Extend the 'doth' system test with another XoT-enabled secondary

This commit extends the 'doth' system test to include an additional XoT-enabled secondary which uses the supported client-side 'tls' parameters.
2021-11-30 02:05:29 +02:00
parent 69cef39099
commit 746052031a
5 changed files with 147 additions and 9 deletions
--- a/bin/tests/system/doth/clean.sh
+++ b/bin/tests/system/doth/clean.sh
@@ -18,5 +18,5 @@ rm -f ./*/named.memstats
 rm -f ./*/named.run
 rm -f ./*/named.run.prev
 rm -f ./dig.out.*
-rm -f ./*/example.db
+rm -f ./*/example*.db
 rm -rf ./headers.*
--- a/bin/tests/system/doth/ns1/named.conf.in
+++ b/bin/tests/system/doth/ns1/named.conf.in
@@ -19,6 +19,24 @@ http local {
 	endpoints { "/dns-query"; "/alter"; };
 };

+tls tls-forward-secrecy {
+	protocols { TLSv1.2; };
+	ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+	prefer-server-ciphers yes;
+	key-file "../ns2/key.pem";
+	cert-file "../ns2/cert.pem";
+	dhparam-file "../ns2/dhparam3072.pem";
+};
+
+tls tls-pfs-aes256 {
+	protocols { TLSv1.2; };
+	ciphers "AES256:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+	prefer-server-ciphers yes;
+	key-file "../ns2/key.pem";
+	cert-file "../ns2/cert.pem";
+	dhparam-file "../ns2/dhparam3072.pem";
+};
+
 options {
 	port @PORT@;
 	tls-port @TLSPORT@;
@@ -26,13 +44,15 @@ options {
 	http-port @HTTPPORT@;
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
-	listen-on tls ephemeral { 10.53.0.1; };             // DoT
-	listen-on-v6 tls ephemeral { fd92:7065:b8e:ffff::1;};
+	listen-on tls tls-forward-secrecy { 10.53.0.1; };             // DoT
+	listen-on-v6 tls tls-forward-secrecy { fd92:7065:b8e:ffff::1;};
 	listen-on tls ephemeral http local { 10.53.0.1; };  // DoH
 	listen-on-v6 tls ephemeral http local { fd92:7065:b8e:ffff::1; };
 	listen-on tls none http local { 10.53.0.1; };       // unencrypted DoH
 	listen-on-v6 tls none http local { fd92:7065:b8e:ffff::1; };
 	listen-on-v6 { none; };
+	listen-on port @EXTRAPORT1@ tls tls-pfs-aes256 { 10.53.0.1; };             // DoT
+	listen-on-v6 port @EXTRAPORT1@ tls tls-pfs-aes256 { fd92:7065:b8e:ffff::1;};
 	recursion no;
 	notify explicit;
 	also-notify { 10.53.0.2 port @PORT@; };
@@ -52,3 +72,9 @@ zone "example" {
 	file "example.db";
 	allow-transfer port @TLSPORT@ transport tls { any; };
 };
+
+zone "example2" {
+	type primary;
+	file "example.db";
+	allow-transfer port @EXTRAPORT1@ transport tls { any; };
+};
--- a/bin/tests/system/doth/ns3/named.conf.in
+++ b/bin/tests/system/doth/ns3/named.conf.in
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls local {
+	key-file "../ns2/key.pem";
+	cert-file "../ns2/cert.pem";
+	dhparam-file "../ns2/dhparam3072.pem";
+};
+
+http local {
+	endpoints { "/dns-query"; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	tls-port @TLSPORT@;
+	https-port @HTTPSPORT@;
+	http-port @HTTPPORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on tls local { 10.53.0.3; };             // DoT
+	listen-on-v6 tls local { fd92:7065:b8e:ffff::3; };
+	listen-on tls local http local { 10.53.0.3; };  // DoH
+	listen-on-v6 tls local http local { fd92:7065:b8e:ffff::3; };
+	listen-on tls none http local { 10.53.0.3; };   // unencrypted DoH
+	listen-on-v6 tls none http local { fd92:7065:b8e:ffff::3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	ixfr-from-differences yes;
+	check-integrity no;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+tls tls-v1.2-pfs {
+	protocols { TLSv1.2; };
+	ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+	prefer-server-ciphers no;
+};
+
+zone "example" {
+	type secondary;
+	primaries { 10.53.0.1 tls tls-v1.2-pfs; };
+	file "example.db";
+	allow-transfer { any; };
+};
+
+tls tls-pfs-aes-128 {
+	protocols { TLSv1.2; };
+	// AES128 does not match the setting on the server: AES256
+	ciphers "AES128:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+	prefer-server-ciphers no;
+};
+
+zone "example2" {
+	type secondary;
+	primaries port @EXTRAPORT1@ { 10.53.0.1 tls tls-pfs-aes-128; };
+	file "example2.db";
+	allow-transfer { any; };
+};
--- a/bin/tests/system/doth/setup.sh
+++ b/bin/tests/system/doth/setup.sh
@@ -26,3 +26,4 @@ done

 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
--- a/bin/tests/system/doth/tests.sh
+++ b/bin/tests/system/doth/tests.sh
@@ -36,8 +36,12 @@ dig_with_opts() {
 }

 wait_for_tls_xfer() (
-	dig_with_tls_opts -b 10.53.0.3 @10.53.0.2 example. AXFR > "dig.out.ns2.test$n" || return 1
-	grep "^;" "dig.out.ns2.test$n" > /dev/null && return 1
+	srv_number="$1"
+	shift
+	zone_name="$1"
+	shift
+	dig_with_tls_opts -b 10.53.0.3 "@10.53.0.$srv_number" "${zone_name}." AXFR > "dig.out.ns$srv_number.${zone_name}.test$n" || return 1
+	grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" > /dev/null && return 1
 	return 0
 )

@@ -54,11 +58,11 @@ if test $ret != 0 ; then echo_i "failed"; fi
 status=$((status+ret))

 n=$((n+1))
-echo_i "testing incoming XoT functionality (from secondary) ($n)"
+echo_i "testing incoming XoT functionality (from the first secondary) ($n)"
 ret=0
-if retry_quiet 10 wait_for_tls_xfer; then
-	grep "^;" "dig.out.ns2.test$n" | cat_i
-	digcomp example.axfr.good "dig.out.ns2.test$n" || ret=1
+if retry_quiet 10 wait_for_tls_xfer 2 example; then
+	grep "^;" "dig.out.ns2.example.test$n" | cat_i
+	digcomp example.axfr.good "dig.out.ns2.example.test$n" || ret=1
 else
 	echo_i "timed out waiting for zone transfer"
 	ret=1
@@ -66,6 +70,31 @@ fi
 if test $ret != 0 ; then echo_i "failed"; fi
 status=$((status+ret))

+n=$((n+1))
+echo_i "testing incoming XoT functionality (from the second secondary) ($n)"
+ret=0
+if retry_quiet 10 wait_for_tls_xfer 3 example; then
+	grep "^;" "dig.out.ns3.example.test$n" | cat_i
+	digcomp example.axfr.good "dig.out.ns3.example.test$n" || ret=1
+else
+	echo_i "timed out waiting for zone transfer"
+	ret=1
+fi
+if test $ret != 0 ; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing incoming XoT functionality (from the second secondary, mismatching ciphers, failure expected) ($n)"
+ret=0
+if retry_quiet 10 wait_for_tls_xfer 3 example2; then
+	grep "^;" "dig.out.ns3.example2.test$n" | cat_i
+	test -f "ns3/example2.db" && ret=1
+else
+	echo_i "timed out waiting for zone transfer"
+fi
+if test $ret != 0 ; then echo_i "failed"; fi
+status=$((status+ret))
+
 n=$((n + 1))
 echo_i "checking DoT query (ephemeral key) ($n)"
 ret=0