
Merge branch '1781-nsupdate-dot' into 'main'

Implement DoT support for nsupdate

Closes #1781

See merge request isc-projects/bind9!6752
This commit is contained in:
Arаm Sаrgsyаn
2022-09-23 16:10:05 +00:00
35 changed files with 1770 additions and 115 deletions


@@ -49,6 +49,11 @@ Files: **/*.after*
bin/tests/system/keepalive/expected
bin/tests/system/legacy/ns6/edns512.db.signed
bin/tests/system/legacy/ns7/edns512-notcp.db.signed
bin/tests/system/nsupdate/CA/CA.cfg
bin/tests/system/nsupdate/CA/README
bin/tests/system/nsupdate/CA/index.txt
bin/tests/system/nsupdate/CA/index.txt.attr
bin/tests/system/nsupdate/CA/serial
bin/tests/system/nsupdate/commandlist
bin/tests/system/nsupdate/verylarge.in
bin/tests/system/org.isc.bind.system.plist


@@ -1,3 +1,5 @@
5979. [func] Implement DoT support for nsupdate. [GL #1781]
5978. [port] The ability to use pkcs11 via engine_pkcs11 has been
restored, by only using deprecated APIs in
OpenSSL 3.0.0. BIND needs to be compiled with


@@ -46,6 +46,7 @@
#include <isc/stdio.h>
#include <isc/string.h>
#include <isc/task.h>
#include <isc/tls.h>
#include <isc/types.h>
#include <isc/util.h>
@@ -68,6 +69,7 @@
#include <dns/rdatatype.h>
#include <dns/request.h>
#include <dns/tkey.h>
#include <dns/transport.h>
#include <dns/tsig.h>
#include <dst/dst.h>
@@ -120,6 +122,7 @@ static bool memdebugging = false;
static bool have_ipv4 = false;
static bool have_ipv6 = false;
static bool is_dst_up = false;
static bool use_tls = false;
static bool usevc = false;
static bool usegsstsig = false;
static bool use_win2k_gsstsig = false;
@@ -147,6 +150,14 @@ static dns_tsigkey_t *tsigkey = NULL;
static dst_key_t *sig0key = NULL;
static isc_sockaddr_t *servers = NULL;
static isc_sockaddr_t *primary_servers = NULL;
static dns_transport_list_t *transport_list = NULL;
static dns_transport_t *transport = NULL;
static isc_tlsctx_cache_t *tls_ctx_cache = NULL;
static char *tls_hostname = NULL;
static char *tls_client_key_file = NULL;
static char *tls_client_cert_file = NULL;
static char *tls_ca_file = NULL;
static bool tls_always_verify_remote = true;
static bool default_servers = true;
static int ns_inuse = 0;
static int primary_inuse = 0;
@@ -793,6 +804,19 @@ set_source_ports(dns_dispatchmgr_t *manager) {
isc_portset_destroy(gmctx, &v6portset);
}
static isc_result_t
create_name(const char *str, char *namedata, size_t len, dns_name_t *name) {
isc_buffer_t namesrc, namebuf;
dns_name_init(name, NULL);
isc_buffer_constinit(&namesrc, str, strlen(str));
isc_buffer_add(&namesrc, strlen(str));
isc_buffer_init(&namebuf, namedata, len);
return (dns_name_fromtext(name, &namesrc, dns_rootname,
DNS_NAME_DOWNCASE, &namebuf));
}
static void
setup_system(void) {
isc_result_t result;
@@ -800,6 +824,8 @@ setup_system(void) {
isc_sockaddrlist_t *nslist;
isc_logconfig_t *logconfig = NULL;
irs_resconf_t *resconf = NULL;
dns_name_t tlsname;
char namedata[DNS_NAME_FORMATSIZE + 1];
ddebug("setup_system()");
@@ -936,6 +962,31 @@ setup_system(void) {
&dispatchv4);
check_result(result, "dns_dispatch_createudp (v4)");
}
transport_list = dns_transport_list_new(gmctx);
tls_ctx_cache = isc_tlsctx_cache_new(gmctx);
if (tls_client_key_file == NULL) {
result = create_name("tls-non-auth-client", namedata,
sizeof(namedata), &tlsname);
check_result(result, "create_name (tls-non-auth-client)");
transport = dns_transport_new(&tlsname, DNS_TRANSPORT_TLS,
transport_list);
dns_transport_set_tlsname(transport, "tls-non-auth-client");
} else {
result = create_name("tls-auth-client", namedata,
sizeof(namedata), &tlsname);
check_result(result, "create_name (tls-auth-client)");
transport = dns_transport_new(&tlsname, DNS_TRANSPORT_TLS,
transport_list);
dns_transport_set_tlsname(transport, "tls-auth-client");
dns_transport_set_keyfile(transport, tls_client_key_file);
dns_transport_set_certfile(transport, tls_client_cert_file);
}
dns_transport_set_cafile(transport, tls_ca_file);
dns_transport_set_remote_hostname(transport, tls_hostname);
dns_transport_set_always_verify_remote(transport,
tls_always_verify_remote);
result = dns_requestmgr_create(gmctx, taskmgr, dispatchmgr, dispatchv4,
dispatchv6, &requestmgr);
@@ -972,7 +1023,7 @@ get_addresses(char *host, in_port_t port, isc_sockaddr_t *sockaddr,
return (count);
}
#define PARSE_ARGS_FMT "46C:dDghilL:Mok:p:Pr:R:t:Tu:vVy:"
#define PARSE_ARGS_FMT "46A:C:dDE:ghH:iK:lL:MoOk:p:Pr:R:St:Tu:vVy:"
static void
pre_parse_args(int argc, char **argv) {
@@ -1015,7 +1066,9 @@ pre_parse_args(int argc, char **argv) {
fprintf(stderr, "usage: nsupdate [-CdDi] [-L level] "
"[-l] [-g | -o | -y keyname:secret "
"| -k keyfile] [-p port] "
"[-v] [-V] [-P] [-T] [-4 | -6] "
"[ -S [-K tlskeyfile] [-E tlscertfile] "
"[-A tlscafile] [-H tlshostname] "
"[-O] ] [-v] [-V] [-P] [-T] [-4 | -6] "
"[filename]\n");
exit(1);
@@ -1087,6 +1140,11 @@ parse_args(int argc, char **argv) {
fatal("can't find IPv6 networking");
}
break;
case 'A':
use_tls = true;
usevc = true;
tls_ca_file = isc_commandline_argument;
break;
case 'C':
resolvconf = isc_commandline_argument;
break;
@@ -1097,12 +1155,27 @@ parse_args(int argc, char **argv) {
debugging = true;
ddebugging = true;
break;
case 'E':
use_tls = true;
usevc = true;
tls_client_cert_file = isc_commandline_argument;
break;
case 'H':
use_tls = true;
usevc = true;
tls_hostname = isc_commandline_argument;
break;
case 'M':
break;
case 'i':
force_interactive = true;
interactive = true;
break;
case 'K':
use_tls = true;
usevc = true;
tls_client_key_file = isc_commandline_argument;
break;
case 'l':
local_only = true;
break;
@@ -1135,6 +1208,11 @@ parse_args(int argc, char **argv) {
usegsstsig = true;
use_win2k_gsstsig = true;
break;
case 'O':
use_tls = true;
usevc = true;
tls_always_verify_remote = false;
break;
case 'p':
result = isc_parse_uint16(&dnsport,
isc_commandline_argument, 10);
@@ -1146,6 +1224,10 @@ parse_args(int argc, char **argv) {
exit(1);
}
break;
case 'S':
use_tls = true;
usevc = true;
break;
case 't':
result = isc_parse_uint32(&timeout,
isc_commandline_argument, 10);
@@ -1211,6 +1293,24 @@ parse_args(int argc, char **argv) {
}
#endif /* HAVE_GSSAPI */
if (use_tls) {
if ((tls_client_key_file == NULL) !=
(tls_client_cert_file == NULL)) {
fprintf(stderr,
"%s: cannot specify the -K option without"
"the -E option, and vice versa.\n",
argv[0]);
exit(1);
}
if (tls_ca_file != NULL && tls_always_verify_remote == false) {
fprintf(stderr,
"%s: cannot specify the -A option in "
"conjuction with the -O option.\n",
argv[0]);
exit(1);
}
}
if (argv[isc_commandline_index] != NULL) {
if (strcmp(argv[isc_commandline_index], "-") == 0) {
input = stdin;
@@ -2448,8 +2548,10 @@ static void
send_update(dns_name_t *zone, isc_sockaddr_t *primary) {
isc_result_t result;
dns_request_t *request = NULL;
unsigned int options = DNS_REQUESTOPT_CASE;
isc_sockaddr_t *srcaddr;
unsigned int options = DNS_REQUESTOPT_CASE;
dns_transport_t *req_transport = NULL;
isc_tlsctx_cache_t *req_tls_ctx_cache = NULL;
ddebug("send_update()");
@@ -2457,7 +2559,12 @@ send_update(dns_name_t *zone, isc_sockaddr_t *primary) {
if (usevc) {
options |= DNS_REQUESTOPT_TCP;
if (use_tls) {
req_transport = transport;
req_tls_ctx_cache = tls_ctx_cache;
}
}
if (tsigkey == NULL && sig0key != NULL) {
result = dns_message_setsig0key(updatemsg, sig0key);
check_result(result, "dns_message_setsig0key");
@@ -2480,10 +2587,10 @@ send_update(dns_name_t *zone, isc_sockaddr_t *primary) {
updatemsg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
}
result = dns_request_create(requestmgr, updatemsg, srcaddr, primary,
NULL, NULL, -1, options, tsigkey, timeout,
udp_timeout, udp_retries, global_task,
update_completed, NULL, &request);
result = dns_request_create(
requestmgr, updatemsg, srcaddr, primary, req_transport,
req_tls_ctx_cache, -1, options, tsigkey, timeout, udp_timeout,
udp_retries, global_task, update_completed, NULL, &request);
check_result(result, "dns_request_create");
if (debugging) {
@@ -2574,6 +2681,10 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
result = dns_request_getresponse(request, rcvmsg,
DNS_MESSAGEPARSE_PRESERVEORDER);
if (result == DNS_R_TSIGERRORSET && servers != NULL) {
unsigned int options = DNS_REQUESTOPT_CASE;
dns_transport_t *req_transport = NULL;
isc_tlsctx_cache_t *req_tls_ctx_cache = NULL;
dns_message_detach(&rcvmsg);
ddebug("Destroying request [%p]", request);
dns_request_destroy(&request);
@@ -2583,6 +2694,14 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
dns_message_renderreset(soaquery);
ddebug("retrying soa request without TSIG");
if (usevc) {
options |= DNS_REQUESTOPT_TCP;
if (!default_servers && use_tls) {
req_transport = transport;
req_tls_ctx_cache = tls_ctx_cache;
}
}
if (isc_sockaddr_pf(addr) == AF_INET6) {
srcaddr = localaddr6;
} else {
@@ -2590,9 +2709,10 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
}
result = dns_request_create(
requestmgr, soaquery, srcaddr, addr, NULL, NULL, -1, 0,
NULL, FIND_TIMEOUT * 20, FIND_TIMEOUT, 3, global_task,
recvsoa, reqinfo, &request);
requestmgr, soaquery, srcaddr, addr, req_transport,
req_tls_ctx_cache, -1, options, NULL, FIND_TIMEOUT * 20,
FIND_TIMEOUT, 3, global_task, recvsoa, reqinfo,
&request);
check_result(result, "dns_request_create");
requests++;
return;
@@ -2797,6 +2917,17 @@ sendrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
isc_result_t result;
nsu_requestinfo_t *reqinfo;
isc_sockaddr_t *srcaddr;
unsigned int options = DNS_REQUESTOPT_CASE;
dns_transport_t *req_transport = NULL;
isc_tlsctx_cache_t *req_tls_ctx_cache = NULL;
if (usevc) {
options |= DNS_REQUESTOPT_TCP;
if (!default_servers && use_tls) {
req_transport = transport;
req_tls_ctx_cache = tls_ctx_cache;
}
}
reqinfo = isc_mem_get(gmctx, sizeof(nsu_requestinfo_t));
reqinfo->msg = msg;
@@ -2808,10 +2939,11 @@ sendrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
srcaddr = localaddr4;
}
result = dns_request_create(
requestmgr, msg, srcaddr, destaddr, NULL, NULL, -1, 0,
default_servers ? NULL : tsigkey, FIND_TIMEOUT * 20,
FIND_TIMEOUT, 3, global_task, recvsoa, reqinfo, request);
result = dns_request_create(requestmgr, msg, srcaddr, destaddr,
req_transport, req_tls_ctx_cache, -1,
options, default_servers ? NULL : tsigkey,
FIND_TIMEOUT * 20, FIND_TIMEOUT, 3,
global_task, recvsoa, reqinfo, request);
check_result(result, "dns_request_create");
requests++;
}
@@ -2991,8 +3123,15 @@ send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
dns_request_t **request, gss_ctx_id_t context) {
isc_result_t result;
nsu_gssinfo_t *reqinfo;
unsigned int options = 0;
isc_sockaddr_t *srcaddr;
unsigned int options = DNS_REQUESTOPT_CASE | DNS_REQUESTOPT_TCP;
dns_transport_t *req_transport = NULL;
isc_tlsctx_cache_t *req_tls_ctx_cache = NULL;
if (!default_servers && use_tls) {
req_transport = transport;
req_tls_ctx_cache = tls_ctx_cache;
}
debug("send_gssrequest");
REQUIRE(destaddr != NULL);
@@ -3002,18 +3141,16 @@ send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
reqinfo->addr = destaddr;
reqinfo->context = context;
options |= DNS_REQUESTOPT_TCP;
if (isc_sockaddr_pf(destaddr) == AF_INET6) {
srcaddr = localaddr6;
} else {
srcaddr = localaddr4;
}
result = dns_request_create(requestmgr, msg, srcaddr, destaddr, NULL,
NULL, -1, options, tsigkey,
FIND_TIMEOUT * 20, FIND_TIMEOUT, 3,
global_task, recvgss, reqinfo, request);
result = dns_request_create(
requestmgr, msg, srcaddr, destaddr, req_transport,
req_tls_ctx_cache, -1, options, tsigkey, FIND_TIMEOUT * 20,
FIND_TIMEOUT, 3, global_task, recvgss, reqinfo, request);
check_result(result, "dns_request_create");
if (debugging) {
show_message(stdout, msg, "Outgoing update query:");
@@ -3271,6 +3408,14 @@ static void
cleanup(void) {
ddebug("cleanup()");
if (tls_ctx_cache != NULL) {
isc_tlsctx_cache_detach(&tls_ctx_cache);
}
if (transport_list != NULL) {
dns_transport_list_detach(&transport_list);
}
LOCK(&answer_lock);
if (answer != NULL) {
dns_message_detach(&answer);
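Review bot: The adjacent string literals in the -K/-E validation error in parse_args drop the space between them, so the message prints "without" and "the" run together as "withoutthe"; change the first piece to `"%s: cannot specify the -K option without "`. The -A/-O message a few lines below spells "conjuction"; it should read `"conjunction with the -O option.\n"` (the same misspelling appears in the nsupdate.rst hunk, in the -A and -O option descriptions). parse_args starts and ends outside the hunk.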


@@ -19,7 +19,7 @@ nsupdate - dynamic DNS update utility
Synopsis
~~~~~~~~
:program:`nsupdate` [**-d**] [**-D**] [**-i**] [**-L** level] [ [**-g**] | [**-o**] | [**-l**] | [**-y** [hmac:]keyname:secret] | [**-k** keyfile] ] [**-t** timeout] [**-u** udptimeout] [**-r** udpretries] [**-v**] [**-T**] [**-P**] [**-V**] [ [**-4**] | [**-6**] ] [filename]
:program:`nsupdate` [**-d**] [**-D**] [**-i**] [**-L** level] [ [**-g**] | [**-o**] | [**-l**] | [**-y** [hmac:]keyname:secret] | [**-k** keyfile] ] [ [**-S**] [**-K** tlskeyfile] [**-E** tlscertfile] [**-A** tlscafile] [**-H** tlshostname] [-O] ] [**-t** timeout] [**-u** udptimeout] [**-r** udpretries] [**-v**] [**-T**] [**-P**] [**-V**] [ [**-4**] | [**-6**] ] [filename]
Description
~~~~~~~~~~~
@@ -71,6 +71,15 @@ Options
This option sets use of IPv6 only.
.. option:: -A tlscafile
This option specifies the file of the certificate authorities (CA) certificates
(in PEM format) in order to verify the remote server TLS certificate when
using DNS-over-TLS (DoT), to achieve Strict or Mutual TLS. When used, it will
override the certificates from the global certificates store, which are
otherwise used by default when :option:`-S` is enabled. This option can not
be used in conjuction with :option:`-O`, and it implies :option:`-S`.
.. option:: -C
Overrides the default `resolv.conf` file. This is only intended for testing.
@@ -84,10 +93,23 @@ Options
This option sets extra debug mode.
.. option:: -E tlscertfile
This option sets the certificate(s) file for authentication for the
DNS-over-TLS (DoT) transport to the remote server. The certificate
chain file is expected to be in PEM format. This option implies :option:`-S`,
and can only be used with :option:`-K`.
.. option:: -g
This option enables standard GSS-TSIG mode.
.. option:: -H tlshostname
This option makes :program:`nsupdate` use the provided hostname during remote
server TLS certificate verification. Otherwise, the DNS server name
is used. This option implies :option:`-S`.
.. option:: -i
This option forces interactive mode, even when standard input is not a terminal.
@@ -104,6 +126,13 @@ Options
key used to authenticate Dynamic DNS update requests. In this case,
the key specified is not an HMAC-MD5 key.
.. option:: -K tlskeyfile
This option sets the key file for authenticated encryption for the
DNS-over-TLS (DoT) transport with the remote server. The private key file is
expected to be in PEM format. This option implies :option:`-S`, and can only
be used with :option:`-E`.
.. option:: -l
This option sets local-host only mode, which sets the server address to localhost
@@ -123,6 +152,14 @@ Options
This option enables a non-standards-compliant variant of GSS-TSIG
used by Windows 2000.
.. option:: -O
This option enables Opportunistic TLS. When used, the remote peer's TLS
certificate will not be verified. This option should be used for debugging
purposes only, and it is not recommended to use it in production. This
option can not be used in conjuction with :option:`-A`, and it implies
:option:`-S`.
.. option:: -p port
This option sets the port to use for connections to a name server. The default is
@@ -138,6 +175,15 @@ Options
This option sets the number of UDP retries. The default is 3. If zero, only one update
request is made.
.. option:: -S
This option indicates whether to use DNS-over-TLS (DoT) when querying
name servers specified by ``server servername port`` syntax in the input
file, and the primary server discovered through a SOA request. When the
:option:`-K` and :option:`-E` options are used, then the specified TLS
client certificate and private key pair are used for authentication
(Mutual TLS). This option implies :option:`-v`.
.. option:: -t timeout
This option sets the maximum time an update request can take before it is aborted. The


@@ -5,7 +5,7 @@
# xxd -l 8 -u -ps /dev/urandom > ./serial
# 2. Create the new certificate request (e.g. for foo.example.com):
# openssl req -config ./CA.cfg -new -subj "/CN=foo.example.com" \
# -addext "subjectAltName=DNS:foo.example.com,IP=X.X.X.X" \
# -addext "subjectAltName=DNS:foo.example.com,IP:X.X.X.X" \
# -newkey rsa -keyout ./certs/foo.example.com.key \
# -out ./certs/foo.example.com.csr
#

bin/tests/system/nsupdate/.gitignore vendored Normal file

@@ -0,0 +1,5 @@
# temporary files generated by "openssl ca"
/CA/*.old
# there is little point in keeping the certificate requests
# for the issued certificates
/CA/certs/*.csr


@@ -0,0 +1,26 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@@ -0,0 +1,77 @@
# See ../../doth/CA/ca.cfg for more information
# certificate authority configuration
[ca]
default_ca = CA_default # The default ca section
[CA_default]
dir = .
new_certs_dir = $dir/newcerts # new certs dir (must be created)
certificate = $dir/CA.pem # The CA cert
private_key = $dir/private/CA.key # CA private key
serial = $dir/serial # serial number file for the next certificate
# Update before issuing it:
# xxd -l 8 -u -ps /dev/urandom > ./serial
database = $dir/index.txt # (must be created manually: touch ./index.txt)
default_days = 1 # how long to certify for
#default_crl_days = 30 # the number of days before the
default_crl_days = 10950 # next CRL is due. That is the
# days from now to place in the
# CRL nextUpdate field. If CRL
# is expired, certificate
# verifications will fail even
# for otherwise valid
# certificates. Clients might
# cache the CRL, so the expiry
# period should normally be
# relatively short (default:
# 30) for production CAs.
default_md = sha256 # digest to use
policy = policy_default # default policy
email_in_dn = no # Don't add the email into cert DN
name_opt = ca_default # Subject name display option
cert_opt = ca_default # Certificate display option
# We need the following in order to copy Subject Alt Name(s) from a
# request to the certificate.
copy_extensions = copy # copy extensions from request
[policy_default]
countryName = optional
stateOrProvinceName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# default certificate requests settings
[req]
# Options for the `req` tool (`man req`).
default_bits = 3072 # for RSA only
distinguished_name = req_default
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-256 instead.
default_md = sha256
# do not encrypt the private key file
encrypt_key = no
[req_default]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (e.g., city)
0.organizationName = Organization Name (e.g., company)
organizationalUnitName = Organizational Unit Name (e.g. department)
commonName = Common Name (e.g. server FQDN or YOUR name)
emailAddress = Email Address
# defaults
countryName_default = UA
stateOrProvinceName_default = Kharkiv Oblast
localityName_default = Kharkiv
0.organizationName_default = ISC
organizationalUnitName_default = Software Engeneering (BIND 9)


@@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@@ -0,0 +1,2 @@
Please take a look at the contents of the CA.cfg file for further
instructions and configurations options.


@@ -0,0 +1,40 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@@ -0,0 +1,93 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8122792693893010842 (0x70b9f4eb2fa1959a)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
Validity
Not Before: Sep 8 08:20:17 2022 GMT
Not After : Aug 31 08:20:17 2052 GMT
Subject: CN=srv01.client01.example.nil
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (3072 bit)
Modulus:
00:ab:60:2e:9c:61:e3:89:c6:52:2b:bc:e9:e1:05:
fd:18:65:42:20:f6:56:16:40:33:d2:cb:9f:f7:ef:
22:54:a7:c9:55:70:ca:52:f0:e2:a2:58:38:7f:10:
ad:2b:05:e0:11:b6:69:21:7f:2d:38:56:dd:d5:e4:
f3:de:a7:32:35:f7:33:2a:52:80:ae:b7:d6:7c:35:
74:c3:0c:8a:c3:3a:18:61:68:73:62:58:56:ff:78:
25:57:1c:7b:be:98:88:21:dd:1c:8a:13:a5:9a:52:
48:98:d9:3d:c4:28:a6:7e:9b:11:56:7e:ce:09:bb:
51:89:8a:a8:1b:00:b5:73:2b:41:93:b1:62:40:30:
29:ea:f6:a3:e7:bc:f0:e9:9e:07:2b:ae:a9:a0:1d:
4d:d9:f8:18:4d:83:47:4e:68:ee:57:c8:55:15:86:
3c:6d:1e:f5:31:f1:de:cf:c2:7e:6b:8e:22:5a:c5:
76:af:d0:01:de:ab:7a:03:b2:96:33:cc:a0:26:ae:
de:c4:bd:76:85:96:c7:88:e4:46:bc:3f:c6:54:c9:
95:83:87:9c:49:0d:31:dd:c4:17:52:99:e4:65:49:
9b:9d:f3:ad:ce:66:08:57:f4:83:be:5e:87:da:42:
5a:01:2a:6d:68:d1:8d:38:d9:18:ae:5e:2e:54:72:
8b:01:45:96:af:f5:a3:d0:29:5d:22:8b:b4:d4:30:
af:02:36:c5:2d:e9:29:eb:2c:ea:6a:7e:27:b3:70:
fc:87:1f:2b:c4:b1:3a:a6:c2:e9:b7:c2:6f:46:63:
b7:96:2e:53:d8:b7:cd:c3:f4:b5:6d:b2:fc:57:49:
ac:9f:98:c9:fe:b4:f5:7c:93:48:2e:93:dc:e9:18:
54:63:5f:18:a3:e7:12:aa:fe:38:f0:73:e5:17:1e:
fe:40:65:81:a8:8f:60:46:c2:16:f2:a8:9d:b1:1b:
bc:ce:05:de:37:b2:a8:86:47:bd:8d:92:de:e0:e5:
42:89:b8:e3:f8:b1:24:08:7e:99
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:srv01.client01.example.nil, IP Address:10.53.0.1
Signature Algorithm: sha256WithRSAEncryption
07:97:69:51:12:50:6a:e1:02:a0:b0:dc:93:75:16:c4:38:0f:
5c:b3:47:da:bf:fa:9c:b6:de:c0:ef:38:f7:cc:d9:8d:71:ba:
51:89:e5:48:36:dd:e1:f8:73:9d:92:80:1c:42:30:69:4f:8c:
19:5d:f7:1d:03:e4:f2:76:e0:58:7b:c2:76:c4:0a:7e:20:69:
26:6c:3e:cb:31:45:93:1d:07:5f:45:44:8e:5a:fb:87:17:7b:
4d:5c:bf:37:bd:5e:ba:5c:22:84:bf:26:21:4a:c4:e9:f9:cb:
73:de:fc:62:04:96:ad:aa:fd:89:09:5c:74:d6:bd:5f:07:17:
ef:9c:3d:ee:b7:dc:08:11:7f:12:66:ab:c4:ff:43:6d:7f:1e:
01:b6:d1:19:73:53:18:e4:02:b0:7c:9e:99:63:d8:57:dd:07:
79:fb:83:39:09:de:76:6e:68:b7:87:81:13:b8:26:e5:1c:c9:
a0:23:e5:97:39:ff:93:c7:8d:08:d8:ce:97:34:fc:ad:22:14:
89:c0:ae:83:7d:0a:3f:cf:a0:9b:b4:6a:5c:b3:6d:5d:3b:88:
ca:1e:9b:99:54:64:57:58:3c:4c:bd:26:ee:11:c3:13:0b:1d:
f5:fd:d9:37:b0:31:72:6f:1d:e8:ba:43:37:46:f7:71:fe:6d:
4a:30:33:29:c5:7b:37:8b:7e:06:22:89:a4:46:36:f0:fe:c6:
f5:f0:53:04:c0:35:52:78:6e:10:24:3a:d8:bf:7b:13:2f:98:
bc:69:31:41:68:02:5a:c4:f9:11:a2:6b:3f:c8:e0:d4:b3:80:
af:d2:be:fe:28:70:61:18:ed:8a:de:c4:cb:da:c9:60:94:91:
76:63:69:8c:6e:96:f5:ba:e7:be:1e:1c:c3:84:b1:8d:e8:31:
f7:66:8c:0d:da:a8:78:57:19:fd:a0:8d:fa:9a:7e:51:1c:d1:
d0:84:07:a2:45:40:2d:c4:6b:e9:9f:86:4a:08:20:8f:9c:79:
97:e3:7f:2a:14:73
-----BEGIN CERTIFICATE-----
MIIEVTCCAr2gAwIBAgIIcLn06y+hlZowDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE
BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp
djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD
DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDkwODA4MjAxN1oYDzIwNTIwODMx
MDgyMDE3WjAlMSMwIQYDVQQDDBpzcnYwMS5jbGllbnQwMS5leGFtcGxlLm5pbDCC
AaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKtgLpxh44nGUiu86eEF/Rhl
QiD2VhZAM9LLn/fvIlSnyVVwylLw4qJYOH8QrSsF4BG2aSF/LThW3dXk896nMjX3
MypSgK631nw1dMMMisM6GGFoc2JYVv94JVcce76YiCHdHIoTpZpSSJjZPcQopn6b
EVZ+zgm7UYmKqBsAtXMrQZOxYkAwKer2o+e88OmeByuuqaAdTdn4GE2DR05o7lfI
VRWGPG0e9THx3s/CfmuOIlrFdq/QAd6regOyljPMoCau3sS9doWWx4jkRrw/xlTJ
lYOHnEkNMd3EF1KZ5GVJm53zrc5mCFf0g75eh9pCWgEqbWjRjTjZGK5eLlRyiwFF
lq/1o9ApXSKLtNQwrwI2xS3pKess6mp+J7Nw/IcfK8SxOqbC6bfCb0Zjt5YuU9i3
zcP0tW2y/FdJrJ+Yyf609XyTSC6T3OkYVGNfGKPnEqr+OPBz5Rce/kBlgaiPYEbC
FvKonbEbvM4F3jeyqIZHvY2S3uDlQom44/ixJAh+mQIDAQABoy8wLTArBgNVHREE
JDAighpzcnYwMS5jbGllbnQwMS5leGFtcGxlLm5pbIcECjUAATANBgkqhkiG9w0B
AQsFAAOCAYEAB5dpURJQauECoLDck3UWxDgPXLNH2r/6nLbewO8498zZjXG6UYnl
SDbd4fhznZKAHEIwaU+MGV33HQPk8nbgWHvCdsQKfiBpJmw+yzFFkx0HX0VEjlr7
hxd7TVy/N71eulwihL8mIUrE6fnLc978YgSWrar9iQlcdNa9XwcX75w97rfcCBF/
EmarxP9DbX8eAbbRGXNTGOQCsHyemWPYV90HefuDOQnedm5ot4eBE7gm5RzJoCPl
lzn/k8eNCNjOlzT8rSIUicCug30KP8+gm7RqXLNtXTuIyh6bmVRkV1g8TL0m7hHD
Ewsd9f3ZN7Axcm8d6LpDN0b3cf5tSjAzKcV7N4t+BiKJpEY28P7G9fBTBMA1Unhu
ECQ62L97Ey+YvGkxQWgCWsT5EaJrP8jg1LOAr9K+/ihwYRjtit7Ey9rJYJSRdmNp
jG6W9brnvh4cw4Sxjegx92aMDdqoeFcZ/aCN+pp+URzR0IQHokVALcRr6Z+GSggg
j5x5l+N/KhRz
-----END CERTIFICATE-----


@@ -0,0 +1,40 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@@ -0,0 +1,93 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8122792693893010843 (0x70b9f4eb2fa1959b)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
Validity
Not Before: Sep 7 08:14:18 2022 GMT
Not After : Sep 8 08:14:18 2022 GMT
Subject: CN=srv01.client02-expired.example.nil
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (3072 bit)
Modulus:
00:c0:11:27:17:25:3a:ad:85:a0:3b:59:0b:22:64:
63:7d:bb:05:32:35:4f:68:d5:19:2b:cd:46:bd:e2:
b6:42:8c:08:cf:09:0d:a8:cd:58:d9:1b:77:db:17:
8a:fc:f0:55:f2:e1:50:f4:fd:90:aa:49:15:5d:ea:
9b:5a:47:c4:2f:82:07:46:87:f6:05:ef:15:02:a4:
3c:a1:da:fc:5b:75:36:12:f7:12:50:55:f8:be:0c:
7d:21:91:e2:92:d8:41:3f:71:fe:b2:17:c0:68:1d:
09:be:fc:c4:24:ec:ef:d2:5c:52:a9:4f:d6:5d:30:
b8:ab:68:2e:39:e9:8b:5b:c6:f0:64:42:f7:b8:bd:
b2:90:32:22:68:bc:38:70:2f:14:ae:c8:7c:63:04:
d5:11:b2:0a:f1:8e:13:10:b2:3b:69:f4:fe:3a:e2:
f1:58:56:28:93:c1:28:aa:a7:19:c9:91:12:43:f8:
f5:1d:34:58:3d:32:9f:11:67:d1:1f:53:d4:e0:d5:
0c:78:2c:6f:38:3f:e1:89:69:b5:09:3c:12:f4:a9:
ee:e5:2f:c5:47:65:a6:82:fa:ea:78:48:31:89:11:
b6:23:8a:27:ed:7c:1d:6d:e8:ab:a0:29:de:40:f4:
f2:9b:61:22:da:9c:22:32:f7:3d:f8:4c:e1:38:a7:
e2:c3:af:a4:67:7f:94:a4:fd:52:25:89:4d:f4:9a:
d6:35:ba:98:20:f1:4b:c9:a5:cf:ac:72:58:2a:cd:
3b:4a:3e:e9:04:31:e2:9a:74:32:d5:52:60:34:ad:
0c:85:02:65:58:41:74:2a:57:91:34:55:36:a9:14:
5b:45:cc:28:27:d7:6d:ba:55:a3:dd:9f:00:04:a4:
43:c2:af:5c:af:86:53:a6:d5:a7:49:aa:31:d6:5e:
92:7d:26:dd:8d:f4:87:8a:9b:48:e8:25:f4:c7:34:
ca:cf:e3:f7:84:19:3b:43:c7:6a:b8:da:6e:6f:85:
af:8d:0c:fb:7c:ea:c7:73:9c:9b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:srv01.client02-expired.example.nil, IP Address:10.53.0.1
Signature Algorithm: sha256WithRSAEncryption
18:f1:7c:24:5b:d2:03:b0:60:0e:60:e6:32:f9:a7:47:d1:e4:
bd:3f:a3:21:53:90:84:9a:c6:2c:87:b2:16:28:95:07:a3:2a:
c3:33:8f:60:70:3f:26:58:be:ec:a2:6c:44:89:d3:4e:ef:bb:
ce:af:9b:5f:15:06:03:21:74:e3:6f:2a:dc:5c:19:4e:d3:cb:
ba:c3:5f:d8:76:89:59:50:82:69:5f:a1:ac:9f:be:79:e1:22:
12:37:f9:d3:2e:00:35:03:03:9d:08:24:45:65:7a:e9:72:31:
e1:67:44:32:17:25:dd:b9:72:eb:c6:40:d7:5d:8d:5f:00:48:
07:09:0d:3c:4c:a1:f1:05:4b:05:9b:2b:5a:21:09:46:f4:17:
7a:cf:34:87:ad:bf:ef:bd:56:74:d7:1a:8f:07:ce:70:b1:aa:
4d:82:4f:08:dc:56:27:f9:21:20:b8:06:c7:29:b4:8e:36:82:
b8:43:85:1c:2d:9f:be:2d:b9:9d:40:de:52:55:6a:2e:0b:28:
33:fc:f8:1b:70:e9:c5:46:50:f3:05:be:8d:ed:99:ec:f1:8c:
51:8a:1c:4b:95:f4:c4:dd:cd:42:74:bc:6f:66:64:54:b8:c1:
6e:c8:3d:e9:fe:10:02:61:50:77:38:b9:b0:b8:13:37:8f:0e:
5b:49:92:3a:9d:9a:60:51:68:99:8a:d5:7e:92:71:7e:fa:db:
52:37:4d:f9:0d:6c:3b:79:a3:b9:16:b7:95:00:ea:eb:17:54:
e2:50:d7:a5:08:54:58:2c:79:66:01:4b:95:65:ed:b8:81:f7:
4c:fa:f8:89:37:ad:d9:dc:c9:75:9d:02:3e:e5:92:b3:03:ab:
70:69:83:f5:6c:a6:27:7e:2e:fc:9d:b2:59:0a:43:ad:3f:55:
2f:5d:ec:ef:52:f0:3e:be:b5:d6:e2:c3:91:9d:dd:5d:e1:9e:
e6:18:90:0b:6a:85:f8:e3:83:2a:7c:91:c3:52:1c:6d:aa:2b:
44:b8:6f:2b:af:6e
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@@ -0,0 +1,40 @@
-----BEGIN PRIVATE KEY-----
MIIG/AIBADANBgkqhkiG9w0BAQEFAASCBuYwggbiAgEAAoIBgQC0mmOYBK29qym/
InBUMN/Ha3dduF4LzQ6gbHQ350t40Zbaypl9krHkGgoetBy+7syVjFIDk4XhQENo
hoa8amJt1grK7k+TLe5r33r23PpEpjmALDh8ic3Zo5ns6CtIbYRBPQ4aH2heF4iP
pdpNHDYmrrR+0v6iWdVnOlbCIWUN3Zdv8OW0HoeulzUN9Juu3Io+KKq4oqvunbLF
kfZxmaWGyzGcBdablBNGqZrJpVVfbMzQhCfisbVzOQh/gC8EJpYMjSmbvl7MOa+i
24KCVwfmskrZPch5bmdh80g3qE+fs8+EtlAIPemF6al2UIDnLG9llcviI0FYOXDn
eCk9wtYgfCuHML2Yh2PtSq257XpLE6E9Yl62dGTvJaPdk0eq0yV+KtcJG1xZUPHU
xpzyZIp8y8xSN1CIS4Q1QFEOoQaiYLaw44/52I5Fd30OfRGSIhUPozeExCXcFLQg
ercWlnLUv01d0qtxQ0S+h0TSuHT3hj/SXd1e5nSr+8yjXaaEgAsCAwEAAQKCAYAG
wzkzeglfbsdTZuC55lKazwVbNwoeewEvNKBtb3W+AmsZqjhxIUsT9X2nhKsG4z45
41U22RFMS/G6Oj9VUs54umkRDDdilXe2Blo+YCvm4iqJCB7dWvOgUKX03wSv45nu
L3EVvVNVIqB0cItqE8JbVHNhxFjQj3iUMvUIs+Nqz39aK7UON45xFSxhZ2Vk+NEc
Xr11yHGTr8f/6eVGf7BZCcbDxtwwWy0Vmkg3gL9foV1R+YDc1jarJ9mPnKcmCqPH
lW5aT5putR0kO1vO6Rh7YfbHsqw334B9v1yjB4TgaJBKVHz5Z8KTvDFHodMtLqCC
WV61O2h7gh4mQ6lEX5tjArqYdKMuWLAhZ+9AK9sSs4k+/nlvEbqAOCbkx7UmrZoF
QkYfDt2Gjrk7WLwb9CCFIH0a2EEB2Fms1iHBK++S3iA4w0kfbePP0mo4GTsTwA45
DKDbYByzJzVUvGmowMaaypE548sopQ9K4kQJ9okLV+Gc1V7fjklYIIBmwDgqfIEC
gcEA5Xt0qFjYn4H2gu2xyD0etx83CjKUx0mjwPvdwLg79HMb9P+OTTU+NzsHTa2I
CTEJ1gA4VkqOtKxEBJQarQmJnVL/fiIp88h9fmLBQ48HLefH33S+bF3VWvKOgJeY
uVyyWnhTwHNQv3RsO+DEcjqG3aJ2vdzCnDLBr9ATFV8uzpk1Op0h7QljUbhHv1mS
ip2yQVeuJwtWFixjqEp7BuTluqk/UlGP39PBjgG04Tpw3MkiZNJgk/kSnN+YYOiu
i91rAoHBAMl4/WAaIL5lHiyakHAmE0fwUm+LUKPG1rF22qvqdBFV6OE14/VgTKNP
LfcS7Ulzmt7hM7fbcJ0FYxeyPbbQRjBRsGXFzLU96VgoUxoI/IyFXFY83UJ0s63L
RhZmg4GNvpO0qfOjL4wQtB3N6LPhxpF+pLkkHXSdFkUyocaXGUGOBC+ZEBaCd8Lm
2GlGoi/f+zSl4xSY4crspS7GNG2+jcXh5K/OMdjEb1/tyRYnHf0D89WNmr10EeYG
Pe9alaDv4QKBwDROcYa1yZqB6who2W8Ez216BfejE9pg5JxmTGNTGwda/XJYlbzv
d+Dq6X1BIpLFxLIslqrEj8aKxW4tu+7ZD672bhn3+4v/lOsr41Vc0owaGqrKV2Un
9iumweh5pWwKvvR0HNLu9ebNyKXVU7GduYPnNh2MpicoQpGqYc8rROX+ce2MR2Fa
FHNaB7CL4CUMUMcoDyADK3oeYBDJ+UTXA64KSc6fnKWuBJ4zsWDtCzCn/9jvQug3
i5CKPpdIMhDbRQKBwEekz61B/UzXVnCUEjLfR1H4osfpqaZjyerXkhE6UUXs3+Be
Mo8KTJZyTK0kvN62zmbdfG+wCA6+YKuHhayhyaPbGLhIK3Bz8KuZw1tpwK0Tq287
O48rQs3VkDndAHysdA3AXAM4j2rmcbZ7h3mYGu2YNGll71eNmOLIi4C8MI4AO3rV
mkP25zGWt3RQWtJdes4RA3xKlVh86IyGjRRNg8rPdmwSDeXAjL53J1/KTz6vDiFt
to4SXV8H7zRTaQwO4QKBwBwMU2zjMYXLJq0LAmn3h4h6CVZjPrqzR8PeSd/YM831
qdH7OvnkadqIdqMOo6BUA9PvUIY/B5c5zSSOJg9gh1PJ3vDLIZY23zkXigh7poBe
YW6/PLvGQJ0Rzyz5pf6uPX8AWkAqTyI1Ox3NdxzirarxWDPznvA2KsVxVF/jxnvr
TD/R5kCQUcxZuInguahGYd1JF3dArYh6NKRPyVO0r73LfVeZ+udlo/+ZMNVGlNNF
v3Tmy/b2gUdEwuKFCxx97g==
-----END PRIVATE KEY-----


@@ -0,0 +1,93 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8122792693893010840 (0x70b9f4eb2fa19598)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
Validity
Not Before: Sep 7 20:28:03 2022 GMT
Not After : Aug 30 20:28:03 2052 GMT
Subject: CN=srv01.crt01.example.nil
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (3072 bit)
Modulus:
00:b4:9a:63:98:04:ad:bd:ab:29:bf:22:70:54:30:
df:c7:6b:77:5d:b8:5e:0b:cd:0e:a0:6c:74:37:e7:
4b:78:d1:96:da:ca:99:7d:92:b1:e4:1a:0a:1e:b4:
1c:be:ee:cc:95:8c:52:03:93:85:e1:40:43:68:86:
86:bc:6a:62:6d:d6:0a:ca:ee:4f:93:2d:ee:6b:df:
7a:f6:dc:fa:44:a6:39:80:2c:38:7c:89:cd:d9:a3:
99:ec:e8:2b:48:6d:84:41:3d:0e:1a:1f:68:5e:17:
88:8f:a5:da:4d:1c:36:26:ae:b4:7e:d2:fe:a2:59:
d5:67:3a:56:c2:21:65:0d:dd:97:6f:f0:e5:b4:1e:
87:ae:97:35:0d:f4:9b:ae:dc:8a:3e:28:aa:b8:a2:
ab:ee:9d:b2:c5:91:f6:71:99:a5:86:cb:31:9c:05:
d6:9b:94:13:46:a9:9a:c9:a5:55:5f:6c:cc:d0:84:
27:e2:b1:b5:73:39:08:7f:80:2f:04:26:96:0c:8d:
29:9b:be:5e:cc:39:af:a2:db:82:82:57:07:e6:b2:
4a:d9:3d:c8:79:6e:67:61:f3:48:37:a8:4f:9f:b3:
cf:84:b6:50:08:3d:e9:85:e9:a9:76:50:80:e7:2c:
6f:65:95:cb:e2:23:41:58:39:70:e7:78:29:3d:c2:
d6:20:7c:2b:87:30:bd:98:87:63:ed:4a:ad:b9:ed:
7a:4b:13:a1:3d:62:5e:b6:74:64:ef:25:a3:dd:93:
47:aa:d3:25:7e:2a:d7:09:1b:5c:59:50:f1:d4:c6:
9c:f2:64:8a:7c:cb:cc:52:37:50:88:4b:84:35:40:
51:0e:a1:06:a2:60:b6:b0:e3:8f:f9:d8:8e:45:77:
7d:0e:7d:11:92:22:15:0f:a3:37:84:c4:25:dc:14:
b4:20:7a:b7:16:96:72:d4:bf:4d:5d:d2:ab:71:43:
44:be:87:44:d2:b8:74:f7:86:3f:d2:5d:dd:5e:e6:
74:ab:fb:cc:a3:5d:a6:84:80:0b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:srv01.crt01.example.nil, IP Address:10.53.0.1
Signature Algorithm: sha256WithRSAEncryption
94:15:c0:4a:f1:aa:15:30:f7:cb:fe:f9:fa:ba:5f:f0:18:1f:
7e:44:9a:b1:d4:9c:f9:78:d3:a7:c7:65:f2:d1:48:62:f4:cb:
2f:20:ea:7c:af:08:cf:db:e2:0f:ab:c0:22:38:16:c5:0c:e5:
c7:6e:34:b1:ed:f6:02:1a:69:c0:09:d1:43:b3:30:77:fc:00:
07:1b:da:88:97:5b:28:4e:e6:92:ca:00:cc:86:66:a9:a9:0a:
75:be:74:88:7d:09:52:e7:a9:82:8f:a9:62:5e:b3:19:64:14:
e5:54:9e:6d:9c:98:39:8b:1f:92:92:59:f9:a2:46:75:96:11:
71:8a:c8:71:05:10:2a:b8:f3:a4:19:db:eb:05:17:0a:dd:98:
2c:58:54:3a:7f:8c:c2:26:9e:62:ca:04:dd:3c:99:1f:a0:64:
69:fb:d6:04:c1:0b:8c:62:f6:2d:ea:bc:6c:a9:39:7b:f1:20:
b8:b7:04:3c:a7:65:fa:1f:db:22:e2:5b:8b:91:75:60:be:e1:
1e:50:13:23:d5:4b:93:87:20:ec:46:6f:5f:94:dc:b1:60:d1:
79:4b:5e:76:c9:6d:0d:be:a6:9a:6b:67:8b:a7:48:7e:51:b5:
9b:9d:ec:a6:0c:c1:b3:d9:0b:26:8b:f2:7c:cf:61:d0:a2:a0:
90:90:18:6b:b4:ca:56:b8:5e:5a:8b:78:71:c4:d1:fc:15:30:
0a:03:26:74:85:3d:6c:ed:d3:e1:c9:c1:b0:d4:0c:b9:f3:04:
93:0d:e3:a6:2c:a7:ee:e0:24:0d:dd:37:fc:6b:09:d5:b5:55:
33:12:82:cf:f2:ba:0f:b0:e2:ce:f7:c0:ac:2c:7f:ab:f9:dd:
87:b1:9b:95:f2:d7:32:98:dd:4c:b3:28:b7:0d:2b:2f:62:65:
ce:59:fb:95:d4:5f:9d:fd:83:5a:01:3b:5f:48:5f:3c:fa:4b:
52:91:66:e1:49:8e:cd:09:78:f5:ce:f8:cd:5c:85:3e:ad:bd:
1c:4e:e0:3f:0a:8b
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@@ -0,0 +1,40 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@@ -0,0 +1,93 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8122792693893010841 (0x70b9f4eb2fa19599)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
Validity
Not Before: Sep 6 20:34:09 2022 GMT
Not After : Sep 7 20:34:09 2022 GMT
Subject: CN=srv01.crt02-expired.example.nil
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (3072 bit)
Modulus:
00:ec:2c:88:01:b5:8b:3a:74:56:0d:57:b3:75:fd:
05:58:05:ed:8a:ab:e8:29:0e:f1:52:34:2e:22:62:
6e:41:74:ff:78:33:b4:ff:15:73:fa:ce:90:10:a4:
fe:d2:66:14:7b:0b:79:7b:d6:20:88:f9:41:31:14:
9a:49:36:8c:38:74:4b:f3:e2:51:e7:e5:6f:bd:65:
38:e6:9c:30:80:3f:24:56:f6:68:9e:09:76:81:5b:
59:81:44:56:9f:1c:3f:48:f0:95:bf:60:40:29:df:
ac:42:3d:c3:6f:85:2d:c3:0e:08:b6:f7:12:2a:51:
00:bf:cf:fe:6c:ae:d7:7d:de:c1:72:f8:32:03:5f:
c9:3f:4a:de:e5:fa:24:90:46:f0:4a:5f:09:d8:93:
4c:bf:1c:61:4c:d2:dc:db:6c:f8:af:73:5b:b7:3b:
7a:e8:6d:1c:bb:26:23:47:87:fd:50:06:0f:f1:b5:
88:8a:a8:25:69:57:e3:46:3b:d2:6b:52:fb:5a:01:
f6:96:e9:2a:cf:13:e7:16:4c:fd:5a:f6:1f:0b:8d:
f7:25:a3:68:d7:15:fc:5c:48:49:05:e2:85:24:70:
57:b1:d8:05:24:ae:26:3a:00:9b:72:a8:47:05:c5:
f3:7c:2d:f2:58:72:37:fb:c1:8b:4f:42:8f:dd:9a:
ac:5b:ae:6f:21:62:ad:29:81:b9:8b:4b:6c:ff:61:
99:0f:7c:09:d3:6d:00:20:2d:b1:0c:00:6c:99:4c:
92:dc:0e:11:2d:e7:ba:7b:c7:c8:b1:a3:1a:61:f8:
cc:2c:af:17:b6:db:cc:36:02:fe:fb:66:15:77:84:
70:cd:42:25:b7:16:64:28:ae:9d:8c:81:85:a0:e0:
50:82:aa:e8:e9:ac:51:fc:2b:63:44:b1:08:b8:90:
d7:8c:1c:23:b2:1b:08:59:85:d5:dd:39:44:f7:47:
5e:48:08:34:eb:2c:df:75:47:08:b6:b6:e6:32:ed:
76:74:77:ce:3d:4d:fe:02:b1:33
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:srv01.crt02-expired.example.nil, IP Address:10.53.0.1
Signature Algorithm: sha256WithRSAEncryption
2a:52:c4:cb:a9:2f:f7:2b:ed:04:b5:03:d5:06:59:ed:5c:7c:
b7:00:9e:c4:33:90:fe:d0:b0:18:f3:f2:06:30:54:18:fe:34:
cb:ea:61:4f:9c:23:67:3c:ae:ed:20:df:82:52:ec:59:88:45:
ad:3c:6c:a7:34:24:1c:4d:66:ab:71:3d:59:8c:ef:cd:a0:e2:
7b:59:2d:43:94:cd:f5:0a:3c:4e:81:24:e8:fd:c6:d0:fd:ad:
6f:cc:29:5b:67:0b:b7:ee:43:38:a4:91:c2:d9:3b:f8:d6:97:
bc:92:dd:ec:a1:ab:85:35:44:f4:0a:df:ad:8d:8c:52:c3:49:
7e:39:10:a1:13:43:78:71:e2:92:aa:31:3d:d9:94:15:7f:86:
c8:aa:b4:a1:6d:bf:eb:55:b1:d7:41:6f:c3:7d:88:5e:9c:b7:
b1:4b:0d:a7:17:4f:3e:4a:46:3f:6f:48:27:8c:d0:e5:51:fc:
42:ba:c5:b9:4f:63:6f:2e:f2:fd:0c:c0:6e:23:b4:59:93:68:
a4:2d:16:ce:f4:7b:3a:45:1d:a0:6e:98:0b:f7:6a:e6:75:0c:
db:56:19:6b:88:f0:7f:6b:08:f8:fc:bb:d1:3f:25:25:1a:6c:
8e:34:cb:91:18:54:d5:2d:ce:9c:d0:b7:c3:bc:b5:0a:e0:b9:
73:6f:4d:ad:6b:3c:b6:49:ef:c0:10:13:c7:0a:78:4d:98:7d:
cb:84:a1:29:40:8c:dd:31:7d:ae:c4:f5:25:5d:b9:74:b2:f5:
e2:2b:e0:43:c8:50:61:a3:a8:26:1a:03:ab:1a:24:3b:13:56:
da:0d:ee:ff:2f:bd:d5:77:82:72:63:b8:aa:e1:18:f7:3b:c1:
a1:f8:51:b1:70:b9:25:39:df:a3:41:79:d7:2b:ec:32:f6:cb:
30:28:d2:1e:f1:b4:e1:80:03:9f:c2:0f:36:85:82:5e:39:ba:
9e:eb:67:76:42:93:bf:e0:df:64:b2:b5:5f:98:a1:45:3f:4a:
1f:5c:c5:04:10:f6
-----BEGIN CERTIFICATE-----
MIIEXTCCAsWgAwIBAgIIcLn06y+hlZkwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE
BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp
djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD
DBNjYS50ZXN0LmV4YW1wbGUuY29tMB4XDTIyMDkwNjIwMzQwOVoXDTIyMDkwNzIw
MzQwOVowKjEoMCYGA1UEAwwfc3J2MDEuY3J0MDItZXhwaXJlZC5leGFtcGxlLm5p
bDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOwsiAG1izp0Vg1Xs3X9
BVgF7Yqr6CkO8VI0LiJibkF0/3gztP8Vc/rOkBCk/tJmFHsLeXvWIIj5QTEUmkk2
jDh0S/PiUeflb71lOOacMIA/JFb2aJ4JdoFbWYFEVp8cP0jwlb9gQCnfrEI9w2+F
LcMOCLb3EipRAL/P/myu133ewXL4MgNfyT9K3uX6JJBG8EpfCdiTTL8cYUzS3Nts
+K9zW7c7euhtHLsmI0eH/VAGD/G1iIqoJWlX40Y70mtS+1oB9pbpKs8T5xZM/Vr2
HwuN9yWjaNcV/FxISQXihSRwV7HYBSSuJjoAm3KoRwXF83wt8lhyN/vBi09Cj92a
rFuubyFirSmBuYtLbP9hmQ98CdNtACAtsQwAbJlMktwOES3nunvHyLGjGmH4zCyv
F7bbzDYC/vtmFXeEcM1CJbcWZCiunYyBhaDgUIKq6OmsUfwrY0SxCLiQ14wcI7Ib
CFmF1d05RPdHXkgINOss33VHCLa25jLtdnR3zj1N/gKxMwIDAQABozQwMjAwBgNV
HREEKTAngh9zcnYwMS5jcnQwMi1leHBpcmVkLmV4YW1wbGUubmlshwQKNQABMA0G
CSqGSIb3DQEBCwUAA4IBgQAqUsTLqS/3K+0EtQPVBlntXHy3AJ7EM5D+0LAY8/IG
MFQY/jTL6mFPnCNnPK7tIN+CUuxZiEWtPGynNCQcTWarcT1ZjO/NoOJ7WS1DlM31
CjxOgSTo/cbQ/a1vzClbZwu37kM4pJHC2Tv41pe8kt3soauFNUT0Ct+tjYxSw0l+
ORChE0N4ceKSqjE92ZQVf4bIqrShbb/rVbHXQW/DfYhenLexSw2nF08+SkY/b0gn
jNDlUfxCusW5T2NvLvL9DMBuI7RZk2ikLRbO9Hs6RR2gbpgL92rmdQzbVhlriPB/
awj4/LvRPyUlGmyONMuRGFTVLc6c0LfDvLUK4Llzb02tazy2Se/AEBPHCnhNmH3L
hKEpQIzdMX2uxPUlXbl0svXiK+BDyFBho6gmGgOrGiQ7E1baDe7/L73Vd4JyY7iq
4Rj3O8Gh+FGxcLklOd+jQXnXK+wy9sswKNIe8bThgAOfwg82hYJeObqe62d2QpO/
4N9ksrVfmKFFP0ofXMUEEPY=
-----END CERTIFICATE-----


@@ -0,0 +1,4 @@
V 20520830202803Z 70B9F4EB2FA19598 unknown /CN=srv01.crt01.example.nil
V 220907203409Z 70B9F4EB2FA19599 unknown /CN=srv01.crt02-expired.example.nil
V 20520831082017Z 70B9F4EB2FA1959A unknown /CN=srv01.client01.example.nil
V 220908081418Z 70B9F4EB2FA1959B unknown /CN=srv01.client02-expired.example.nil


@@ -0,0 +1 @@
unique_subject = yes


@@ -0,0 +1,93 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8122792693893010840 (0x70b9f4eb2fa19598)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
Validity
Not Before: Sep 7 20:28:03 2022 GMT
Not After : Aug 30 20:28:03 2052 GMT
Subject: CN=srv01.crt01.example.nil
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (3072 bit)
Modulus:
00:b4:9a:63:98:04:ad:bd:ab:29:bf:22:70:54:30:
df:c7:6b:77:5d:b8:5e:0b:cd:0e:a0:6c:74:37:e7:
4b:78:d1:96:da:ca:99:7d:92:b1:e4:1a:0a:1e:b4:
1c:be:ee:cc:95:8c:52:03:93:85:e1:40:43:68:86:
86:bc:6a:62:6d:d6:0a:ca:ee:4f:93:2d:ee:6b:df:
7a:f6:dc:fa:44:a6:39:80:2c:38:7c:89:cd:d9:a3:
99:ec:e8:2b:48:6d:84:41:3d:0e:1a:1f:68:5e:17:
88:8f:a5:da:4d:1c:36:26:ae:b4:7e:d2:fe:a2:59:
d5:67:3a:56:c2:21:65:0d:dd:97:6f:f0:e5:b4:1e:
87:ae:97:35:0d:f4:9b:ae:dc:8a:3e:28:aa:b8:a2:
ab:ee:9d:b2:c5:91:f6:71:99:a5:86:cb:31:9c:05:
d6:9b:94:13:46:a9:9a:c9:a5:55:5f:6c:cc:d0:84:
27:e2:b1:b5:73:39:08:7f:80:2f:04:26:96:0c:8d:
29:9b:be:5e:cc:39:af:a2:db:82:82:57:07:e6:b2:
4a:d9:3d:c8:79:6e:67:61:f3:48:37:a8:4f:9f:b3:
cf:84:b6:50:08:3d:e9:85:e9:a9:76:50:80:e7:2c:
6f:65:95:cb:e2:23:41:58:39:70:e7:78:29:3d:c2:
d6:20:7c:2b:87:30:bd:98:87:63:ed:4a:ad:b9:ed:
7a:4b:13:a1:3d:62:5e:b6:74:64:ef:25:a3:dd:93:
47:aa:d3:25:7e:2a:d7:09:1b:5c:59:50:f1:d4:c6:
9c:f2:64:8a:7c:cb:cc:52:37:50:88:4b:84:35:40:
51:0e:a1:06:a2:60:b6:b0:e3:8f:f9:d8:8e:45:77:
7d:0e:7d:11:92:22:15:0f:a3:37:84:c4:25:dc:14:
b4:20:7a:b7:16:96:72:d4:bf:4d:5d:d2:ab:71:43:
44:be:87:44:d2:b8:74:f7:86:3f:d2:5d:dd:5e:e6:
74:ab:fb:cc:a3:5d:a6:84:80:0b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:srv01.crt01.example.nil, IP Address:10.53.0.1
Signature Algorithm: sha256WithRSAEncryption
94:15:c0:4a:f1:aa:15:30:f7:cb:fe:f9:fa:ba:5f:f0:18:1f:
7e:44:9a:b1:d4:9c:f9:78:d3:a7:c7:65:f2:d1:48:62:f4:cb:
2f:20:ea:7c:af:08:cf:db:e2:0f:ab:c0:22:38:16:c5:0c:e5:
c7:6e:34:b1:ed:f6:02:1a:69:c0:09:d1:43:b3:30:77:fc:00:
07:1b:da:88:97:5b:28:4e:e6:92:ca:00:cc:86:66:a9:a9:0a:
75:be:74:88:7d:09:52:e7:a9:82:8f:a9:62:5e:b3:19:64:14:
e5:54:9e:6d:9c:98:39:8b:1f:92:92:59:f9:a2:46:75:96:11:
71:8a:c8:71:05:10:2a:b8:f3:a4:19:db:eb:05:17:0a:dd:98:
2c:58:54:3a:7f:8c:c2:26:9e:62:ca:04:dd:3c:99:1f:a0:64:
69:fb:d6:04:c1:0b:8c:62:f6:2d:ea:bc:6c:a9:39:7b:f1:20:
b8:b7:04:3c:a7:65:fa:1f:db:22:e2:5b:8b:91:75:60:be:e1:
1e:50:13:23:d5:4b:93:87:20:ec:46:6f:5f:94:dc:b1:60:d1:
79:4b:5e:76:c9:6d:0d:be:a6:9a:6b:67:8b:a7:48:7e:51:b5:
9b:9d:ec:a6:0c:c1:b3:d9:0b:26:8b:f2:7c:cf:61:d0:a2:a0:
90:90:18:6b:b4:ca:56:b8:5e:5a:8b:78:71:c4:d1:fc:15:30:
0a:03:26:74:85:3d:6c:ed:d3:e1:c9:c1:b0:d4:0c:b9:f3:04:
93:0d:e3:a6:2c:a7:ee:e0:24:0d:dd:37:fc:6b:09:d5:b5:55:
33:12:82:cf:f2:ba:0f:b0:e2:ce:f7:c0:ac:2c:7f:ab:f9:dd:
87:b1:9b:95:f2:d7:32:98:dd:4c:b3:28:b7:0d:2b:2f:62:65:
ce:59:fb:95:d4:5f:9d:fd:83:5a:01:3b:5f:48:5f:3c:fa:4b:
52:91:66:e1:49:8e:cd:09:78:f5:ce:f8:cd:5c:85:3e:ad:bd:
1c:4e:e0:3f:0a:8b
-----BEGIN CERTIFICATE-----
MIIETzCCAregAwIBAgIIcLn06y+hlZgwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE
BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp
djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD
DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDkwNzIwMjgwM1oYDzIwNTIwODMw
MjAyODAzWjAiMSAwHgYDVQQDDBdzcnYwMS5jcnQwMS5leGFtcGxlLm5pbDCCAaIw
DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALSaY5gErb2rKb8icFQw38drd124
XgvNDqBsdDfnS3jRltrKmX2SseQaCh60HL7uzJWMUgOTheFAQ2iGhrxqYm3WCsru
T5Mt7mvfevbc+kSmOYAsOHyJzdmjmezoK0hthEE9DhofaF4XiI+l2k0cNiautH7S
/qJZ1Wc6VsIhZQ3dl2/w5bQeh66XNQ30m67cij4oqriiq+6dssWR9nGZpYbLMZwF
1puUE0apmsmlVV9szNCEJ+KxtXM5CH+ALwQmlgyNKZu+Xsw5r6LbgoJXB+ayStk9
yHluZ2HzSDeoT5+zz4S2UAg96YXpqXZQgOcsb2WVy+IjQVg5cOd4KT3C1iB8K4cw
vZiHY+1KrbnteksToT1iXrZ0ZO8lo92TR6rTJX4q1wkbXFlQ8dTGnPJkinzLzFI3
UIhLhDVAUQ6hBqJgtrDjj/nYjkV3fQ59EZIiFQ+jN4TEJdwUtCB6txaWctS/TV3S
q3FDRL6HRNK4dPeGP9Jd3V7mdKv7zKNdpoSACwIDAQABoywwKjAoBgNVHREEITAf
ghdzcnYwMS5jcnQwMS5leGFtcGxlLm5pbIcECjUAATANBgkqhkiG9w0BAQsFAAOC
AYEAlBXASvGqFTD3y/75+rpf8BgffkSasdSc+XjTp8dl8tFIYvTLLyDqfK8Iz9vi
D6vAIjgWxQzlx240se32AhppwAnRQ7Mwd/wABxvaiJdbKE7mksoAzIZmqakKdb50
iH0JUuepgo+pYl6zGWQU5VSebZyYOYsfkpJZ+aJGdZYRcYrIcQUQKrjzpBnb6wUX
Ct2YLFhUOn+MwiaeYsoE3TyZH6BkafvWBMELjGL2Leq8bKk5e/EguLcEPKdl+h/b
IuJbi5F1YL7hHlATI9VLk4cg7EZvX5TcsWDReUtedsltDb6mmmtni6dIflG1m53s
pgzBs9kLJovyfM9h0KKgkJAYa7TKVrheWot4ccTR/BUwCgMmdIU9bO3T4cnBsNQM
ufMEkw3jpiyn7uAkDd03/GsJ1bVVMxKCz/K6D7DizvfArCx/q/ndh7GblfLXMpjd
TLMotw0rL2Jlzln7ldRfnf2DWgE7X0hfPPpLUpFm4UmOzQl49c74zVyFPq29HE7g
PwqL
-----END CERTIFICATE-----


@@ -0,0 +1,93 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8122792693893010841 (0x70b9f4eb2fa19599)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
Validity
Not Before: Sep 6 20:34:09 2022 GMT
Not After : Sep 7 20:34:09 2022 GMT
Subject: CN=srv01.crt02-expired.example.nil
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (3072 bit)
Modulus:
00:ec:2c:88:01:b5:8b:3a:74:56:0d:57:b3:75:fd:
05:58:05:ed:8a:ab:e8:29:0e:f1:52:34:2e:22:62:
6e:41:74:ff:78:33:b4:ff:15:73:fa:ce:90:10:a4:
fe:d2:66:14:7b:0b:79:7b:d6:20:88:f9:41:31:14:
9a:49:36:8c:38:74:4b:f3:e2:51:e7:e5:6f:bd:65:
38:e6:9c:30:80:3f:24:56:f6:68:9e:09:76:81:5b:
59:81:44:56:9f:1c:3f:48:f0:95:bf:60:40:29:df:
ac:42:3d:c3:6f:85:2d:c3:0e:08:b6:f7:12:2a:51:
00:bf:cf:fe:6c:ae:d7:7d:de:c1:72:f8:32:03:5f:
c9:3f:4a:de:e5:fa:24:90:46:f0:4a:5f:09:d8:93:
4c:bf:1c:61:4c:d2:dc:db:6c:f8:af:73:5b:b7:3b:
7a:e8:6d:1c:bb:26:23:47:87:fd:50:06:0f:f1:b5:
88:8a:a8:25:69:57:e3:46:3b:d2:6b:52:fb:5a:01:
f6:96:e9:2a:cf:13:e7:16:4c:fd:5a:f6:1f:0b:8d:
f7:25:a3:68:d7:15:fc:5c:48:49:05:e2:85:24:70:
57:b1:d8:05:24:ae:26:3a:00:9b:72:a8:47:05:c5:
f3:7c:2d:f2:58:72:37:fb:c1:8b:4f:42:8f:dd:9a:
ac:5b:ae:6f:21:62:ad:29:81:b9:8b:4b:6c:ff:61:
99:0f:7c:09:d3:6d:00:20:2d:b1:0c:00:6c:99:4c:
92:dc:0e:11:2d:e7:ba:7b:c7:c8:b1:a3:1a:61:f8:
cc:2c:af:17:b6:db:cc:36:02:fe:fb:66:15:77:84:
70:cd:42:25:b7:16:64:28:ae:9d:8c:81:85:a0:e0:
50:82:aa:e8:e9:ac:51:fc:2b:63:44:b1:08:b8:90:
d7:8c:1c:23:b2:1b:08:59:85:d5:dd:39:44:f7:47:
5e:48:08:34:eb:2c:df:75:47:08:b6:b6:e6:32:ed:
76:74:77:ce:3d:4d:fe:02:b1:33
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:srv01.crt02-expired.example.nil, IP Address:10.53.0.1
Signature Algorithm: sha256WithRSAEncryption
2a:52:c4:cb:a9:2f:f7:2b:ed:04:b5:03:d5:06:59:ed:5c:7c:
b7:00:9e:c4:33:90:fe:d0:b0:18:f3:f2:06:30:54:18:fe:34:
cb:ea:61:4f:9c:23:67:3c:ae:ed:20:df:82:52:ec:59:88:45:
ad:3c:6c:a7:34:24:1c:4d:66:ab:71:3d:59:8c:ef:cd:a0:e2:
7b:59:2d:43:94:cd:f5:0a:3c:4e:81:24:e8:fd:c6:d0:fd:ad:
6f:cc:29:5b:67:0b:b7:ee:43:38:a4:91:c2:d9:3b:f8:d6:97:
bc:92:dd:ec:a1:ab:85:35:44:f4:0a:df:ad:8d:8c:52:c3:49:
7e:39:10:a1:13:43:78:71:e2:92:aa:31:3d:d9:94:15:7f:86:
c8:aa:b4:a1:6d:bf:eb:55:b1:d7:41:6f:c3:7d:88:5e:9c:b7:
b1:4b:0d:a7:17:4f:3e:4a:46:3f:6f:48:27:8c:d0:e5:51:fc:
42:ba:c5:b9:4f:63:6f:2e:f2:fd:0c:c0:6e:23:b4:59:93:68:
a4:2d:16:ce:f4:7b:3a:45:1d:a0:6e:98:0b:f7:6a:e6:75:0c:
db:56:19:6b:88:f0:7f:6b:08:f8:fc:bb:d1:3f:25:25:1a:6c:
8e:34:cb:91:18:54:d5:2d:ce:9c:d0:b7:c3:bc:b5:0a:e0:b9:
73:6f:4d:ad:6b:3c:b6:49:ef:c0:10:13:c7:0a:78:4d:98:7d:
cb:84:a1:29:40:8c:dd:31:7d:ae:c4:f5:25:5d:b9:74:b2:f5:
e2:2b:e0:43:c8:50:61:a3:a8:26:1a:03:ab:1a:24:3b:13:56:
da:0d:ee:ff:2f:bd:d5:77:82:72:63:b8:aa:e1:18:f7:3b:c1:
a1:f8:51:b1:70:b9:25:39:df:a3:41:79:d7:2b:ec:32:f6:cb:
30:28:d2:1e:f1:b4:e1:80:03:9f:c2:0f:36:85:82:5e:39:ba:
9e:eb:67:76:42:93:bf:e0:df:64:b2:b5:5f:98:a1:45:3f:4a:
1f:5c:c5:04:10:f6
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@@ -0,0 +1,93 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8122792693893010842 (0x70b9f4eb2fa1959a)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
Validity
Not Before: Sep 8 08:20:17 2022 GMT
Not After : Aug 31 08:20:17 2052 GMT
Subject: CN=srv01.client01.example.nil
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (3072 bit)
Modulus:
00:ab:60:2e:9c:61:e3:89:c6:52:2b:bc:e9:e1:05:
fd:18:65:42:20:f6:56:16:40:33:d2:cb:9f:f7:ef:
22:54:a7:c9:55:70:ca:52:f0:e2:a2:58:38:7f:10:
ad:2b:05:e0:11:b6:69:21:7f:2d:38:56:dd:d5:e4:
f3:de:a7:32:35:f7:33:2a:52:80:ae:b7:d6:7c:35:
74:c3:0c:8a:c3:3a:18:61:68:73:62:58:56:ff:78:
25:57:1c:7b:be:98:88:21:dd:1c:8a:13:a5:9a:52:
48:98:d9:3d:c4:28:a6:7e:9b:11:56:7e:ce:09:bb:
51:89:8a:a8:1b:00:b5:73:2b:41:93:b1:62:40:30:
29:ea:f6:a3:e7:bc:f0:e9:9e:07:2b:ae:a9:a0:1d:
4d:d9:f8:18:4d:83:47:4e:68:ee:57:c8:55:15:86:
3c:6d:1e:f5:31:f1:de:cf:c2:7e:6b:8e:22:5a:c5:
76:af:d0:01:de:ab:7a:03:b2:96:33:cc:a0:26:ae:
de:c4:bd:76:85:96:c7:88:e4:46:bc:3f:c6:54:c9:
95:83:87:9c:49:0d:31:dd:c4:17:52:99:e4:65:49:
9b:9d:f3:ad:ce:66:08:57:f4:83:be:5e:87:da:42:
5a:01:2a:6d:68:d1:8d:38:d9:18:ae:5e:2e:54:72:
8b:01:45:96:af:f5:a3:d0:29:5d:22:8b:b4:d4:30:
af:02:36:c5:2d:e9:29:eb:2c:ea:6a:7e:27:b3:70:
fc:87:1f:2b:c4:b1:3a:a6:c2:e9:b7:c2:6f:46:63:
b7:96:2e:53:d8:b7:cd:c3:f4:b5:6d:b2:fc:57:49:
ac:9f:98:c9:fe:b4:f5:7c:93:48:2e:93:dc:e9:18:
54:63:5f:18:a3:e7:12:aa:fe:38:f0:73:e5:17:1e:
fe:40:65:81:a8:8f:60:46:c2:16:f2:a8:9d:b1:1b:
bc:ce:05:de:37:b2:a8:86:47:bd:8d:92:de:e0:e5:
42:89:b8:e3:f8:b1:24:08:7e:99
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:srv01.client01.example.nil, IP Address:10.53.0.1
Signature Algorithm: sha256WithRSAEncryption
07:97:69:51:12:50:6a:e1:02:a0:b0:dc:93:75:16:c4:38:0f:
5c:b3:47:da:bf:fa:9c:b6:de:c0:ef:38:f7:cc:d9:8d:71:ba:
51:89:e5:48:36:dd:e1:f8:73:9d:92:80:1c:42:30:69:4f:8c:
19:5d:f7:1d:03:e4:f2:76:e0:58:7b:c2:76:c4:0a:7e:20:69:
26:6c:3e:cb:31:45:93:1d:07:5f:45:44:8e:5a:fb:87:17:7b:
4d:5c:bf:37:bd:5e:ba:5c:22:84:bf:26:21:4a:c4:e9:f9:cb:
73:de:fc:62:04:96:ad:aa:fd:89:09:5c:74:d6:bd:5f:07:17:
ef:9c:3d:ee:b7:dc:08:11:7f:12:66:ab:c4:ff:43:6d:7f:1e:
01:b6:d1:19:73:53:18:e4:02:b0:7c:9e:99:63:d8:57:dd:07:
79:fb:83:39:09:de:76:6e:68:b7:87:81:13:b8:26:e5:1c:c9:
a0:23:e5:97:39:ff:93:c7:8d:08:d8:ce:97:34:fc:ad:22:14:
89:c0:ae:83:7d:0a:3f:cf:a0:9b:b4:6a:5c:b3:6d:5d:3b:88:
ca:1e:9b:99:54:64:57:58:3c:4c:bd:26:ee:11:c3:13:0b:1d:
f5:fd:d9:37:b0:31:72:6f:1d:e8:ba:43:37:46:f7:71:fe:6d:
4a:30:33:29:c5:7b:37:8b:7e:06:22:89:a4:46:36:f0:fe:c6:
f5:f0:53:04:c0:35:52:78:6e:10:24:3a:d8:bf:7b:13:2f:98:
bc:69:31:41:68:02:5a:c4:f9:11:a2:6b:3f:c8:e0:d4:b3:80:
af:d2:be:fe:28:70:61:18:ed:8a:de:c4:cb:da:c9:60:94:91:
76:63:69:8c:6e:96:f5:ba:e7:be:1e:1c:c3:84:b1:8d:e8:31:
f7:66:8c:0d:da:a8:78:57:19:fd:a0:8d:fa:9a:7e:51:1c:d1:
d0:84:07:a2:45:40:2d:c4:6b:e9:9f:86:4a:08:20:8f:9c:79:
97:e3:7f:2a:14:73
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@@ -0,0 +1,93 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8122792693893010843 (0x70b9f4eb2fa1959b)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
Validity
Not Before: Sep 7 08:14:18 2022 GMT
Not After : Sep 8 08:14:18 2022 GMT
Subject: CN=srv01.client02-expired.example.nil
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (3072 bit)
Modulus:
00:c0:11:27:17:25:3a:ad:85:a0:3b:59:0b:22:64:
63:7d:bb:05:32:35:4f:68:d5:19:2b:cd:46:bd:e2:
b6:42:8c:08:cf:09:0d:a8:cd:58:d9:1b:77:db:17:
8a:fc:f0:55:f2:e1:50:f4:fd:90:aa:49:15:5d:ea:
9b:5a:47:c4:2f:82:07:46:87:f6:05:ef:15:02:a4:
3c:a1:da:fc:5b:75:36:12:f7:12:50:55:f8:be:0c:
7d:21:91:e2:92:d8:41:3f:71:fe:b2:17:c0:68:1d:
09:be:fc:c4:24:ec:ef:d2:5c:52:a9:4f:d6:5d:30:
b8:ab:68:2e:39:e9:8b:5b:c6:f0:64:42:f7:b8:bd:
b2:90:32:22:68:bc:38:70:2f:14:ae:c8:7c:63:04:
d5:11:b2:0a:f1:8e:13:10:b2:3b:69:f4:fe:3a:e2:
f1:58:56:28:93:c1:28:aa:a7:19:c9:91:12:43:f8:
f5:1d:34:58:3d:32:9f:11:67:d1:1f:53:d4:e0:d5:
0c:78:2c:6f:38:3f:e1:89:69:b5:09:3c:12:f4:a9:
ee:e5:2f:c5:47:65:a6:82:fa:ea:78:48:31:89:11:
b6:23:8a:27:ed:7c:1d:6d:e8:ab:a0:29:de:40:f4:
f2:9b:61:22:da:9c:22:32:f7:3d:f8:4c:e1:38:a7:
e2:c3:af:a4:67:7f:94:a4:fd:52:25:89:4d:f4:9a:
d6:35:ba:98:20:f1:4b:c9:a5:cf:ac:72:58:2a:cd:
3b:4a:3e:e9:04:31:e2:9a:74:32:d5:52:60:34:ad:
0c:85:02:65:58:41:74:2a:57:91:34:55:36:a9:14:
5b:45:cc:28:27:d7:6d:ba:55:a3:dd:9f:00:04:a4:
43:c2:af:5c:af:86:53:a6:d5:a7:49:aa:31:d6:5e:
92:7d:26:dd:8d:f4:87:8a:9b:48:e8:25:f4:c7:34:
ca:cf:e3:f7:84:19:3b:43:c7:6a:b8:da:6e:6f:85:
af:8d:0c:fb:7c:ea:c7:73:9c:9b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:srv01.client02-expired.example.nil, IP Address:10.53.0.1
Signature Algorithm: sha256WithRSAEncryption
18:f1:7c:24:5b:d2:03:b0:60:0e:60:e6:32:f9:a7:47:d1:e4:
bd:3f:a3:21:53:90:84:9a:c6:2c:87:b2:16:28:95:07:a3:2a:
c3:33:8f:60:70:3f:26:58:be:ec:a2:6c:44:89:d3:4e:ef:bb:
ce:af:9b:5f:15:06:03:21:74:e3:6f:2a:dc:5c:19:4e:d3:cb:
ba:c3:5f:d8:76:89:59:50:82:69:5f:a1:ac:9f:be:79:e1:22:
12:37:f9:d3:2e:00:35:03:03:9d:08:24:45:65:7a:e9:72:31:
e1:67:44:32:17:25:dd:b9:72:eb:c6:40:d7:5d:8d:5f:00:48:
07:09:0d:3c:4c:a1:f1:05:4b:05:9b:2b:5a:21:09:46:f4:17:
7a:cf:34:87:ad:bf:ef:bd:56:74:d7:1a:8f:07:ce:70:b1:aa:
4d:82:4f:08:dc:56:27:f9:21:20:b8:06:c7:29:b4:8e:36:82:
b8:43:85:1c:2d:9f:be:2d:b9:9d:40:de:52:55:6a:2e:0b:28:
33:fc:f8:1b:70:e9:c5:46:50:f3:05:be:8d:ed:99:ec:f1:8c:
51:8a:1c:4b:95:f4:c4:dd:cd:42:74:bc:6f:66:64:54:b8:c1:
6e:c8:3d:e9:fe:10:02:61:50:77:38:b9:b0:b8:13:37:8f:0e:
5b:49:92:3a:9d:9a:60:51:68:99:8a:d5:7e:92:71:7e:fa:db:
52:37:4d:f9:0d:6c:3b:79:a3:b9:16:b7:95:00:ea:eb:17:54:
e2:50:d7:a5:08:54:58:2c:79:66:01:4b:95:65:ed:b8:81:f7:
4c:fa:f8:89:37:ad:d9:dc:c9:75:9d:02:3e:e5:92:b3:03:ab:
70:69:83:f5:6c:a6:27:7e:2e:fc:9d:b2:59:0a:43:ad:3f:55:
2f:5d:ec:ef:52:f0:3e:be:b5:d6:e2:c3:91:9d:dd:5d:e1:9e:
e6:18:90:0b:6a:85:f8:e3:83:2a:7c:91:c3:52:1c:6d:aa:2b:
44:b8:6f:2b:af:6e
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@@ -0,0 +1,39 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@@ -0,0 +1,39 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@@ -0,0 +1 @@
70B9F4EB2FA1959C


@@ -0,0 +1,11 @@
-----BEGIN DH PARAMETERS-----
MIIBiAKCAYEA5D/Oioe+G+EMf/9RVxmcV4rZAtqZpVTFHcX0ZulvdiQGCQmopm6K
3+0uoU2J6WVMjhna5nHD2NO9miRDI/jIxX9g9k6PedSB4o3fSTtkAnGtUbB8S+Ab
EHtWfd7FTES8P1n16HN7BfPXVbP8zTcK+jO63KdQoxueYoETcrw0Myi9Lm8ri8os
O4oQ+XAH7GzZ60bcYV9jge0XIRUGVnYZDjWMlnwMvZyjLivxKXTC9HPNA6FF1/0H
0LPhsfjdoLNsVHFzfQz7QELMfHbTd0C8y0UMDQw9FqUp0esHZ5gsTlqnDHp2ZHoR
JDfNl4yVO5Gv4HiFJ0NSdggefhESU3FRAOhMmUkctOCxk5hyPqGMsvofOajY2MBp
eCffrKuAU6/dGUeq8inwrZlAMIZ20WyskHmbHnc4DXo2Uo6xSZo3xyEq1ofXXwTZ
vPw4e12so3RJAT2a8UsHf7DG1tH+9ke7HCAJQWxUizRFRsMi1Nl/7ikS4f3zgIbX
GKz9+uk5eS6jAgEC
-----END DH PARAMETERS-----


@@ -11,14 +11,48 @@
* information regarding copyright ownership.
*/
tls tls-forward-secrecy {
protocols { TLSv1.2; };
ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
prefer-server-ciphers yes;
key-file "../CA/certs/srv01.crt01.example.nil.key";
cert-file "../CA/certs/srv01.crt01.example.nil.pem";
dhparam-file "../dhparam3072.pem";
};
tls tls-forward-secrecy-mutual-tls {
protocols { TLSv1.2; };
ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
prefer-server-ciphers yes;
key-file "../CA/certs/srv01.crt01.example.nil.key";
cert-file "../CA/certs/srv01.crt01.example.nil.pem";
dhparam-file "../dhparam3072.pem";
ca-file "../CA/CA.pem";
};
tls tls-expired {
protocols { TLSv1.2; };
ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
prefer-server-ciphers yes;
key-file "../CA/certs/srv01.crt02-expired.example.nil.key";
cert-file "../CA/certs/srv01.crt02-expired.example.nil.pem";
dhparam-file "../dhparam3072.pem";
};
options {
query-source address 10.53.0.1 dscp 1;
notify-source 10.53.0.1 dscp 22;
transfer-source 10.53.0.1 dscp 3;
port @PORT@;
tls-port @TLSPORT@;
pid-file "named.pid";
session-keyfile "session.key";
listen-on { 10.53.0.1; 127.0.0.1; };
listen-on tls ephemeral { 10.53.0.1; };
listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.1; };
listen-on port @EXTRAPORT2@ tls tls-forward-secrecy-mutual-tls { 10.53.0.1; };
listen-on port @EXTRAPORT3@ tls tls-expired { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
notify yes;
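Review bot: The `tls-expired` block in this hunk serves `srv01.crt02-expired.example.nil`, whose certificate (also added in this commit) stopped being valid on Sep 7 2022, and nothing in the config says that is deliberate, so a later maintainer who regenerates the fixture certificates could silently turn the "failure expected" test on `@EXTRAPORT3@` into a passing handshake. Add a comment above the block, e.g. `// Intentionally serves an expired certificate: the DoT tests on @EXTRAPORT3@ expect the handshake to fail.`, and a matching one on `tls-forward-secrecy-mutual-tls` saying that `ca-file` is the only difference from `tls-forward-secrecy` and appears to be what makes that listener require and verify a client certificate (the mutual-tls tests use `@EXTRAPORT2@`). The three `tls` blocks otherwise repeat the same `protocols`, `ciphers`, `prefer-server-ciphers` and `dhparam-file` lines; that is acceptable for a test fixture, but a one-line note that they are meant to differ only in key-file/cert-file/ca-file keeps them from drifting apart when one is edited.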


@@ -16,9 +16,11 @@ options {
notify-source 10.53.0.10;
transfer-source 10.53.0.10;
port @PORT@;
tls-port @TLSPORT@;
pid-file "named.pid";
session-keyfile "session.key";
listen-on { 10.53.0.10; };
listen-on tls ephemeral { 10.53.0.10; };
recursion no;
notify yes;
minimal-responses no;


@@ -738,7 +738,7 @@ grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
n=$((n + 1))
ret=0
echo_i "check 'grant' in deny name + grant subdomain ($n)"
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1
key $DEFAULT_HMAC:subkey 1234abcd8765
server 10.53.0.9 ${PORT}
zone denyname.example
@@ -752,7 +752,7 @@ grep "added" dig.out.ns9.test$n > /dev/null || ret=1
n=$((n + 1))
ret=0
echo_i "check 'deny' in deny name + grant subdomain ($n)"
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
key $DEFAULT_HMAC:subkey 1234abcd8765
server 10.53.0.9 ${PORT}
zone denyname.example
@@ -838,6 +838,182 @@ if [ $ret -ne 0 ]; then
status=1
fi
n=$((n + 1))
ret=0
echo_i "check DoT (opportunistic-tls) ($n)"
$NSUPDATE -D -S -O -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 || ret=1
server 10.53.0.1 ${TLSPORT}
update add dot-non-auth-client-o.example.nil. 600 A 10.10.10.3
send
END
sleep 2
$DIG $DIGOPTS +short @10.53.0.1 dot-non-auth-client-o.example.nil >dig.out.test$n 2>&1 || ret=1
grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
status=1
fi
n=$((n + 1))
ret=0
echo_i "check DoT (strict-tls) with an implicit hostname (by IP address) ($n)"
$NSUPDATE -D -S -A CA/CA.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 || ret=1
server 10.53.0.1 ${EXTRAPORT1}
update add dot-non-auth-client.example.nil. 600 A 10.10.10.3
send
END
sleep 2
$DIG $DIGOPTS +short @10.53.0.1 dot-non-auth-client.example.nil >dig.out.test$n 2>&1 || ret=1
grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
status=1
fi
n=$((n + 1))
ret=0
echo_i "check DoT (strict-tls) with an implicit hostname (by IP address) ($n)"
$NSUPDATE -D -S -A CA/CA.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 || ret=1
server 10.53.0.1 ${EXTRAPORT1}
update add dot-fs.example.nil. 600 A 10.10.10.3
send
END
sleep 2
$DIG $DIGOPTS +short @10.53.0.1 dot-fs.example.nil >dig.out.test$n 2>&1 || ret=1
grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
status=1
fi
n=$((n + 1))
ret=0
echo_i "check DoT (strict-tls) with a correct hostname ($n)"
$NSUPDATE -D -S -A CA/CA.pem -H srv01.crt01.example.nil -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 || ret=1
server 10.53.0.1 ${EXTRAPORT1}
update add dot-fs-h.example.nil. 600 A 10.10.10.3
send
END
sleep 2
$DIG $DIGOPTS +short @10.53.0.1 dot-fs-h.example.nil >dig.out.test$n 2>&1 || ret=1
grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
status=1
fi
n=$((n + 1))
ret=0
echo_i "check DoT (strict-tls) with an incorrect hostname (failure expected) ($n)"
$NSUPDATE -D -S -A CA/CA.pem -H srv01.crt01.example.bad -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.1 ${EXTRAPORT1}
update add dot-fs-h-bad.example.nil. 600 A 10.10.10.3
send
END
sleep 2
$DIG $DIGOPTS +short @10.53.0.1 dot-fs-h-bad.example.nil >dig.out.test$n 2>&1 || ret=1
grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
status=1
fi
n=$((n + 1))
ret=0
echo_i "check DoT (strict-tls) with a wrong authority (failure expected) ($n)"
$NSUPDATE -D -S -A CA/CA-other.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.1 ${EXTRAPORT1}
update add dot-fs-auth-bad.example.nil. 600 A 10.10.10.3
send
END
sleep 2
$DIG $DIGOPTS +short @10.53.0.1 dot-fs-auth-bad.example.nil >dig.out.test$n 2>&1 || ret=1
grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
status=1
fi
n=$((n + 1))
ret=0
echo_i "check DoT (mutual-tls) with a valid client certificate ($n)"
$NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/srv01.client01.example.nil.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 || ret=1
server 10.53.0.1 ${EXTRAPORT2}
update add dot-fsmt.example.nil. 600 A 10.10.10.3
send
END
sleep 2
$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt.example.nil >dig.out.test$n 2>&1 || ret=1
grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
status=1
fi
n=$((n + 1))
ret=0
echo_i "check DoT (mutual-tls) with a valid client certificate but with an incorrect hostname (failure expected) ($n)"
$NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/srv01.client01.example.nil.pem -H srv01.crt01.example.bad -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.1 ${EXTRAPORT2}
update add dot-fsmt-h-bad.example.nil. 600 A 10.10.10.3
send
END
sleep 2
$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-h-bad.example.nil >dig.out.test$n 2>&1 || ret=1
grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
status=1
fi
n=$((n + 1))
ret=0
echo_i "check DoT (mutual-tls) with a valid client certificate but with a wrong authority (failure expected) ($n)"
$NSUPDATE -D -S -A CA/CA-other.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/client01.crt01.example.nil.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.1 ${EXTRAPORT2}
update add dot-fsmt-auth-bad.example.nil. 600 A 10.10.10.3
send
END
sleep 2
$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-auth-bad.example.nil >dig.out.test$n 2>&1 || ret=1
grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
status=1
fi
n=$((n + 1))
ret=0
echo_i "check DoT (mutual-tls) with an expired client certificate (failure expected) ($n)"
$NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client02-expired.example.nil.key -E CA/certs/srv01.client02-expired.example.nil.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.1 ${EXTRAPORT2}
update add dot-fsmt-exp-bad.example.nil. 600 A 10.10.10.3
send
END
sleep 2
$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-exp-bad.example.nil >dig.out.test$n 2>&1 || ret=1
grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
status=1
fi
n=$((n + 1))
ret=0
echo_i "check DoT (mutual-tls) with a valid client certificate and an expired server certificate (failure expected) ($n)"
$NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/srv01.client01.example.nil.pem -k ns1/ddns.key <<END >nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.1 ${EXTRAPORT3}
update add dot-fsmt-exp-bad.example.nil. 600 A 10.10.10.3
send
END
sleep 2
$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-exp-bad.example.nil >dig.out.test$n 2>&1 || ret=1
grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
status=1
fi
n=$((n + 1))
ret=0
echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
@@ -1026,7 +1202,7 @@ grep "bad name" nsupdate.out4-$n > /dev/null && ret=1
n=$((n + 1))
echo_i "check adding of delegating NS records processing ($n)"
ret=0
$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE -v << EOF > nsupdate.out.test$n 2>&1 || ret=1
server 10.53.0.3 ${PORT}
zone delegation.test.
update add child.delegation.test. 3600 NS foo.example.net.
@@ -1041,7 +1217,7 @@ grep "AUTHORITY: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
n=$((n + 1))
echo_i "check deleting of delegating NS records processing ($n)"
ret=0
$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE -v << EOF > nsupdate.out.test$n 2>&1 || ret=1
server 10.53.0.3 ${PORT}
zone delegation.test.
update del child.delegation.test. 3600 NS foo.example.net.
@@ -1055,13 +1231,13 @@ grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
n=$((n + 1))
echo_i "check that adding too many records is blocked ($n)"
ret=0
$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE -v << EOF > nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.3 ${PORT}
zone too-big.test.
update add r1.too-big.test 3600 IN TXT r1.too-big.test
send
EOF
grep "update failed: SERVFAIL" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: SERVFAIL" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.3 r1.too-big.test TXT > dig.out.ns3.test$n
grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
grep "records in zone (4) exceeds max-records (3)" ns3/named.run > /dev/null || ret=1
@@ -1070,14 +1246,14 @@ grep "records in zone (4) exceeds max-records (3)" ns3/named.run > /dev/null ||
n=$((n + 1))
ret=0
echo_i "check whether valid addresses are used for primary failover ($n)"
$NSUPDATE -t 1 <<END > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE -t 1 <<END > nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.4 ${PORT}
zone unreachable.
update add unreachable. 600 A 192.0.2.1
send
END
grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out-$n > /dev/null 2>&1 || ret=1
grep "not implemented" nsupdate.out-$n > /dev/null 2>&1 && ret=1
grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n > /dev/null 2>&1 || ret=1
grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
n=$((n + 1))
@@ -1141,39 +1317,39 @@ grep "syntax error" nsupdate.out > /dev/null && ret=1
n=$((n + 1))
ret=0
echo_i "check nsupdate -4 -6 ($n)"
$NSUPDATE -4 -6 <<END > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE -4 -6 <<END > nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.3 ${PORT}
zone delegation.test.
update del child.delegation.test. 3600 NS foo.example.net.
update del child.delegation.test. 3600 NS bar.example.net.
send
END
grep "only one of -4 and -6 allowed" nsupdate.out-$n > /dev/null 2>&1 || ret=1
grep "only one of -4 and -6 allowed" nsupdate.out.test$n > /dev/null 2>&1 || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
n=$((n + 1))
ret=0
echo_i "check nsupdate -4 with an IPv6 server address ($n)"
$NSUPDATE -4 <<END > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE -4 <<END > nsupdate.out.test$n 2>&1 && ret=1
server fd92:7065:b8e:ffff::2 ${PORT}
zone delegation.test.
update del child.delegation.test. 3600 NS foo.example.net.
update del child.delegation.test. 3600 NS bar.example.net.
send
END
grep "address family not supported" nsupdate.out-$n > /dev/null 2>&1 || ret=1
grep "address family not supported" nsupdate.out.test$n > /dev/null 2>&1 || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
n=$((n + 1))
ret=0
echo_i "check that TKEY in a update is rejected ($n)"
$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.3 ${PORT}
update add tkey.example 0 in tkey invalid.algorithm. 1516055980 1516140801 1 0 16 gRof8D2BFKvl/vrr9Lmnjw== 16 gRof8D2BFKvl/vrr9Lmnjw==
send
END
grep "UPDATE, status: NOERROR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
grep "UPDATE, status: FORMERR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
grep "UPDATE, status: NOERROR" nsupdate.out.test$n > /dev/null 2>&1 || ret=1
grep "UPDATE, status: FORMERR" nsupdate.out.test$n > /dev/null 2>&1 || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
n=$((n + 1))
@@ -1243,7 +1419,7 @@ grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
nextpart ns3/named.run > /dev/null
# specify zone to override the default of adding to parent zone
$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
server 10.53.0.3 ${PORT}
zone example
update add example 0 in DS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
@@ -1262,7 +1438,7 @@ echo_i "check that CDS with mismatched algorithm to DNSSEC multisigner zone is n
$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1
grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.3 ${PORT}
zone multisigner.test
update add multisigner.test 3600 IN CDS 14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
@@ -1282,7 +1458,7 @@ $DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test
grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
nextpart ns3/named.run > /dev/null
$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.3 ${PORT}
zone multisigner.test
update add multisigner.test 3600 IN CDNSKEY 257 3 14 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ==
@@ -1301,7 +1477,7 @@ echo_i "check that CDS to DNSSEC multisigner zone is allowed ($n)"
$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1
grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
server 10.53.0.3 ${PORT}
zone multisigner.test
update add multisigner.test 3600 IN CDS 14364 13 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
@@ -1316,7 +1492,7 @@ echo_i "check that CDNSKEY to DNSSEC multisigner zone is allowed ($n)"
$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1
grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
server 10.53.0.3 ${PORT}
zone multisigner.test
update add multisigner.test 3600 IN CDNSKEY 257 3 13 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ==
@@ -1328,12 +1504,12 @@ retry_quiet 5 has_positive_response multisigner.test CDNSKEY 10.53.0.3 || ret=1
n=$((n + 1))
ret=0
echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)"
$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.3 ${PORT}
zone example
update add example 0 in NSEC3PARAM 1 0 151 -
END
grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out.test$n >/dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
n=$((n + 1))
@@ -1344,13 +1520,13 @@ echo_i "check nsupdate retries with another server on REFUSED response ($n)"
# that's what we're testing for. (failure is still expected, however,
# because the address lookup for the primary doesn't use the overridden
# resolv.conf file).
$NSUPDATE -D -C resolv.conf -p ${PORT} << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE -D -C resolv.conf -p ${PORT} << EOF > nsupdate.out.test$n 2>&1 && ret=1
zone example
update add a 3600 IN A 1.2.3.4
send
EOF
grep '10.53.0.1.*REFUSED' nsupdate.out-$n > /dev/null || ret=1
grep 'Reply from SOA query' nsupdate.out-$n > /dev/null || ret=1
grep '10.53.0.1.*REFUSED' nsupdate.out.test$n > /dev/null || ret=1
grep 'Reply from SOA query' nsupdate.out.test$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
if ! $FEATURETEST --gssapi ; then
@@ -1361,7 +1537,7 @@ else
echo_i "check krb5-self match ($n)"
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1379,7 +1555,7 @@ EOF
echo_i "check krb5-self no-match ($n)"
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1387,7 +1563,7 @@ EOF
update add foo.example.com 3600 IN A 10.53.0.7
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.7 foo.example.com A > dig.out.ns7.test$n
grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -1397,7 +1573,7 @@ EOF
echo_i "check krb5-subdomain match ($n)"
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1415,7 +1591,7 @@ EOF
echo_i "check krb5-subdomain no-match ($n)"
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1423,7 +1599,7 @@ EOF
update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.7 _xxx._udp.example.com SRV > dig.out.ns7.test$n
grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -1433,7 +1609,7 @@ EOF
echo_i "check krb5-subdomain-self-rhs match PTR ($n)"
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1451,7 +1627,7 @@ EOF
echo_i "check krb5-subdomain-self-rhs no-match PTR ($n)"
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1459,7 +1635,7 @@ EOF
update add 5.3.2.1.in-addr.arpa 3600 IN PTR notme.example.com
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.7 5.3.2.1.in-addr.arpa PTR > dig.out.ns7.test$n
grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -1469,7 +1645,7 @@ EOF
echo_i "check krb5-subdomain-self-rhs match SRV ($n)"
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1487,7 +1663,7 @@ EOF
echo_i "check krb5-subdomain-self-rhs no listed types match (SRV & TXT) ($n)"
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1507,7 +1683,7 @@ EOF
echo_i "check krb5-subdomain-self-rhs no-match RDATA (SRV) ($n)"
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1515,7 +1691,7 @@ EOF
update add _yyy.self-srv.example.com 3600 IN SRV 0 0 0 notme.example.com
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.7 _yyy.self-srv.example.com SRV > dig.out.ns7.test$n
grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -1525,7 +1701,7 @@ EOF
echo_i "check krb5-subdomain-self-rhs no-match TYPE (TXT) ($n)"
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1533,7 +1709,7 @@ EOF
update add _yyy.self-srv.example.com 3600 IN TXT a-txt-record
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.7 _yyy.self-srv.example.com TXT > dig.out.ns7.test$n
grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -1546,7 +1722,7 @@ EOF
grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1563,7 +1739,7 @@ EOF
echo_i "check krb5-subdomain-self-rhs delete PTR (matching PTR with non-matching PTR) ($n)"
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1571,7 +1747,7 @@ EOF
update delete many.ptr.self-ptr.in-addr.arpa PTR
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.7 many.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns7.test$n
grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1
@@ -1585,7 +1761,7 @@ EOF
grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1602,7 +1778,7 @@ EOF
echo_i "check krb5-subdomain-self-rhs delete ANY (matching PTR with non-matching PTR) ($n)"
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1610,7 +1786,7 @@ EOF
update delete many.any.self-ptr.in-addr.arpa
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.7 many.any.self-ptr.in-addr.arpa PTR > dig.out.ns7.test$n
grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1
@@ -1624,7 +1800,7 @@ EOF
grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1641,7 +1817,7 @@ EOF
echo_i "check krb5-subdomain-self-rhs delete SRV (matching SRV with non-matching SRV) ($n)"
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1649,7 +1825,7 @@ EOF
update delete many.srv.self-srv.example.com SRV
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.7 many.srv.self-srv.example.com SRV > dig.out.ns7.test$n
grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1
@@ -1663,7 +1839,7 @@ EOF
grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1680,7 +1856,7 @@ EOF
echo_i "check krb5-subdomain-self-rhs delete ANY (matching SRV with non-matching SRV) ($n)"
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
@@ -1688,7 +1864,7 @@ EOF
update delete many.any.self-srv.example.com
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.7 many.any.self-srv.example.com SRV > dig.out.ns7.test$n
grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1
@@ -1699,7 +1875,7 @@ EOF
echo_i "check krb5-selfsub match ($n)"
KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache"
export KRB5CCNAME
$NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.8 ${PORT}
@@ -1717,7 +1893,7 @@ EOF
echo_i "check krb5-selfsub no-match ($n)"
KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.8 ${PORT}
@@ -1725,7 +1901,7 @@ EOF
update add foo.example.com 3600 IN A 10.53.0.8
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.8 foo.example.com A > dig.out.ns8.test$n
grep "status: NXDOMAIN" dig.out.ns8.test$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -1735,7 +1911,7 @@ EOF
echo_i "check ms-self match ($n)"
KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.9 ${PORT}
@@ -1753,7 +1929,7 @@ EOF
echo_i "check ms-self no-match ($n)"
KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.9 ${PORT}
@@ -1761,7 +1937,7 @@ EOF
update add foo.example.com 3600 IN A 10.53.0.9
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.9 foo.example.com A > dig.out.ns9.test$n
grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -1771,7 +1947,7 @@ EOF
echo_i "check ms-subdomain match ($n)"
KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache"
export KRB5CCNAME
$NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.9 ${PORT}
@@ -1789,7 +1965,7 @@ EOF
echo_i "check ms-subdomain no-match ($n)"
KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.9 ${PORT}
@@ -1797,7 +1973,7 @@ EOF
update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.9 _xxx._udp.example.com SRV > dig.out.ns9.test$n
grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -1807,7 +1983,7 @@ EOF
echo_i "check ms-subdomain-self-rhs match (PTR) ($n)"
KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
export KRB5CCNAME
$NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
@@ -1825,7 +2001,7 @@ EOF
echo_i "check ms-subdomain-self-rhs no-match (PTR) ($n)"
KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
@@ -1833,7 +2009,7 @@ EOF
update add 5.3.2.1.in-addr.arpa 3600 IN PTR notme.example.com
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.10 5.3.2.1.in-addr.arpa PTR > dig.out.ns10.test$n
grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -1843,7 +2019,7 @@ EOF
echo_i "check ms-subdomain-self-rhs match (SRV) ($n)"
KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
export KRB5CCNAME
$NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
@@ -1861,7 +2037,7 @@ EOF
echo_i "check ms-subdomain-self-rhs no-match (SRV) ($n)"
KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
@@ -1869,7 +2045,7 @@ EOF
update add _yyy.self-srv.example.com 3600 IN SRV 0 0 0 notme.example.com
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.10 _yyy.self-srv.example.com SRV > dig.out.ns10.test$n
grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -1882,7 +2058,7 @@ EOF
grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1
KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
@@ -1899,7 +2075,7 @@ EOF
echo_i "check ms-subdomain-self-rhs delete SRV (matching SRV with non-matching SRV) ($n)"
KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
@@ -1907,7 +2083,7 @@ EOF
update delete many.srv.self-srv.example.com SRV
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.10 many.srv.self-srv.example.com SRV > dig.out.ns10.test$n
grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1
@@ -1921,7 +2097,7 @@ EOF
grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1
KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
@@ -1938,7 +2114,7 @@ EOF
echo_i "check ms-subdomain-self-rhs delete PTR (matching PTR with non-matching PTR) ($n)"
KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
@@ -1946,7 +2122,7 @@ EOF
update delete many.ptr.self-ptr.in-addr.arpa PTR
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.10 many.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns10.test$n
grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1
@@ -1960,7 +2136,7 @@ EOF
grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1
KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
@@ -1977,7 +2153,7 @@ EOF
echo_i "check ms-subdomain-self-rhs delete ANY (matching PTR with non-matching PTR) ($n)"
KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
@@ -1985,7 +2161,7 @@ EOF
update delete many.any.self-ptr.in-addr.arpa
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.10 many.any.self-ptr.in-addr.arpa PTR > dig.out.ns10.test$n
grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1
@@ -1999,7 +2175,7 @@ EOF
grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1
KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
@@ -2016,7 +2192,7 @@ EOF
echo_i "check ms-subdomain-self-rhs delete ANY (matching SRV with non-matching SRV) ($n)"
KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
@@ -2024,7 +2200,7 @@ EOF
update delete many.any.self-srv.example.com
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.10 many.any.self-srv.example.com SRV > dig.out.ns10.test$n
grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1
@@ -2035,7 +2211,7 @@ EOF
echo_i "check ms-selfsub match ($n)"
KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
export KRB5CCNAME
$NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
$NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
@@ -2053,7 +2229,7 @@ EOF
echo_i "check ms-selfsub no-match ($n)"
KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
@@ -2061,11 +2237,28 @@ EOF
update add foo.example.com 3600 IN A 10.53.0.10
send
EOF
grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.10 foo.example.com A > dig.out.ns10.test$n
grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
n=$((n + 1))
ret=0
echo_i "check ms-selfsub match using DoT (opportunistic-tls) ($n)"
KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
export KRB5CCNAME
$NSUPDATE -d -S -O << EOF > nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${TLSPORT}
zone example.com
update add dot.machine.example.com 3600 IN A 10.53.0.10
send
EOF
$DIG $DIGOPTS +tcp @10.53.0.10 dot.machine.example.com A > dig.out.ns10.test$n
grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1
grep "dot.machine.example.com..*A.*10.53.0.10" dig.out.ns10.test$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
fi
echo_i "exit status: $status"


@@ -32,7 +32,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
nsupdate \- dynamic DNS update utility
.SH SYNOPSIS
.sp
\fBnsupdate\fP [\fB\-d\fP] [\fB\-D\fP] [\fB\-i\fP] [\fB\-L\fP level] [ [\fB\-g\fP] | [\fB\-o\fP] | [\fB\-l\fP] | [\fB\-y\fP [hmac:]keyname:secret] | [\fB\-k\fP keyfile] ] [\fB\-t\fP timeout] [\fB\-u\fP udptimeout] [\fB\-r\fP udpretries] [\fB\-v\fP] [\fB\-T\fP] [\fB\-P\fP] [\fB\-V\fP] [ [\fB\-4\fP] | [\fB\-6\fP] ] [filename]
\fBnsupdate\fP [\fB\-d\fP] [\fB\-D\fP] [\fB\-i\fP] [\fB\-L\fP level] [ [\fB\-g\fP] | [\fB\-o\fP] | [\fB\-l\fP] | [\fB\-y\fP [hmac:]keyname:secret] | [\fB\-k\fP keyfile] ] [ [\fB\-S\fP] [\fB\-K\fP tlskeyfile] [\fB\-E\fP tlscertfile] [\fB\-A\fP tlscafile] [\fB\-H\fP tlshostname] [\-O] ] [\fB\-t\fP timeout] [\fB\-u\fP udptimeout] [\fB\-r\fP udpretries] [\fB\-v\fP] [\fB\-T\fP] [\fB\-P\fP] [\fB\-V\fP] [ [\fB\-4\fP] | [\fB\-6\fP] ] [filename]
.SH DESCRIPTION
.sp
\fBnsupdate\fP is used to submit Dynamic DNS Update requests, as defined in
@@ -83,6 +83,16 @@ This option sets use of IPv6 only.
.UNINDENT
.INDENT 0.0
.TP
.B \-A tlscafile
This option specifies the file of the certificate authorities (CA) certificates
(in PEM format) in order to verify the remote server TLS certificate when
using DNS\-over\-TLS (DoT), to achieve Strict or Mutual TLS. When used, it will
override the certificates from the global certificates store, which are
otherwise used by default when \fI\%\-S\fP is enabled. This option can not
be used in conjuction with \fI\%\-O\fP, and it implies \fI\%\-S\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-C
Overrides the default \fIresolv.conf\fP file. This is only intended for testing.
.UNINDENT
@@ -99,11 +109,26 @@ This option sets extra debug mode.
.UNINDENT
.INDENT 0.0
.TP
.B \-E tlscertfile
This option sets the certificate(s) file for authentication for the
DNS\-over\-TLS (DoT) transport to the remote server. The certificate
chain file is expected to be in PEM format. This option implies \fI\%\-S\fP,
and can only be used with \fI\%\-K\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-g
This option enables standard GSS\-TSIG mode.
.UNINDENT
.INDENT 0.0
.TP
.B \-H tlshostname
This option makes \fBnsupdate\fP use the provided hostname during remote
server TLS certificate verification. Otherwise, the DNS server name
is used. This option implies \fI\%\-S\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-i
This option forces interactive mode, even when standard input is not a terminal.
.UNINDENT
@@ -122,6 +147,14 @@ the key specified is not an HMAC\-MD5 key.
.UNINDENT
.INDENT 0.0
.TP
.B \-K tlskeyfile
This option sets the key file for authenticated encryption for the
DNS\-over\-TLS (DoT) transport with the remote server. The private key file is
expected to be in PEM format. This option implies \fI\%\-S\fP, and can only
be used with \fI\%\-E\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-l
This option sets local\-host only mode, which sets the server address to localhost
(disabling the \fBserver\fP so that the server address cannot be
@@ -144,6 +177,15 @@ used by Windows 2000.
.UNINDENT
.INDENT 0.0
.TP
.B \-O
This option enables Opportunistic TLS. When used, the remote peer\(aqs TLS
certificate will not be verified. This option should be used for debugging
purposes only, and it is not recommended to use it in production. This
option can not be used in conjuction with \fI\%\-A\fP, and it implies
\fI\%\-S\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-p port
This option sets the port to use for connections to a name server. The default is
53.
@@ -162,6 +204,16 @@ request is made.
.UNINDENT
.INDENT 0.0
.TP
.B \-S
This option indicates whether to use DNS\-over\-TLS (DoT) when querying
name servers specified by \fBserver servername port\fP syntax in the input
file, and the primary server discovered through a SOA request. When the
\fI\%\-K\fP and \fI\%\-E\fP options are used, then the specified TLS
client certificate and private key pair are used for authentication
(Mutual TLS). This option implies \fI\%\-v\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-t timeout
This option sets the maximum time an update request can take before it is aborted. The
default is 300 seconds. If zero, the timeout is disabled.


@@ -38,6 +38,8 @@ New Features
fully started before starting other services that depend on name resolution.
:gl:`#1176`
- The ``nsupdate`` tool now supports DNS-over-TLS (DoT). :gl:`#1781`
Removed Features
~~~~~~~~~~~~~~~~


@@ -62,9 +62,13 @@ dns_transport_get_tls_versions(const dns_transport_t *transport);
bool
dns_transport_get_prefer_server_ciphers(const dns_transport_t *transport,
bool *preferp);
bool
dns_transport_get_always_verify_remote(dns_transport_t *transport);
/*%<
* Getter functions: return the type, cert file, key file, CA file,
* hostname, HTTP endpoint, or HTTP mode (GET or POST) for 'transport'.
* hostname, HTTP endpoint, HTTP mode (GET or POST), ciphers, TLS name,
* TLS version, server ciphers preference mode, and always enabling
* authentication mode for 'transport'.
*
* dns_transport_get_prefer_server_ciphers() returns 'true' is value
* was set, 'false' otherwise. The actual value is returned via
@@ -80,6 +84,13 @@ dns_transport_get_tlsctx(dns_transport_t *transport, const isc_sockaddr_t *peer,
* Get the transport's TLS Context and the TLS Client Session Cache associated
* with it.
*
* When neither the TLS hostname, nor the TLS certificates authorities (CA)
* file are set for the 'transport', then Opportunistic TLS (no authentication
* of the remote peer) will be used, unless the 'always_verify_remote' mode is
* enabled on the 'transport', in which case the remote peer will be
* authenticated by its IP address using the system's default certificates
* authorities store.
*
* Requires:
*\li 'transport' is a valid, 'DNS_TRANSPORT_TLS' type transport.
*\li 'peer' is not NULL.
@@ -113,9 +124,14 @@ dns_transport_set_tls_versions(dns_transport_t *transport,
void
dns_transport_set_prefer_server_ciphers(dns_transport_t *transport,
const bool prefer);
void
dns_transport_set_always_verify_remote(dns_transport_t *transport,
const bool always_verify_remote);
/*%<
* Setter functions: set the type, cert file, key file, CA file,
* hostname, HTTP endpoint, or HTTP mode (GET or POST) for 'transport'.
* hostname, HTTP endpoint, HTTP mode (GET or POST), ciphers, TLS name,
* TLS version, server ciphers preference mode, and always enabling
* authentication mode for 'transport'.
*
* Requires:
*\li 'transport' is valid.
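Review bot: The new getter `dns_transport_get_always_verify_remote(dns_transport_t *transport)` takes a non-const pointer, unlike the neighbouring `dns_transport_get_prefer_server_ciphers(const dns_transport_t *transport, ...)`; it only reads a field, so `bool dns_transport_get_always_verify_remote(const dns_transport_t *transport);` would keep the getters consistent (the definition in transport.c would change to match). The setter's "Requires" block could also state the type constraint the implementation enforces, e.g. `*\li for dns_transport_set_always_verify_remote(), 'transport' is of type DNS_TRANSPORT_TLS or DNS_TRANSPORT_HTTP.` The dns_transport_get_tlsctx() comment about authenticating the peer "by its IP address" is worth extending with a caveat that this is expected to succeed only when the server certificate actually names that address (an iPAddress subjectAltName), since a certificate issued for a hostname alone will be rejected under always_verify_remote when no TLS hostname is set.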


@@ -56,6 +56,7 @@ struct dns_transport {
char *ciphers;
uint32_t protocol_versions;
ternary_t prefer_server_ciphers;
bool always_verify_remote;
} tls;
struct {
char *endpoint;
@@ -334,6 +335,25 @@ dns_transport_get_prefer_server_ciphers(const dns_transport_t *transport,
return false;
}
void
dns_transport_set_always_verify_remote(dns_transport_t *transport,
const bool always_verify_remote) {
REQUIRE(VALID_TRANSPORT(transport));
REQUIRE(transport->type == DNS_TRANSPORT_TLS ||
transport->type == DNS_TRANSPORT_HTTP);
transport->tls.always_verify_remote = always_verify_remote;
}
bool
dns_transport_get_always_verify_remote(dns_transport_t *transport) {
REQUIRE(VALID_TRANSPORT(transport));
REQUIRE(transport->type == DNS_TRANSPORT_TLS ||
transport->type == DNS_TRANSPORT_HTTP);
return transport->tls.always_verify_remote;
}
isc_result_t
dns_transport_get_tlsctx(dns_transport_t *transport, const isc_sockaddr_t *peer,
isc_tlsctx_cache_t *tlsctx_cache, isc_mem_t *mctx,
@@ -378,6 +398,8 @@ dns_transport_get_tlsctx(dns_transport_t *transport, const isc_sockaddr_t *peer,
const char *ca_file = dns_transport_get_cafile(transport);
const char *cert_file = dns_transport_get_certfile(transport);
const char *key_file = dns_transport_get_keyfile(transport);
const bool always_verify_remote =
dns_transport_get_always_verify_remote(transport);
char peer_addr_str[INET6_ADDRSTRLEN] = { 0 };
isc_netaddr_t peer_netaddr = { 0 };
bool hostname_ignore_subject;
@@ -406,7 +428,8 @@ dns_transport_get_tlsctx(dns_transport_t *transport, const isc_sockaddr_t *peer,
prefer_server_ciphers);
}
if (hostname != NULL || ca_file != NULL) {
if (always_verify_remote || hostname != NULL || ca_file != NULL)
{
/*
* The situation when 'found_store != NULL' while
* 'found == NULL' may occur as there is a one-to-many
@@ -433,12 +456,9 @@ dns_transport_get_tlsctx(dns_transport_t *transport, const isc_sockaddr_t *peer,
INSIST(store != NULL);
if (hostname == NULL) {
/*
* If CA bundle file is specified, but
* hostname is not, then use the peer
* IP address for validation, just like
* dig does.
* If hostname is not specified, then use the
* peer IP address for validation.
*/
INSIST(ca_file != NULL);
isc_netaddr_fromsockaddr(&peer_netaddr, peer);
isc_netaddr_format(&peer_netaddr, peer_addr_str,
sizeof(peer_addr_str));
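Review bot: The rewritten comment `If hostname is not specified, then use the peer IP address for validation.` drops the context that the removed `INSIST(ca_file != NULL)` used to carry: with always_verify_remote set this branch now also runs with neither a hostname nor a CA file, and per the header comment verification then uses the system default store against the peer address. A comment such as `/* With always_verify_remote and no CA file the system store is used; the certificate must name this IP (iPAddress SAN) or verification fails. */` would make the new failure mode (hostname-only certificates rejected) obvious to the next maintainer. dns_transport_get_tlsctx() starts and ends outside this hunk, so where the store is created for that case is not visible here.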