[Swan-dev] testing and unstable dns

Andrew Cagney andrew.cagney at gmail.com
Sat Apr 17 23:55:13 UTC 2021


On Sat, 17 Apr 2021 at 15:17, Antony Antony <antony at phenome.org> wrote:

> On Sat, Apr 17, 2021 at 11:03:15AM -0400, Andrew Cagney wrote:
> > Problem is still there :-(  Anyone had some inspiration?  For instance with
> > nsd-4.3.2-1.fc32.x86_64
> >
> > https://testing.libreswan.org/v4.3-474-g9267a3fd5d-main/ikev2-55-ipseckey-06/OUTPUT/nic.console.diff
> >
> > On Mon, 29 Mar 2021 at 10:09, Andrew Cagney <andrew.cagney at gmail.com> wrote:
> >
> >     Picking up an IRC discussion, I'm wondering if anyone has ideas on why DNS
> >     isn't robust within the KVM test environment.
>
> I just pushed a minor fix. Let me see how ikev2-55-ipseckey-06 runs on
> testing.
>
> my last attempt to fix the dnssec tests:
> https://lists.libreswan.org/pipermail/swan-dev/2020-February/003660.html
>
> then I fixed only ikev2-55-ipseckey-01 and added namespace support.
> A quick look on testing shows ikev2-55-ipseckey-01 nic is not the issue
> anymore.
>
> ls -lt v4.3*/ikev2-55-ipseckey-01/OUTPUT/nic.console.diff
> all diff files are 0 bytes, which suggests my fix should work.
>
> next dnssec issue is dns key sort order.
>
> https://testing.libreswan.org/v4.3-474-g9267a3fd5d-main/ikev2-55-ipseckey-01/OUTPUT/east.console.diff
>
> DNS tests should work in namespace too, at least the NIC part.
> pubkey sorting order is a different problem.
>
> since afce9e92f nsd and unbound start is handled in swan-prep. It knows how
> to handle namespace vs systemctl.
>
> I recollect thinking that we should add a 10 sec while loop on nic like we do
> for strongswan.
>
> BTW:
> 6e9893ef090 comment and ./testing/guestbin/start-dns.sh are in the wrong
> direction, however, let's see if ikev2-55-ipseckey-06 nic is stable after my
> fix.
>

How so?  It replaced all of:

-#once unbound work properly replace the next lines
+setenforce Permissive
 nic #
- sed -i 's/5353/53/' /etc/nsd/nsd.conf
-nic #
- #/testing/guestbin/swan-prep --dnssec
-nic #
- setenforce Permissive
-nic #
- systemctl start nsd-keygen
-nic #
- systemctl start nsd
-nic #
- dig +short  @127.0.0.1  road.testing.libreswan.org  IPSECKEY
-10 0 2 . AQPHFfpyJ3Ck4fMKcCH5DD/iZRKH2f0Sy6/U4M<HUGE_RAW_KEY>
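
Review bot: the retained `+setenforce Permissive` line still switches SELinux to permissive before DNS is started, and the removed `#once unbound work properly replace the next lines` comment was the only explanation near it; a short comment saying why permissive mode is needed here would help. The hunk also takes the `sed -i 's/5353/53/' /etc/nsd/nsd.conf` port rewrite and the `systemctl start nsd-keygen` / `systemctl start nsd` steps out of the console log, so the replacement script has to carry out each of them and exit non-zero when one fails, otherwise a failed nsd start no longer shows up in nic.console.diff.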

with a small script and brief log lines:

+ ../../pluto/bin/start-dns.sh
+starting dns
+digging for road.testing.libreswan.org IPSECKEY
+Everything went well, including things like NXDOMAIN.
+Found 2 records
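
Review bot: the logged line `Everything went well, including things like NXDOMAIN.` reads as success even when the name does not resolve, so `Found 2 records` is the only line showing that the IPSECKEY lookup for road.testing.libreswan.org returned data. The script should compare the record count with the expected value and exit non-zero, after a bounded retry, when it differs. With the raw keys no longer printed, logging a short digest of the returned records would keep a wrong key visible in the console diff.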

Note, in particular, it removed the raw keys from dig.  The assumption is
that this standalone script can be tweaked to handle namespaces (and
further bloat to swan-prep can be avoided).