Extend the doth system test with IPv6 support [GL #2861]

This commit ensures that DoH (and DoT) functionality works well via IPv6 as well. The changes were made because it turned out that dig could not make DoH queries against an IPv6 IP address. These tests ensure that such a bug will not remain unnoticed. The commit also increases the servers' startup timeout to 25 seconds because the initial timeout of 14 seconds was too short to generate (!) eight 4096 bit ephemeral RSA certificates on a heavily loaded CI runner in some pipeline runs.
2021-08-12 12:42:13 +03:00
parent 0403ca1ac2
commit 33fa1d5fb4
4 changed files with 165 additions and 3 deletions
--- a/bin/tests/system/doth/ns1/named.conf.in
+++ b/bin/tests/system/doth/ns1/named.conf.in
@@ -27,8 +27,11 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on tls ephemeral { 10.53.0.1; };             // DoT
+	listen-on-v6 tls ephemeral { fd92:7065:b8e:ffff::1;};
 	listen-on tls ephemeral http local { 10.53.0.1; };  // DoH
+	listen-on-v6 tls ephemeral http local { fd92:7065:b8e:ffff::1; };
 	listen-on tls none http local { 10.53.0.1; };       // unencrypted DoH
+	listen-on-v6 tls none http local { fd92:7065:b8e:ffff::1; };
 	listen-on-v6 { none; };
 	recursion no;
 	notify explicit;
--- a/bin/tests/system/doth/ns2/named.conf.in
+++ b/bin/tests/system/doth/ns2/named.conf.in
@@ -35,8 +35,11 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
 	listen-on tls local { 10.53.0.2; };             // DoT
+	listen-on-v6 tls local { fd92:7065:b8e:ffff::2; };
 	listen-on tls local http local { 10.53.0.2; };  // DoH
+	listen-on-v6 tls local http local { fd92:7065:b8e:ffff::2; };
 	listen-on tls none http local { 10.53.0.2; };   // unencrypted DoH
+	listen-on-v6 tls none http local { fd92:7065:b8e:ffff::2; };
 	listen-on-v6 { none; };
 	recursion no;
 	notify no;
--- a/bin/tests/system/doth/tests.sh
+++ b/bin/tests/system/doth/tests.sh
@@ -63,6 +63,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "checking DoT query via IPv6 (ephemeral key) ($n)"
+ret=0
+dig_with_tls_opts -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoT query (static key) ($n)"
 ret=0
@@ -71,6 +79,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "checking DoT query via IPv6 (static key) ($n)"
+ret=0
+dig_with_tls_opts -6 @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoT XFR ($n)"
 ret=0
@@ -87,6 +103,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (POST) ($n)"
+ret=0
+dig_with_https_opts -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (POST, static key) ($n)"
 ret=0
@@ -95,6 +119,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (POST, static key) ($n)"
+ret=0
+dig_with_https_opts -6 @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (POST, nonstandard endpoint) ($n)"
 ret=0
@@ -103,6 +135,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (POST, nonstandard endpoint) ($n)"
+ret=0
+dig_with_https_opts -6 +https=/alter @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (POST, undefined endpoint, failure expected) ($n)"
 ret=0
@@ -111,6 +151,14 @@ grep "communications error" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (POST, undefined endpoint, failure expected) ($n)"
+ret=0
+dig_with_https_opts -6 +tries=1 +time=1 +https=/fake @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "communications error" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH XFR (POST) (failure expected) ($n)"
 ret=0
@@ -127,6 +175,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (GET) ($n)"
+ret=0
+dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (GET, static key) ($n)"
 ret=0
@@ -135,6 +191,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (GET, static key) ($n)"
+ret=0
+dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (GET, nonstandard endpoint) ($n)"
 ret=0
@@ -143,6 +207,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (GET, nonstandard endpoint) ($n)"
+ret=0
+dig_with_https_opts -6 +https-get=/alter @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (GET, undefined endpoint, failure expected) ($n)"
 ret=0
@@ -151,6 +223,14 @@ grep "communications error" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "checking DoH query via IPv6 (GET, undefined endpoint, failure expected) ($n)"
+ret=0
+dig_with_https_opts -6 +tries=1 +time=1 +https-get=/fake @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "communications error" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH XFR (GET) (failure expected) ($n)"
 ret=0
@@ -167,6 +247,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "checking unencrypted DoH query via IPv6 (POST) ($n)"
+ret=0
+dig_with_http_opts -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking unencrypted DoH query (GET) ($n)"
 ret=0
@@ -175,6 +263,14 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "checking unencrypted DoH query via IPv6 (GET) ($n)"
+ret=0
+dig_with_http_opts -6 +http-plain-get @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking unencrypted DoH XFR (failure expected) ($n)"
 ret=0
@@ -192,6 +288,15 @@ grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "checking DoH query via IPv6 for a large answer (POST) ($n)"
+ret=0
+dig_with_https_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query for a large answer (GET) ($n)"
 ret=0
@@ -201,6 +306,15 @@ grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "checking DoH query via IPv6 for a large answer (GET) ($n)"
+ret=0
+dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking unencrypted DoH query for a large answer (POST) ($n)"
 ret=0
@@ -211,7 +325,16 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

 n=$((n + 1))
-echo_i "checking unencrypted DoH query for a large answer (POST) ($n)"
+echo_i "checking unencrypted DoH query via IPv6 for a large answer (POST) ($n)"
+ret=0
+dig_with_http_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking unencrypted DoH query for a large answer (GET) ($n)"
 ret=0
 dig_with_http_opts +http-plain-get @10.53.0.1 biganswer.example A > dig.out.test$n
 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
@@ -219,6 +342,15 @@ grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "checking unencrypted DoH query via IPv6 for a large answer (GET) ($n)"
+ret=0
+dig_with_http_opts -6 +http-plain-get @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 test_opcodes() {
 	EXPECT_STATUS="$1"
 	shift
@@ -232,6 +364,14 @@ test_opcodes() {
 		if [ $ret != 0 ]; then echo_i "failed"; fi
 		status=$((status + ret))

+		n=$((n + 1))
+		echo_i "checking unexpected opcode query over DoH via IPv6 for opcode $op ($n)"
+		ret=0
+		dig_with_https_opts -6 +https @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n
+		grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+		if [ $ret != 0 ]; then echo_i "failed"; fi
+		status=$((status + ret))
+
 		n=$((n + 1))
 		echo_i "checking unexpected opcode query over DoH without encryption for opcode $op ($n)"
 		ret=0
@@ -240,6 +380,14 @@ test_opcodes() {
 		if [ $ret != 0 ]; then echo_i "failed"; fi
 		status=$((status + ret))

+		n=$((n + 1))
+		echo_i "checking unexpected opcode query over DoH via IPv6 without encryption for opcode $op ($n)"
+		ret=0
+		dig_with_http_opts -6 +http-plain @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n
+		grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+		if [ $ret != 0 ]; then echo_i "failed"; fi
+		status=$((status + ret))
+
 		n=$((n + 1))
 		echo_i "checking unexpected opcode query over DoT for opcode $op ($n)"
 		ret=0
@@ -247,6 +395,14 @@ test_opcodes() {
 		grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
 		if [ $ret != 0 ]; then echo_i "failed"; fi
 		status=$((status + ret))
+
+		n=$((n + 1))
+		echo_i "checking unexpected opcode query over DoT via IPv6 for opcode $op ($n)"
+		ret=0
+		dig_with_tls_opts -6 +tls @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n
+		grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+		if [ $ret != 0 ]; then echo_i "failed"; fi
+		status=$((status + ret))
 	done
 }

--- a/bin/tests/system/start.pl
+++ b/bin/tests/system/start.pl
@@ -202,12 +202,12 @@ sub start_server {
 	my $child = `$command`;
 	chomp($child);

-	# wait up to 14 seconds for the server to start and to write the
+	# wait up to 25 seconds for the server to start and to write the
 	# pid file otherwise kill this server and any others that have
 	# already been started
 	my $tries = 0;
 	while (!-s $pid_file) {
-		if (++$tries > 140) {
+		if (++$tries > 250) {
 			print "I:$test:Couldn't start server $command (pid=$child)\n";
 			print "I:$test:failed\n";
 			kill "ABRT", $child if ("$child" ne "");