diff --git a/bin/tests/system/catz/clean.sh b/bin/tests/system/catz/clean.sh
index b98a5b18fc..40a348aa0b 100644
--- a/bin/tests/system/catz/clean.sh
+++ b/bin/tests/system/catz/clean.sh
@@ -13,21 +13,24 @@ rm -f dig.out.*
 rm -f ns*/*.jnl
-rm -f ns*/*.nzf
 rm -f ns*/*.mkeys
+rm -f ns*/*.nzd ns*/*.nzd-lock
+rm -f ns*/*.nzf
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.conf
 rm -f ns*/named.lock
 rm -f ns*/named.memstats
-rm -f ns*/named.conf
 rm -f ns*/named.run
 rm -f ns*/named.run.prev
 rm -f ns1/*dom*example.db
+rm -f ns1/tls1.example.db
 rm -f ns2/__catz__*db
 rm -f ns2/catalog-bad*.db
 rm -f ns2/named.conf.tmp
 rm -f ns3/dom2.example.db ns3/dom13.example.db ns3/dom14.example.db ns3/dom17.example.db ns3/dom18.example.db
-rm -f nsupdate.out.*
+rm -f ns4/__catz__*db
 rm -f ns[123]/catalog[1234].example.db
-rm -rf ns2/zonedir
-rm -f ns*/*.nzd ns*/*.nzd-lock
-rm -f ns*/managed-keys.bind*
+rm -f ns[14]/catalog-tls.example.db
+rm -f nsupdate.out.*
 rm -f wait_for_message.*
+rm -rf ns2/zonedir
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
index 57f445d9d3..2d1696b0a0 100644
--- a/bin/tests/system/catz/ns1/named.conf.in
+++ b/bin/tests/system/catz/ns1/named.conf.in
@@ -22,10 +22,12 @@ options {
 notify-source 10.53.0.1;
 transfer-source 10.53.0.1;
 port @PORT@;
+ tls-port @TLSPORT@;
 allow-new-zones yes;
 pid-file "named.pid";
 listen-on { 10.53.0.1; };
 listen-on port @EXTRAPORT1@ { 10.53.0.1; };
+ listen-on tls ephemeral { 10.53.0.1; };
 listen-on-v6 { none; };
 notify no;
 notify-delay 0;
@@ -105,6 +107,16 @@ view "default" {
 also-notify { 10.53.0.2; };
 notify explicit;
 };
+
+ # A catalog zone that requires TLS to be used
+ zone "catalog-tls.example" {
+ type primary;
+ file "catalog-tls.example.db";
+ allow-transfer transport tls { key tsig_key; };
+ allow-update { any; };
+ also-notify { 10.53.0.4; };
+ notify explicit;
+ };
 };
 view "ch" ch {
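Review bot: The comment `# A catalog zone that requires TLS to be used` above the new catalog-tls.example zone in ns1/named.conf.in understates the ACL: `allow-transfer transport tls { key tsig_key; };` admits a transfer only when it arrives over TLS and is signed with tsig_key, while `allow-update { any; }` and the notify to 10.53.0.4 remain unrestricted. Suggest `# Catalog zone whose transfers are accepted only over TLS and only with tsig_key; updates stay open for the test driver`. In the first hunk, `listen-on tls ephemeral { 10.53.0.1; };` gives no port and so presumably binds the `tls-port @TLSPORT@` added just above rather than @PORT@; a short comment saying so would save the reader a lookup, and the ephemeral profile is, as far as I know, a self-signed certificate generated at startup, which is fine for a harness but worth stating next to the listener.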
diff --git a/bin/tests/system/catz/ns4/named.conf.in b/bin/tests/system/catz/ns4/named.conf.in
new file mode 100644
index 0000000000..2256836584
--- /dev/null
+++ b/bin/tests/system/catz/ns4/named.conf.in
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ tls-port @TLSPORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { fd92:7065:b8e:ffff::4; };
+ notify no;
+ notify-delay 0;
+ recursion no;
+ serial-query-rate 100;
+
+ catalog-zones {
+ zone "catalog-tls.example"
+ min-update-interval 1s
+ default-primaries { 10.53.0.1 key tsig_key tls ephemeral; };
+ };
+};
+
+zone "catalog-tls.example" {
+ type secondary;
+ file "catalog-tls.example.db";
+ primaries { 10.53.0.1 key tsig_key tls ephemeral; };
+};
+
+key tsig_key. {
+ secret "LSAnCU+Z";
+ algorithm @DEFAULT_HMAC@;
+};
+
+key next_key. {
+ secret "LaAnCU+Z";
+ algorithm @DEFAULT_HMAC@;
+};
diff --git a/bin/tests/system/catz/setup.sh b/bin/tests/system/catz/setup.sh
index 9f92499228..ce1f931b18 100644
--- a/bin/tests/system/catz/setup.sh
+++ b/bin/tests/system/catz/setup.sh
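Review bot: Both `default-primaries { 10.53.0.1 key tsig_key tls ephemeral; }` and the zone-level `primaries` in the new ns4/named.conf.in pick the built-in ephemeral TLS profile for the outbound connection, and as far as I know that profile performs no server certificate validation on the client side, so the only authentication of the transfer source here is tsig_key; acceptable for the harness, but it should be written down, e.g. `# ephemeral TLS encrypts but does not authenticate the peer; the primary is authenticated by tsig_key`. `key next_key.` is declared but referenced nowhere in this file; if it is kept to mirror the other ns*/named.conf.in files, a one-line comment saying so would stop the next reader from treating it as dead configuration. The `controls` block admits any source address and relies solely on rndc_key, which presumably matches the sibling test servers, but a comment marking it as test-only would make that intent explicit if the file is ever copied as a template.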
@@ -18,10 +18,12 @@ $SHELL clean.sh
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named1.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
 cp -f ns1/catalog.example.db.in ns1/catalog1.example.db
 cp -f ns3/catalog.example.db.in ns3/catalog2.example.db
 cp -f ns1/catalog.example.db.in ns1/catalog3.example.db
 cp -f ns1/catalog.example.db.in ns1/catalog4.example.db
+cp -f ns1/catalog.example.db.in ns1/catalog-tls.example.db
 mkdir -p ns2/zonedir
diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh
index f359e3aa53..697ae9badf 100644
--- a/bin/tests/system/catz/tests.sh
+++ b/bin/tests/system/catz/tests.sh
@@ -2515,5 +2515,55 @@ rndccmd 10.53.0.2 reconfig || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
+##########################################################################
+n=$((n+1))
+echo_i "Adding a domain tls1.example. to primary via RNDC ($n)"
+ret=0
+# enough initial content for IXFR response when TXT record is added below
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/tls1.example.db
+echo "@ 3600 IN NS invalid." >> ns1/tls1.example.db
+echo "foo 3600 IN TXT some content here" >> ns1/tls1.example.db
+echo "bar 3600 IN TXT some content here" >> ns1/tls1.example.db
+echo "xxx 3600 IN TXT some content here" >> ns1/tls1.example.db
+echo "yyy 3600 IN TXT some content here" >> ns1/tls1.example.db
+rndccmd 10.53.0.1 addzone tls1.example. in default '{ type primary; file "tls1.example.db"; allow-transfer transport tls { key tsig_key; }; allow-update { any; }; notify explicit; also-notify { 10.53.0.4; }; };' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that tls1.example. is now served by primary ($n)"
+ret=0
+wait_for_soa @10.53.0.1 tls1.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns4/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding domain tls1.example. to catalog-tls zone ($n)"
+ret=0
+$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update add 1ba056ba375209a66a2c9a0617b1df714b998112.zones.catalog-tls.example. 3600 IN PTR tls1.example.
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns4/named.run "catz: adding zone 'tls1.example' from catalog 'catalog-tls.example'" &&
+wait_for_message ns4/named.run "transfer of 'tls1.example/IN' from 10.53.0.1#${TLSPORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that tls1.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.4 tls1.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
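Review bot: The new steps only exercise the positive path: the `wait_for_message` on `transfer of 'tls1.example/IN' from 10.53.0.1#${TLSPORT}: Transfer status: success` shows the transfer used the TLS port, but nothing shows that the `allow-transfer transport tls { key tsig_key; }` set by the `addzone` call would refuse the same keyed AXFR over plain TCP on ${PORT}, so a regression that ignored the `transport` clause would still pass; a negative step that requests tls1.example from 10.53.0.1 without TLS but with tsig_key and expects REFUSED would close that gap. The `update add 1ba056ba375209a66a2c9a0617b1df714b998112.zones.catalog-tls.example.` label is opaque as written; a comment such as `# member label derived from the wire-format name tls1.example.` naming the hash the catalog format uses would let a maintainer regenerate it when the member name changes. The line `$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1` renders here with no heredoc operator, which looks like rendering damage to `<<END >>` rather than the committed text; it is worth confirming, because as displayed `<>` would open the output file read-write as nsupdate's stdin and the following `server`/`update`/`send` lines would run as shell commands.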