rsp2k/coredns
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
coredns/test/README.md
Ryan Malloy 3dd99fa81a test: sandboxed docker-compose stack for plugin smoke testing 
Brings up a parallel CoreDNS instance on ports 11053/19153 with a
single test.example.com zone. Useful for verifying the custom image
builds and the rfc2136 plugin accepts/applies UPDATEs end-to-end
before touching production zones.

Already validated the msgAcceptFunc override fix end-to-end via
nsupdate, with the auto plugin re-serving the new record within 5s.

Note: zones/test.example.com.zone gets rewritten by the plugin
during testing. If perms get hosed (docker writes as root), run
sudo chown -R rpm:rpm test/zones/ to reclaim.
2026-05-21 12:17:49 -06:00

74 lines
2.4 KiB
Markdown
Raw Blame History

# Test stack — sandboxed CoreDNS + rfc2136 plugin
Brings up a parallel CoreDNS instance for smoke-testing the
`git.supported.systems/rsp2k/coredns-rfc2136` plugin without
touching the production stack on dell01.
## What this proves
- The custom CoreDNS image builds and links the plugin successfully.
- The plugin parses its Corefile directive at startup.
- Queries (SOA, A, TXT, etc.) flow through the `auto` plugin as
normal (the rfc2136 plugin is transparent for non-UPDATE traffic).
- UPDATE messages signed with the configured TSIG key apply changes
to the on-disk zone file.
- After an UPDATE, `dig` returns the new record (CoreDNS's `auto`
plugin sees the mtime change and reloads within 5s).
## Quickstart
```bash
cd test/
# 1. Build + start. The build clones CoreDNS source and pulls the
# plugin via `go get` -- expect ~2-3 min for the first build.
docker compose up -d --build
# 2. Sanity-check the apex SOA is served.
dig @127.0.0.1 -p 11053 test.example.com SOA +short
# 3. Push an UPDATE via nsupdate. The TSIG secret comes from .env.
nsupdate -y "hmac-sha256:acme-update-key.:$(grep ACME_TSIG_SECRET .env | cut -d= -f2)" <<'EOF'
server 127.0.0.1 11053
zone test.example.com
update add token.test.example.com 60 TXT "validation-token-1"
send
EOF
# 4. Wait ~5s for the auto plugin to reload, then verify.
sleep 6
dig @127.0.0.1 -p 11053 token.test.example.com TXT +short
# expected: "validation-token-1"
# 5. Inspect the updated zone file on disk.
cat zones/test.example.com.zone
# 6. Tear down when done.
docker compose down
```
## Files
| Path | Role |
|---|---|
| `Corefile` | Two plugins: `auto` (serves queries) + `rfc2136` (handles UPDATE) |
| `zones/test.example.com.zone` | The one test zone; rewritten by rfc2136 on UPDATE |
| `docker-compose.yml` | Standalone stack on ports 11053 / 19153 |
| `.env` | Isolated `COMPOSE_PROJECT_NAME` + a fixed throwaway TSIG secret |
## What this does NOT test
- TSIG cryptographic correctness against a malicious client. (Unit
tests in the plugin's `tsig.go` + miekg/dns's own tests cover this.)
- Git auto-commit. We disable it here (`auto-commit false` in Corefile)
because there's no git repo at `/zones` inside the container. That
path gets exercised on dell01 in Phase 3.
- Caddy → caddy-dns/rfc2136 end-to-end cert issuance. (Phase 3.)
## Cleanup
```bash
docker compose down
git checkout -- zones/test.example.com.zone # restore baseline
```
Reference in New Issue View Git Blame Copy Permalink