Ryan Malloy 3dd99fa81a test: sandboxed docker-compose stack for plugin smoke testing
Brings up a parallel CoreDNS instance on ports 11053/19153 with a
single test.example.com zone. Useful for verifying the custom image
builds and the rfc2136 plugin accepts/applies UPDATEs end-to-end
before touching production zones.

Already validated the msgAcceptFunc override fix end-to-end via
nsupdate, with the auto plugin re-serving the new record within 5s.

Note: zones/test.example.com.zone gets rewritten by the plugin
during testing. If perms get hosed (docker writes as root), run
sudo chown -R rpm:rpm test/zones/ to reclaim.
2026-05-21 12:17:49 -06:00

Test stack — sandboxed CoreDNS + rfc2136 plugin

Brings up a parallel CoreDNS instance for smoke-testing the git.supported.systems/rsp2k/coredns-rfc2136 plugin without touching the production stack on dell01.

What this proves

  • The custom CoreDNS image builds and links the plugin successfully.
  • The plugin parses its Corefile directive at startup.
  • Queries (SOA, A, TXT, etc.) flow through the auto plugin as normal (the rfc2136 plugin is transparent for non-UPDATE traffic).
  • UPDATE messages signed with the configured TSIG key apply changes to the on-disk zone file.
  • After an UPDATE, dig returns the new record (CoreDNS's auto plugin sees the mtime change and reloads within 5s).

Quickstart

cd test/

# 1. Build + start. The build clones CoreDNS source and pulls the
#    plugin via `go get` -- expect ~2-3 min for the first build.
docker compose up -d --build

# 2. Sanity-check the apex SOA is served.
dig @127.0.0.1 -p 11053 test.example.com SOA +short

# 3. Push an UPDATE via nsupdate. The TSIG secret comes from .env.
nsupdate -y "hmac-sha256:acme-update-key.:$(grep ACME_TSIG_SECRET .env | cut -d= -f2)" <<'EOF'
server 127.0.0.1 11053
zone test.example.com
update add token.test.example.com 60 TXT "validation-token-1"
send
EOF

# 4. Wait ~5s for the auto plugin to reload, then verify.
sleep 6
dig @127.0.0.1 -p 11053 token.test.example.com TXT +short
# expected: "validation-token-1"

# 5. Inspect the updated zone file on disk.
cat zones/test.example.com.zone

# 6. Tear down when done.
docker compose down
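
The six Quickstart steps above as one script, added here as an example and not a file shipped in the repo. It reads ACME_TSIG_SECRET from .env the same way the Quickstart does, sends the signed UPDATE, and then polls dig until the record appears instead of sleeping a fixed 6 seconds; the function names, the 15-second ceiling and the `--run` flag are assumptions.

```sh
#!/usr/bin/env sh
# Added smoke-test helper, not part of the repo. Assumes the README's test/ layout:
# .env carries ACME_TSIG_SECRET, CoreDNS answers on 127.0.0.1:11053, key acme-update-key.
set -eu
NS_HOST="${NS_HOST:-127.0.0.1}"
NS_PORT="${NS_PORT:-11053}"
ZONE="${ZONE:-test.example.com}"
KEY_NAME="${KEY_NAME:-acme-update-key.}"
# Build nsupdate's -y argument from a .env file; tolerates quoted values and CRLF.
tsig_key_arg() {
    secret=$(sed -n 's/^ACME_TSIG_SECRET=//p' "$1" | tr -d '\r"' | head -n 1)
    [ -n "$secret" ] || { echo "ACME_TSIG_SECRET not set in $1" >&2; return 1; }
    printf 'hmac-sha256:%s:%s\n' "$KEY_NAME" "$secret"
}

# Send one TSIG-signed UPDATE adding a TXT record: send_txt_update <name> <value> <envfile>
send_txt_update() {
    nsupdate -y "$(tsig_key_arg "$3")" <<EOF
server $NS_HOST $NS_PORT
zone $ZONE
update add $1 60 TXT "$2"
send
EOF
}

# Poll <cmd...> once a second until its output equals <expected> or <timeout> seconds pass;
# replaces the fixed "sleep 6": wait_for_output <expected> <timeout> <cmd...>
wait_for_output() {
    expected="$1"; timeout="$2"; shift 2; i=0
    while [ "$i" -lt "$timeout" ]; do
        out=$("$@" 2>/dev/null || true)
        [ "$out" = "$expected" ] && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

# dig +short prints a TXT value with its quotes, e.g. "validation-token-1".
query_txt() { dig @"$NS_HOST" -p "$NS_PORT" "$1" TXT +short; }
main() {
    name="token.$ZONE"; value="validation-token-$(date +%s)"
    send_txt_update "$name" "$value" .env
    if wait_for_output "\"$value\"" 15 query_txt "$name"; then
        echo "PASS: $name serves \"$value\""
    else
        echo "FAIL: $name not updated within 15s" >&2; exit 1
    fi
}
# Drive the live stack only when invoked as: sh smoke.sh --run (from test/).
if [ "${1:-}" = "--run" ]; then main; fi
```

Reading the secret with sed rather than `cut -d= -f2` keeps base64 secrets that end in `=` padding intact.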

Files

Path                          Role
Corefile                      Two plugins: auto (serves queries) + rfc2136 (handles UPDATE)
zones/test.example.com.zone   The one test zone; rewritten by rfc2136 on UPDATE
docker-compose.yml            Standalone stack on ports 11053 / 19153
.env                          Isolated COMPOSE_PROJECT_NAME + a fixed throwaway TSIG secret

What this does NOT test

  • TSIG cryptographic correctness against a malicious client. (Unit tests in the plugin's tsig.go + miekg/dns's own tests cover this.)
  • Git auto-commit. We disable it here (auto-commit false in Corefile) because there's no git repo at /zones inside the container. That path gets exercised on dell01 in Phase 3.
  • Caddy → caddy-dns/rfc2136 end-to-end cert issuance. (Phase 3.)

Cleanup

docker compose down
git checkout -- zones/test.example.com.zone   # restore baseline