Extend the 'doth' system test to test extended allow-transfer option

This commit extends the 'doth' system test to verify that the new extended 'allow-transfer' option syntax featuring 'port' and 'transport' parameters is supported and works as expected. That is, it restricts the primary server to allow zone transfers only via XoT. Additionally to that, it extends the 'checkonf' test with more configuration file examples featuring the new syntax.
2025-08-31 06:25:31 +00:00 · 2021-11-22 15:31:15 +02:00
parent 0ee6f66cbd
commit 3cd2ffc01f
8 changed files with 152 additions and 2 deletions
--- a/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-port.conf
+++ b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-port.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+	type primary;
+	file "example1.db";
+	allow-transfer port 99999 { any; };
+};
--- a/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-1.conf
+++ b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-1.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+	type primary;
+	file "example1.db";
+	allow-transfer port 44344 transport blah { any; };
+};
--- a/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-2.conf
+++ b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-2.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+	type primary;
+	file "example1.db";
+	allow-transfer port 44344 transport udp { any; };
+};
--- a/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-3.conf
+++ b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-3.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+	type primary;
+	file "example1.db";
+	allow-transfer port 44344 transport http { any; };
+};
--- a/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-4.conf
+++ b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-4.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+	type primary;
+	file "example1.db";
+	allow-transfer port 44344 transport http-plain { any; };
+};
--- a/bin/tests/system/checkconf/good-dot-allow-transfer-encrypted.conf
+++ b/bin/tests/system/checkconf/good-dot-allow-transfer-encrypted.conf
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+	type primary;
+	file "example1.db";
+	allow-transfer port 44344 transport tls { any; };
+};
+
+zone "example2" {
+	type primary;
+	file "example2.db";
+	allow-transfer port 44344 transport tcp { any; };
+};
+
+zone "example3" {
+	type primary;
+	file "example3.db";
+	allow-transfer transport tls { any; };
+};
+
+zone "example4" {
+	type primary;
+	file "example4.db";
+	allow-transfer transport tcp { any; };
+};
+
+
+zone "example5" {
+	type primary;
+	file "example5.db";
+	allow-transfer port 53 { any; };
+};
+
+zone "example6" {
+	type primary;
+	file "example6.db";
+	allow-transfer { any; };
+};
--- a/bin/tests/system/doth/ns1/named.conf.in
+++ b/bin/tests/system/doth/ns1/named.conf.in
@@ -44,11 +44,11 @@ options {
 zone "." {
 	type primary;
 	file "root.db";
-	allow-transfer { any; };
+	allow-transfer port @TLSPORT@ transport tls { any; };
 };

 zone "example" {
 	type primary;
 	file "example.db";
-	allow-transfer { any; };
+	allow-transfer port @TLSPORT@ transport tls { any; };
 };
--- a/bin/tests/system/doth/tests.sh
+++ b/bin/tests/system/doth/tests.sh
@@ -30,6 +30,11 @@ dig_with_http_opts() {
 	"$DIG" +http-plain $common_dig_options -p "${HTTPPORT}" "$@"
 }

+dig_with_opts() {
+	# shellcheck disable=SC2086
+	"$DIG" $common_dig_options -p "${PORT}" "$@"
+}
+
 wait_for_tls_xfer() (
 	dig_with_tls_opts -b 10.53.0.3 @10.53.0.2 example. AXFR > "dig.out.ns2.test$n" || return 1
 	grep "^;" "dig.out.ns2.test$n" > /dev/null && return 1
@@ -101,6 +106,24 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+# zone transfers are allowed only via TLS
+n=$((n+1))
+echo_i "testing zone transfer over Do53 server functionality (using dig, failure expected) ($n)"
+ret=0
+dig_with_opts example. -b 10.53.0.3 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
+grep "; Transfer failed." dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# querying zones is still allowed via UDP/TCP
+n=$((n + 1))
+echo_i "checking Do53 query ($n)"
+ret=0
+dig_with_opts @10.53.0.1 example SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 # In this test we are trying to establish a DoT connection over the
 # DoH port. That is intentional, as dig should fail right after
 # handshake has happened and before sending any queries, as XFRs, per