Test named's check-svcb behaviour with UPDATE

Checks that malformed _dns SVCB records are rejected unless check-svcb is set to no, in which case they are accepted. Both missing ALPN and missing DOHPATH are checked for.
2025-08-30 22:15:20 +00:00 · 2022-10-06 17:31:40 +11:00
parent c040e82c82
commit 1244a2ffb9
5 changed files with 84 additions and 0 deletions
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -45,6 +45,7 @@ rm -f ns3/delegation.test.db
 rm -f ns3/dnskey.test.db
 rm -f ns3/dsset-*
 rm -f ns3/example.db
+rm -f ns3/relaxed.db
 rm -f ns3/multisigner.test.db
 rm -f ns3/many.test.bk
 rm -f ns3/nsec3param.test.db
--- a/bin/tests/system/nsupdate/ns3/named.conf.in
+++ b/bin/tests/system/nsupdate/ns3/named.conf.in
@@ -32,6 +32,13 @@ zone "example" {
 	file "example.db";
 };

+zone "relaxed" {
+	type primary;
+	allow-update { any; };
+	check-svcb no;
+	file "relaxed.db";
+};
+
 zone "nsec3param.test" {
 	type primary;
 	allow-update { any; };
--- a/bin/tests/system/nsupdate/ns3/relaxed.db.in
+++ b/bin/tests/system/nsupdate/ns3/relaxed.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+relaxed. 10 IN SOA relaxed. hostmaster.relaxed. 1 3600 900 2419200 3600
+relaxed. 10 IN NS relaxed.
+relaxed. 10 IN A 10.53.0.3
+relaxed. 10 IN NSEC3PARAM 1 1 0 -
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -51,6 +51,7 @@ sed 's/example.nil/unixtime.nil/g' ns1/example1.db > ns1/unixtime.db
 sed 's/example.nil/yyyymmddvv.nil/g' ns1/example1.db > ns1/yyyymmddvv.db
 sed 's/example.nil/keytests.nil/g' ns1/example1.db > ns1/keytests.db
 cp -f ns3/example.db.in ns3/example.db
+cp -f ns3/relaxed.db.in ns3/relaxed.db
 cp -f ns3/too-big.test.db.in ns3/too-big.test.db

 # update_test.pl has its own zone file because it
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -1556,6 +1556,66 @@ grep '10.53.0.1.*REFUSED' nsupdate.out.test$n > /dev/null || ret=1
 grep 'Reply from SOA query' nsupdate.out.test$n > /dev/null || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }

+n=$((n + 1))
+ret=0
+echo_i "check that named rejects '_dns' SVCB with missing ALPN ($n)"
+nextpart ns3/named.run > /dev/null
+$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone example
+check-svcb no
+update add _dns.ns.example 0 in SVCB 1 ns.example dohpath=/{?dns}
+send
+END
+grep 'status: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
+msg="update failed: _dns.ns.example/SVCB: no ALPN (REFUSED)"
+nextpart ns3/named.run | grep "$msg" ns3/named.run > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that named accepts '_dns' SVCB with missing ALPN (check-svcb no) ($n)"
+$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone relaxed
+check-svcb no
+update add _dns.ns.relaxed 0 in SVCB 1 ns.relaxed dohpath=/{?dns}
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.3 _dns.ns.relaxed SVCB > dig.out.ns3.test$n
+grep '1 ns.relaxed. key7="/{?dns}"' dig.out.ns3.test$n || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that named rejects '_dns' SVCB with missing DOHPATH ($n)"
+nextpart ns3/named.run > /dev/null
+$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone example
+check-svcb no
+update add _dns.ns.example 0 in SVCB 1 ns.example alpn=h2
+send
+END
+grep 'status: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
+msg="update failed: _dns.ns.example/SVCB: no DOHPATH (REFUSED)"
+nextpart ns3/named.run | grep "$msg" ns3/named.run > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that named accepts '_dns' SVCB with missing DOHPATH (check-svcb no) ($n)"
+$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone relaxed
+check-svcb no
+update add _dns.ns.relaxed 0 in SVCB 1 ns.relaxed alpn=h2
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.3 _dns.ns.relaxed SVCB > dig.out.ns3.test$n
+grep '1 ns.relaxed. alpn="h2"' dig.out.ns3.test$n || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 if ! $FEATURETEST --gssapi ; then
  echo_i "SKIPPED: GSSAPI tests"
 else