From: Artem Boldariev Date: Thu, 12 Aug 2021 09:42:13 +0000 (+0300) Subject: Extend the doth system test with IPv6 support [GL #2861] X-Git-Tag: v9.17.18~13^2~2 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=33fa1d5fb481dccfa60e81902fb170669635994d;p=thirdparty%2Fbind9.git Extend the doth system test with IPv6 support [GL #2861] This commit ensures that DoH (and DoT) functionality works well via IPv6 as well. The changes were made because it turned out that dig could not make DoH queries against an IPv6 IP address. These tests ensure that such a bug will not remain unnoticed. The commit also increases the servers' startup timeout to 25 seconds because the initial timeout of 14 seconds was too short to generate (!) eight 4096 bit ephemeral RSA certificates on a heavily loaded CI runner in some pipeline runs.
---
diff --git a/bin/tests/system/doth/ns1/named.conf.in b/bin/tests/system/doth/ns1/named.conf.in
index 0addde0c323..a78e30c40f9 100644
--- a/bin/tests/system/doth/ns1/named.conf.in
+++ b/bin/tests/system/doth/ns1/named.conf.in
@@ -27,8 +27,11 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.1; };
 listen-on tls ephemeral { 10.53.0.1; }; // DoT
+ listen-on-v6 tls ephemeral { fd92:7065:b8e:ffff::1;};
 listen-on tls ephemeral http local { 10.53.0.1; }; // DoH
+ listen-on-v6 tls ephemeral http local { fd92:7065:b8e:ffff::1; };
 listen-on tls none http local { 10.53.0.1; }; // unencrypted DoH
+ listen-on-v6 tls none http local { fd92:7065:b8e:ffff::1; };
 listen-on-v6 { none; };
 recursion no;
 notify explicit;
diff --git a/bin/tests/system/doth/ns2/named.conf.in b/bin/tests/system/doth/ns2/named.conf.in
index 3cdc952270c..0a77cf99520 100644
--- a/bin/tests/system/doth/ns2/named.conf.in
+++ b/bin/tests/system/doth/ns2/named.conf.in
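Review bot: The three added `listen-on-v6` lines in the ns1 hunk have no `// DoT`, `// DoH` or `// unencrypted DoH` trailer, unlike the IPv4 lines they mirror, and they sit directly above the retained `listen-on-v6 { none; };`, which then reads like a contradiction. Add the matching trailers and a comment on the retained statement, for example `listen-on-v6 { none; }; // no plain-DNS listener on IPv6`, if that is the intent. The first added line is also spaced differently from the others (`::1;}` instead of `::1; }`). The ns2/named.conf.in hunk is missing the same trailers.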
@@ -35,8 +35,11 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.2; };
 listen-on tls local { 10.53.0.2; }; // DoT
+ listen-on-v6 tls local { fd92:7065:b8e:ffff::2; };
 listen-on tls local http local { 10.53.0.2; }; // DoH
+ listen-on-v6 tls local http local { fd92:7065:b8e:ffff::2; };
 listen-on tls none http local { 10.53.0.2; }; // unencrypted DoH
+ listen-on-v6 tls none http local { fd92:7065:b8e:ffff::2; };
 listen-on-v6 { none; };
 recursion no;
 notify no;
diff --git a/bin/tests/system/doth/tests.sh b/bin/tests/system/doth/tests.sh
index fd31cea1ee3..39ed8571f52 100644
--- a/bin/tests/system/doth/tests.sh
+++ b/bin/tests/system/doth/tests.sh
@@ -63,6 +63,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+n=$((n + 1))
+echo_i "checking DoT query via IPv6 (ephemeral key) ($n)"
+ret=0
+dig_with_tls_opts -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoT query (static key) ($n)"
 ret=0
@@ -71,6 +79,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+n=$((n + 1))
+echo_i "checking DoT query via IPv6 (static key) ($n)"
+ret=0
+dig_with_tls_opts -6 @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoT XFR ($n)"
 ret=0
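Review bot: The IPv6 case added at `-63,6 +63,14` runs unconditionally, and nothing in the visible hunks checks that `fd92:7065:b8e:ffff::1` is usable before the first `dig_with_tls_opts -6` call. On a runner where the IPv6 test addresses are not configured, every added `via IPv6` case in this file would print a bare `failed` with no hint that the environment, rather than named or dig, is at fault. If the suite offers an IPv6 availability probe (none is visible in this diff), gate these stanzas on it and emit a skip message otherwise.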
@@ -87,6 +103,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (POST) ($n)"
+ret=0
+dig_with_https_opts -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (POST, static key) ($n)"
 ret=0
@@ -95,6 +119,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (POST, static key) ($n)"
+ret=0
+dig_with_https_opts -6 @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (POST, nonstandard endpoint) ($n)"
 ret=0
@@ -103,6 +135,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (POST, nonstandard endpoint) ($n)"
+ret=0
+dig_with_https_opts -6 +https=/alter @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (POST, undefined endpoint, failure expected) ($n)"
 ret=0
@@ -111,6 +151,14 @@ grep "communications error" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (POST, undefined endpoint, failure expected) ($n)"
+ret=0
+dig_with_https_opts -6 +tries=1 +time=1 +https=/fake @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "communications error" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH XFR (POST) (failure expected) ($n)"
 ret=0
@@ -127,6 +175,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (GET) ($n)"
+ret=0
+dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (GET, static key) ($n)"
 ret=0
@@ -135,6 +191,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (GET, static key) ($n)"
+ret=0
+dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (GET, nonstandard endpoint) ($n)"
 ret=0
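Review bot: In the `/fake` endpoint case at `-111,6 +151,14`, `grep "communications error"` accepts any transport failure, so the check may also pass when the IPv6 connection itself cannot be established, not only when the server rejects the undefined path. It proves rejection only as long as the preceding IPv6 POST case succeeded. Either match something specific to the rejected request, if dig's output offers it, or record the dependency in a comment such as `# any transport error passes here; reachability is proven by the IPv6 POST check above`. The GET variant at `-151,6 +223,14` has the same pattern.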
@@ -143,6 +207,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (GET, nonstandard endpoint) ($n)"
+ret=0
+dig_with_https_opts -6 +https-get=/alter @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (GET, undefined endpoint, failure expected) ($n)"
 ret=0
@@ -151,6 +223,14 @@ grep "communications error" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (GET, undefined endpoint, failure expected) ($n)"
+ret=0
+dig_with_https_opts -6 +tries=1 +time=1 +https-get=/fake @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "communications error" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH XFR (GET) (failure expected) ($n)"
 ret=0
@@ -167,6 +247,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+n=$((n + 1))
+echo_i "checking unencrypted DoH query via IPv6 (POST) ($n)"
+ret=0
+dig_with_http_opts -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking unencrypted DoH query (GET) ($n)"
 ret=0
@@ -175,6 +263,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+n=$((n + 1))
+echo_i "checking unencrypted DoH query via IPv6 (GET) ($n)"
+ret=0
+dig_with_http_opts -6 +http-plain-get @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking unencrypted DoH XFR (failure expected) ($n)"
 ret=0
@@ -192,6 +288,15 @@ grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 for a large answer (POST) ($n)"
+ret=0
+dig_with_https_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query for a large answer (GET) ($n)"
 ret=0
@@ -201,6 +306,15 @@ grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+n=$((n + 1))
+echo_i "checking DoH query via IPv6 for a large answer (GET) ($n)"
+ret=0
+dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking unencrypted DoH query for a large answer (POST) ($n)"
 ret=0
@@ -211,7 +325,16 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
-echo_i "checking unencrypted DoH query for a large answer (POST) ($n)"
+echo_i "checking unencrypted DoH query via IPv6 for a large answer (POST) ($n)"
+ret=0
+dig_with_http_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking unencrypted DoH query for a large answer (GET) ($n)"
 ret=0
 dig_with_http_opts +http-plain-get @10.53.0.1 biganswer.example A > dig.out.test$n
 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
@@ -219,6 +342,15 @@ grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+n=$((n + 1))
+echo_i "checking unencrypted DoH query via IPv6 for a large answer (GET) ($n)"
+ret=0
+dig_with_http_opts -6 +http-plain-get @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 test_opcodes() {
 EXPECT_STATUS="$1"
 shift
@@ -232,6 +364,14 @@ test_opcodes() {
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+ n=$((n + 1))
+ echo_i "checking unexpected opcode query over DoH via IPv6 for opcode $op ($n)"
+ ret=0
+ dig_with_https_opts -6 +https @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n
+ grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking unexpected opcode query over DoH without encryption for opcode $op ($n)"
 ret=0
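Review bot: The stanza added at `-232,6 +364,14` is the same seven-line counter/echo/dig/grep/report sequence that this commit pastes about twenty times, differing only in the description, the dig wrapper and its arguments, and the expected string. A small helper would keep the IPv4 and IPv6 variants from drifting apart (the POST/GET label mix-up corrected at `-211,7 +325,16` is the kind of slip the copies invite). The sketch below covers the single-grep stanzas, including the two further opcode hunks in test_opcodes(); the large-answer cases need a second expected string. The test_opcodes() loop starts and ends outside this hunk.

```shell
# Run one dig invocation and require EXPECT in its output.
# usage: check_dig DESCRIPTION EXPECT dig-wrapper [dig arguments...]
check_dig() {
	desc="$1"
	expect="$2"
	shift 2
	n=$((n + 1))
	echo_i "checking $desc ($n)"
	ret=0
	"$@" > dig.out.test$n
	grep "$expect" dig.out.test$n > /dev/null || ret=1
	if [ $ret != 0 ]; then echo_i "failed"; fi
	status=$((status + ret))
}

# … unchanged: test_opcodes() header and the IPv4 DoH opcode check …
	check_dig "unexpected opcode query over DoH via IPv6 for opcode $op" \
		"status: $EXPECT_STATUS" \
		dig_with_https_opts -6 +https @fd92:7065:b8e:ffff::1 +opcode="$op"
```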
@@ -240,6 +380,14 @@ test_opcodes() {
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+ n=$((n + 1))
+ echo_i "checking unexpected opcode query over DoH via IPv6 without encryption for opcode $op ($n)"
+ ret=0
+ dig_with_http_opts -6 +http-plain @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n
+ grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking unexpected opcode query over DoT for opcode $op ($n)"
 ret=0
@@ -247,6 +395,14 @@ test_opcodes() {
 grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+
+ n=$((n + 1))
+ echo_i "checking unexpected opcode query over DoT via IPv6 for opcode $op ($n)"
+ ret=0
+ dig_with_tls_opts -6 +tls @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n
+ grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
 done
 }
diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl
index ea82e615006..5e146cbeea6 100755
--- a/bin/tests/system/start.pl
+++ b/bin/tests/system/start.pl
@@ -202,12 +202,12 @@ sub start_server {
 my $child = `$command`;
 chomp($child);
- # wait up to 14 seconds for the server to start and to write the
+ # wait up to 25 seconds for the server to start and to write the
 # pid file otherwise kill this server and any others that have
 # already been started
 my $tries = 0;
 while (!-s $pid_file) {
- if (++$tries > 140) {
+ if (++$tries > 250) {
 print "I:$test:Couldn't start server $command (pid=$child)\n";
 print "I:$test:failed\n";
 kill "ABRT", $child if ("$child" ne "");
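Review bot: In the start.pl hunk the new bound `250` equals the 25 seconds promised in the comment only if each pass of the `while (!-s $pid_file)` loop waits 0.1 s, and that wait is outside this hunk, as is the rest of start_server. Tie the two together so the next adjustment cannot leave them out of step, e.g. `my $max_tries = 250; # 25 s, assuming one poll per 0.1 s` followed by `if (++$tries > $max_tries) {`. The commit message attributes the slow start to ephemeral certificate generation in one test, while this script presumably starts servers for other tests too, so the comment could also say that the longer bound applies to all of them.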