[Swan-dev] dnsec and namespaces tests
Antony Antony
antony at phenome.org
Sat Feb 22 18:49:15 UTC 2020
To follow up from IRC. Hoping for better coordination, instead of stepping
on each other's toes, on DNSSEC test cleanups. My current issue is the
difference between two KVM runs, testing.libreswan.org and
swantest.libreswan.fi/s2/. I am not comparing namespace output here. My KVM
run output is at [1].
The issues raised on IRC:
cagney>
https://testing.libreswan.org/v3.30-92-g453384a8eb-master/ikev2-55-ipseckey-06/OUTPUT/nic.console.diff
seems to be something wrong with ipseckey
Something is odd. I can run the same test on my KVM setup without any issues.
First I thought testing was not up to date. Then cagney said it is. Now I
don't know why ikev2-55-ipseckey-06 fails. I need to gather more info.
The current verbose logs do not tell much.
Also, I would like to clarify the follow-up comment.
LetoTo> but antony has been rewriting the nsd config to answer on a
LetoTo> different port, so libreswan talks directly to nsd.
The ipseckey* and dnsoe* tests have been running with nsd! At least the tests
I know. Now I am working to make it possible to choose between nsd or
unbound. While at it, add namespace support.
Starting unbound offline with additional root anchors is tricky. Tuomo
mentioned we may need more config.
It was unstable and takes long to start up. I think now it is fixed, LetoTo
committed some changes a while ago. It was still unstable.
My plan is, when it is done:
swan-prep --dnssec will use nsd on 5353 + unbound port 53
swan-prep --nsd will use only nsd on 53.
I know there are strong opinions against this idea. I would recommend
keeping those for another thread. My argument is that this is the fastest
and most stable way to run dnssec and it just works.
We have been using this.
However, a short note about dnssec tests and namespaces: I am not yet committing
console output from namespaces as reference outputs. I mean, sometimes I do
by accident, then I try to go back to using testing.libreswan.org produced output
as reference. There are a few, minor and annoying, differences between kvm
and namespace outputs. It is a topic of its own :) I feel it is time to start
a thread on differences between namespace runs and kvm runs.
[1]
https://swantest.libreswan.fi/s2/v3.30-75-gdb6e6e5de0-testrun-master/ikev2-55-ipseckey-06/OUTPUT/
cagney:
192.1.3.0/24 dev eth1 proto kernel scope link src 192.1.3.33
north #
+ ../bin/xfrmcheck.sh
+north #
In this case,
I forgot to update the output. Empty xfrmcheck.sh is good there. I will get
around to it soon.