add basic DoH system tests

- rename dot to doth, as it now covers both dot and doh.
- merge xot into doth as it's closely related.
- added long-lived key and cert files (expiring 2121).
- add tests with https-get, https-post, http-plain, alternate
  endpoints, and both static and ephemeral TLS configuration.
- incidentally fixed a memory leak in dig that occurred if +https
  was specified more than once.

bin/tests/system/Makefile.am

@@ -95,6 +95,7 @@ TESTS +=			\
 	dlz			\
 	dlzexternal		\
 	dns64			\
+	doth			\
 	dscp			\
 	dsdigest		\
 	dyndb			\
@@ -153,7 +154,6 @@ TESTS +=			\
 	views			\
 	wildcard		\
 	xferquota		\
-	xot			\
 	zonechecks
 
 # The "stress" test is not run by default since it creates enough
@@ -176,7 +176,6 @@ TESTS +=		\
 	nsupdate	\
 	resolver	\
 	statistics	\
-	dot		\
 	upforwd		\
 	zero
 

bin/tests/system/conf.sh.common

@@ -668,7 +668,7 @@ copy_setports() {
     atsign="@"
     sed -e "s/${atsign}PORT${atsign}/${PORT}/g" \
         -e "s/${atsign}TLSPORT${atsign}/${TLSPORT}/g" \
-		-e "s/${atsign}HTTPPORT${atsign}/${HTTPSPORT}/g" \
+		-e "s/${atsign}HTTPPORT${atsign}/${HTTPPORT}/g" \
         -e "s/${atsign}HTTPSPORT${atsign}/${HTTPSPORT}/g" \
         -e "s/${atsign}EXTRAPORT1${atsign}/${EXTRAPORT1}/g" \
         -e "s/${atsign}EXTRAPORT2${atsign}/${EXTRAPORT2}/g" \

bin/tests/system/dot/clean.sh

@@ -1,19 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-rm -f */named.memstats
-rm -f */named.run
-rm -f */named.conf
-rm -f */named.stats*
-rm -f dig.out*
-rm -f rndc.out*
-rm -f ns*/named.lock
-rm -f ns*/managed-keys.bind*

bin/tests/system/dot/ns1/named.conf.in

@@ -1,28 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
-	port @PORT@;
-	tls-port @TLSPORT@;
-	pid-file "named.pid";
-	listen-on { 10.53.0.1; };
-	listen-on-v6 { none; };
-	listen-on tls ephemeral { 10.53.0.1; };
-	recursion no;
-	notify no;
-	statistics-file "named.stats";
-};
-
-zone "." {
-	type primary;
-	file "root.db";
-	allow-transfer { any; };
-};

bin/tests/system/dot/setup.sh

@@ -1,16 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-. ../conf.sh
-
-$SHELL clean.sh
-
-copy_setports ns1/named.conf.in ns1/named.conf

bin/tests/system/dot/tests.sh

@@ -1,41 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -e
-
-# shellcheck source=../conf.sh
-. ../conf.sh
-
-dig_dot_with_opts() {
-	"${DIG}" -p "${TLSPORT}" +tls "$@"
-}
-
-status=0
-n=0
-
-n=$((n + 1))
-echo_i "checking DoT query response ($n)"
-ret=0
-dig_dot_with_opts @10.53.0.1 . SOA > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-n=$((n + 1))
-echo_i "checking DoT XFR ($n)"
-ret=0
-dig_dot_with_opts +comment @10.53.0.1 . AXFR > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "exit status: $status"
-[ $status -eq 0 ] || exit 1

bin/tests/system/doth/clean.sh

@@ -18,4 +18,4 @@ rm -f ./*/named.memstats
 rm -f ./*/named.run
 rm -f ./*/named.run.prev
 rm -f ./dig.out.*
-rm -f ./*/*.db
+rm -f ./*/example.db

bin/tests/system/doth/ns1/named.conf.in

@@ -15,13 +15,21 @@ controls {
 	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+http local {
+	endpoints { "/dns-query"; "/alter"; };
+};
+
 options {
 	port @PORT@;
 	tls-port @TLSPORT@;
+	https-port @HTTPSPORT@;
+	http-port @HTTPPORT@;
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
+	listen-on tls ephemeral { 10.53.0.1; };             // DoT
+	listen-on tls ephemeral http local { 10.53.0.1; };  // DoH
+	listen-on tls none http local { 10.53.0.1; };       // unencrypted DoH
 	listen-on-v6 { none; };
-	listen-on tls ephemeral { 10.53.0.1; };
 	recursion no;
 	notify explicit;
 	also-notify { 10.53.0.2 port @PORT@; };
@@ -30,8 +38,9 @@ options {
 };
 
 zone "." {
-	type hint;
-	file "../../common/root.hint";
+	type primary;
+	file "root.db";
+	allow-transfer { any; };
 };
 
 zone "example" {

bin/tests/system/doth/ns2/cert.pem

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICHTCCAcOgAwIBAgIUATq1E48Hj7vAQBwn8H/1oQvqvJ0wCgYIKoZIzj0EAwIw
+YzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRUwEwYDVQQHDAxSZWR3b29kIENp
+dHkxDDAKBgNVBAoMA0lTQzEOMAwGA1UECwwFQklORDkxEjAQBgNVBAMMCWxvY2Fs
+aG9zdDAgFw0yMTAyMTIwMzIxMzFaGA8yMTIxMDExOTAzMjEzMVowYzELMAkGA1UE
+BhMCVVMxCzAJBgNVBAgMAkNBMRUwEwYDVQQHDAxSZWR3b29kIENpdHkxDDAKBgNV
+BAoMA0lTQzEOMAwGA1UECwwFQklORDkxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABC1uCviud7QFTJ8DfdrLwjkBolYHJJR9c9HP
+bshvKDXahhRU9+HCbWBNLlqFR6aMs8wyE32cXHLZ70XaILkH88SjUzBRMB0GA1Ud
+DgQWBBRPpE9aC2MO0TAlCp18vR9vqe4R2TAfBgNVHSMEGDAWgBRPpE9aC2MO0TAl
+Cp18vR9vqe4R2TAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIE3L
+zx4iRVqjnOACc+/G0Shru+AIk/MEglfrvP5wxZaVAiEArcmut+hYb+cG0UW5ct/U
+Q183Kk25XYJkTj39GSBiiiA=
+-----END CERTIFICATE-----

bin/tests/system/doth/ns2/key.pem

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIFBLYPWvhrGBMyfi04oC53LOl00LZRZbVOVnC0K30XOCoAoGCCqGSM49
+AwEHoUQDQgAELW4K+K53tAVMnwN92svCOQGiVgcklH1z0c9uyG8oNdqGFFT34cJt
+YE0uWoVHpoyzzDITfZxcctnvRdoguQfzxA==
+-----END EC PRIVATE KEY-----

bin/tests/system/doth/ns2/named.conf.in

@@ -15,17 +15,29 @@ controls {
 	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+tls local {
+	key-file "key.pem";
+	cert-file "cert.pem";
+};
+
+http local {
+	endpoints { "/dns-query"; };
+};
+
 options {
 	query-source address 10.53.0.2;
 	notify-source 10.53.0.2;
 	transfer-source 10.53.0.2;
 	port @PORT@;
 	tls-port @TLSPORT@;
+	https-port @HTTPSPORT@;
+	http-port @HTTPPORT@;
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
-	listen-on tls ephemeral { 10.53.0.2; };
+	listen-on tls local { 10.53.0.2; };             // DoT
+	listen-on tls local http local { 10.53.0.2; };  // DoH
+	listen-on tls none http local { 10.53.0.2; };   // unencrypted DoH
 	listen-on-v6 { none; };
-	listen-on tls ephemeral { 10.53.0.2; };
 	recursion no;
 	notify no;
 	ixfr-from-differences yes;

bin/tests/system/doth/tests.sh

@@ -0,0 +1,186 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+dig_with_tls_opts() {
+	"$DIG" +tls +noadd +nosea +nostat +noquest +nocmd -p "${TLSPORT}" "$@"
+}
+
+dig_with_https_opts() {
+	"$DIG" +https +noadd +nosea +nostat +noquest +nocmd -p "${HTTPSPORT}" "$@"
+}
+
+dig_with_http_opts() {
+	"$DIG" +http-plain +noadd +nosea +nostat +noquest +nocmd -p "${HTTPPORT}" "$@"
+}
+
+wait_for_tls_xfer() (
+	dig_with_tls_opts -b 10.53.0.3 @10.53.0.2 example. AXFR > "dig.out.ns2.test$n" || return 1
+	grep "^;" "dig.out.ns2.test$n" > /dev/null && return 1
+	return 0
+)
+
+status=0
+n=0
+
+n=$((n+1))
+echo_i "testing XoT server functionality (using dig) ($n)"
+ret=0
+dig_with_tls_opts example. -b 10.53.0.3 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
+grep "^;" dig.out.ns1.test$n | cat_i
+digcomp dig1.good dig.out.ns1.test$n || ret=1
+if test $ret != 0 ; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing incoming XoT functionality (from secondary) ($n)"
+ret=0
+if retry_quiet 10 wait_for_tls_xfer; then
+	grep "^;" "dig.out.ns2.test$n" | cat_i
+	digcomp dig1.good "dig.out.ns2.test$n" || ret=1
+else
+	echo_i "timed out waiting for zone transfer"
+	ret=1
+fi
+if test $ret != 0 ; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n + 1))
+echo_i "checking DoT query (ephemeral key) ($n)"
+ret=0
+dig_with_tls_opts @10.53.0.1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoT query (static key) ($n)"
+ret=0
+dig_with_tls_opts @10.53.0.2 example SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoT XFR ($n)"
+ret=0
+dig_with_tls_opts +comm @10.53.0.1 . AXFR > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH query (POST) ($n)"
+ret=0
+dig_with_https_opts @10.53.0.1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH query (POST, static key) ($n)"
+ret=0
+dig_with_https_opts @10.53.0.2 example SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH query (POST, nonstandard endpoint) ($n)"
+ret=0
+dig_with_https_opts +https=/alter @10.53.0.1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH query (POST, undefined endpoint, failure expected) ($n)"
+ret=0
+dig_with_https_opts +tries=1 +time=1 +https=/fake @10.53.0.1 . SOA > dig.out.test$n
+grep "communications error" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH XFR (POST) (failure expected) ($n)"
+ret=0
+dig_with_https_opts +comm @10.53.0.1 . AXFR > dig.out.test$n
+grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH query (GET) ($n)"
+ret=0
+dig_with_https_opts +https-get @10.53.0.1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH query (GET, static key) ($n)"
+ret=0
+dig_with_https_opts +https-get @10.53.0.2 example SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH query (GET, nonstandard endpoint) ($n)"
+ret=0
+dig_with_https_opts +https-get=/alter @10.53.0.1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH query (GET, undefined endpoint, failure expected) ($n)"
+ret=0
+dig_with_https_opts +tries=1 +time=1 +https-get=/fake @10.53.0.1 . SOA > dig.out.test$n
+grep "communications error" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking DoH XFR (GET) (failure expected) ($n)"
+ret=0
+dig_with_https_opts +https-get +comm @10.53.0.1 . AXFR > dig.out.test$n
+grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking unencrypted DoH query (POST) ($n)"
+ret=0
+dig_with_http_opts @10.53.0.1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking unencrypted DoH query (GET) ($n)"
+ret=0
+dig_with_http_opts +http-plain-get @10.53.0.1 . SOA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking unencrypted DoH XFR (failure expected) ($n)"
+ret=0
+dig_with_http_opts +comm @10.53.0.1 . AXFR > dig.out.test$n
+grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1

bin/tests/system/xot/tests.sh

@@ -1,50 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-. ../conf.sh
-
-dig_with_opts() {
-	"$DIG" +tls +noadd +nosea +nostat +noquest +nocomm +nocmd -p "${TLSPORT}" "$@"
-}
-
-wait_for_xfer() (
-	dig_with_opts -b 10.53.0.3 @10.53.0.2 example. AXFR > "dig.out.ns2.test$n" || return 1
-	grep "^;" "dig.out.ns2.test$n" > /dev/null && return 1
-	return 0
-)
-
-status=0
-n=0
-
-n=$((n+1))
-echo_i "testing XoT server functionality (using dig) ($n)"
-ret=0
-dig_with_opts example. -b 10.53.0.3 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
-grep "^;" dig.out.ns1.test$n | cat_i
-digcomp dig1.good dig.out.ns1.test$n || ret=1
-if test $ret != 0 ; then echo_i "failed"; fi
-status=$((status+ret))
-
-n=$((n+1))
-echo_i "testing basic incoming XoT functionality (from secondary) ($n)"
-ret=0
-if retry_quiet 10 wait_for_xfer; then
-	grep "^;" "dig.out.ns2.test$n" | cat_i
-	digcomp dig1.good "dig.out.ns2.test$n" || ret=1
-else
-	echo_i "timed out waiting for zone transfer"
-	ret=1
-fi
-if test $ret != 0 ; then echo_i "failed"; fi
-status=$((status+ret))
-
-echo_i "exit status: $status"
-[ $status -eq 0 ] || exit 1

util/copyrights

@@ -368,9 +368,12 @@
 ./bin/tests/system/dnstap/setup.sh		SH	2018,2019,2020,2021
 ./bin/tests/system/dnstap/tests.sh		SH	2015,2016,2017,2018,2019,2020,2021
 ./bin/tests/system/dnstap/ydump.py		PYTHON	2016,2017,2018,2019,2020,2021
-./bin/tests/system/dot/clean.sh			SH	2020,2021
-./bin/tests/system/dot/setup.sh			SH	2020,2021
-./bin/tests/system/dot/tests.sh			SH	2020,2021
+./bin/tests/system/doth/clean.sh		SH	2020,2021
+./bin/tests/system/doth/dig1.good		X	2021
+./bin/tests/system/doth/ns2/cert.pem		X	2021
+./bin/tests/system/doth/ns2/key.pem		X	2021
+./bin/tests/system/doth/setup.sh		SH	2021
+./bin/tests/system/doth/tests.sh		SH	2021
 ./bin/tests/system/dscp/clean.sh		SH	2013,2014,2015,2016,2018,2019,2020,2021
 ./bin/tests/system/dscp/ns1/named.args		X	2013,2014,2018,2019,2020,2021
 ./bin/tests/system/dscp/ns2/named.args		X	2013,2014,2018,2019,2020,2021
@@ -987,10 +990,6 @@
 ./bin/tests/system/xferquota/setup.pl		PERL	2000,2001,2004,2007,2011,2012,2016,2018,2019,2020,2021
 ./bin/tests/system/xferquota/setup.sh		SH	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
 ./bin/tests/system/xferquota/tests.sh		SH	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
-./bin/tests/system/xot/clean.sh			SH	2021
-./bin/tests/system/xot/dig1.good		X	2021
-./bin/tests/system/xot/setup.sh			SH	2021
-./bin/tests/system/xot/tests.sh			SH	2021
 ./bin/tests/system/zero/ans5/ans.pl		PERL	2016,2018,2019,2020,2021
 ./bin/tests/system/zero/clean.sh		SH	2013,2014,2015,2016,2018,2019,2020,2021
 ./bin/tests/system/zero/setup.sh		SH	2013,2014,2016,2018,2019,2020,2021