Merge namecoin/ncdns#174: Add DNSSEC-Trigger functional tests

faf1695b7c Add DNSSEC-Trigger functional tests (Jeremy Rand)
f877ec7657 Move unbound.conf.d examples to separate files (Jeremy Rand)

Pull request description:

Top commit has no ACKs.

Tree-SHA512: aaf6983bf7f81b0abc3d76080739e1548846d728133d2cc523da0d83067aa0a87ed537eb374829d426c1446b5e884e27dfcc1167366a55c4bae4bea3a3a4fe7b

.cirrus.yml

@@ -180,15 +180,21 @@ task:
     populate_script: mkdir -p /tmp/bitcoind
   install_script:
     - apt-get update
+    - apt-get install -y dnssec-trigger
+    # Namecoin Core
     - BITCOIND_URL=$(curl https://www.namecoin.org/download/ | grep x86_64-linux-gnu.tar.gz | grep -v 0.13.99 | grep --only-matching https://.*.tar.gz)
     - BITCOIND_FILENAME=$(echo $BITCOIND_URL | grep -E --only-matching 'namecoin-nc.*.tar.gz')
     - BITCOIND_PATH=/tmp/bitcoind/$BITCOIND_FILENAME
     - tar -xaf $BITCOIND_PATH || (rm -f /tmp/bitcoind/* && curl --output $BITCOIND_PATH $BITCOIND_URL && tar -xaf $BITCOIND_PATH)
     - cp -a namecoin-*/* /usr/
+    # ncdns
     - NCDNS_URL=https://api.cirrus-ci.com/v1/artifact/build/$CIRRUS_BUILD_ID/Cross-Compile%20Go%20$GO_VERSION/binaries/dist/ncdns--linux_amd64.tar.gz
     - curl -o ncdns.tar.gz $NCDNS_URL
     - tar -xaf ncdns.tar.gz
     - cp -a ncdns--*/* /usr/
+    # Configure DNSSEC-Trigger
+    - cp _doc/unbound.conf.d/ncdns.conf _doc/unbound.conf.d/ncdns-insecure.conf /etc/unbound/unbound.conf.d
+    - systemctl restart unbound
   bitcoind_service_background_script:
     - testdata/run_bitcoind.sh
   ncdns_service_background_script:

README.md

@@ -28,19 +28,11 @@ Using ncdns with a recursive resolver
 -------------------------------------
 Of course the daemon can also be used simply as an authoritative nameserver for
 bit. directly. One way to do this is to run a recursive resolver (such as
-Unbound) and configure it to serve the zone as a 'stub zone'. Here is an example
+Unbound) and configure it to serve the zone as a 'stub zone'. An example
-unbound configuration:
+Unbound configuration is in `_doc/unbound.conf.d/ncdns.conf`.
 
-    server:
+If you don't want to use DNSSEC, an additional Unbound configuration is in
-      do-not-query-localhost: no
+`_doc/unbound.conf.d/ncdns-insecure.conf`.
-    stub-zone:
-      name: bit.
-      stub-addr: 127.0.0.1@1153
-
-If you don't want to use DNSSEC, also add:
-
-    server:
-      domain-insecure: bit.
 
 If you do want to use DNSSEC, see the instructions below.
 

_doc/unbound.conf.d/ncdns-insecure.conf

@@ -0,0 +1,2 @@
+server:
+  domain-insecure: bit.

_doc/unbound.conf.d/ncdns.conf

@@ -0,0 +1,7 @@
+server:
+  do-not-query-localhost: no
+stub-zone:
+  name: bit.
+  stub-addr: 127.0.0.1@5391
+  stub-prime: no
+  stub-first: no

testdata/regtest.sh

@@ -74,3 +74,16 @@ echo "$dig_output"
 echo "Checking response correctness"
 tlsa_hex="$(echo 'MDkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDIgADvxHcjwDYMNfUSTtSIn3VbBC1sOzh/1Fv5T0UzEuLWIE=' | base64 --decode | xxd -u -ps -c 500)"
 echo "$dig_output" | sed 's/ //g' | grep "$tlsa_hex"
+
+echo "Query testls.bit IPv4 Recursive via dig"
+dig_output=$(dig -p 53 @127.0.0.1 A testls.bit)
+echo "$dig_output"
+echo "Checking response correctness"
+echo "$dig_output" | grep "107.152.38.155"
+
+echo "Query testls.bit TLS Recursive via dig"
+dig_output=$(dig -p 53 @127.0.0.1 TLSA "*.testls.bit")
+echo "$dig_output"
+echo "Checking response correctness"
+tlsa_hex="$(echo 'MDkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDIgADvxHcjwDYMNfUSTtSIn3VbBC1sOzh/1Fv5T0UzEuLWIE=' | base64 --decode | xxd -u -ps -c 500)"
+echo "$dig_output" | sed 's/ //g' | grep "$tlsa_hex"