Add new upforwd system test

Add a new upforwd system test that checks if update forwarding still works if the first primary is badly configured. We cannot reuse the 'example.' zone for this test because that checks if update forwarding works for DoT. What transport is used in the new test is of no relevance. Update the system test to use different known good file names for the different zones that are being tested.
2025-08-31 14:35:26 +00:00 · 2022-10-26 09:51:21 +02:00
parent 549b153d2b
commit 72530d2f9c
8 changed files with 191 additions and 31 deletions
--- a/bin/tests/system/upforwd/CA/CA.pem
+++ b/bin/tests/system/upforwd/CA/CA.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE3TCCA0WgAwIBAgIUeZPKrvbGEBZaRc2jNczlIsJXyPYwDQYJKoZIhvcNAQEL
+BQAwfTELMAkGA1UEBhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4G
+A1UEBwwHS2hhcmtpdjEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0
+aXVtMRwwGgYDVQQDDBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDEyNDEyNDA1
+NFoYDzIwNTIwMTE3MTI0MDU0WjB9MQswCQYDVQQGEwJVQTEYMBYGA1UECAwPS2hh
+cmtpdiBPYmxhc3QnMRAwDgYDVQQHDAdLaGFya2l2MSQwIgYDVQQKDBtJbnRlcm5l
+dCBTeXN0ZW1zIENvbnNvcnRpdW0xHDAaBgNVBAMME2NhLnRlc3QuZXhhbXBsZS5j
+b20wggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCi6hEegBzpUKbE1NTo
+Z7uz7EMUY7TBckkiw/7ydTLKNa8YI4JpBguFvWQsDY0dGFJIoVwyHyNx3seW/LoI
+B5zWPZ2xbOvLLceA+t2NZpbc98E7jUOVS123yED+nqlfZjCq9Zt0r/ezwnQtjnFF
+ko1mcU4H9Jvg8aIgnU2AxE78zciU9CY8799pFFNThIjbooI8oVbfjbzbpmLzxjA5
+3rDmZBTh+ySTlMa2U2oT4WPjRltZWnJVegRRLpG95GnTbQ1fkJAbj1Iu10XTkCee
+wBOqaA1UJem0a6pby5odE414Y7c0ETKcmaJtYENQyO0IJwZWDKtVe5OTIAklakia
+eyFTCAw1h5tHCYLaJW/Yu2wlLl5RNQcRZ9+cWXnldTY+TI1iBjfmADjLdKJYUlhX
+z7kWJtTi63Sdv6WYcEXxaWpxT+R3e2kaR/R7GOo4gdkWpX1siGlRteHHH2/36CSQ
+ZD2etcTUpGW+KDHFR4grnEfL1rt9UgvCjpa4KcssmZtWSSUCAwEAAaNTMFEwHQYD
+VR0OBBYEFHyJ6Fzr5R9ySATFj/uSCJz1YCY5MB8GA1UdIwQYMBaAFHyJ6Fzr5R9y
+SATFj/uSCJz1YCY5MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggGB
+AF3y0hvzyZWtmuG1JwIcOcc1aPl1KdRy8bao/5iHYGYYrsdDgcO5/e+y9S/izalc
+TdW7SKB5iBOCiE8fBNtToCvGP+fxNxHijpAmTr37G5sWuSo1T1VYFizHWL+df/Ig
+TcSvDrEjSnAwaEdNJUWtjoIC4VzNKTLtZf16QIATTzTZa3bfgSetpWS7LhLQbHod
+CSGI2QB1LRbqGC+a1Y85QxHv81jWzPWPzXYvnOLrDdQyBMOBcxDzrN4b6zg+5Itz
+qGYt+IS71jAH0IhxAyD/U5n1jGJv02BnSq0ynLEOD6gsnZjqAwPbt/PM9pGbtbXO
+70Q9rxr+vQc1IISKAEiH3txaEPi10wU98d6LbInJvQrmgHo/ntet8skWNYuxlEzS
+wvynuE9KvvQtOTodWt5AePtKrhHdxu527a4CHVp59nYUjKSdMKjvmhMRXM1cNjFE
+rA/pyyhozR47w3RzHMJVHw2GJ2B/HeqmxpXr1CmJjoRP38QCR7N+mqiZy85Fq2j2
+8Q==
+-----END CERTIFICATE-----
--- a/bin/tests/system/upforwd/knowngood.after1.example3
+++ b/bin/tests/system/upforwd/knowngood.after1.example3
@@ -0,0 +1,10 @@
+example3.		3600	IN	SOA	n1.example3. hostmaster.ns1.example3. 2 3600 1200 604800 7200
+example3.		3600	IN	NS	ns2.example3.
+example3.		3600	IN	NS	ns3.example3.
+ns1.example3.		3600	IN	A	10.53.0.1
+ns2.example3.		3600	IN	A	10.53.0.2
+ns3.example3.		3600	IN	A	10.53.0.3
+updated.example3.	600	IN	TXT	"Foo"
+updated.example3.	600	IN	A	10.10.10.1
+example3.		3600	IN	SOA	n1.example3. hostmaster.ns1.example3. 2 3600 1200 604800 7200
+
--- a/bin/tests/system/upforwd/knowngood.before.example3
+++ b/bin/tests/system/upforwd/knowngood.before.example3
@@ -0,0 +1,8 @@
+example3.		3600	IN	SOA	n1.example3. hostmaster.ns1.example3. 1 3600 1200 604800 7200
+example3.		3600	IN	NS	ns2.example3.
+example3.		3600	IN	NS	ns3.example3.
+ns1.example3.		3600	IN	A	10.53.0.1
+ns2.example3.		3600	IN	A	10.53.0.2
+ns3.example3.		3600	IN	A	10.53.0.3
+example3.		3600	IN	SOA	n1.example3. hostmaster.ns1.example3. 1 3600 1200 604800 7200
+
--- a/bin/tests/system/upforwd/ns1/example3.db
+++ b/bin/tests/system/upforwd/ns1/example3.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	3600	SOA	n1.example3. hostmaster.ns1.example3. (
+			1 3600 1200 604800 7200 )
+		NS	ns2.example3.
+		NS	ns3.example3.
+ns1		A	10.53.0.1
+ns2		A	10.53.0.2
+ns3		A	10.53.0.3
--- a/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
@@ -41,3 +41,9 @@ zone "example2" {
 	file "example2.db";
 	allow-update { key sig0.example2.; };
 };
+
+zone "example3" {
+	type primary;
+	file "example3.db";
+	allow-update { key update.example.; 10.53.0.3; };
+};
--- a/bin/tests/system/upforwd/ns2/named.conf.in
+++ b/bin/tests/system/upforwd/ns2/named.conf.in
@@ -34,3 +34,9 @@ zone "example2" {
 	file "example2.bk";
 	primaries { 10.53.0.1; };
 };
+
+zone "example3" {
+	type secondary;
+	file "example3.bk";
+	primaries { 10.53.0.1; };
+};
--- a/bin/tests/system/upforwd/ns3/named.conf.in
+++ b/bin/tests/system/upforwd/ns3/named.conf.in
@@ -35,11 +35,16 @@ controls {
        inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };

+tls tls-example-primary {
+	remote-hostname "srv01.crt01.example.com"; // enable Strict TLS
+	ca-file "../CA/CA.pem";
+};
+
 zone "example" {
 	type secondary;
 	file "example.bk";
 	allow-update-forwarding { any; };
-	primaries { 10.53.0.1 port @TLSPORT@ tls ephemeral; };
+	primaries { 10.53.0.1 tls ephemeral; };
 };

 zone "example2" {
@@ -49,6 +54,16 @@ zone "example2" {
 	primaries { 10.53.0.1; };
 };

+zone "example3" {
+	type secondary;
+	file "example3.bk";
+	allow-update-forwarding { any; };
+	primaries {
+		10.53.0.1 tls tls-example-primary; // bad
+		10.53.0.1; // good
+	};
+};
+
 zone "noprimary" {
 	type secondary;
 	file "noprimary1.db";
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -39,12 +39,12 @@ echo_i "waiting for servers to be ready for testing ($n)"
 for i in 1 2 3 4 5 6 7 8 9 10
 do
 	ret=0
-	$DIG +tcp -p ${PORT} example. @10.53.0.1 soa > dig.out.ns1 || ret=1
-	grep "status: NOERROR" dig.out.ns1 > /dev/null ||  ret=1
-	$DIG +tcp -p ${PORT} example. @10.53.0.2 soa > dig.out.ns2 || ret=1
-	grep "status: NOERROR" dig.out.ns2 > /dev/null ||  ret=1
-	$DIG +tcp -p ${PORT} example. @10.53.0.3 soa > dig.out.ns3 || ret=1
-	grep "status: NOERROR" dig.out.ns3 > /dev/null ||  ret=1
+	$DIG +tcp -p ${PORT} example. @10.53.0.1 soa > dig.out.ns1.$n || ret=1
+	grep "status: NOERROR" dig.out.ns1.$n > /dev/null ||  ret=1
+	$DIG +tcp -p ${PORT} example. @10.53.0.2 soa > dig.out.ns2.$n || ret=1
+	grep "status: NOERROR" dig.out.ns2.$n > /dev/null ||  ret=1
+	$DIG +tcp -p ${PORT} example. @10.53.0.3 soa > dig.out.ns3.$n || ret=1
+	grep "status: NOERROR" dig.out.ns3.$n > /dev/null ||  ret=1
 	test $ret = 0 && break
 	sleep 1
 done
@@ -54,28 +54,28 @@ n=`expr $n + 1`
 echo_i "fetching primary copy of zone before update ($n)"
 ret=0
 $DIG $DIGOPTS example.\
-	@10.53.0.1 axfr > dig.out.ns1 || ret=1
+	@10.53.0.1 axfr > dig.out.ns1.example.before || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 n=`expr $n + 1`

 echo_i "fetching secondary 1 copy of zone before update ($n)"
 $DIG $DIGOPTS example.\
-	@10.53.0.2 axfr > dig.out.ns2 || ret=1
+	@10.53.0.2 axfr > dig.out.ns2.example.before || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 n=`expr $n + 1`

 echo_i "fetching secondary 2 copy of zone before update ($n)"
 ret=0
 $DIG $DIGOPTS example.\
-	@10.53.0.3 axfr > dig.out.ns3 || ret=1
+	@10.53.0.3 axfr > dig.out.ns3.example.before || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 n=`expr $n + 1`

 echo_i "comparing pre-update copies to known good data ($n)"
 ret=0
-digcomp knowngood.before dig.out.ns1 || ret=1
-digcomp knowngood.before dig.out.ns2 || ret=1
-digcomp knowngood.before dig.out.ns3 || ret=1
+digcomp knowngood.before dig.out.ns1.example.before || ret=1
+digcomp knowngood.before dig.out.ns2.example.before || ret=1
+digcomp knowngood.before dig.out.ns3.example.before || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi

 echo_i "checking update forwarding of a zone (signed) (Do53 -> DoT) ($n)"
@@ -95,28 +95,28 @@ sleep 15
 echo_i "fetching primary copy of zone after update ($n)"
 ret=0
 $DIG $DIGOPTS example.\
-	@10.53.0.1 axfr > dig.out.ns1 || ret=1
+	@10.53.0.1 axfr > dig.out.ns1.example.after1 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 n=`expr $n + 1`

 echo_i "fetching secondary 1 copy of zone after update ($n)"
 ret=0
 $DIG $DIGOPTS example.\
-	@10.53.0.2 axfr > dig.out.ns2 || ret=1
+	@10.53.0.2 axfr > dig.out.ns2.example.after1 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi

 echo_i "fetching secondary 2 copy of zone after update ($n)"
 ret=0
 $DIG $DIGOPTS example.\
-	@10.53.0.3 axfr > dig.out.ns3 || ret=1
+	@10.53.0.3 axfr > dig.out.ns3.example.after1 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 n=`expr $n + 1`

 echo_i "comparing post-update copies to known good data ($n)"
 ret=0
-digcomp knowngood.after1 dig.out.ns1 || ret=1
-digcomp knowngood.after1 dig.out.ns2 || ret=1
-digcomp knowngood.after1 dig.out.ns3 || ret=1
+digcomp knowngood.after1 dig.out.ns1.example.after1 || ret=1
+digcomp knowngood.after1 dig.out.ns2.example.after1 || ret=1
+digcomp knowngood.after1 dig.out.ns3.example.after1 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi

 echo_i "checking update forwarding of a zone (signed) (DoT -> DoT) ($n)"
@@ -136,28 +136,28 @@ sleep 15
 echo_i "fetching primary copy of zone after update ($n)"
 ret=0
 $DIG $DIGOPTS example.\
-	@10.53.0.1 axfr > dig.out.ns1 || ret=1
+	@10.53.0.1 axfr > dig.out.ns1.example.after2 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 n=`expr $n + 1`

 echo_i "fetching secondary 1 copy of zone after update ($n)"
 ret=0
 $DIG $DIGOPTS example.\
-	@10.53.0.2 axfr > dig.out.ns2 || ret=1
+	@10.53.0.2 axfr > dig.out.ns2.example.after2 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi

 echo_i "fetching secondary 2 copy of zone after update ($n)"
 ret=0
 $DIG $DIGOPTS example.\
-	@10.53.0.3 axfr > dig.out.ns3 || ret=1
+	@10.53.0.3 axfr > dig.out.ns3.example.after2 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 n=`expr $n + 1`

 echo_i "comparing post-update copies to known good data ($n)"
 ret=0
-digcomp knowngood.after2 dig.out.ns1 || ret=1
-digcomp knowngood.after2 dig.out.ns2 || ret=1
-digcomp knowngood.after2 dig.out.ns3 || ret=1
+digcomp knowngood.after2 dig.out.ns1.example.after2 || ret=1
+digcomp knowngood.after2 dig.out.ns2.example.after2 || ret=1
+digcomp knowngood.after2 dig.out.ns3.example.after2 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi

 echo_i "checking 'forwarding update for zone' is logged twice ($n)"
@@ -195,27 +195,95 @@ sleep 15
 echo_i "fetching primary copy of zone after update ($n)"
 ret=0
 $DIG $DIGOPTS example.\
-	@10.53.0.1 axfr > dig.out.ns1 || ret=1
+	@10.53.0.1 axfr > dig.out.ns1.example.after3 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi

 echo_i "fetching secondary 1 copy of zone after update ($n)"
 ret=0
 $DIG $DIGOPTS example.\
-	@10.53.0.2 axfr > dig.out.ns2 || ret=1
+	@10.53.0.2 axfr > dig.out.ns2.example.after3 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 n=`expr $n + 1`

 echo_i "fetching secondary 2 copy of zone after update ($n)"
 ret=0
 $DIG $DIGOPTS example.\
-	@10.53.0.3 axfr > dig.out.ns3 || ret=1
+	@10.53.0.3 axfr > dig.out.ns3.example.after3 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi

 echo_i "comparing post-update copies to known good data ($n)"
 ret=0
-digcomp knowngood.after3 dig.out.ns1 || ret=1
-digcomp knowngood.after3 dig.out.ns2 || ret=1
-digcomp knowngood.after3 dig.out.ns3 || ret=1
+digcomp knowngood.after3 dig.out.ns1.example.after3 || ret=1
+digcomp knowngood.after3 dig.out.ns2.example.after3 || ret=1
+digcomp knowngood.after3 dig.out.ns3.example.after3 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+echo_i "fetching primary copy of zone before update, first primary fails ($n)"
+ret=0
+$DIG $DIGOPTS example3.\
+	@10.53.0.1 axfr > dig.out.ns1.example3.before || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "fetching secondary 1 copy of zone before update, first primary fails ($n)"
+$DIG $DIGOPTS example3.\
+	@10.53.0.2 axfr > dig.out.ns2.example3.before || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "fetching secondary 2 copy of zone before update, first primary fails ($n)"
+ret=0
+$DIG $DIGOPTS example3.\
+	@10.53.0.3 axfr > dig.out.ns3.example3.before || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "comparing pre-update copies to known good data, first primary fails ($n)"
+ret=0
+digcomp knowngood.before.example3 dig.out.ns1.example3.before || ret=1
+digcomp knowngood.before.example3 dig.out.ns2.example3.before || ret=1
+digcomp knowngood.before.example3 dig.out.ns3.example3.before || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+echo_i "checking update forwarding of a zone (signed) (Do53 -> DoT) ($n)"
+ret=0
+$NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -- - <<EOF || ret=1
+server 10.53.0.3 ${PORT}
+update add updated.example3. 600 A 10.10.10.1
+update add updated.example3. 600 TXT Foo
+send
+EOF
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "sleeping 15 seconds for server to incorporate changes"
+sleep 15
+
+echo_i "fetching primary copy of zone after update, first primary fails ($n)"
+ret=0
+$DIG $DIGOPTS example3.\
+	@10.53.0.1 axfr > dig.out.ns1.example3.after1 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "fetching secondary 1 copy of zone after update, first primary fails ($n)"
+ret=0
+$DIG $DIGOPTS example3.\
+	@10.53.0.2 axfr > dig.out.ns2.example3.after1 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+echo_i "fetching secondary 2 copy of zone after update, first primary fails ($n)"
+ret=0
+$DIG $DIGOPTS example3.\
+	@10.53.0.3 axfr > dig.out.ns3.example3.after1 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "comparing post-update copies to known good data, first primary fails ($n)"
+ret=0
+digcomp knowngood.after1.example3 dig.out.ns1.example3.after1 || ret=1
+digcomp knowngood.after1.example3 dig.out.ns2.example3.after1 || ret=1
+digcomp knowngood.after1.example3 dig.out.ns3.example3.after1 || ret=1
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi

 if $FEATURETEST --enable-dnstap