diff --git a/bin/tests/system/notify/CA/certs/srv03.crt01-expired.example.com.key b/bin/tests/system/notify/CA/certs/srv02.crt01-expired.example.com.key
similarity index 100%
rename from bin/tests/system/notify/CA/certs/srv03.crt01-expired.example.com.key
rename to bin/tests/system/notify/CA/certs/srv02.crt01-expired.example.com.key
diff --git a/bin/tests/system/notify/CA/certs/srv03.crt01-expired.example.com.pem b/bin/tests/system/notify/CA/certs/srv02.crt01-expired.example.com.pem
similarity index 100%
rename from bin/tests/system/notify/CA/certs/srv03.crt01-expired.example.com.pem
rename to bin/tests/system/notify/CA/certs/srv02.crt01-expired.example.com.pem
diff --git a/bin/tests/system/notify/ns2/named-tls.conf.in b/bin/tests/system/notify/ns2/named-tls.conf.in
index 16fe186f97..e069662d71 100644
--- a/bin/tests/system/notify/ns2/named-tls.conf.in
+++ b/bin/tests/system/notify/ns2/named-tls.conf.in
@@ -14,25 +14,16 @@
 tls tls-forward-secrecy {
 protocols { TLSv1.2; };
 ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../CA/certs/srv02.crt01.example.com.key";
+ cert-file "../CA/certs/srv02.crt01.example.com.pem";
 dhparam-file "../dhparam3072.pem";
- ca-file "../CA/CA.pem";
-};
-
-tls tls-forward-secrecy-remote-hostname {
- protocols { TLSv1.2; };
- ca-file "../CA/CA.pem";
- remote-hostname "srv03.crt01.example.com";
-};
-
-tls tls-forward-secrecy-bad-remote-hostname {
- protocols { TLSv1.2; };
- ca-file "../CA/CA.pem";
- remote-hostname "srv03-bad.crt01.example.com";
 };
 tls tls-forward-secrecy-mutual-tls {
 protocols { TLSv1.2; };
 ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
 key-file "../CA/certs/srv02.crt01.example.com.key";
 cert-file "../CA/certs/srv02.crt01.example.com.pem";
 dhparam-file "../dhparam3072.pem";
@@ -43,48 +34,7 @@ tls tls-expired {
 protocols { TLSv1.2; };
 ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
 prefer-server-ciphers yes;
+ key-file "../CA/certs/srv02.crt01-expired.example.com.key";
+ cert-file "../CA/certs/srv02.crt01-expired.example.com.pem";
 dhparam-file "../dhparam3072.pem";
- ca-file "../CA/CA.pem";
-};
-
-zone tls-x1 {
- type primary;
- file "generic.db";
- notify explicit;
- also-notify { 10.53.0.3 tls ephemeral; };
-};
-
-zone tls-x2 {
- type primary;
- file "generic.db";
- notify explicit;
- also-notify { 10.53.0.3 port @EXTRAPORT1@ tls tls-expired; };
-};
-
-zone tls-x3 {
- type primary;
- file "generic.db";
- notify explicit;
- also-notify { 10.53.0.3 port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname; };
-};
-
-zone tls-x4 {
- type primary;
- file "generic.db";
- notify explicit;
- also-notify { 10.53.0.3 port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname; };
-};
-
-zone tls-x5 {
- type primary;
- file "generic.db";
- notify explicit;
- also-notify { 10.53.0.3 port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls; };
-};
-
-zone tls-x6 {
- type primary;
- file "generic.db";
- notify explicit;
- also-notify { 10.53.0.3 port @EXTRAPORT4@ tls tls-expired; };
 };
diff --git a/bin/tests/system/notify/ns2/options-tls.conf.in b/bin/tests/system/notify/ns2/options-tls.conf.in
index fe3491e6c8..29f4df51a7 100644
--- a/bin/tests/system/notify/ns2/options-tls.conf.in
+++ b/bin/tests/system/notify/ns2/options-tls.conf.in
@@ -12,3 +12,7 @@
 */
 tls-port @TLSPORT@;
+ listen-on tls ephemeral { 10.53.0.2; };
+ listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; };
+ listen-on port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls { 10.53.0.2; };
+ listen-on port @EXTRAPORT4@ tls tls-expired { 10.53.0.2; };
diff --git a/bin/tests/system/notify/ns3/generic.db b/bin/tests/system/notify/ns3/generic.db
new file mode 100644
index 0000000000..42a669e0ab
--- /dev/null
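Review bot: The `tls-expired` listener added here references `srv02.crt01-expired.example.com.{key,pem}`, but those files are pure renames of the srv03 files (similarity index 100%), so the certificate inside is byte-for-byte the old one; if its CN/SAN names srv03, the new file name now misdescribes its content. Today this is harmless for tls-x6 because the ns3 `tls-expired` client block sets no remote-hostname, so the expected "verification failed" still comes from expiry, but anyone who later adds a remote-hostname check to that client would get a failure for the wrong reason and never notice. Either regenerate an expired certificate actually issued for `srv02.crt01.example.com`, or keep the srv03 file name and add a comment on the `cert-file` line such as `/* expired cert; subject still names srv03, only the listener host changed */`. The enclosing `tls tls-expired {` block starts outside the hunk.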
+++ b/bin/tests/system/notify/ns3/generic.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 300 ; refresh (300 seconds)
+ 300 ; retry (300 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
diff --git a/bin/tests/system/notify/ns3/named-tls.conf.in b/bin/tests/system/notify/ns3/named-tls.conf.in
index 429f3a8b85..3269091c87 100644
--- a/bin/tests/system/notify/ns3/named-tls.conf.in
+++ b/bin/tests/system/notify/ns3/named-tls.conf.in
@@ -14,16 +14,25 @@
 tls tls-forward-secrecy {
 protocols { TLSv1.2; };
 ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
- prefer-server-ciphers yes;
- key-file "../CA/certs/srv03.crt01.example.com.key";
- cert-file "../CA/certs/srv03.crt01.example.com.pem";
 dhparam-file "../dhparam3072.pem";
+ ca-file "../CA/CA.pem";
+};
+
+tls tls-forward-secrecy-remote-hostname {
+ protocols { TLSv1.2; };
+ ca-file "../CA/CA.pem";
+ remote-hostname "srv02.crt01.example.com";
+};
+
+tls tls-forward-secrecy-bad-remote-hostname {
+ protocols { TLSv1.2; };
+ ca-file "../CA/CA.pem";
+ remote-hostname "srv02-bad.crt01.example.com";
 };
 tls tls-forward-secrecy-mutual-tls {
 protocols { TLSv1.2; };
 ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
- prefer-server-ciphers yes;
 key-file "../CA/certs/srv03.crt01.example.com.key";
 cert-file "../CA/certs/srv03.crt01.example.com.pem";
 dhparam-file "../dhparam3072.pem";
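Review bot: After this hunk the ns3 `tls-forward-secrecy` block is a client-side configuration (key-file/cert-file dropped, `ca-file` added) yet it keeps `dhparam-file "../dhparam3072.pem";`, which as I read it is only consulted when named acts as the TLS server, and none of the zones added in the next hunk nor any remaining `listen-on` in ns3/options-tls.conf.in references this block, so it looks like dead configuration unless something outside the diff still uses it. The same server-only leftovers (`prefer-server-ciphers yes;` and `dhparam-file`) survive in the ns3 `tls-expired` block of the next hunk, which is likewise a pure verifying client now. Consider removing the unreferenced block, or trimming both blocks to `protocols`, `ciphers` and `ca-file` so the config states only what each side actually does; a one-line comment such as `/* client-side only: verifies ns2 against ../CA/CA.pem */` on the `tls-expired` block would also stop the name from suggesting it presents an expired certificate.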
@@ -34,7 +43,48 @@ tls tls-expired {
 protocols { TLSv1.2; };
 ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
 prefer-server-ciphers yes;
- key-file "../CA/certs/srv03.crt01-expired.example.com.key";
- cert-file "../CA/certs/srv03.crt01-expired.example.com.pem";
 dhparam-file "../dhparam3072.pem";
+ ca-file "../CA/CA.pem";
+};
+
+zone tls-x1 {
+ type primary;
+ file "generic.db";
+ notify explicit;
+ also-notify { 10.53.0.2 tls ephemeral; };
+};
+
+zone tls-x2 {
+ type primary;
+ file "generic.db";
+ notify explicit;
+ also-notify { 10.53.0.2 port @EXTRAPORT1@ tls tls-expired; };
+};
+
+zone tls-x3 {
+ type primary;
+ file "generic.db";
+ notify explicit;
+ also-notify { 10.53.0.2 port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname; };
+};
+
+zone tls-x4 {
+ type primary;
+ file "generic.db";
+ notify explicit;
+ also-notify { 10.53.0.2 port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname; };
+};
+
+zone tls-x5 {
+ type primary;
+ file "generic.db";
+ notify explicit;
+ also-notify { 10.53.0.2 port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls; };
+};
+
+zone tls-x6 {
+ type primary;
+ file "generic.db";
+ notify explicit;
+ also-notify { 10.53.0.2 port @EXTRAPORT4@ tls tls-expired; };
 };
diff --git a/bin/tests/system/notify/ns3/options-tls.conf.in b/bin/tests/system/notify/ns3/options-tls.conf.in
index 23c0658bd5..fe3491e6c8 100644
--- a/bin/tests/system/notify/ns3/options-tls.conf.in
+++ b/bin/tests/system/notify/ns3/options-tls.conf.in
@@ -12,7 +12,3 @@
 */
 tls-port @TLSPORT@;
- listen-on tls ephemeral { 10.53.0.3; };
- listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.3; };
- listen-on port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls { 10.53.0.3; };
- listen-on port @EXTRAPORT4@ tls tls-expired { 10.53.0.3; };
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
index 2fbccbd37f..22a50eeb42 100644
--- a/bin/tests/system/notify/tests.sh
+++ b/bin/tests/system/notify/tests.sh
@@ -120,15 +120,15 @@ grep 'refused notify from non-primary: fd92:7065:b8e:ffff::2#[0-9][0-9]*$' ns3/n
 test_end
 test_start "checking notify over TLS successful"
-grep "zone tls-x1/IN: notify to 10.53.0.3#${TLSPORT} successful" ns2/named.run >/dev/null || ret=1
-grep "zone tls-x2/IN: notify to 10.53.0.3#${EXTRAPORT1} successful" ns2/named.run >/dev/null || ret=1
-grep "zone tls-x3/IN: notify to 10.53.0.3#${EXTRAPORT1} successful" ns2/named.run >/dev/null || ret=1
-grep "zone tls-x5/IN: notify to 10.53.0.3#${EXTRAPORT3} successful" ns2/named.run >/dev/null || ret=1
+grep "zone tls-x1/IN: notify to 10.53.0.2#${TLSPORT} successful" ns3/named.run >/dev/null || ret=1
+grep "zone tls-x2/IN: notify to 10.53.0.2#${EXTRAPORT1} successful" ns3/named.run >/dev/null || ret=1
+grep "zone tls-x3/IN: notify to 10.53.0.2#${EXTRAPORT1} successful" ns3/named.run >/dev/null || ret=1
+grep "zone tls-x5/IN: notify to 10.53.0.2#${EXTRAPORT3} successful" ns3/named.run >/dev/null || ret=1
 test_end
 test_start "checking notify over TLS failed"
-grep "zone tls-x4/IN: notify to 10.53.0.3#${EXTRAPORT1} failed: TLS peer certificate verification failed" ns2/named.run >/dev/null || ret=1
-grep "zone tls-x6/IN: notify to 10.53.0.3#${EXTRAPORT4} failed: TLS peer certificate verification failed" ns2/named.run >/dev/null || ret=1
+grep "zone tls-x4/IN: notify to 10.53.0.2#${EXTRAPORT1} failed: TLS peer certificate verification failed" ns3/named.run >/dev/null || ret=1
+grep "zone tls-x6/IN: notify to 10.53.0.2#${EXTRAPORT4} failed: TLS peer certificate verification failed" ns3/named.run >/dev/null || ret=1
 test_end
 test_start "checking example2 loaded"
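Review bot: The two "failed" assertions only match the generic text `TLS peer certificate verification failed`, so tls-x4 (bad remote-hostname) and tls-x6 (expired server certificate) pass for any verification failure at all, including one caused by ns3 failing to load `../CA/CA.pem` or by the listener presenting the wrong certificate; that would make the negative tests green for the wrong reason. Nothing here asserts that those two zones did not also log a successful notify, which is the cheap way to tighten them: add `grep "zone tls-x4/IN: notify to 10.53.0.2#${EXTRAPORT1} successful" ns3/named.run >/dev/null && ret=1` and the same for tls-x6 on `${EXTRAPORT4}` after the existing greps. Whether named logs a more specific reason (hostname mismatch vs. expiry) is not visible in this diff; if it does, matching that text would be better still. The `ret` initialisation and the `test_start`/`test_end` helpers are outside the hunk.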