mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-09-05 00:55:24 +00:00
Ensure the zone transfers have completed (successfully or not) before running the test cases, because they assume zone transfers have been done.
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
import re
import pytest
pytest.importorskip("dns", minversion="2.5.0")
import dns.message
import isctest
import isctest.mark
# Module-wide mark listing the zone database files matched by this glob.
# NOTE(review): extra_artifacts is a project-defined mark; presumably it tells
# the test harness which generated files are expected to remain after the
# run - confirm against the isctest/conftest definition.
pytestmark = pytest.mark.extra_artifacts(["ns*/example*.db"])
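@pytest.fixture(scope="module")
def transfers_complete(servers):
    """Block until each secondary has logged the end of every zone transfer.

    The test cases query the secondaries directly, so their expectations only
    hold once every transfer attempt from the primary (10.53.0.1) has
    finished. Only the "Transfer completed" log line is awaited here; whether
    a particular transfer is expected to have succeeded is asserted by the
    test cases, not by this fixture.

    Args:
        servers: mapping from server name ("ns2" ... "ns5") to an object that
            provides ``watch_log_from_start()``.
    """
    # NOTE(review): "example-chacha-20" is awaited unconditionally, while the
    # test cases for that zone carry the without_fips mark (which presumably
    # skips them in FIPS mode) - confirm this wait cannot time out there.
    for zone in ["example", "example-aes-128", "example-aes-256", "example-chacha-20"]:
        # The zone name and the primary's address are matched literally; an
        # unescaped "." in the address would match any character.
        pattern = re.compile(
            rf"transfer of '{re.escape(zone)}/IN' from 10\.53\.0\.1#[0-9]+: "
            "Transfer completed"
        )
        for ns in ["ns2", "ns3", "ns4", "ns5"]:
            # Scan from the start of the log so a transfer that finished
            # before this fixture ran is still found.
            with servers[ns].watch_log_from_start() as watcher:
                watcher.wait_for_line(pattern)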
@pytest.mark.requires_zones_loaded("ns1", "ns2", "ns3", "ns4", "ns5")
@pytest.mark.parametrize(
    "qname,ns,rcode",
    [
        # Zones each of ns2, ns3 and ns4 is expected to serve.
        ("example.", 2, dns.rcode.NOERROR),
        ("example.", 3, dns.rcode.NOERROR),
        ("example.", 4, dns.rcode.NOERROR),
        ("example-aes-128.", 2, dns.rcode.NOERROR),
        ("example-aes-256.", 3, dns.rcode.NOERROR),
        # The chacha-20 cases carry the without_fips mark; ChaCha20-Poly1305
        # is not a FIPS-approved algorithm.
        pytest.param(
            "example-chacha-20.",
            4,
            dns.rcode.NOERROR,
            marks=isctest.mark.without_fips,
        ),
        # Zones each of ns2, ns3 and ns4 is expected NOT to hold.
        # NOTE(review): presumably because the secondary and the primary
        # share no cipher suite for that zone - the server configuration is
        # not part of this file, confirm there.
        ("example-aes-256", 2, dns.rcode.SERVFAIL),
        pytest.param(
            "example-chacha-20",
            2,
            dns.rcode.SERVFAIL,
            marks=isctest.mark.without_fips,
        ),
        ("example-aes-128", 3, dns.rcode.SERVFAIL),
        pytest.param(
            "example-chacha-20",
            3,
            dns.rcode.SERVFAIL,
            marks=isctest.mark.without_fips,
        ),
        ("example-aes-128", 4, dns.rcode.SERVFAIL),
        ("example-aes-256", 4, dns.rcode.SERVFAIL),
        # NS5 tries to download the zone over TLSv1.2, so every zone is
        # expected to be unavailable from it.
        ("example", 5, dns.rcode.SERVFAIL),
        ("example-aes-128", 5, dns.rcode.SERVFAIL),
        ("example-aes-256", 5, dns.rcode.SERVFAIL),
        pytest.param(
            "example-chacha-20",
            5,
            dns.rcode.SERVFAIL,
            marks=isctest.mark.without_fips,
        ),
    ],
)
# pylint: disable=redefined-outer-name,unused-argument
def test_cipher_suites_tls_xfer(qname, ns, rcode, transfers_complete):
    """Request an AXFR over TLS from one secondary and check the outcome.

    The query is sent to 10.53.0.<ns>. The response code must equal the
    expected ``rcode``; in addition a NOERROR response must carry a non-empty
    answer section and a SERVFAIL response an empty one.

    ``transfers_complete`` is requested only for its side effect: the
    secondaries' transfer attempts have finished before any query is sent.
    """
    query = dns.message.make_query(qname, "AXFR")
    response = isctest.query.tls(query, f"10.53.0.{ns}")

    assert response.rcode() == rcode

    # The answer section must agree with the response code: zone data on
    # success, nothing at all on failure.
    if rcode == dns.rcode.SERVFAIL:
        assert response.answer == []
    elif rcode == dns.rcode.NOERROR:
        assert response.answer != []