[Swan-dev] dnsec and namespaces tests

Antony Antony antony at phenome.org
Sat Feb 22 18:49:15 UTC 2020


To follow up from IRC. Hoping for better coordination, instead of stepping 
on each other's toes, on DNSSEC test cleanups. My current issue is the 
difference between two KVM runs, testing.libreswan.org and 
swantest.libreswan.fi/s2/. I am not comparing namespace output here. My KVM 
run output is at [1].

The issues raised on IRC:
cagney>
https://testing.libreswan.org/v3.30-92-g453384a8eb-master/ikev2-55-ipseckey-06/OUTPUT/nic.console.diff
seems to be something wrong with ipseckey

Something is odd. I can run the same test on my KVM setup without any issues.
First I thought testing is not up to date. Then cagney said it is. Now I 
don't know why ikev2-55-ipseckey-06 fails. I need to gather more info.
Current verbose logs do not tell much.

Also I would like to clarify the follow-up comment.

LetoTo> but antony has been rewriting the nsd config to answer on a 
LetoTo> different port, so libreswan talks directly to nsd.

The ipseckey* and dnsoe* tests have been running with nsd! At least the tests 
I know. Now I am working to make it possible to choose between nsd or 
unbound. While at it, add namespace support.

Starting unbound offline with additional root anchors is tricky. Tuomo 
mentioned we may need more config.
It was unstable and takes long to start up. I think now it is fixed, LetoTo 
committed some changes a while ago. It was still unstable.

My plan is, when it is done:
swan-prep --dnssec will use nsd on 5353 + unbound port 53

swan-prep --nsd will use only nsd on 53. I know there are strong opinions 
against this idea. I would recommend keeping those for another thread. My 
argument is that this is the fastest and most stable way to run dnssec, and 
it just works. We have been using this.

However, a short note about dnssec tests and namespaces: I am not yet committing 
console output from namespaces as reference outputs. I mean sometimes I do 
by accident, then I try to go back to using testing.libreswan.org produced output 
as reference. There are a few, minor and annoying, differences between kvm 
and namespace outputs. It is a topic of its own :) I feel it is time to start 
a thread on differences between namespace runs and kvm runs.

[1]
https://swantest.libreswan.fi/s2/v3.30-75-gdb6e6e5de0-testrun-master/ikev2-55-ipseckey-06/OUTPUT/

cagney:
 192.1.3.0/24 dev eth1 proto kernel scope link src 192.1.3.33
 north #
+ ../bin/xfrmcheck.sh
+north #

In this case,
I forgot to update the output. Empty xfrmcheck.sh is good there. I will get 
around to it soon.

