From: Aram Sargsyan
Date: Wed, 28 Sep 2022 09:01:19 +0000 (+0000)
Subject: Test dynamic update forwarding when using a TLS-enabled primary
X-Git-Tag: v9.19.6~24^2~2
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=ae4296729cd6e1f5027617351faf970b5d1b438d;p=thirdparty%2Fbind9.git

Test dynamic update forwarding when using a TLS-enabled primary

Add several test cases in the 'upforwd' system test to make sure that different scenarios of Dynamic DNS update forwarding are tested, in particular when both the original and forwarded requests are over Do53, or DoT, or they use different transports.
---
diff --git a/bin/tests/system/upforwd/knowngood.after2 b/bin/tests/system/upforwd/knowngood.after2
index eab7a2cf066..04a001f8137 100644
--- a/bin/tests/system/upforwd/knowngood.after2
+++ b/bin/tests/system/upforwd/knowngood.after2
@@ -4,8 +4,8 @@ example. 3600 IN NS ns3.example.
 ns1.example. 3600 IN A 10.53.0.1
 ns2.example. 3600 IN A 10.53.0.2
 ns3.example. 3600 IN A 10.53.0.3
-unsigned.example. 600 IN TXT "Foo"
-unsigned.example. 600 IN A 10.10.10.1
 updated.example. 600 IN TXT "Foo"
 updated.example. 600 IN A 10.10.10.1
+updated-dot.example. 600 IN TXT "Foo"
+updated-dot.example. 600 IN A 10.10.10.1
 example. 3600 IN SOA n1.example. hostmaster.ns1.example. 3 3600 1200 604800 7200
diff --git a/bin/tests/system/upforwd/knowngood.after3 b/bin/tests/system/upforwd/knowngood.after3
new file mode 100644
index 00000000000..18407f09e6c
--- /dev/null
+++ b/bin/tests/system/upforwd/knowngood.after3
@@ -0,0 +1,13 @@
+example. 3600 IN SOA n1.example. hostmaster.ns1.example. 4 3600 1200 604800 7200
+example. 3600 IN NS ns2.example.
+example. 3600 IN NS ns3.example.
+ns1.example. 3600 IN A 10.53.0.1
+ns2.example. 3600 IN A 10.53.0.2
+ns3.example. 3600 IN A 10.53.0.3
+unsigned.example. 600 IN TXT "Foo"
+unsigned.example. 600 IN A 10.10.10.1
+updated.example. 600 IN TXT "Foo"
+updated.example. 600 IN A 10.10.10.1
+updated-dot.example. 600 IN TXT "Foo"
+updated-dot.example. 600 IN A 10.10.10.1
+example. 3600 IN SOA n1.example. hostmaster.ns1.example. 4 3600 1200 604800 7200
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
index 83ba6040c47..dad7b2ffbfe 100644
--- a/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
@@ -21,8 +21,10 @@ options {
 	notify-source 10.53.0.1;
 	transfer-source 10.53.0.1;
 	port @PORT@;
+	tls-port @TLSPORT@;
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
+	listen-on tls ephemeral { 10.53.0.1; };
 	listen-on-v6 { none; };
 	recursion yes;
 	notify yes;
diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named.conf.in
index 75eed2ed932..abb6770c099 100644
--- a/bin/tests/system/upforwd/ns3/named.conf.in
+++ b/bin/tests/system/upforwd/ns3/named.conf.in
@@ -16,8 +16,10 @@ options {
 	notify-source 10.53.0.3;
 	transfer-source 10.53.0.3;
 	port @PORT@;
+	tls-port @TLSPORT@;
 	pid-file "named.pid";
 	listen-on { 10.53.0.3; };
+	listen-on tls ephemeral { 10.53.0.3; };
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
@@ -37,7 +39,7 @@ zone "example" {
 	type secondary;
 	file "example.bk";
 	allow-update-forwarding { any; };
-	primaries { 10.53.0.1; };
+	primaries { 10.53.0.1 port @TLSPORT@ tls ephemeral; };
 };
 
 zone "example2" {
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index 6d53af1c610..33227c363d9 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
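Review bot: The new `primaries { 10.53.0.1 port @TLSPORT@ tls ephemeral; };` line in `zone "example"` makes the forwarded update travel over DoT with BIND's built-in `ephemeral` profile, which as far as I know is a self-signed certificate generated at startup with no CA or hostname verification, so the "DoT" forwarding scenarios exercise encryption of the hop to ns1 but not authentication of ns1. That is acceptable for a system test, but the commit message reads as if DoT forwarding is covered generally; a strict-TLS variant (a `tls` block with `ca-file` and `remote-hostname` pointing at a fixed ns1 certificate) would additionally catch a regression where forwarded updates skip certificate validation. At minimum I would record the scope on the line: `// opportunistic DoT only: 'ephemeral' performs no certificate validation of ns1`. The `options {` block of the first ns3 hunk and the `zone "example2" {` block at the end of the second continue outside the hunk.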
@@ -78,7 +78,7 @@ digcomp knowngood.before dig.out.ns2 || ret=1 digcomp knowngood.before dig.out.ns3 || ret=1 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi -echo_i "updating zone (signed) ($n)" +echo_i "checking update forwarding of a zone (signed) (Do53 -> DoT) ($n)" ret=0 $NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -- - < DoT) ($n)" ret=0 -grep "forwarding update for zone 'example/IN'" ns3/named.run > /dev/null || ret=1 +$NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -S -O -- - < dig.out.ns1 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` + +echo_i "fetching secondary 1 copy of zone after update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.2 axfr > dig.out.ns2 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +echo_i "fetching secondary 2 copy of zone after update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.3 axfr > dig.out.ns3 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` + +echo_i "comparing post-update copies to known good data ($n)" +ret=0 +digcomp knowngood.after2 dig.out.ns1 || ret=1 +digcomp knowngood.after2 dig.out.ns2 || ret=1 +digcomp knowngood.after2 dig.out.ns3 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +echo_i "checking 'forwarding update for zone' is logged twice ($n)" +ret=0 +cnt=$(grep -F "forwarding update for zone 'example/IN'" ns3/named.run | wc -l || ret=1) +test "${cnt}" -eq 2 || ret=1 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi n=`expr $n + 1` 
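Review bot: In the new "logged twice" check, the `|| ret=1` inside `cnt=$(grep -F "forwarding update for zone 'example/IN'" ns3/named.run | wc -l || ret=1)` executes in the command-substitution subshell, so the assignment never reaches the parent shell's `ret`; and because the pipeline's status is that of `wc`, it would not fire on a missing match anyway, leaving the following `test "${cnt}" -eq 2` as the only real assertion. I would drop the dead guard and let grep count, `cnt=$(grep -Fc "forwarding update for zone 'example/IN'" ns3/named.run)`, which prints 0 on no match so the `-eq 2` comparison still fails correctly. The count is also cumulative over `ns3/named.run`, so a one-line comment would save the next person who inserts a forwarding scenario earlier in the file: `# cumulative: one forwarded update per preceding scenario (Do53->DoT, DoT->DoT)`. Note that the nsupdate here-documents in this hunk were lost in extraction (`-- - < DoT)`), so the update bodies and the exact hunk boundaries cannot be reviewed here.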
@@ -171,9 +213,9 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi echo_i "comparing post-update copies to known good data ($n)" ret=0 -digcomp knowngood.after2 dig.out.ns1 || ret=1 -digcomp knowngood.after2 dig.out.ns2 || ret=1 -digcomp knowngood.after2 dig.out.ns3 || ret=1 +digcomp knowngood.after3 dig.out.ns1 || ret=1 +digcomp knowngood.after3 dig.out.ns2 || ret=1 +digcomp knowngood.after3 dig.out.ns3 || ret=1 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi if $FEATURETEST --enable-dnstap @@ -222,7 +264,7 @@ fi if test -f keyname then - echo_i "checking update forwarding to with sig0 ($n)" + echo_i "checking update forwarding to with sig0 (Do53 -> Do53) ($n)" ret=0 keyname=`cat keyname` $NSUPDATE -k $keyname.private -- - < Do53) ($n)" + ret=0 + keyname=`cat keyname` + $NSUPDATE -k $keyname.private -S -O -- - < dig.out.ns1.test$n + grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 + if [ $ret != 0 ] ; then echo_i "failed"; fi + status=`expr $status + $ret` + n=`expr $n + 1` + + if $FEATURETEST --enable-dnstap + then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur || ret=1 + if [ $ret != 0 ] ; then echo_i "failed"; fi + status=`expr $status + $ret` + n=`expr $n + 1` + fi fi echo_i "exit status: $status"
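Review bot: The added SIG(0) `(DoT -> Do53)` case asserts only `grep "status: NOERROR" dig.out.ns1.test$n`, which a NODATA answer also satisfies, so on its own it does not prove the forwarded record was installed on ns1; grepping the expected record out of the ANSWER section, or reusing the `digcomp` comparison the earlier cases rely on, would pin the behaviour (the dig arguments and the nsupdate here-document were lost in extraction, so I cannot tell which name is queried). The echo line rewritten in the same hunk carries over a pre-existing typo that could be fixed while it is being touched: `echo_i "checking update forwarding with sig0 (Do53 -> Do53) ($n)"`. The `if test -f keyname` block starts and ends inside the hunk, but the intervening hunks were merged by the extraction.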