Cirrus: Add Unbound tests

.cirrus.yml

@@ -223,6 +223,63 @@ task:
     GOX_TAGS: ""
     GO_VERSION: latest
 
+task:
+  name: Resolve Tests Electrum Unbound
+  container:
+    image: fedora:latest
+    cpu: 1
+    memory: 1G
+  install_script:
+    - curl -o /usr/bin/electrum-nmc https://www.namecoin.org/files/electrum-nmc/electrum-nmc-4.0.0b0/electrum-nmc-nc4.0.0b0-x86_64.AppImage
+    - chmod +x /usr/bin/electrum-nmc
+    # Extract Electrum-NMC AppImage
+    - electrum-nmc --offline version
+    - curl -o ncdns.tar.gz https://api.cirrus-ci.com/v1/artifact/build/$CIRRUS_BUILD_ID/Cross-Compile%20Go%20latest/binaries/dist/ncdns--linux_amd64.tar.gz
+    - tar -xaf ./ncdns.tar.gz
+    - mv ./ncdns-*/bin/* /usr/bin/
+    - dnf install -y bind-dnssec-utils # For dnssec-keygen
+    - dnf install -y bind-utils # For dig
+    - dnf install -y unbound
+    # Set up DNSSEC
+    - mkdir KSK
+    - dnssec-keygen -a RSASHA256 -3 -b 2048 -f KSK -K KSK bit
+    - mkdir ZSK
+    - dnssec-keygen -a RSASHA256 -3 -b 2048 -K ZSK bit
+    - mkdir -p /etc/unbound/keys/ /etc/unbound/conf.d/
+    - cp KSK/*.key /etc/unbound/keys/bit.key
+    - cp _doc/unbound/conf.d/ncdns.conf /etc/unbound/conf.d/
+    - cp _doc/unbound/conf.d/ncdns-dnssec-on.conf /etc/unbound/conf.d/
+  electrum_background_script:
+    - electrum-nmc $ELECTRUM_ARGS -v
+  ncdns_background_script:
+    - ncdns -ncdns.namecoinrpcusername user -ncdns.namecoinrpcpassword pass -ncdns.bind :5391 -ncdns.privatekey ./KSK/*.private -ncdns.publickey ./KSK/*.key -ncdns.zoneprivatekey ./ZSK/*.private -ncdns.zonepublickey ./ZSK/*.key -xlog.severity DEBUG
+  unbound_background_script:
+    - unbound
+  resolve_electrum_script:
+    - while ! electrum-nmc $ELECTRUM_ARGS name_show d/namecoin
+    - do
+    - echo Waiting for Electrum-NMC to sync...
+    - sleep 1s
+    - done
+    - electrum-nmc $ELECTRUM_ARGS name_show d/namecoin | grep $NAMECOIN_IP
+  resolve_ncdns_script:
+    - dig -p 5391 @127.0.0.1 namecoin.bit
+    - dig -p 5391 @127.0.0.1 namecoin.bit | grep $NAMECOIN_IP
+    - dig -p 5391 +tcp @127.0.0.1 namecoin.bit
+    - dig -p 5391 +tcp @127.0.0.1 namecoin.bit | grep $NAMECOIN_IP
+  resolve_unbound_script:
+    - dig -p 53 @127.0.0.1 namecoin.bit
+    - dig -p 53 @127.0.0.1 namecoin.bit | grep $NAMECOIN_IP
+  depends_on:
+    - "Cross-Compile Go latest"
+  env:
+    # Workaround FUSE/Docker incompatibility.
+    # See https://github.com/AppImage/AppImageKit/issues/828#issuecomment-730002566
+    APPIMAGE_EXTRACT_AND_RUN: 1
+    NO_CLEANUP: 1
+    NAMECOIN_IP: "91.219.237.223"
+    ELECTRUM_ARGS: "--rpcport 8336 --rpcuser user --rpcpassword pass"
+
 task:
   # GitHub Release Upload
   # TODO: implement this.

README.md

@@ -28,19 +28,9 @@ Using ncdns with a recursive resolver
 -------------------------------------
 Of course the daemon can also be used simply as an authoritative nameserver for
 bit. directly. One way to do this is to run a recursive resolver (such as
-Unbound) and configure it to serve the zone as a 'stub zone'. Here is an example
-unbound configuration:
+Unbound) and configure it to serve the zone as a 'stub zone'. An example Unbound configuration file `ncdns.conf` is in `_doc/unbound`.
 
-    server:
-      do-not-query-localhost: no
-    stub-zone:
-      name: bit.
-      stub-addr: 127.0.0.1@1153
-
-If you don't want to use DNSSEC, also add:
-
-    server:
-      domain-insecure: bit.
+If you don't want to use DNSSEC, also add `ncdns-dnssec-off.conf` to Unbound's configuration.
 
 If you do want to use DNSSEC, see the instructions below.
 
@@ -71,13 +61,7 @@ if you want to use the key as a trust anchor with a recursive resolver such as
 unbound, you should specify `bit`.)
 
 If using Unbound as a recursive resolver, you should add the KSK's public key file
-as a trust anchor to unbound like so:
-
-    server:
-      trust-anchor-file: "/etc/unbound/keys/bit.key"
-
-`bit.key` should be the file containing the KSK DNSKEY (or DS) which ncdns is
-configured to use.
+as a trust anchor to unbound, as in `ncdns-dnssec-on.conf` in `_doc/unbound`.
 
 Building
 --------
@@ -139,7 +123,7 @@ ncdns uses a configuration file which is looked for at `../etc/ncdns.conf`
 this and all options on the command line. An annotated example configuration
 file `ncdns.conf.example` is available in doc.
 
-You will need to setup a `namecoind`, `namecoin-qt` or compatible Namecoin node
+You will need to setup a `namecoind`, `namecoin-qt`, `electrum-nmc`, or compatible Namecoin node
 and enable the JSON-RPC interface. You will then need to provide `ncdns` with
 the address of this interface and any necessary username and password via the
 configuration file.
@@ -147,9 +131,9 @@ configuration file.
 If you only want to resolve .bit names yourself, here is a suggested setup on
 Linux:
 
-  - Install `namecoind` (or `namecoin-qt`) and set it to start automatically
+  - Install `namecoind` (or `namecoin-qt` or `electrum-nmc`) and set it to start automatically
     at boot or login. Set up the JSON-RPC interface and make sure it works
-    by making a test query: `namecoind name_show d/example`.
+    by making a test query: `namecoin-cli name_show d/example` or `electrum-nmc name_show d/example`.
 
   - Write a ncdns configuration file and set ncdns up to start at boot.
     Since Unbound will tie up port 53, set a different port (ideally one >=1024,

_doc/unbound/conf.d/ncdns-dnssec-off.conf

@@ -0,0 +1,4 @@
+# Include this file if ncdns has DNSSEC disabled.
+
+server:
+  domain-insecure: bit.

_doc/unbound/conf.d/ncdns-dnssec-on.conf

@@ -0,0 +1,6 @@
+# Include this file if ncdns has DNSSEC enabled.
+
+server:
+  # bit.key should be the file containing the KSK DNSKEY (or DS) which ncdns is
+  # configured to use.
+  trust-anchor-file: "/etc/unbound/keys/bit.key"

_doc/unbound/conf.d/ncdns.conf

@@ -0,0 +1,7 @@
+# Include this file if ncdns is in use.
+
+server:
+  do-not-query-localhost: no
+stub-zone:
+  name: bit.
+  stub-addr: 127.0.0.1@5391