
Add new upforwd system test

Add a new upforwd system test that checks if update forwarding still
works if the first primary is badly configured.

We cannot reuse the 'example.' zone for this test because that zone is
used to check that update forwarding works over DoT. Which transport is
used in the new test is irrelevant.

Update the system test to use different known good file names for
the different zones that are being tested.
This commit is contained in:
Matthijs Mekking
2022-10-26 09:51:21 +02:00
parent 549b153d2b
commit 72530d2f9c
8 changed files with 191 additions and 31 deletions


@@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@@ -0,0 +1,10 @@
example3. 3600 IN SOA n1.example3. hostmaster.ns1.example3. 2 3600 1200 604800 7200
example3. 3600 IN NS ns2.example3.
example3. 3600 IN NS ns3.example3.
ns1.example3. 3600 IN A 10.53.0.1
ns2.example3. 3600 IN A 10.53.0.2
ns3.example3. 3600 IN A 10.53.0.3
updated.example3. 600 IN TXT "Foo"
updated.example3. 600 IN A 10.10.10.1
example3. 3600 IN SOA n1.example3. hostmaster.ns1.example3. 2 3600 1200 604800 7200
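Review bot: The SOA MNAME in this known-good file is `n1.example3.` (first and last lines) while every NS record names `ns2`/`ns3` and the only A record that could match is `ns1.example3.`, so `n1` looks like a typo for `ns1`. The same MNAME is in the other knowngood file and in the new zone file's SOA (`@ 3600 SOA n1.example3. hostmaster.ns1.example3. (`), so all three must change together or digcomp will report a mismatch. If the odd name is deliberate, a short comment in the zone file saying so would save the next reader the question.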


@@ -0,0 +1,8 @@
example3. 3600 IN SOA n1.example3. hostmaster.ns1.example3. 1 3600 1200 604800 7200
example3. 3600 IN NS ns2.example3.
example3. 3600 IN NS ns3.example3.
ns1.example3. 3600 IN A 10.53.0.1
ns2.example3. 3600 IN A 10.53.0.2
ns3.example3. 3600 IN A 10.53.0.3
example3. 3600 IN SOA n1.example3. hostmaster.ns1.example3. 1 3600 1200 604800 7200


@@ -0,0 +1,18 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
@ 3600 SOA n1.example3. hostmaster.ns1.example3. (
1 3600 1200 604800 7200 )
NS ns2.example3.
NS ns3.example3.
ns1 A 10.53.0.1
ns2 A 10.53.0.2
ns3 A 10.53.0.3


@@ -41,3 +41,9 @@ zone "example2" {
file "example2.db";
allow-update { key sig0.example2.; };
};
zone "example3" {
type primary;
file "example3.db";
allow-update { key update.example.; 10.53.0.3; };
};
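Review bot: The new `allow-update { key update.example.; 10.53.0.3; };` accepts updates from 10.53.0.3 by source address alone, so an unsigned update arriving from the forwarder (ns3) is accepted alongside one signed with update.example. If the forwarded request keeps the client's TSIG, the address entry is presumably redundant; if it does not, a comment on that line stating why address-based acceptance is required would help, e.g. `allow-update { key update.example.; 10.53.0.3; }; // ns3 forwards client updates to us`. The example zone's own allow-update is outside the hunk, so I cannot tell whether it follows the same pattern.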


@@ -34,3 +34,9 @@ zone "example2" {
file "example2.bk";
primaries { 10.53.0.1; };
};
zone "example3" {
type secondary;
file "example3.bk";
primaries { 10.53.0.1; };
};


@@ -35,11 +35,16 @@ controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
tls tls-example-primary {
remote-hostname "srv01.crt01.example.com"; // enable Strict TLS
ca-file "../CA/CA.pem";
};
zone "example" {
type secondary;
file "example.bk";
allow-update-forwarding { any; };
primaries { 10.53.0.1 port @TLSPORT@ tls ephemeral; };
primaries { 10.53.0.1 tls ephemeral; };
};
zone "example2" {
@@ -49,6 +54,16 @@ zone "example2" {
primaries { 10.53.0.1; };
};
zone "example3" {
type secondary;
file "example3.bk";
allow-update-forwarding { any; };
primaries {
10.53.0.1 tls tls-example-primary; // bad
10.53.0.1; // good
};
};
zone "noprimary" {
type secondary;
file "noprimary1.db";
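Review bot: `// bad` and `// good` on the example3 primaries in the second hunk do not say what makes the first entry bad or that it is intentional, which is the whole point of the new test; spell it out, e.g. `10.53.0.1 tls tls-example-primary; // deliberately misconfigured: strict TLS to the primary's plain port, forwarding must fall back to the next entry`. That the entry fails because of `remote-hostname` plus `ca-file` in the new tls block and the missing port is my inference, so adjust the wording if the actual failure mode differs. In the first hunk the example zone's primaries line appears to drop `port @TLSPORT@`, which the commit message does not mention; worth confirming that is intended and that the server's TLS port configuration covers it.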


@@ -39,12 +39,12 @@ echo_i "waiting for servers to be ready for testing ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
ret=0
$DIG +tcp -p ${PORT} example. @10.53.0.1 soa > dig.out.ns1 || ret=1
grep "status: NOERROR" dig.out.ns1 > /dev/null || ret=1
$DIG +tcp -p ${PORT} example. @10.53.0.2 soa > dig.out.ns2 || ret=1
grep "status: NOERROR" dig.out.ns2 > /dev/null || ret=1
$DIG +tcp -p ${PORT} example. @10.53.0.3 soa > dig.out.ns3 || ret=1
grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1
$DIG +tcp -p ${PORT} example. @10.53.0.1 soa > dig.out.ns1.$n || ret=1
grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
$DIG +tcp -p ${PORT} example. @10.53.0.2 soa > dig.out.ns2.$n || ret=1
grep "status: NOERROR" dig.out.ns2.$n > /dev/null || ret=1
$DIG +tcp -p ${PORT} example. @10.53.0.3 soa > dig.out.ns3.$n || ret=1
grep "status: NOERROR" dig.out.ns3.$n > /dev/null || ret=1
test $ret = 0 && break
sleep 1
done
@@ -54,28 +54,28 @@ n=`expr $n + 1`
echo_i "fetching primary copy of zone before update ($n)"
ret=0
$DIG $DIGOPTS example.\
@10.53.0.1 axfr > dig.out.ns1 || ret=1
@10.53.0.1 axfr > dig.out.ns1.example.before || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
n=`expr $n + 1`
echo_i "fetching secondary 1 copy of zone before update ($n)"
$DIG $DIGOPTS example.\
@10.53.0.2 axfr > dig.out.ns2 || ret=1
@10.53.0.2 axfr > dig.out.ns2.example.before || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
n=`expr $n + 1`
echo_i "fetching secondary 2 copy of zone before update ($n)"
ret=0
$DIG $DIGOPTS example.\
@10.53.0.3 axfr > dig.out.ns3 || ret=1
@10.53.0.3 axfr > dig.out.ns3.example.before || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
n=`expr $n + 1`
echo_i "comparing pre-update copies to known good data ($n)"
ret=0
digcomp knowngood.before dig.out.ns1 || ret=1
digcomp knowngood.before dig.out.ns2 || ret=1
digcomp knowngood.before dig.out.ns3 || ret=1
digcomp knowngood.before dig.out.ns1.example.before || ret=1
digcomp knowngood.before dig.out.ns2.example.before || ret=1
digcomp knowngood.before dig.out.ns3.example.before || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
echo_i "checking update forwarding of a zone (signed) (Do53 -> DoT) ($n)"
@@ -95,28 +95,28 @@ sleep 15
echo_i "fetching primary copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example.\
@10.53.0.1 axfr > dig.out.ns1 || ret=1
@10.53.0.1 axfr > dig.out.ns1.example.after1 || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
n=`expr $n + 1`
echo_i "fetching secondary 1 copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example.\
@10.53.0.2 axfr > dig.out.ns2 || ret=1
@10.53.0.2 axfr > dig.out.ns2.example.after1 || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
echo_i "fetching secondary 2 copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example.\
@10.53.0.3 axfr > dig.out.ns3 || ret=1
@10.53.0.3 axfr > dig.out.ns3.example.after1 || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
n=`expr $n + 1`
echo_i "comparing post-update copies to known good data ($n)"
ret=0
digcomp knowngood.after1 dig.out.ns1 || ret=1
digcomp knowngood.after1 dig.out.ns2 || ret=1
digcomp knowngood.after1 dig.out.ns3 || ret=1
digcomp knowngood.after1 dig.out.ns1.example.after1 || ret=1
digcomp knowngood.after1 dig.out.ns2.example.after1 || ret=1
digcomp knowngood.after1 dig.out.ns3.example.after1 || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
echo_i "checking update forwarding of a zone (signed) (DoT -> DoT) ($n)"
@@ -136,28 +136,28 @@ sleep 15
echo_i "fetching primary copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example.\
@10.53.0.1 axfr > dig.out.ns1 || ret=1
@10.53.0.1 axfr > dig.out.ns1.example.after2 || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
n=`expr $n + 1`
echo_i "fetching secondary 1 copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example.\
@10.53.0.2 axfr > dig.out.ns2 || ret=1
@10.53.0.2 axfr > dig.out.ns2.example.after2 || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
echo_i "fetching secondary 2 copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example.\
@10.53.0.3 axfr > dig.out.ns3 || ret=1
@10.53.0.3 axfr > dig.out.ns3.example.after2 || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
n=`expr $n + 1`
echo_i "comparing post-update copies to known good data ($n)"
ret=0
digcomp knowngood.after2 dig.out.ns1 || ret=1
digcomp knowngood.after2 dig.out.ns2 || ret=1
digcomp knowngood.after2 dig.out.ns3 || ret=1
digcomp knowngood.after2 dig.out.ns1.example.after2 || ret=1
digcomp knowngood.after2 dig.out.ns2.example.after2 || ret=1
digcomp knowngood.after2 dig.out.ns3.example.after2 || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
echo_i "checking 'forwarding update for zone' is logged twice ($n)"
@@ -195,27 +195,95 @@ sleep 15
echo_i "fetching primary copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example.\
@10.53.0.1 axfr > dig.out.ns1 || ret=1
@10.53.0.1 axfr > dig.out.ns1.example.after3 || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
echo_i "fetching secondary 1 copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example.\
@10.53.0.2 axfr > dig.out.ns2 || ret=1
@10.53.0.2 axfr > dig.out.ns2.example.after3 || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
n=`expr $n + 1`
echo_i "fetching secondary 2 copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example.\
@10.53.0.3 axfr > dig.out.ns3 || ret=1
@10.53.0.3 axfr > dig.out.ns3.example.after3 || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
echo_i "comparing post-update copies to known good data ($n)"
ret=0
digcomp knowngood.after3 dig.out.ns1 || ret=1
digcomp knowngood.after3 dig.out.ns2 || ret=1
digcomp knowngood.after3 dig.out.ns3 || ret=1
digcomp knowngood.after3 dig.out.ns1.example.after3 || ret=1
digcomp knowngood.after3 dig.out.ns2.example.after3 || ret=1
digcomp knowngood.after3 dig.out.ns3.example.after3 || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
echo_i "fetching primary copy of zone before update, first primary fails ($n)"
ret=0
$DIG $DIGOPTS example3.\
@10.53.0.1 axfr > dig.out.ns1.example3.before || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
n=`expr $n + 1`
echo_i "fetching secondary 1 copy of zone before update, first primary fails ($n)"
$DIG $DIGOPTS example3.\
@10.53.0.2 axfr > dig.out.ns2.example3.before || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
n=`expr $n + 1`
echo_i "fetching secondary 2 copy of zone before update, first primary fails ($n)"
ret=0
$DIG $DIGOPTS example3.\
@10.53.0.3 axfr > dig.out.ns3.example3.before || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
n=`expr $n + 1`
echo_i "comparing pre-update copies to known good data, first primary fails ($n)"
ret=0
digcomp knowngood.before.example3 dig.out.ns1.example3.before || ret=1
digcomp knowngood.before.example3 dig.out.ns2.example3.before || ret=1
digcomp knowngood.before.example3 dig.out.ns3.example3.before || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
echo_i "checking update forwarding of a zone (signed) (Do53 -> DoT) ($n)"
ret=0
$NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -- - <<EOF || ret=1
server 10.53.0.3 ${PORT}
update add updated.example3. 600 A 10.10.10.1
update add updated.example3. 600 TXT Foo
send
EOF
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
n=`expr $n + 1`
echo_i "sleeping 15 seconds for server to incorporate changes"
sleep 15
echo_i "fetching primary copy of zone after update, first primary fails ($n)"
ret=0
$DIG $DIGOPTS example3.\
@10.53.0.1 axfr > dig.out.ns1.example3.after1 || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
n=`expr $n + 1`
echo_i "fetching secondary 1 copy of zone after update, first primary fails ($n)"
ret=0
$DIG $DIGOPTS example3.\
@10.53.0.2 axfr > dig.out.ns2.example3.after1 || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
echo_i "fetching secondary 2 copy of zone after update, first primary fails ($n)"
ret=0
$DIG $DIGOPTS example3.\
@10.53.0.3 axfr > dig.out.ns3.example3.after1 || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
n=`expr $n + 1`
echo_i "comparing post-update copies to known good data, first primary fails ($n)"
ret=0
digcomp knowngood.after1.example3 dig.out.ns1.example3.after1 || ret=1
digcomp knowngood.after1.example3 dig.out.ns2.example3.after1 || ret=1
digcomp knowngood.after1.example3 dig.out.ns3.example3.after1 || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
if $FEATURETEST --enable-dnstap