Add catalog zone that requires TLS for all transfers

Both the catalog zone (catalog-tls.example) the zone managed using
the catalog zone (tls1.example) require TLS and a TSIG for zone
transfers.

bin/tests/system/catz/clean.sh

@@ -13,21 +13,24 @@
 
 rm -f dig.out.*
 rm -f ns*/*.jnl
-rm -f ns*/*.nzf
 rm -f ns*/*.mkeys
+rm -f ns*/*.nzd ns*/*.nzd-lock
+rm -f ns*/*.nzf
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.conf
 rm -f ns*/named.lock
 rm -f ns*/named.memstats
-rm -f ns*/named.conf
 rm -f ns*/named.run
 rm -f ns*/named.run.prev
 rm -f ns1/*dom*example.db
+rm -f ns1/tls1.example.db
 rm -f ns2/__catz__*db
 rm -f ns2/catalog-bad*.db
 rm -f ns2/named.conf.tmp
 rm -f ns3/dom2.example.db ns3/dom13.example.db ns3/dom14.example.db ns3/dom17.example.db ns3/dom18.example.db
-rm -f nsupdate.out.*
+rm -f ns4/__catz__*db
 rm -f ns[123]/catalog[1234].example.db
-rm -rf ns2/zonedir
-rm -f ns*/*.nzd ns*/*.nzd-lock
-rm -f ns*/managed-keys.bind*
+rm -f ns[14]/catalog-tls.example.db
+rm -f nsupdate.out.*
 rm -f wait_for_message.*
+rm -rf ns2/zonedir

bin/tests/system/catz/ns1/named.conf.in

@@ -22,10 +22,12 @@ options {
 	notify-source 10.53.0.1;
 	transfer-source 10.53.0.1;
 	port @PORT@;
+	tls-port @TLSPORT@;
 	allow-new-zones yes;
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on port @EXTRAPORT1@ { 10.53.0.1; };
+	listen-on tls ephemeral { 10.53.0.1; };
 	listen-on-v6 { none; };
 	notify no;
 	notify-delay 0;
@@ -105,6 +107,16 @@ view "default" {
 		also-notify { 10.53.0.2; };
 		notify explicit;
 	};
+
+	# A catalog zone that requires TLS to be used
+	zone "catalog-tls.example" {
+		type primary;
+		file "catalog-tls.example.db";
+		allow-transfer transport tls { key tsig_key; };
+		allow-update { any; };
+		also-notify { 10.53.0.4; };
+		notify explicit;
+	};
 };
 
 view "ch" ch {

bin/tests/system/catz/ns4/named.conf.in

@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	tls-port @TLSPORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { fd92:7065:b8e:ffff::4; };
+	notify no;
+	notify-delay 0;
+	recursion no;
+	serial-query-rate 100;
+
+	catalog-zones {
+		zone "catalog-tls.example"
+			min-update-interval 1s
+			default-primaries { 10.53.0.1 key tsig_key tls ephemeral; };
+	};
+};
+
+zone "catalog-tls.example" {
+	type secondary;
+	file "catalog-tls.example.db";
+	primaries { 10.53.0.1 key tsig_key tls ephemeral; };
+};
+
+key tsig_key. {
+	secret "LSAnCU+Z";
+	algorithm @DEFAULT_HMAC@;
+};
+
+key next_key. {
+	secret "LaAnCU+Z";
+	algorithm @DEFAULT_HMAC@;
+};

bin/tests/system/catz/setup.sh

@@ -18,10 +18,12 @@ $SHELL clean.sh
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named1.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
 
 cp -f ns1/catalog.example.db.in ns1/catalog1.example.db
 cp -f ns3/catalog.example.db.in ns3/catalog2.example.db
 cp -f ns1/catalog.example.db.in ns1/catalog3.example.db
 cp -f ns1/catalog.example.db.in ns1/catalog4.example.db
+cp -f ns1/catalog.example.db.in ns1/catalog-tls.example.db
 
 mkdir -p ns2/zonedir

bin/tests/system/catz/tests.sh

@@ -2515,5 +2515,55 @@ rndccmd 10.53.0.2 reconfig || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
+##########################################################################
+n=$((n+1))
+echo_i "Adding a domain tls1.example. to primary via RNDC ($n)"
+ret=0
+# enough initial content for IXFR response when TXT record is added below
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/tls1.example.db
+echo "@ 3600 IN NS invalid." >> ns1/tls1.example.db
+echo "foo 3600 IN TXT some content here" >> ns1/tls1.example.db
+echo "bar 3600 IN TXT some content here" >> ns1/tls1.example.db
+echo "xxx 3600 IN TXT some content here" >> ns1/tls1.example.db
+echo "yyy 3600 IN TXT some content here" >> ns1/tls1.example.db
+rndccmd 10.53.0.1 addzone tls1.example. in default '{ type primary; file "tls1.example.db"; allow-transfer transport tls { key tsig_key; }; allow-update { any; }; notify explicit; also-notify { 10.53.0.4; }; };' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that tls1.example. is now served by primary ($n)"
+ret=0
+wait_for_soa @10.53.0.1 tls1.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns4/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding domain tls1.example. to catalog-tls zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add 1ba056ba375209a66a2c9a0617b1df714b998112.zones.catalog-tls.example. 3600 IN PTR tls1.example.
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns4/named.run "catz: adding zone 'tls1.example' from catalog 'catalog-tls.example'" &&
+wait_for_message ns4/named.run "transfer of 'tls1.example/IN' from 10.53.0.1#${TLSPORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that tls1.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.4 tls1.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1