From 2c1c7ec639a41f47273cb21a66d865d2e46fbaf1 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 22 Nov 2023 12:56:52 +1100 Subject: [PATCH 1/3] Stop sending queries to the internet's root servers Disable automatic dnssec validation. (cherry picked from commit 15a433cb9d9104733dc8def35ce65427784fea66)
---
 bin/tests/system/serve-stale/ns6/named.conf.in | 1 +
 1 file changed, 1 insertion(+)
diff --git a/bin/tests/system/serve-stale/ns6/named.conf.in b/bin/tests/system/serve-stale/ns6/named.conf.in
index 15f5dd6c73..ddc5afe5a8 100644
--- a/bin/tests/system/serve-stale/ns6/named.conf.in
+++ b/bin/tests/system/serve-stale/ns6/named.conf.in
@@ -28,6 +28,7 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.6; };
 listen-on-v6 { none; };
+ dnssec-validation no;
 recursion no;
 };

From ec3a47fc685682baa0e69ce20ce8624f81716425 Mon Sep 17 00:00:00 2001 From: Tom Krizek Date: Mon, 27 Nov 2023 17:22:55 +0100 Subject: [PATCH 2/3] Turn off dnssec validation in inline test DNSSEC validation isn't required by the inline test and would send queries to root name servers. (cherry picked from commit 66d6394057b6b9fed32c8b2891f80cae79c39e5c)
---
 bin/tests/system/inline/ns5/named.conf.post | 1 +
 bin/tests/system/inline/ns5/named.conf.pre | 1 +
 bin/tests/system/inline/ns7/named.conf.in | 1 +
 3 files changed, 3 insertions(+)
diff --git a/bin/tests/system/inline/ns5/named.conf.post b/bin/tests/system/inline/ns5/named.conf.post
index 169c2bb81a..c4a107ede2 100644
--- a/bin/tests/system/inline/ns5/named.conf.post
+++ b/bin/tests/system/inline/ns5/named.conf.post
@@ -27,6 +27,7 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.5; };
 listen-on-v6 { none; };
+ dnssec-validation no;
 recursion no;
 notify yes;
 notify-delay 0;
diff --git a/bin/tests/system/inline/ns5/named.conf.pre b/bin/tests/system/inline/ns5/named.conf.pre
index 2018289634..a3ea6f2a8f 100644
--- a/bin/tests/system/inline/ns5/named.conf.pre
+++ b/bin/tests/system/inline/ns5/named.conf.pre
@@ -27,6 +27,7 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.5; };
 listen-on-v6 { none; };
+ dnssec-validation no;
 recursion no;
 notify yes;
 notify-delay 0;
diff --git a/bin/tests/system/inline/ns7/named.conf.in b/bin/tests/system/inline/ns7/named.conf.in
index 4e99dabea5..00fed785a4 100644
--- a/bin/tests/system/inline/ns7/named.conf.in
+++ b/bin/tests/system/inline/ns7/named.conf.in
@@ -41,6 +41,7 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.7; };
 listen-on-v6 { none; };
+ dnssec-validation no;
 recursion no;
 notify no;
 try-tcp-refresh no;
From d2c5a11ae8509803c9517c3af38c52c726f7496e Mon Sep 17 00:00:00 2001 From: Tom Krizek Date: Mon, 8 Jan 2024 18:13:47 +0100 Subject: [PATCH 3/3] Turn off dnssec-validation in nsec&tsig system tests This is a followup for !8063, which backported !7999. The configuration file layout for these files have changed (main branch has named-fips.conf), which is probably why these bits were missed during a backport.
---
 bin/tests/system/nsec3/ns3/named.conf.in | 1 +
 bin/tests/system/nsec3/ns3/named2.conf.in | 1 +
 bin/tests/system/tsig/ns1/named.conf.in | 1 +
 3 files changed, 3 insertions(+)
diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in
index de097744ba..022e9421bc 100644
--- a/bin/tests/system/nsec3/ns3/named.conf.in
+++ b/bin/tests/system/nsec3/ns3/named.conf.in
@@ -46,6 +46,7 @@ options {
 listen-on-v6 { none; };
 allow-transfer { any; };
 recursion no;
+ dnssec-validation no;
 };

 key rndc_key {
diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in
index 084bba3f0b..4e6d644a3d 100644
--- a/bin/tests/system/nsec3/ns3/named2.conf.in
+++ b/bin/tests/system/nsec3/ns3/named2.conf.in
@@ -46,6 +46,7 @@ options {
 listen-on-v6 { none; };
 allow-transfer { any; };
 recursion no;
+ dnssec-validation no;
 };

 key rndc_key {
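Review bot: None of the added `dnssec-validation no;` lines carries a comment saying why validation is off, and in the two nsec3/ns3 hunks the statement is placed after `recursion no;` while patches 1/3 and 2/3 place it before. The message of 3/3 says these files were missed during the backport, so the reason should live in the config itself, e.g. `dnssec-validation no; /* keep the test server from querying the internet's root servers */`, placed consistently ahead of `recursion`. The same comment applies to the serve-stale, inline and tsig hunks. A harness check that fails when a system-test named.conf leaves dnssec-validation unset would catch the next missed file, though that is outside this series.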
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
index de16ccf493..120cd9062f 100644
--- a/bin/tests/system/tsig/ns1/named.conf.in
+++ b/bin/tests/system/tsig/ns1/named.conf.in
@@ -20,6 +20,7 @@ options {
 listen-on { 10.53.0.1; };
 listen-on-v6 { none; };
 recursion yes;
+ dnssec-validation no;
 notify no;
 };
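Review bot: `recursion yes;` stays on in this `options` block, so unlike the other servers in the series this one can still resolve on behalf of clients after `dnssec-validation no;` is added. Whether such lookups can reach the internet's root servers depends on a hint or root zone declared elsewhere in tsig/ns1/named.conf.in, which this hunk does not show. It would be worth confirming that the file defines a locally served root, or switching to `recursion no;` if the tsig test never needs recursion. The `options` block begins above the hunk.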