nsupdate: tls does not work in FIPS mode prior to OpenSSL 3.0.0

bin/tests/system/nsupdate/clean.sh

@@ -32,6 +32,8 @@ rm -f ns1/many.test.db
 rm -f ns1/maxjournal.db
 rm -f ns1/md5.key ns1/sha1.key ns1/sha224.key ns1/sha256.key ns1/sha384.key
 rm -f ns1/sample.db
+rm -f ns1/tls.conf
+rm -f ns1/tls.options
 rm -f ns1/sha512.key ns1/ddns.key
 rm -f ns10/_default.tsigkeys
 rm -f ns10/example.com.db

bin/tests/system/nsupdate/ns1/named.conf.in

@@ -11,53 +11,22 @@
  * information regarding copyright ownership.
  */
 
-tls tls-forward-secrecy {
-    protocols { TLSv1.2; };
-    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
-    prefer-server-ciphers yes;
-    key-file "../CA/certs/srv01.crt01.example.nil.key";
-    cert-file "../CA/certs/srv01.crt01.example.nil.pem";
-    dhparam-file "../dhparam3072.pem";
-};
-
-tls tls-forward-secrecy-mutual-tls {
-    protocols { TLSv1.2; };
-    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
-    prefer-server-ciphers yes;
-    key-file "../CA/certs/srv01.crt01.example.nil.key";
-    cert-file "../CA/certs/srv01.crt01.example.nil.pem";
-    dhparam-file "../dhparam3072.pem";
-    ca-file "../CA/CA.pem";
-};
-
-tls tls-expired {
-    protocols { TLSv1.2; };
-    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
-    prefer-server-ciphers yes;
-    key-file "../CA/certs/srv01.crt02-expired.example.nil.key";
-    cert-file "../CA/certs/srv01.crt02-expired.example.nil.pem";
-    dhparam-file "../dhparam3072.pem";
-};
-
+include "tls.conf";
 
 options {
 	query-source address 10.53.0.1;
 	notify-source 10.53.0.1;
 	transfer-source 10.53.0.1;
 	port @PORT@;
-	tls-port @TLSPORT@;
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.1; 127.0.0.1; };
-	listen-on tls ephemeral { 10.53.0.1; };
-	listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.1; };
-	listen-on port @EXTRAPORT2@ tls tls-forward-secrecy-mutual-tls { 10.53.0.1; };
-	listen-on port @EXTRAPORT3@ tls tls-expired { 10.53.0.1; };
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
 	update-quota 1;
+	include "tls.options";
 };
 
 acl named-acl {

bin/tests/system/nsupdate/ns1/tls.conf.in

@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls tls-forward-secrecy {
+    protocols { TLSv1.2; };
+    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+    prefer-server-ciphers yes;
+    key-file "../CA/certs/srv01.crt01.example.nil.key";
+    cert-file "../CA/certs/srv01.crt01.example.nil.pem";
+    dhparam-file "../dhparam3072.pem";
+};
+
+tls tls-forward-secrecy-mutual-tls {
+    protocols { TLSv1.2; };
+    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+    prefer-server-ciphers yes;
+    key-file "../CA/certs/srv01.crt01.example.nil.key";
+    cert-file "../CA/certs/srv01.crt01.example.nil.pem";
+    dhparam-file "../dhparam3072.pem";
+    ca-file "../CA/CA.pem";
+};
+
+tls tls-expired {
+    protocols { TLSv1.2; };
+    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+    prefer-server-ciphers yes;
+    key-file "../CA/certs/srv01.crt02-expired.example.nil.key";
+    cert-file "../CA/certs/srv01.crt02-expired.example.nil.pem";
+    dhparam-file "../dhparam3072.pem";
+};

bin/tests/system/nsupdate/ns1/tls.options.in

@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls-port @TLSPORT@;
+listen-on tls ephemeral { 10.53.0.1; };
+listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.1; };
+listen-on port @EXTRAPORT2@ tls tls-forward-secrecy-mutual-tls { 10.53.0.1; };
+listen-on port @EXTRAPORT3@ tls tls-expired { 10.53.0.1; };

bin/tests/system/nsupdate/setup.sh

@@ -18,6 +18,14 @@
 #
 $SHELL clean.sh
 
+if $FEATURETEST --have-fips-dh
+then
+	copy_setports ns1/tls.conf.in ns1/tls.conf
+	copy_setports ns1/tls.options.in ns1/tls.options
+else
+	: > ns1/tls.conf
+	: > ns1/tls.options
+fi
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf

bin/tests/system/nsupdate/tests.sh

@@ -783,177 +783,232 @@ fi
 n=$((n + 1))
 ret=0
 echo_i "check DoT (opportunistic-tls) ($n)"
-$NSUPDATE -D -S -O -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 || ret=1
-server 10.53.0.1 ${TLSPORT}
-update add dot-non-auth-client-o.example.nil. 600 A 10.10.10.3
-send
+if $FEATURETEST --have-fips-dh
+then
+    $NSUPDATE -D -S -O -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${TLSPORT}
+    update add dot-non-auth-client-o.example.nil. 600 A 10.10.10.3
+    send
 END
-sleep 2
-$DIG $DIGOPTS +short @10.53.0.1 dot-non-auth-client-o.example.nil >dig.out.test$n 2>&1 || ret=1
-grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
-if [ $ret -ne 0 ]; then
-    echo_i "failed"
-    status=1
+    sleep 2
+    $DIG $DIGOPTS +short @10.53.0.1 dot-non-auth-client-o.example.nil >dig.out.test$n 2>&1 || ret=1
+    grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
+    if [ $ret -ne 0 ]; then
+        echo_i "failed"
+        status=1
+    fi
+else
+    echo_i "skipped: DH not supported in FIPS mode"
 fi
 
 n=$((n + 1))
 ret=0
 echo_i "check DoT (strict-tls) with an implicit hostname (by IP address) ($n)"
-$NSUPDATE -D -S -A CA/CA.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 || ret=1
-server 10.53.0.1 ${EXTRAPORT1}
-update add dot-non-auth-client.example.nil. 600 A 10.10.10.3
-send
+if $FEATURETEST --have-fips-dh
+then
+    $NSUPDATE -D -S -A CA/CA.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${EXTRAPORT1}
+    update add dot-non-auth-client.example.nil. 600 A 10.10.10.3
+    send
 END
-sleep 2
-$DIG $DIGOPTS +short @10.53.0.1 dot-non-auth-client.example.nil >dig.out.test$n 2>&1 || ret=1
-grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
-if [ $ret -ne 0 ]; then
-    echo_i "failed"
-    status=1
+    sleep 2
+    $DIG $DIGOPTS +short @10.53.0.1 dot-non-auth-client.example.nil >dig.out.test$n 2>&1 || ret=1
+    grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
+    if [ $ret -ne 0 ]; then
+        echo_i "failed"
+        status=1
+    fi
+else
+    echo_i "skipped: DH not supported in FIPS mode"
 fi
 
 n=$((n + 1))
 ret=0
 echo_i "check DoT (strict-tls) with an implicit hostname (by IP address) ($n)"
-$NSUPDATE -D -S -A CA/CA.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 || ret=1
-server 10.53.0.1 ${EXTRAPORT1}
-update add dot-fs.example.nil. 600 A 10.10.10.3
-send
+if $FEATURETEST --have-fips-dh
+then
+    $NSUPDATE -D -S -A CA/CA.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${EXTRAPORT1}
+    update add dot-fs.example.nil. 600 A 10.10.10.3
+    send
 END
-sleep 2
-$DIG $DIGOPTS +short @10.53.0.1 dot-fs.example.nil >dig.out.test$n 2>&1 || ret=1
-grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
-if [ $ret -ne 0 ]; then
-    echo_i "failed"
-    status=1
+    sleep 2
+    $DIG $DIGOPTS +short @10.53.0.1 dot-fs.example.nil >dig.out.test$n 2>&1 || ret=1
+    grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
+    if [ $ret -ne 0 ]; then
+        echo_i "failed"
+        status=1
+    fi
+else
+    echo_i "skipped: DH not supported in FIPS mode"
 fi
 
 n=$((n + 1))
 ret=0
 echo_i "check DoT (strict-tls) with a correct hostname ($n)"
-$NSUPDATE -D -S -A CA/CA.pem -H srv01.crt01.example.nil -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 || ret=1
-server 10.53.0.1 ${EXTRAPORT1}
-update add dot-fs-h.example.nil. 600 A 10.10.10.3
-send
+if $FEATURETEST --have-fips-dh
+then
+    $NSUPDATE -D -S -A CA/CA.pem -H srv01.crt01.example.nil -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${EXTRAPORT1}
+    update add dot-fs-h.example.nil. 600 A 10.10.10.3
+    send
 END
-sleep 2
-$DIG $DIGOPTS +short @10.53.0.1 dot-fs-h.example.nil >dig.out.test$n 2>&1 || ret=1
-grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
-if [ $ret -ne 0 ]; then
-    echo_i "failed"
-    status=1
+    sleep 2
+    $DIG $DIGOPTS +short @10.53.0.1 dot-fs-h.example.nil >dig.out.test$n 2>&1 || ret=1
+    grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
+    if [ $ret -ne 0 ]; then
+        echo_i "failed"
+        status=1
+    fi
+else
+    echo_i "skipped: DH not supported in FIPS mode"
 fi
 
 n=$((n + 1))
 ret=0
 echo_i "check DoT (strict-tls) with an incorrect hostname (failure expected) ($n)"
-$NSUPDATE -D -S -A CA/CA.pem -H srv01.crt01.example.bad -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
-server 10.53.0.1 ${EXTRAPORT1}
-update add dot-fs-h-bad.example.nil. 600 A 10.10.10.3
-send
+if $FEATURETEST --have-fips-dh
+then
+    $NSUPDATE -D -S -A CA/CA.pem -H srv01.crt01.example.bad -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
+    server 10.53.0.1 ${EXTRAPORT1}
+    update add dot-fs-h-bad.example.nil. 600 A 10.10.10.3
+    send
 END
-sleep 2
-$DIG $DIGOPTS +short @10.53.0.1 dot-fs-h-bad.example.nil >dig.out.test$n 2>&1 || ret=1
-grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
-if [ $ret -ne 0 ]; then
-    echo_i "failed"
-    status=1
+    sleep 2
+    $DIG $DIGOPTS +short @10.53.0.1 dot-fs-h-bad.example.nil >dig.out.test$n 2>&1 || ret=1
+    grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
+    if [ $ret -ne 0 ]; then
+        echo_i "failed"
+        status=1
+    fi
+else
+    echo_i "skipped: DH not supported in FIPS mode"
 fi
 
 n=$((n + 1))
 ret=0
 echo_i "check DoT (strict-tls) with a wrong authority (failure expected) ($n)"
-$NSUPDATE -D -S -A CA/CA-other.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
-server 10.53.0.1 ${EXTRAPORT1}
-update add dot-fs-auth-bad.example.nil. 600 A 10.10.10.3
-send
+if $FEATURETEST --have-fips-dh
+then
+    $NSUPDATE -D -S -A CA/CA-other.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
+    server 10.53.0.1 ${EXTRAPORT1}
+    update add dot-fs-auth-bad.example.nil. 600 A 10.10.10.3
+    send
 END
-sleep 2
-$DIG $DIGOPTS +short @10.53.0.1 dot-fs-auth-bad.example.nil >dig.out.test$n 2>&1 || ret=1
-grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
-if [ $ret -ne 0 ]; then
-    echo_i "failed"
-    status=1
+    sleep 2
+    $DIG $DIGOPTS +short @10.53.0.1 dot-fs-auth-bad.example.nil >dig.out.test$n 2>&1 || ret=1
+    grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
+    if [ $ret -ne 0 ]; then
+        echo_i "failed"
+        status=1
+    fi
+else
+    echo_i "skipped: DH not supported in FIPS mode"
 fi
 
 n=$((n + 1))
 ret=0
 echo_i "check DoT (mutual-tls) with a valid client certificate ($n)"
-$NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/srv01.client01.example.nil.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 || ret=1
-server 10.53.0.1 ${EXTRAPORT2}
-update add dot-fsmt.example.nil. 600 A 10.10.10.3
-send
+if $FEATURETEST --have-fips-dh
+then
+    $NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/srv01.client01.example.nil.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${EXTRAPORT2}
+    update add dot-fsmt.example.nil. 600 A 10.10.10.3
+    send
 END
-sleep 2
-$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt.example.nil >dig.out.test$n 2>&1 || ret=1
-grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
-if [ $ret -ne 0 ]; then
-    echo_i "failed"
-    status=1
+    sleep 2
+    $DIG $DIGOPTS +short @10.53.0.1 dot-fsmt.example.nil >dig.out.test$n 2>&1 || ret=1
+    grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
+    if [ $ret -ne 0 ]; then
+        echo_i "failed"
+        status=1
+    fi
+else
+    echo_i "skipped: DH not supported in FIPS mode"
 fi
 
 n=$((n + 1))
 ret=0
 echo_i "check DoT (mutual-tls) with a valid client certificate but with an incorrect hostname (failure expected) ($n)"
-$NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/srv01.client01.example.nil.pem -H srv01.crt01.example.bad -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
-server 10.53.0.1 ${EXTRAPORT2}
-update add dot-fsmt-h-bad.example.nil. 600 A 10.10.10.3
-send
+if $FEATURETEST --have-fips-dh
+then
+    $NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/srv01.client01.example.nil.pem -H srv01.crt01.example.bad -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
+    server 10.53.0.1 ${EXTRAPORT2}
+    update add dot-fsmt-h-bad.example.nil. 600 A 10.10.10.3
+    send
 END
-sleep 2
-$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-h-bad.example.nil >dig.out.test$n 2>&1 || ret=1
-grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
-if [ $ret -ne 0 ]; then
-    echo_i "failed"
-    status=1
+    sleep 2
+    $DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-h-bad.example.nil >dig.out.test$n 2>&1 || ret=1
+    grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
+    if [ $ret -ne 0 ]; then
+        echo_i "failed"
+        status=1
+    fi
+else
+    echo_i "skipped: DH not supported in FIPS mode"
 fi
 
 n=$((n + 1))
 ret=0
 echo_i "check DoT (mutual-tls) with a valid client certificate but with a wrong authority (failure expected) ($n)"
-$NSUPDATE -D -S -A CA/CA-other.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/client01.crt01.example.nil.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
-server 10.53.0.1 ${EXTRAPORT2}
-update add dot-fsmt-auth-bad.example.nil. 600 A 10.10.10.3
-send
+if $FEATURETEST --have-fips-dh
+then
+    $NSUPDATE -D -S -A CA/CA-other.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/client01.crt01.example.nil.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
+    server 10.53.0.1 ${EXTRAPORT2}
+    update add dot-fsmt-auth-bad.example.nil. 600 A 10.10.10.3
+    send
 END
-sleep 2
-$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-auth-bad.example.nil >dig.out.test$n 2>&1 || ret=1
-grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
-if [ $ret -ne 0 ]; then
-    echo_i "failed"
-    status=1
+    sleep 2
+    $DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-auth-bad.example.nil >dig.out.test$n 2>&1 || ret=1
+    grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
+    if [ $ret -ne 0 ]; then
+        echo_i "failed"
+        status=1
+    fi
+else
+    echo_i "skipped: DH not supported in FIPS mode"
 fi
 
 n=$((n + 1))
 ret=0
 echo_i "check DoT (mutual-tls) with an expired client certificate (failure expected) ($n)"
-$NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client02-expired.example.nil.key -E CA/certs/srv01.client02-expired.example.nil.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
-server 10.53.0.1 ${EXTRAPORT2}
-update add dot-fsmt-exp-bad.example.nil. 600 A 10.10.10.3
-send
+if $FEATURETEST --have-fips-dh
+    then
+    $NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client02-expired.example.nil.key -E CA/certs/srv01.client02-expired.example.nil.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
+    server 10.53.0.1 ${EXTRAPORT2}
+    update add dot-fsmt-exp-bad.example.nil. 600 A 10.10.10.3
+    send
 END
-sleep 2
-$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-exp-bad.example.nil >dig.out.test$n 2>&1 || ret=1
-grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
-if [ $ret -ne 0 ]; then
-    echo_i "failed"
-    status=1
+    sleep 2
+    $DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-exp-bad.example.nil >dig.out.test$n 2>&1 || ret=1
+    grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
+    if [ $ret -ne 0 ]; then
+        echo_i "failed"
+        status=1
+    fi
+else
+    echo_i "skipped: DH not supported in FIPS mode"
 fi
 
 n=$((n + 1))
 ret=0
 echo_i "check DoT (mutual-tls) with a valid client certificate and an expired server certificate (failure expected) ($n)"
-$NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/srv01.client01.example.nil.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
-server 10.53.0.1 ${EXTRAPORT3}
-update add dot-fsmt-exp-bad.example.nil. 600 A 10.10.10.3
-send
+if $FEATURETEST --have-fips-dh
+then
+    $NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/srv01.client01.example.nil.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
+    server 10.53.0.1 ${EXTRAPORT3}
+    update add dot-fsmt-exp-bad.example.nil. 600 A 10.10.10.3
+    send
 END
-sleep 2
-$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-exp-bad.example.nil >dig.out.test$n 2>&1 || ret=1
-grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
-if [ $ret -ne 0 ]; then
-    echo_i "failed"
-    status=1
+    sleep 2
+    $DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-exp-bad.example.nil >dig.out.test$n 2>&1 || ret=1
+    grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
+    if [ $ret -ne 0 ]; then
+        echo_i "failed"
+        status=1
+    fi
+else
+    echo_i "skipped: DH not supported in FIPS mode"
 fi
 
 n=$((n + 1))