mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-31 14:35:26 +00:00
Upgrade uses of hmac-md5 to DEFAULT_HMAC
where the test is not hmac-md5 specific
This commit is contained in:
Mark Andrews
@@ -35,12 +35,12 @@ options {
|
|||||||
};
|
};
|
||||||
|
|
||||||
key one {
|
key one {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
key two {
|
key two {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -35,12 +35,12 @@ options {
|
|||||||
};
|
};
|
||||||
|
|
||||||
key one {
|
key one {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
key two {
|
key two {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -35,17 +35,17 @@ options {
|
|||||||
};
|
};
|
||||||
|
|
||||||
key one {
|
key one {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
key two {
|
key two {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
key three {
|
key three {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -35,12 +35,12 @@ options {
|
|||||||
};
|
};
|
||||||
|
|
||||||
key one {
|
key one {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
key two {
|
key two {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -37,12 +37,12 @@ options {
|
|||||||
};
|
};
|
||||||
|
|
||||||
key one {
|
key one {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
key two {
|
key two {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -23,14 +23,14 @@ echo_i "testing basic ACL processing"
|
|||||||
# key "one" should fail
|
# key "one" should fail
|
||||||
t=`expr $t + 1`
|
t=`expr $t + 1`
|
||||||
$DIG $DIGOPTS tsigzone. \
|
$DIG $DIGOPTS tsigzone. \
|
||||||
@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
|
||||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
|
|
||||||
# any other key should be fine
|
# any other key should be fine
|
||||||
t=`expr $t + 1`
|
t=`expr $t + 1`
|
||||||
$DIG $DIGOPTS tsigzone. \
|
$DIG $DIGOPTS tsigzone. \
|
||||||
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
|
||||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
copy_setports ns2/named2.conf.in ns2/named.conf
|
copy_setports ns2/named2.conf.in ns2/named.conf
|
||||||
@@ -40,18 +40,18 @@ sleep 5
|
|||||||
# prefix 10/8 should fail
|
# prefix 10/8 should fail
|
||||||
t=`expr $t + 1`
|
t=`expr $t + 1`
|
||||||
$DIG $DIGOPTS tsigzone. \
|
$DIG $DIGOPTS tsigzone. \
|
||||||
@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
|
||||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
# any other address should work, as long as it sends key "one"
|
# any other address should work, as long as it sends key "one"
|
||||||
t=`expr $t + 1`
|
t=`expr $t + 1`
|
||||||
$DIG $DIGOPTS tsigzone. \
|
$DIG $DIGOPTS tsigzone. \
|
||||||
@10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
|
||||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
t=`expr $t + 1`
|
t=`expr $t + 1`
|
||||||
$DIG $DIGOPTS tsigzone. \
|
$DIG $DIGOPTS tsigzone. \
|
||||||
@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
|
||||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
echo_i "testing nested ACL processing"
|
echo_i "testing nested ACL processing"
|
||||||
@@ -63,31 +63,31 @@ sleep 5
|
|||||||
# should succeed
|
# should succeed
|
||||||
t=`expr $t + 1`
|
t=`expr $t + 1`
|
||||||
$DIG $DIGOPTS tsigzone. \
|
$DIG $DIGOPTS tsigzone. \
|
||||||
@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
|
@10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
|
||||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
# should succeed
|
# should succeed
|
||||||
t=`expr $t + 1`
|
t=`expr $t + 1`
|
||||||
$DIG $DIGOPTS tsigzone. \
|
$DIG $DIGOPTS tsigzone. \
|
||||||
@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
|
@10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
|
||||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
# should succeed
|
# should succeed
|
||||||
t=`expr $t + 1`
|
t=`expr $t + 1`
|
||||||
$DIG $DIGOPTS tsigzone. \
|
$DIG $DIGOPTS tsigzone. \
|
||||||
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
|
||||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
# should succeed
|
# should succeed
|
||||||
t=`expr $t + 1`
|
t=`expr $t + 1`
|
||||||
$DIG $DIGOPTS tsigzone. \
|
$DIG $DIGOPTS tsigzone. \
|
||||||
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
|
||||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
# but only one or the other should fail
|
# but only one or the other should fail
|
||||||
t=`expr $t + 1`
|
t=`expr $t + 1`
|
||||||
$DIG $DIGOPTS tsigzone. \
|
$DIG $DIGOPTS tsigzone. \
|
||||||
@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
|
||||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
t=`expr $t + 1`
|
t=`expr $t + 1`
|
||||||
@@ -109,31 +109,31 @@ sleep 5
|
|||||||
# should succeed
|
# should succeed
|
||||||
t=`expr $t + 1`
|
t=`expr $t + 1`
|
||||||
$DIG $DIGOPTS tsigzone. \
|
$DIG $DIGOPTS tsigzone. \
|
||||||
@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
|
@10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
|
||||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
# should succeed
|
# should succeed
|
||||||
t=`expr $t + 1`
|
t=`expr $t + 1`
|
||||||
$DIG $DIGOPTS tsigzone. \
|
$DIG $DIGOPTS tsigzone. \
|
||||||
@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
|
||||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
# should fail
|
# should fail
|
||||||
t=`expr $t + 1`
|
t=`expr $t + 1`
|
||||||
$DIG $DIGOPTS tsigzone. \
|
$DIG $DIGOPTS tsigzone. \
|
||||||
@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
|
@10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
|
||||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
# should fail
|
# should fail
|
||||||
t=`expr $t + 1`
|
t=`expr $t + 1`
|
||||||
$DIG $DIGOPTS tsigzone. \
|
$DIG $DIGOPTS tsigzone. \
|
||||||
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
|
||||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
# should fail
|
# should fail
|
||||||
t=`expr $t + 1`
|
t=`expr $t + 1`
|
||||||
$DIG $DIGOPTS tsigzone. \
|
$DIG $DIGOPTS tsigzone. \
|
||||||
@10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
|
@10.53.0.2 -b 10.53.0.3 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
|
||||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
echo_i "testing allow-query-on ACL processing"
|
echo_i "testing allow-query-on ACL processing"
|
||||||
|
|||||||
@@ -12,7 +12,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
key one {
|
key one {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -12,12 +12,12 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
key one {
|
key one {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
key two {
|
key two {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234efgh8765";
|
secret "1234efgh8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -12,7 +12,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
key one {
|
key one {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -12,7 +12,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
key one {
|
key one {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -12,12 +12,12 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
key one {
|
key one {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
key two {
|
key two {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234efgh8765";
|
secret "1234efgh8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -12,7 +12,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
key one {
|
key one {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
|
|||||||
acl badaccept { 10.53.0.1; };
|
acl badaccept { 10.53.0.1; };
|
||||||
|
|
||||||
key one {
|
key one {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
key two {
|
key two {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234efgh8765";
|
secret "1234efgh8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -200,7 +200,7 @@ rndc_reload ns2 10.53.0.2
|
|||||||
|
|
||||||
echo_i "test $n: key allowed - query allowed"
|
echo_i "test $n: key allowed - query allowed"
|
||||||
ret=0
|
ret=0
|
||||||
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
@@ -213,7 +213,7 @@ rndc_reload ns2 10.53.0.2
|
|||||||
|
|
||||||
echo_i "test $n: key not allowed - query refused"
|
echo_i "test $n: key not allowed - query refused"
|
||||||
ret=0
|
ret=0
|
||||||
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||||
@@ -227,7 +227,7 @@ rndc_reload ns2 10.53.0.2
|
|||||||
|
|
||||||
echo_i "test $n: key disallowed - query refused"
|
echo_i "test $n: key disallowed - query refused"
|
||||||
ret=0
|
ret=0
|
||||||
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||||
@@ -366,7 +366,7 @@ rndc_reload ns2 10.53.0.2
|
|||||||
|
|
||||||
echo_i "test $n: views key allowed - query allowed"
|
echo_i "test $n: views key allowed - query allowed"
|
||||||
ret=0
|
ret=0
|
||||||
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
@@ -379,7 +379,7 @@ rndc_reload ns2 10.53.0.2
|
|||||||
|
|
||||||
echo_i "test $n: views key not allowed - query refused"
|
echo_i "test $n: views key not allowed - query refused"
|
||||||
ret=0
|
ret=0
|
||||||
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||||
@@ -393,7 +393,7 @@ rndc_reload ns2 10.53.0.2
|
|||||||
|
|
||||||
echo_i "test $n: views key disallowed - query refused"
|
echo_i "test $n: views key disallowed - query refused"
|
||||||
ret=0
|
ret=0
|
||||||
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||||
@@ -533,7 +533,7 @@ status=`expr $status + $ret`
|
|||||||
n=`expr $n + 1`
|
n=`expr $n + 1`
|
||||||
echo_i "test $n: zone key allowed - query allowed"
|
echo_i "test $n: zone key allowed - query allowed"
|
||||||
ret=0
|
ret=0
|
||||||
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.keyallow.example a > dig.out.ns2.$n || ret=1
|
||||||
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
|
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
@@ -543,7 +543,7 @@ status=`expr $status + $ret`
|
|||||||
n=`expr $n + 1`
|
n=`expr $n + 1`
|
||||||
echo_i "test $n: zone key not allowed - query refused"
|
echo_i "test $n: zone key not allowed - query refused"
|
||||||
ret=0
|
ret=0
|
||||||
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.keyallow.example a > dig.out.ns2.$n || ret=1
|
||||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||||
@@ -554,7 +554,7 @@ status=`expr $status + $ret`
|
|||||||
n=`expr $n + 1`
|
n=`expr $n + 1`
|
||||||
echo_i "test $n: zone key disallowed - query refused"
|
echo_i "test $n: zone key disallowed - query refused"
|
||||||
ret=0
|
ret=0
|
||||||
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
|
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.keydisallow.example a > dig.out.ns2.$n || ret=1
|
||||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||||
|
|||||||
@@ -95,6 +95,8 @@ my $mainport = int($ENV{'PORT'});
|
|||||||
if (!$mainport) { $mainport = 5300; }
|
if (!$mainport) { $mainport = 5300; }
|
||||||
my $ctrlport = int($ENV{'EXTRAPORT1'});
|
my $ctrlport = int($ENV{'EXTRAPORT1'});
|
||||||
if (!$ctrlport) { $ctrlport = 5301; }
|
if (!$ctrlport) { $ctrlport = 5301; }
|
||||||
|
my $hmac_algorithm = $ENV{'DEFAULT_HMAC'};
|
||||||
|
if (!defined($hmac_algorithm)) { $hmac_algorithm = "hmac-sha256"; }
|
||||||
|
|
||||||
# XXX: we should also be able to set the port numbers to listen on.
|
# XXX: we should also be able to set the port numbers to listen on.
|
||||||
my $ctlsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
|
my $ctlsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
|
||||||
@@ -174,6 +176,7 @@ sub handleUDP {
|
|||||||
} else {
|
} else {
|
||||||
$tsig = Net::DNS::RR->new(
|
$tsig = Net::DNS::RR->new(
|
||||||
name => $key_name,
|
name => $key_name,
|
||||||
|
algorithm => $hmac_algorithm,
|
||||||
type => 'TSIG',
|
type => 'TSIG',
|
||||||
key => $key_data);
|
key => $key_data);
|
||||||
}
|
}
|
||||||
@@ -390,6 +393,7 @@ sub handleTCP {
|
|||||||
if ($Net::DNS::VERSION < 0.69) {
|
if ($Net::DNS::VERSION < 0.69) {
|
||||||
$tsig = Net::DNS::RR->new(
|
$tsig = Net::DNS::RR->new(
|
||||||
"$key_name TSIG $key_data");
|
"$key_name TSIG $key_data");
|
||||||
|
$tsig->algorithm = $hmac_algorithm;
|
||||||
} elsif ($Net::DNS::VERSION >= 0.81 &&
|
} elsif ($Net::DNS::VERSION >= 0.81 &&
|
||||||
$continuation) {
|
$continuation) {
|
||||||
} elsif ($Net::DNS::VERSION >= 0.75 &&
|
} elsif ($Net::DNS::VERSION >= 0.75 &&
|
||||||
@@ -398,6 +402,7 @@ sub handleTCP {
|
|||||||
} else {
|
} else {
|
||||||
$tsig = Net::DNS::RR->new(
|
$tsig = Net::DNS::RR->new(
|
||||||
name => $key_name,
|
name => $key_name,
|
||||||
|
algorithm => $hmac_algorithm,
|
||||||
type => 'TSIG',
|
type => 'TSIG',
|
||||||
key => $key_data);
|
key => $key_data);
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -122,5 +122,5 @@ view "ch" ch {
|
|||||||
|
|
||||||
key tsig_key. {
|
key tsig_key. {
|
||||||
secret "LSAnCU+Z";
|
secret "LSAnCU+Z";
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -165,5 +165,5 @@ view "ch" ch {
|
|||||||
|
|
||||||
key tsig_key. {
|
key tsig_key. {
|
||||||
secret "LSAnCU+Z";
|
secret "LSAnCU+Z";
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -122,5 +122,5 @@ view "ch" ch {
|
|||||||
|
|
||||||
key tsig_key. {
|
key tsig_key. {
|
||||||
secret "LSAnCU+Z";
|
secret "LSAnCU+Z";
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -13,7 +13,6 @@
|
|||||||
|
|
||||||
/* Bad secret */
|
/* Bad secret */
|
||||||
key "badtsig" {
|
key "badtsig" {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "jEdD+BPKg==";
|
secret "jEdD+BPKg==";
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -16,10 +16,11 @@ rm -f bad-kasp-keydir2.conf
|
|||||||
rm -f bad-kasp-keydir3.conf
|
rm -f bad-kasp-keydir3.conf
|
||||||
rm -f bad-kasp-keydir4.conf
|
rm -f bad-kasp-keydir4.conf
|
||||||
rm -f bad-kasp-keydir5.conf
|
rm -f bad-kasp-keydir5.conf
|
||||||
|
rm -f bad-tsig.conf
|
||||||
rm -f checkconf.out*
|
rm -f checkconf.out*
|
||||||
rm -f diff.out*
|
rm -f diff.out*
|
||||||
rm -f good-kasp.conf.in
|
rm -f good-kasp.conf.in
|
||||||
rm -f good-server-christmas-tree.conf
|
rm -f good-server-christmas-tree.conf
|
||||||
rm -f good.conf.in good.conf.out badzero.conf *.out
|
rm -f good.conf good.conf.raw good.conf.out badzero.conf *.out
|
||||||
rm -f ns*/named.lock
|
rm -f ns*/named.lock
|
||||||
rm -rf test.keydir
|
rm -rf test.keydir
|
||||||
|
|||||||
@@ -267,6 +267,6 @@ dyndb "name" "library.so" {
|
|||||||
system;
|
system;
|
||||||
};
|
};
|
||||||
key "mykey" {
|
key "mykey" {
|
||||||
algorithm "hmac-md5";
|
algorithm "@DEFAULT_HMAC@";
|
||||||
secret "qwertyuiopasdfgh";
|
secret "qwertyuiopasdfgh";
|
||||||
};
|
};
|
||||||
@@ -17,4 +17,6 @@ copy_setports bad-kasp-keydir2.conf.in bad-kasp-keydir2.conf
|
|||||||
copy_setports bad-kasp-keydir3.conf.in bad-kasp-keydir3.conf
|
copy_setports bad-kasp-keydir3.conf.in bad-kasp-keydir3.conf
|
||||||
copy_setports bad-kasp-keydir4.conf.in bad-kasp-keydir4.conf
|
copy_setports bad-kasp-keydir4.conf.in bad-kasp-keydir4.conf
|
||||||
copy_setports bad-kasp-keydir5.conf.in bad-kasp-keydir5.conf
|
copy_setports bad-kasp-keydir5.conf.in bad-kasp-keydir5.conf
|
||||||
|
copy_setports bad-tsig.conf.in bad-tsig.conf
|
||||||
|
copy_setports good.conf.in good.conf
|
||||||
cp -f good-server-christmas-tree.conf.in good-server-christmas-tree.conf
|
cp -f good-server-christmas-tree.conf.in good-server-christmas-tree.conf
|
||||||
|
|||||||
@@ -26,11 +26,11 @@ status=`expr $status + $ret`
|
|||||||
n=`expr $n + 1`
|
n=`expr $n + 1`
|
||||||
echo_i "checking that named-checkconf prints a known good config ($n)"
|
echo_i "checking that named-checkconf prints a known good config ($n)"
|
||||||
ret=0
|
ret=0
|
||||||
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
|
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.raw
|
||||||
[ -s good.conf.in ] || ret=1
|
[ -s good.conf.raw ] || ret=1
|
||||||
$CHECKCONF -p good.conf.in > checkconf.out$n || ret=1
|
$CHECKCONF -p good.conf.raw > checkconf.out$n || ret=1
|
||||||
grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
|
grep -v '^good.conf.raw:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
|
||||||
cmp good.conf.in good.conf.out || ret=1
|
cmp good.conf.raw good.conf.out || ret=1
|
||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=`expr $status + $ret`
|
status=`expr $status + $ret`
|
||||||
|
|
||||||
@@ -38,10 +38,10 @@ n=`expr $n + 1`
|
|||||||
echo_i "checking that named-checkconf -x removes secrets ($n)"
|
echo_i "checking that named-checkconf -x removes secrets ($n)"
|
||||||
ret=0
|
ret=0
|
||||||
# ensure there is a secret and that it is not the check string.
|
# ensure there is a secret and that it is not the check string.
|
||||||
grep 'secret "' good.conf.in > /dev/null || ret=1
|
grep 'secret "' good.conf.raw > /dev/null || ret=1
|
||||||
grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1
|
grep 'secret "????????????????"' good.conf.raw > /dev/null 2>&1 && ret=1
|
||||||
$CHECKCONF -p -x good.conf.in > checkconf.out$n || ret=1
|
$CHECKCONF -p -x good.conf.raw > checkconf.out$n || ret=1
|
||||||
grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
|
grep -v '^good.conf.raw:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
|
||||||
grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1
|
grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1
|
||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=`expr $status + $ret`
|
status=`expr $status + $ret`
|
||||||
|
|||||||
@@ -12,17 +12,17 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
key "a" {
|
key "a" {
|
||||||
algorithm "hmac-md5";
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "aaaaaaaaaaaaaaaaaaaa";
|
secret "aaaaaaaaaaaaaaaaaaaa";
|
||||||
};
|
};
|
||||||
|
|
||||||
key "b" {
|
key "b" {
|
||||||
algorithm "hmac-md5";
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "bbbbbbbbbbbbbbbbbbbb";
|
secret "bbbbbbbbbbbbbbbbbbbb";
|
||||||
};
|
};
|
||||||
|
|
||||||
key "c" {
|
key "c" {
|
||||||
algorithm "hmac-md5";
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "cccccccccccccccccccc";
|
secret "cccccccccccccccccccc";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -179,7 +179,7 @@ test_start "checking notify to multiple views using tsig"
|
|||||||
$NSUPDATE << EOF
|
$NSUPDATE << EOF
|
||||||
server 10.53.0.5 ${PORT}
|
server 10.53.0.5 ${PORT}
|
||||||
zone x21
|
zone x21
|
||||||
key a aaaaaaaaaaaaaaaaaaaa
|
key $DEFAULT_HMAC:a aaaaaaaaaaaaaaaaaaaa
|
||||||
update add added.x21 0 in txt "test string"
|
update add added.x21 0 in txt "test string"
|
||||||
send
|
send
|
||||||
EOF
|
EOF
|
||||||
@@ -187,9 +187,9 @@ fnb="dig.out.b.ns5.test$n"
|
|||||||
fnc="dig.out.c.ns5.test$n"
|
fnc="dig.out.c.ns5.test$n"
|
||||||
for i in 1 2 3 4 5 6 7 8 9
|
for i in 1 2 3 4 5 6 7 8 9
|
||||||
do
|
do
|
||||||
dig_plus_opts added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
|
dig_plus_opts added.x21. -y "${DEFAULT_HMAC}:b:bbbbbbbbbbbbbbbbbbbb" @10.53.0.5 \
|
||||||
txt > "$fnb" || ret=1
|
txt > "$fnb" || ret=1
|
||||||
dig_plus_opts added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
|
dig_plus_opts added.x21. -y "${DEFAULT_HMAC}:c:cccccccccccccccccccc" @10.53.0.5 \
|
||||||
txt > "$fnc" || ret=1
|
txt > "$fnc" || ret=1
|
||||||
grep "test string" "$fnb" > /dev/null &&
|
grep "test string" "$fnb" > /dev/null &&
|
||||||
grep "test string" "$fnc" > /dev/null &&
|
grep "test string" "$fnc" > /dev/null &&
|
||||||
|
|||||||
@@ -39,17 +39,17 @@ controls {
|
|||||||
};
|
};
|
||||||
|
|
||||||
key altkey {
|
key altkey {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
key restricted.example.nil {
|
key restricted.example.nil {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
key zonesub-key.example.nil {
|
key zonesub-key.example.nil {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234subk8765";
|
secret "1234subk8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -34,7 +34,7 @@ controls {
|
|||||||
};
|
};
|
||||||
|
|
||||||
key altkey {
|
key altkey {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -690,7 +690,7 @@ echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
|
|||||||
# and thus this UPDATE should succeed.
|
# and thus this UPDATE should succeed.
|
||||||
$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
|
$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
|
||||||
server 10.53.0.1 ${PORT}
|
server 10.53.0.1 ${PORT}
|
||||||
key restricted.example.nil 1234abcd8765
|
key $DEFAULT_HMAC:restricted.example.nil 1234abcd8765
|
||||||
update add restricted.example.nil 0 IN TXT everywhere.
|
update add restricted.example.nil 0 IN TXT everywhere.
|
||||||
send
|
send
|
||||||
END
|
END
|
||||||
@@ -700,7 +700,7 @@ grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1
|
|||||||
# thus this UPDATE should fail.
|
# thus this UPDATE should fail.
|
||||||
$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
|
$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
|
||||||
server 10.53.0.1 ${PORT}
|
server 10.53.0.1 ${PORT}
|
||||||
key restricted.example.nil 1234abcd8765
|
key $DEFAULT_HMAC:restricted.example.nil 1234abcd8765
|
||||||
update add example.nil 0 IN TXT everywhere.
|
update add example.nil 0 IN TXT everywhere.
|
||||||
send
|
send
|
||||||
END
|
END
|
||||||
@@ -715,7 +715,7 @@ echo_i "check that 'update-policy zonesub' is properly enforced ($n)"
|
|||||||
# the A record update should be rejected as it is not in the type list
|
# the A record update should be rejected as it is not in the type list
|
||||||
$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
|
$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
|
||||||
server 10.53.0.1 ${PORT}
|
server 10.53.0.1 ${PORT}
|
||||||
key zonesub-key.example.nil 1234subk8765
|
key $DEFAULT_HMAC:zonesub-key.example.nil 1234subk8765
|
||||||
update add zonesub.example.nil 0 IN A 1.2.3.4
|
update add zonesub.example.nil 0 IN A 1.2.3.4
|
||||||
send
|
send
|
||||||
END
|
END
|
||||||
@@ -725,7 +725,7 @@ grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1
|
|||||||
# the TXT record update should be accepted as it is in the type list
|
# the TXT record update should be accepted as it is in the type list
|
||||||
$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
|
$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
|
||||||
server 10.53.0.1 ${PORT}
|
server 10.53.0.1 ${PORT}
|
||||||
key zonesub-key.example.nil 1234subk8765
|
key $DEFAULT_HMAC:zonesub-key.example.nil 1234subk8765
|
||||||
update add zonesub.example.nil 0 IN TXT everywhere.
|
update add zonesub.example.nil 0 IN TXT everywhere.
|
||||||
send
|
send
|
||||||
END
|
END
|
||||||
|
|||||||
@@ -12,7 +12,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
key "update.example." {
|
key "update.example." {
|
||||||
algorithm "hmac-md5";
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
|
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -80,7 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
|||||||
|
|
||||||
echo_i "updating zone (signed) ($n)"
|
echo_i "updating zone (signed) ($n)"
|
||||||
ret=0
|
ret=0
|
||||||
$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
|
$NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -- - <<EOF || ret=1
|
||||||
server 10.53.0.3 ${PORT}
|
server 10.53.0.3 ${PORT}
|
||||||
update add updated.example. 600 A 10.10.10.1
|
update add updated.example. 600 A 10.10.10.1
|
||||||
update add updated.example. 600 TXT Foo
|
update add updated.example. 600 TXT Foo
|
||||||
|
|||||||
@@ -35,7 +35,7 @@ controls {
|
|||||||
};
|
};
|
||||||
|
|
||||||
key tsigzone. {
|
key tsigzone. {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -33,7 +33,7 @@ controls {
|
|||||||
};
|
};
|
||||||
|
|
||||||
key tsigzone. {
|
key tsigzone. {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -31,12 +31,12 @@ key rndc_key {
|
|||||||
|
|
||||||
key unused_key. {
|
key unused_key. {
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
};
|
};
|
||||||
|
|
||||||
key tsig_key. {
|
key tsig_key. {
|
||||||
secret "LSAnCU+Z";
|
secret "LSAnCU+Z";
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
};
|
};
|
||||||
|
|
||||||
controls {
|
controls {
|
||||||
|
|||||||
@@ -31,7 +31,7 @@ options {
|
|||||||
};
|
};
|
||||||
|
|
||||||
key key1. {
|
key key1. {
|
||||||
algorithm hmac-md5;
|
algorithm @DEFAULT_HMAC@;
|
||||||
secret "1234abcd8765";
|
secret "1234abcd8765";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -48,14 +48,14 @@ status=$((status+tmp))
|
|||||||
n=$((n+1))
|
n=$((n+1))
|
||||||
echo_i "testing TSIG signed zone transfers ($n)"
|
echo_i "testing TSIG signed zone transfers ($n)"
|
||||||
tmp=0
|
tmp=0
|
||||||
$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y tsigzone.:1234abcd8765 > dig.out.ns2.test$n || tmp=1
|
$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y "${DEFAULT_HMAC}:tsigzone.:1234abcd8765" > dig.out.ns2.test$n || tmp=1
|
||||||
grep "^;" dig.out.ns2.test$n | cat_i
|
grep "^;" dig.out.ns2.test$n | cat_i
|
||||||
|
|
||||||
#
|
#
|
||||||
# Spin to allow the zone to transfer.
|
# Spin to allow the zone to transfer.
|
||||||
#
|
#
|
||||||
wait_for_xfer_tsig () {
|
wait_for_xfer_tsig () {
|
||||||
$DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y tsigzone.:1234abcd8765 > dig.out.ns3.test$n || return 1
|
$DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y "${DEFAULT_HMAC}:tsigzone.:1234abcd8765" > dig.out.ns3.test$n || return 1
|
||||||
grep "^;" dig.out.ns3.test$n > /dev/null && return 1
|
grep "^;" dig.out.ns3.test$n > /dev/null && return 1
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
@@ -414,7 +414,7 @@ echo_i "bad message id ($n)"
|
|||||||
sendcmd < ans5/badmessageid
|
sendcmd < ans5/badmessageid
|
||||||
|
|
||||||
# Uncomment to see AXFR stream with mismatching IDs.
|
# Uncomment to see AXFR stream with mismatching IDs.
|
||||||
# $DIG $DIGOPTS @10.53.0.5 -y tsig_key:LSAnCU+Z nil. AXFR +all
|
# $DIG $DIGOPTS @10.53.0.5 -y "${DEFAULT_HMAC}:tsig_key:LSAnCU+Z" nil. AXFR +all
|
||||||
|
|
||||||
$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
|
$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
|
||||||
|
|
||||||
@@ -465,7 +465,7 @@ test ${expire:-0} -gt 0 -a ${expire:-0} -lt 1814400 || {
|
|||||||
n=$((n+1))
|
n=$((n+1))
|
||||||
echo_i "test smaller transfer TCP message size ($n)"
|
echo_i "test smaller transfer TCP message size ($n)"
|
||||||
$DIG $DIGOPTS example. @10.53.0.8 axfr \
|
$DIG $DIGOPTS example. @10.53.0.8 axfr \
|
||||||
-y key1.:1234abcd8765 > dig.out.msgsize.test$n || status=1
|
-y "${DEFAULT_HMAC}:key1.:1234abcd8765" > dig.out.msgsize.test$n || status=1
|
||||||
|
|
||||||
bytes=`wc -c < dig.out.msgsize.test$n`
|
bytes=`wc -c < dig.out.msgsize.test$n`
|
||||||
if [ $bytes -ne 459357 ]; then
|
if [ $bytes -ne 459357 ]; then
|
||||||
|
|||||||
Reference in New Issue
Block a user