.conf";
options {
query-source address 10.53.0.2;
transfer-source 10.53.0.2;
transfer-source-v6 fd92:7065:b8e:ffff::2;
port @PORT@;
- tls-port @TLSPORT@;
pid-file "named.pid";
listen-on { 10.53.0.2; };
- listen-on tls ephemeral { 10.53.0.2; };
- listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; };
- listen-on port @EXTRAPORT2@ tls tls-forward-secrecy-mutual-tls { 10.53.0.2; };
- listen-on port @EXTRAPORT3@ tls tls-expired { 10.53.0.2; };
+ include "options-tls.conf";
listen-on-v6 { fd92:7065:b8e:ffff::2; };
recursion no;
dnssec-validation no;
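Review bot: The two `include` lines (top-level `named-tls.conf` and the options-level `options-tls.conf`) are silent about the fact that both files may be empty, which is the whole reason for the split, so the configuration reads as if ns2 always listens on DoT. Annotating them, e.g. `include "named-tls.conf"; /* server tls configs; empty when FIPS DH is unavailable (see setup.sh) */` and `include "options-tls.conf"; /* tls-port + DoT listeners; empty without FIPS DH */`, would stop someone re-adding a `tls-port` or `listen-on tls` here directly. When the includes are empty the only exposed sockets are the plain `listen-on`/`listen-on-v6` entries, so the skipped case degrades to a less exposed server rather than a broken one, which is worth stating as intended.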
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+ tls-port @TLSPORT@;
+ listen-on tls ephemeral { 10.53.0.2; };
+ listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; };
+ listen-on port @EXTRAPORT2@ tls tls-forward-secrecy-mutual-tls { 10.53.0.2; };
+ listen-on port @EXTRAPORT3@ tls tls-expired { 10.53.0.2; };
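Review bot: This fragment is spliced into the middle of an `options { }` block by ns2/named.conf.in, but the file carries no comment saying so, and the leading tab on every statement is the only hint. A comment after the licence, `/* Included inside options { } of named.conf; only options-level statements belong here. Left empty by setup.sh when FIPS DH is unavailable. */`, would prevent a future edit adding a top-level `tls` or `zone` statement that breaks parsing. The first listener uses the built-in `ephemeral` tls name, which is not defined in these files and, as I understand it, serves a self-signed certificate; it exists for the "DoT insecure" test, and a note like `/* ephemeral (self-signed) listener: exercised by the DoT-insecure test only */` keeps it from being mistaken for an oversight on a server that otherwise pins CA-issued certificates.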
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls tls-forward-secrecy {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ dhparam-file "../dhparam3072.pem";
+ ca-file "../CA/CA.pem";
+};
+
+tls tls-forward-secrecy-remote-hostname {
+ protocols { TLSv1.2; };
+ ca-file "../CA/CA.pem";
+ remote-hostname "srv02.crt01.example.nil";
+};
+
+tls tls-forward-secrecy-bad-remote-hostname {
+ protocols { TLSv1.2; };
+ ca-file "../CA/CA.pem";
+ remote-hostname "srv02-bad.crt01.example.nil";
+};
+
+tls tls-forward-secrecy-mutual-tls {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ key-file "../CA/certs/srv04.crt01.example.nil.key";
+ cert-file "../CA/certs/srv04.crt01.example.nil.pem";
+ dhparam-file "../dhparam3072.pem";
+ ca-file "../CA/CA.pem";
+};
+
+tls tls-expired {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ dhparam-file "../dhparam3072.pem";
+ ca-file "../CA/CA.pem";
+};
+
+zone "example1." {
+ type forward;
+ forward first;
+ forwarders { 10.53.0.2 tls ephemeral; };
+};
+
+zone "example3." {
+ type forward;
+ forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; };
+};
+
+zone "example4." {
+ type forward;
+ forward only;
+ forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2 tls tls-expired port @EXTRAPORT3@; };
+};
+
+zone "example8." {
+ type forward;
+ forward only;
+ forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname { 10.53.0.2; };
+};
+
+zone "example9." {
+ type forward;
+ forward only;
+ forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname { 10.53.0.2; };
+};
+
+zone "1.0.10.in-addr.arpa" {
+ type forward;
+ forward only;
+ forwarders { 10.53.0.2 tls tls-forward-secrecy-mutual-tls port @EXTRAPORT2@; };
+};
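Review bot: `tls-expired` in the `tls` definitions carries `prefer-server-ciphers yes;` and `dhparam-file`, which as far as I can tell only have an effect on the accepting side, yet in this file the block is used purely as a client config (no `key-file`/`cert-file`, referenced only by the `example4.` forwarder). The sibling client configs `tls-forward-secrecy-remote-hostname` and `tls-forward-secrecy-bad-remote-hostname` omit both, so dropping the two lines from `tls-expired` (and `dhparam-file` from `tls-forward-secrecy`) makes the client/server split obvious; `ciphers` should stay since it constrains what the client offers. A header comment mapping each `tls` name to the test it drives would also help, because the names alone mislead: `tls-expired` here holds no expired certificate, it verifies ns2's expired server certificate through `ca-file`. If `dhparam-file` turns out to be needed on the client for the FIPS DH gating to behave, ignore the second suggestion.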
* information regarding copyright ownership.
*/
+include "named-tls.conf";
+
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port @PORT@;
- tls-port @TLSPORT@;
+ include "options-tls.conf";
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
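Review bot: `include "named-tls.conf";` at the top and `include "options-tls.conf";` inside `options` give no indication that, when the FIPS DH check fails, the zones `example1.`, `example3.`, `example4.`, `example8.`, `example9.` and `1.0.10.in-addr.arpa` disappear from ns4 along with the `tls` definitions. A short comment on the first include, `/* client tls configs and the DoT forward zones; empty when FIPS DH is unavailable (setup.sh) */`, documents why those zones are no longer in this file and why the matching tests are skipped rather than failing. The `options` block continues past the end of this hunk.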
file "root.db";
};
-tls tls-forward-secrecy {
- protocols { TLSv1.2; };
- ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
- dhparam-file "../dhparam3072.pem";
- ca-file "../CA/CA.pem";
-};
-
-tls tls-forward-secrecy-remote-hostname {
- protocols { TLSv1.2; };
- ca-file "../CA/CA.pem";
- remote-hostname "srv02.crt01.example.nil";
-};
-
-tls tls-forward-secrecy-bad-remote-hostname {
- protocols { TLSv1.2; };
- ca-file "../CA/CA.pem";
- remote-hostname "srv02-bad.crt01.example.nil";
-};
-
-tls tls-forward-secrecy-mutual-tls {
- protocols { TLSv1.2; };
- ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
- key-file "../CA/certs/srv04.crt01.example.nil.key";
- cert-file "../CA/certs/srv04.crt01.example.nil.pem";
- dhparam-file "../dhparam3072.pem";
- ca-file "../CA/CA.pem";
-};
-
-tls tls-expired {
- protocols { TLSv1.2; };
- ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
- prefer-server-ciphers yes;
- dhparam-file "../dhparam3072.pem";
- ca-file "../CA/CA.pem";
-};
-
-zone "example1." {
- type forward;
- forward first;
- forwarders { 10.53.0.2 tls ephemeral; };
-};
-
-zone "example3." {
- type forward;
- forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; };
-};
-
-zone "example4." {
- type forward;
- forward only;
- forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2 tls tls-expired port @EXTRAPORT3@; };
-};
-
zone "example5." {
type forward;
forward only;
forwarders { 10.53.0.2; };
};
-zone "example8." {
- type forward;
- forward only;
- forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname { 10.53.0.2; };
-};
-
-zone "example9." {
- type forward;
- forward only;
- forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname { 10.53.0.2; };
-};
-
-zone "1.0.10.in-addr.arpa" {
- type forward;
- forward only;
- forwarders { 10.53.0.2 tls tls-forward-secrecy-mutual-tls port @EXTRAPORT2@; };
-};
-
zone "grafted" {
type forward;
forward only;
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+ tls-port @TLSPORT@;
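Review bot: The only statement here is `tls-port @TLSPORT@;`, and ns4 has no `listen-on ... tls` anywhere, so it is not obvious what the setting is for; I assume it supplies the default destination port for the `10.53.0.2 tls ephemeral` forwarder in `example1.`, which names no port, but that should be stated rather than inferred. A comment such as `/* no DoT listeners on ns4: tls-port supplies the default port for tls forwarders that omit one (zone example1. in named-tls.conf) -- TODO confirm */` makes the intent explicit, and if the assumption is wrong the file can be dropped. Like the ns2 counterpart, this fragment is included inside `options { }` and is emptied by setup.sh without FIPS DH, which belongs in the same comment.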
$SHELL clean.sh
copy_setports ns1/named.conf.in ns1/named.conf
-copy_setports ns2/named.conf.in ns2/named.conf
+
+if $FEATURETEST --have-fips-dh
+then
+ copy_setports ns2/named-tls.conf.in ns2/named-tls.conf
+ copy_setports ns2/options-tls.conf.in ns2/options-tls.conf
+ copy_setports ns2/named.conf.in ns2/named.conf
+else
+ cp /dev/null ns2/named-tls.conf
+ cp /dev/null ns2/options-tls.conf
+ copy_setports ns2/named.conf.in ns2/named.conf
+fi
+
copy_setports ns3/named1.conf.in ns3/named.conf
-copy_setports ns4/named.conf.in ns4/named.conf
+
+if $FEATURETEST --have-fips-dh
+then
+ copy_setports ns4/named-tls.conf.in ns4/named-tls.conf
+ copy_setports ns4/options-tls.conf.in ns4/options-tls.conf
+ copy_setports ns4/named.conf.in ns4/named.conf
+else
+ cp /dev/null ns4/named-tls.conf
+ cp /dev/null ns4/options-tls.conf
+ copy_setports ns4/named.conf.in ns4/named.conf
+fi
+
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
copy_setports ns8/named.conf.in ns8/named.conf
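Review bot: The `$FEATURETEST --have-fips-dh` probe is run twice with two identical branches, and `copy_setports nsN/named.conf.in nsN/named.conf` is repeated in both arms of each `if`, so the only thing that differs per arm is whether the two TLS fragments are rendered or emptied. Evaluating the probe once and looping over the two servers removes the duplication and the risk of the ns2/ns4 branches drifting apart; the `copy_setports` calls appear independent of each other, so the ns3 line can stay between or after them. `: >` produces the same empty file as `cp /dev/null`.

```shell
# DoT fixtures need DH parameters acceptable under FIPS; without them the
# TLS include files are rendered empty so named.conf still parses and the
# DoT tests are skipped.
have_fips_dh=0
$FEATURETEST --have-fips-dh && have_fips_dh=1

for ns in ns2 ns4; do
  if [ "$have_fips_dh" -eq 1 ]; then
    copy_setports "$ns/named-tls.conf.in" "$ns/named-tls.conf"
    copy_setports "$ns/options-tls.conf.in" "$ns/options-tls.conf"
  else
    : > "$ns/named-tls.conf"
    : > "$ns/options-tls.conf"
  fi
  copy_setports "$ns/named.conf.in" "$ns/named.conf"
done
# … unchanged: copy_setports for ns1, ns3, ns5, ns7, ns8 …
```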
n=$((n+1))
echo_i "checking that DoT expired certificate does not work ($n)"
-ret=0
-nextpart ns4/named.run >/dev/null
-dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1
-dig_with_opts +noadd +noauth txt.example4. txt @$f2 > dig.out.$n.f2 || ret=1
-digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
-wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+ ret=0
+ nextpart ns4/named.run >/dev/null
+ dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1
+ dig_with_opts +noadd +noauth txt.example4. txt @$f2 > dig.out.$n.f2 || ret=1
+ digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
+ wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+else
+ echo_i "skipped."
+fi
n=$((n+1))
echo_i "checking that a forward zone works (DoT insecure) ($n)"
-ret=0
-nextpart ns4/named.run >/dev/null
-dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1
-dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1
-digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
-wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+ ret=0
+ nextpart ns4/named.run >/dev/null
+ dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1
+ dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1
+ digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
+ wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+else
+ echo_i "skipped."
+fi
n=$((n+1))
echo_i "checking that forwarding doesn't spontaneously happen ($n)"
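Review bot: Each gated test re-executes `$FEATURETEST --have-fips-dh` (here at the expired-certificate and DoT-insecure checks, and again in the later hunks), so the same external probe runs once per test instead of once per script. Evaluating it a single time near the top, `have_fips_dh=0` / `$FEATURETEST --have-fips-dh && have_fips_dh=1`, and gating with `if [ "$have_fips_dh" -eq 1 ]` is cheaper and guarantees every skip decision in one run agrees. The skipped branch correctly still bumps `n` so numbering stays stable, but `echo_i "skipped."` gives no reason; `echo_i "skipped: no FIPS-compatible DH parameters."` tells the reader why a DoT test did not run without opening setup.sh.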
n=$((n+1))
echo_i "checking that a forward zone with no specified policy works (DoT forward-secrecy) ($n)"
-ret=0
-nextpart ns4/named.run >/dev/null
-dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1
-dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1
-digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
-wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+ ret=0
+ nextpart ns4/named.run >/dev/null
+ dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1
+ dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1
+ digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
+ wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+else
+ echo_i "skipped."
+fi
+
n=$((n+1))
echo_i "checking that DoT remote-hostname works ($n)"
-ret=0
-nextpart ns4/named.run >/dev/null
-dig_with_opts +noadd +noauth txt.example8. txt @$hidden > dig.out.$n.hidden || ret=1
-dig_with_opts +noadd +noauth txt.example8. txt @$f2 > dig.out.$n.f2 || ret=1
-digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 || ret=1
-wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+ ret=0
+ nextpart ns4/named.run >/dev/null
+ dig_with_opts +noadd +noauth txt.example8. txt @$hidden > dig.out.$n.hidden || ret=1
+ dig_with_opts +noadd +noauth txt.example8. txt @$f2 > dig.out.$n.f2 || ret=1
+ digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 || ret=1
+ wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+else
+ echo_i "skipped."
+fi
n=$((n+1))
echo_i "checking that DoT bad remote-hostname does not work ($n)"
-ret=0
-nextpart ns4/named.run >/dev/null
-dig_with_opts +noadd +noauth txt.example9. txt @$hidden > dig.out.$n.hidden || ret=1
-dig_with_opts +noadd +noauth txt.example9. txt @$f2 > dig.out.$n.f2 || ret=1
-digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
-wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+ ret=0
+ nextpart ns4/named.run >/dev/null
+ dig_with_opts +noadd +noauth txt.example9. txt @$hidden > dig.out.$n.hidden || ret=1
+ dig_with_opts +noadd +noauth txt.example9. txt @$f2 > dig.out.$n.f2 || ret=1
+ digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
+ wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+else
+ echo_i "skipped."
+fi
n=$((n+1))
echo_i "checking that a forward only doesn't recurse ($n)"
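Review bot: In the DoT remote-hostname test the comparison `digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 || ret=1` discards digcomp's diagnostics, whereas the positive `example3.` test just above (and `example1.` in the previous hunk) lets digcomp print the differing records; on a failure here the log would show only "failed" with nothing to explain which answer diverged. Dropping the redirection for that positive check, `digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1`, matches its siblings, while the `&& ret=1` negative check for the bad remote-hostname can keep it since differing output is the expected outcome there. The blank line added after the `example3.` block is the only one of the gated tests with that spacing; either add it everywhere or drop it.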
n=$((n+1))
echo_i "checking that forward only zone overrides empty zone (DoT forward-secrecy-mutual-tls) ($n)"
-ret=0
-# retry loop in case the server restart above causes transient failure
-retry_quiet 10 check_override || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+ ret=0
+ # retry loop in case the server restart above causes transient failure
+ retry_quiet 10 check_override || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+else
+ echo_t "skipped."
+fi
n=$((n+1))
echo_i "checking that DS lookups for grafting forward zones are isolated ($n)"
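Review bot: The skip branch of the mutual-TLS override test prints with `echo_t "skipped."` while every other gated test in this commit uses `echo_i "skipped."`; unless `echo_t` is a helper defined in conf.sh that I cannot see from here, this branch would fail with command-not-found in exactly the environment the gate is meant to protect. Change it to `echo_i "skipped."` to match the others. The `retry_quiet 10 check_override` body is unchanged apart from indentation, and `check_override` is defined outside the hunk.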