[Swan-dev] dnsec and namespaces tests

Andrew Cagney andrew.cagney at gmail.com
Sun Feb 23 01:06:26 UTC 2020

On Sat, 22 Feb 2020 at 13:49, Antony Antony <antony at phenome.org> wrote:
> to follow up from IRC. Hopping, for better coordination, instead of stepping
> on each other's toes, on DNSSEC test clean ups. My current issue is
> difference between two KVM runs, testing.libreswan.org and
> swantest.libreswan.fi/s2/. I am not comparing namespace output here. My kvm
> run output [1].
> the issues raced irc:
> cagney>
> https://testing.libreswan.org/v3.30-92-g453384a8eb-master/ikev2-55-ipseckey-06/OUTPUT/nic.console.diff
> seems to be something wrong with ipseckey
> Something is odd. I can run the same test on my KVM setup without any issues.
> First I thought testing is not upto date. Then cagney said it is. Now I
> don't know why ikev2-55-ipseckey-06 fails. I need to gather more info.
> current verbose logs do not tell much.

Yea, even on testing the results flip flop.   Perhaps it just has to
try for longer?

> Also I would like to clarify the follow up comment.
> LetoTo> but antony has been rewriting the nsd config to answer on a
> LetoTo> different port, so libreswan talks directly to nsd.
> The ipseckey* and dnsoe* tests have been running with nsd! Atlest the tests
> I know.  Now I am working to make it possible to choose between nsd or
> unbound.  While at it add namespace support.
> starting unbound offline with additional root anchors is tricky. Tuomo
> mentioned we may need more config.
> It was unstable and takes long to startup. I think now it is fixed, LetoTo
> commited some changes  a while ago. It was still unstable.
> My plan is when it is one
> swan-prep --dnssec will use nsd on 5353 + unbound port 53
> swan-prep --nsd will use only nsd on 53. I know there are strong opinions
> against this idea. I would recommend keep those for another thred.  My
> argument this is the fastest and stable to run dnssec and it just works.
> We have been using this.
> However short not about dnssec tests and namespaces, I am not yet committing
> console output from namespaces as reference outputs. I mean sometimes I do
> by accident, then I try go back to use testing.libreswan.org produced output
> as reference. There are a few, minor and annoying, differences, between kvm
> and namespace outputs. It is a topic of its own:) I feel it is time to start
> thread on differences between namespace run and kvm runs.
> [1]
> https://swantest.libreswan.fi/s2/v3.30-75-gdb6e6e5de0-testrun-master/ikev2-55-ipseckey-06/OUTPUT/
> cagney:
> dev eth1 proto kernel scope link src
>  north #
> + ../bin/xfrmcheck.sh
> +north #
> In this case,
> I forgot to update the output. empty xfrmcheck.sh is good there. I will get
> around it soon.
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev

More information about the Swan-dev mailing list