From 156d86e6737f6fbe77cd6d2a76209297822dc39c Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 6 Sep 2018 13:51:24 +1000
Subject: [PATCH 1/8] fix dns_ssumatchtype_subdomainms dns_ssumatchtype_subdomainkrb5 as they don't require the name field to be '.'
---
 lib/bind9/check.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index ec3bb85089..9f059dc17a 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -1824,8 +1824,6 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
 break;
 case dns_ssumatchtype_selfkrb5:
 case dns_ssumatchtype_selfms:
- case dns_ssumatchtype_subdomainms:
- case dns_ssumatchtype_subdomainkrb5:
 case dns_ssumatchtype_tcpself:
 case dns_ssumatchtype_6to4self:
 if (tresult == ISC_R_SUCCESS &&
@@ -1838,6 +1836,8 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
 break;
 case dns_ssumatchtype_name:
 case dns_ssumatchtype_subdomain:
+ case dns_ssumatchtype_subdomainms:
+ case dns_ssumatchtype_subdomainkrb5:
 case dns_ssumatchtype_wildcard:
 case dns_ssumatchtype_external:
 case dns_ssumatchtype_local:
From 5fb75a3d75946fbdb3cd1ed3229b81724a1d40f3 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 6 Sep 2018 19:36:17 +1000
Subject: [PATCH 2/8] check that name field is not a valid type
---
 bin/tests/system/checkconf/tests.sh | 6 +++++-
 lib/bind9/check.c | 28 ++++++++++++++++++++++------
 2 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 1b099f1041..e245f9e2e5 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -54,10 +54,14 @@ do pat="identity and name fields are not the same" grep "$pat" checkconf.out > /dev/null || ret=1 ;; - bad-update-policy*.conf) + bad-update-policy[4589].conf) pat="name field not set to placeholder value" grep "$pat" checkconf.out > /dev/null || ret=1 ;; + bad-update-policy[67].conf) + pat="missing name field type '.*' found" + grep "$pat" checkconf.out > /dev/null || ret=1 + ;; esac if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 9f059dc17a..2e5de8e1e9 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -1745,6 +1745,8 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) { dns_fixedname_t fixed_id, fixed_name; dns_name_t *id, *name; const char *str; + isc_textregion_t r; + dns_rdatatype_t type; /* Check for "update-policy local;" */ if (cfg_obj_isstring(policy) && @@ -1782,12 +1784,16 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) { } /* - * There is no name field for subzone. + * There is no name field for subzone and dname is void */ - if (tresult == ISC_R_SUCCESS && - mtype != dns_ssumatchtype_subdomain) + if (mtype == dns_ssumatchtype_subdomain && + cfg_obj_isvoid(dname)) { + str = "."; /* Use "." as a replacement. */ + } else { str = cfg_obj_asstring(dname); + } + if (tresult == ISC_R_SUCCESS) { tresult = dns_name_fromstring(name, str, 0, NULL); if (tresult != ISC_R_SUCCESS) { cfg_obj_log(dname, logctx, ISC_LOG_ERROR, 
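Review bot: Narrowing the former `bad-update-policy*.conf` catch-all to the `[4589]` and `[67]` globs means a fixture numbered outside those sets (for example a two-digit `bad-update-policy10.conf`) matches no arm at all, so its expected diagnostic is never grepped and the check presumably rests on the named-checkconf exit status alone. A closing default arm that fails loudly, `*) echo_i "no expected-message pattern for this fixture"; ret=1 ;;`, keeps future fixtures from silently going unchecked. The `case` statement begins before the hunk, so earlier arms may already cover the remaining numbers.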
@@ -1835,12 +1841,24 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) { } break; case dns_ssumatchtype_name: - case dns_ssumatchtype_subdomain: + case dns_ssumatchtype_subdomain: /* also zonesub */ case dns_ssumatchtype_subdomainms: case dns_ssumatchtype_subdomainkrb5: case dns_ssumatchtype_wildcard: case dns_ssumatchtype_external: case dns_ssumatchtype_local: + if (tresult == ISC_R_SUCCESS) { + DE_CONST(str, r.base); + r.length = strlen(str); + tresult = dns_rdatatype_fromtext(&type, &r); + } + if (tresult == ISC_R_SUCCESS) { + cfg_obj_log(identity, logctx, ISC_LOG_ERROR, + "missing name field type '%s' " + "found", str); + result = ISC_R_FAILURE; + break; + } break; default: INSIST(0); @@ -1851,8 +1869,6 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) { element2 = cfg_list_next(element2)) { const cfg_obj_t *typeobj; - isc_textregion_t r; - dns_rdatatype_t type; typeobj = cfg_listelt_value(element2); DE_CONST(cfg_obj_asstring(typeobj), r.base); From fbeefd4990a53daabcbbc2130b39f0e7e1e6dd50 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 30 Aug 2018 18:31:17 +1000 Subject: [PATCH 3/8] add krb5-selfsub and ms-selfsub --- doc/arm/Bv9ARM-book.xml | 31 +++++++++++++- lib/bind9/check.c | 2 + lib/dns/gssapictx.c | 79 ++++++++++++++++++------------------ lib/dns/include/dns/ssu.h | 6 ++- lib/dns/include/dst/gssapi.h | 6 ++- lib/dns/ssu.c | 64 +++++++++++++++++++++-------- lib/isccfg/namedconf.c | 7 ++-- 7 files changed, 132 insertions(+), 63 deletions(-) diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 453b7a43bd..af15b64982 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml 
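Review bot: The `dns_rdatatype_fromtext` probe added to the name/subdomain group rejects any name field that is also a type mnemonic, so a relative single-label host such as `a`, `ns` or `txt` in a `name`/`subdomain` rule now fails with "missing name field type 'a' found" even when it is a genuine name, whereas `a.` (trailing dot) still passes; the message should tell the operator how to disambiguate, and since `dname` is always a string object when this fires (the void case substitutes "." earlier in this series), the error belongs on `dname`, the token at fault, rather than `identity`: `cfg_obj_log(dname, logctx, ISC_LOG_ERROR, "missing name field type '%s' found (write '%s.' if it is really a name)", str, str);`. Reusing `tresult` for the probe leaves it holding the lookup's failure code on the normal not-a-type path, so a dedicated local would make the intent explicit and keep any later `tresult` check (check_update_policy continues past the hunk) from misreading it. The `break` inside the `if` is immediately followed by the case's own `break` and can go.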
@@ -12719,12 +12719,13 @@ example.com. NS ns2.example.net. the rules are checked for each existing record type. - The ruletype field has 13 + The ruletype field has 16 values: name, subdomain, wildcard, self, selfsub, selfwild, krb5-self, ms-self, + krb5-selfsub, ms-selfsub, krb5-subdomain, ms-subdomain, tcp-self, 6to4-self, @@ -12883,6 +12884,20 @@ example.com. NS ns2.example.net. + + + + ms-selfsub + + + + This is similar to ms-self + except it also allows updates to any subdomain of + the name specified in the Windows machine + principal, not just to the name itself. + + + @@ -12954,6 +12969,20 @@ example.com. NS ns2.example.net. + + + + krb5-selfsub + + + + This is similar to krb5-self + except it also allows updates to any subdomain of + the name specified in the 'machine' part of the + Kerberos principal, not just to the name itself. + + + diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 2e5de8e1e9..451bfbeeac 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -1830,6 +1830,8 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) { break; case dns_ssumatchtype_selfkrb5: case dns_ssumatchtype_selfms: + case dns_ssumatchtype_selfsubkrb5: + case dns_ssumatchtype_selfsubms: case dns_ssumatchtype_tcpself: case dns_ssumatchtype_6to4self: if (tresult == ISC_R_SUCCESS && diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c index bca9d3646b..6a6b2e3ab5 100644 --- a/lib/dns/gssapictx.c +++ b/lib/dns/gssapictx.c @@ -347,11 +347,11 @@ cleanup: bool dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer, const dns_name_t *name, - const dns_name_t *realm) + const dns_name_t *realm, + bool subdomain) { #ifdef GSSAPI char sbuf[DNS_NAME_FORMATSIZE]; - char nbuf[DNS_NAME_FORMATSIZE]; char rbuf[DNS_NAME_FORMATSIZE]; char *sname; char *rname; 
@@ -366,8 +366,6 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer, result = dns_name_toprincipal(signer, &buffer); RUNTIME_CHECK(result == ISC_R_SUCCESS); isc_buffer_putuint8(&buffer, 0); - if (name != NULL) - dns_name_format(name, nbuf, sizeof(nbuf)); dns_name_format(realm, rbuf, sizeof(rbuf)); /* @@ -382,6 +380,10 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer, *rname = '\0'; rname++; + if (strcmp(rname, rbuf) != 0) { + return (false); + } + /* * Find the host portion of the signer's name. We do this by * searching for the first / character. We then check to make @@ -401,24 +403,30 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer, } /* - * Now, we do a simple comparison between the name and the realm. + * If name is non NULL check that it matches against the + * machine name as expected. */ if (name != NULL) { - if ((strcasecmp(sname, nbuf) == 0) - && (strcmp(rname, rbuf) == 0)) { - return (true); + dns_fixedname_t fixed; + dns_name_t *machine; + + machine = dns_fixedname_initname(&fixed); + result = dns_name_fromstring(machine, sname, 0, NULL); + if (result != ISC_R_SUCCESS) { + return (false); } - } else { - if (strcmp(rname, rbuf) == 0) { - return (true); + if (subdomain) { + return (dns_name_issubdomain(name, machine)); } + return (dns_name_equal(name, machine)); } - return (false); + return (true); #else UNUSED(signer); UNUSED(name); UNUSED(realm); + UNUSED(subdomain); return (false); #endif } @@ -426,14 +434,13 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer, bool dst_gssapi_identitymatchesrealmms(const dns_name_t *signer, const dns_name_t *name, - const dns_name_t *realm) + const dns_name_t *realm, + bool subdomain) { #ifdef GSSAPI char sbuf[DNS_NAME_FORMATSIZE]; - char nbuf[DNS_NAME_FORMATSIZE]; char rbuf[DNS_NAME_FORMATSIZE]; char *sname; - char *nname; char *rname; isc_buffer_t buffer; isc_result_t result; 
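Review bot: `dns_name_fromstring(machine, sname, 0, NULL)` now interprets the host component of the principal as DNS presentation text, so the comparison with the absolute update target `name` only works if that call roots a relative `sname` (no origin is passed here); if it did not, `dns_name_equal`/`dns_name_issubdomain` could never succeed and every krb5-self/krb5-selfsub rule would fail closed, which a test using a principal whose host part has no trailing dot would catch. The old `strcasecmp(sname, nbuf)` treated the host part as opaque bytes, while the new path applies backslash and `\DDD` escape processing, harmless for KDC-issued host principals but a behaviour change worth stating. Suggested comment above `if (name != NULL)`: `/* 'sname' is the host component of host/<machine>@REALM, parsed as a DNS name and compared with the update target; with 'subdomain' the target may also be the machine name itself, as dns_name_issubdomain() presumably accepts equal names. */`. A parse failure returns false without logging, which is the right fail-closed default, though a debug-level message would help when a principal's host part is not a valid name.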
@@ -446,8 +453,6 @@ dst_gssapi_identitymatchesrealmms(const dns_name_t *signer, result = dns_name_toprincipal(signer, &buffer); RUNTIME_CHECK(result == ISC_R_SUCCESS); isc_buffer_putuint8(&buffer, 0); - if (name != NULL) - dns_name_format(name, nbuf, sizeof(nbuf)); dns_name_format(realm, rbuf, sizeof(rbuf)); /* @@ -484,39 +489,35 @@ dst_gssapi_identitymatchesrealmms(const dns_name_t *signer, *sname = '\0'; sname = sbuf; + if (strcmp(rname, rbuf) != 0) { + return (false); + } + /* - * Find the first . in the target name, and make it the end of - * the string. The rest of the name has to match the realm. + * Now, we check that the realm matches (case sensitive) and that + * 'name' matches against 'machinename' qualified with 'realm'. */ if (name != NULL) { - nname = strchr(nbuf, '.'); - if (nname == NULL) { + dns_fixedname_t fixed; + dns_name_t *machine; + + machine = dns_fixedname_initname(&fixed); + result = dns_name_fromstring2(machine, sbuf, realm, 0, NULL); + if (result != ISC_R_SUCCESS) { return (false); } - *nname++ = '\0'; + if (subdomain) { + return (dns_name_issubdomain(name, machine)); + } + return (dns_name_equal(name, machine)); } - /* - * Now, we do a simple comparison between the name and the realm. - */ - if (name != NULL) { - if ((strcasecmp(sname, nbuf) == 0) - && (strcmp(rname, rbuf) == 0) - && (strcasecmp(nname, rbuf) == 0)) { - return (true); - } - } else { - if (strcmp(rname, rbuf) == 0) { - return (true); - } - } - - - return (false); + return (true); #else UNUSED(signer); UNUSED(name); UNUSED(realm); + UNUSED(subdomain); return (false); #endif } diff --git a/lib/dns/include/dns/ssu.h b/lib/dns/include/dns/ssu.h index 6bb15ede0f..a4167c0900 100644 --- a/lib/dns/include/dns/ssu.h +++ b/lib/dns/include/dns/ssu.h 
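Review bot: `dns_name_fromstring2(machine, sbuf, realm, 0, NULL)` fixes the expected DNS name of a Windows machine account to `<account-without-$>.<realm>`, so an AD deployment whose DNS suffix differs from the Kerberos realm (a disjoint namespace, or hosts living under a DNS subdomain of the realm) will never match `ms-self`/`ms-selfsub`; the old `strcasecmp(nname, rbuf)` compare had the same limit, but it is now an explicit construction and deserves a comment. The block comment above the `if (name != NULL)` still reads "Now, we check that the realm matches (case sensitive) ...", although the realm comparison was moved up into the `strcmp(rname, rbuf)` guard that precedes it. Suggested replacement: `/* The machine's DNS name is assumed to be the account name (minus '$') qualified with the realm, e.g. HOST$@EXAMPLE.COM -> host.example.com; AD disjoint namespaces will not match. Realm already checked above, case-sensitively. */`. The trailing `return (true)` for `name == NULL` (the ms-subdomain caller) should also be annotated as "realm membership only; the subdomain test is the caller's".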
@@ -39,9 +39,11 @@ typedef enum {
 dns_ssumatchtype_6to4self = 11,
 dns_ssumatchtype_external = 12,
 dns_ssumatchtype_local = 13,
- dns_ssumatchtype_max = 13, /* max value */
+ dns_ssumatchtype_selfsubms = 14,
+ dns_ssumatchtype_selfsubkrb5 = 15,
+ dns_ssumatchtype_max = 15, /* max value */
- dns_ssumatchtype_dlz = 14 /* intentionally higher than _max */
+ dns_ssumatchtype_dlz = 16 /* intentionally higher than _max */
 } dns_ssumatchtype_t;
 isc_result_t
diff --git a/lib/dns/include/dst/gssapi.h b/lib/dns/include/dst/gssapi.h
index e08dee2801..8ce6c30459 100644
--- a/lib/dns/include/dst/gssapi.h
+++ b/lib/dns/include/dst/gssapi.h
@@ -189,7 +189,8 @@ gss_error_tostring(uint32_t major, uint32_t minor,
 bool
 dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
 const dns_name_t *name,
- const dns_name_t *realm);
+ const dns_name_t *realm,
+ bool subdomain);
 /*
 * Compare a "signer" (in the format of a Kerberos-format Kerberos5
 * principal: host/example.com@EXAMPLE.COM) to the realm name stored
@@ -200,7 +201,8 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
 bool
 dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
 const dns_name_t *name,
- const dns_name_t *realm);
+ const dns_name_t *realm,
+ bool subdomain);
 /*
 * Compare a "signer" (in the format of a Kerberos-format Kerberos5
 * principal: host/example.com@EXAMPLE.COM) to the realm name stored
diff --git a/lib/dns/ssu.c b/lib/dns/ssu.c
index 7cd664c75e..8767e0ab1a 100644
--- a/lib/dns/ssu.c
+++ b/lib/dns/ssu.c
@@ -388,6 +388,8 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
 break;
 case dns_ssumatchtype_selfkrb5:
 case dns_ssumatchtype_selfms:
+ case dns_ssumatchtype_selfsubkrb5:
+ case dns_ssumatchtype_selfsubms:
 case dns_ssumatchtype_subdomainkrb5:
 case dns_ssumatchtype_subdomainms:
 if (signer == NULL)
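Review bot: Both prototypes in the gssapi.h hunks gain a `subdomain` parameter, but the comment that follows each still describes only the signer-versus-realm comparison; it says nothing about `name` being the update target, about `name == NULL` being a legitimate call (the *-subdomain arms in ssu.c pass NULL), or about what `subdomain` changes. Suggested text under `dst_gssapi_identitymatchesrealmkrb5`: state that `name` is the target of the update or NULL to test realm membership only, that with `subdomain` true the target may be the principal's host component or any name below it, and that the realm comparison is case-sensitive; mirror it for the ms variant, adding that `MACHINE$@REALM` is mapped to `machine.<realm>` before the compare. Both comment bodies run past the hunk, so the existing sentences there should be reconciled with these additions rather than duplicated.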
@@ -457,29 +459,55 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, continue; break; case dns_ssumatchtype_selfkrb5: - if (!dst_gssapi_identitymatchesrealmkrb5(signer, name, - rule->identity)) - continue; - break; + if (dst_gssapi_identitymatchesrealmkrb5(signer, name, + rule->identity, + false)) + { + break; + } + continue; case dns_ssumatchtype_selfms: - if (!dst_gssapi_identitymatchesrealmms(signer, name, - rule->identity)) - continue; - break; + if (dst_gssapi_identitymatchesrealmms(signer, name, + rule->identity, + false)) + { + break; + } + continue; + case dns_ssumatchtype_selfsubkrb5: + if (dst_gssapi_identitymatchesrealmkrb5(signer, name, + rule->identity, + true)) + { + break; + } + continue; + case dns_ssumatchtype_selfsubms: + if (dst_gssapi_identitymatchesrealmms(signer, name, + rule->identity, + true)) + break; + continue; case dns_ssumatchtype_subdomainkrb5: if (!dns_name_issubdomain(name, rule->name)) continue; - if (!dst_gssapi_identitymatchesrealmkrb5(signer, NULL, - rule->identity)) - continue; - break; + if (dst_gssapi_identitymatchesrealmkrb5(signer, NULL, + rule->identity, + false)) + { + break; + } + continue; case dns_ssumatchtype_subdomainms: if (!dns_name_issubdomain(name, rule->name)) continue; - if (!dst_gssapi_identitymatchesrealmms(signer, NULL, - rule->identity)) - continue; - break; + if (dst_gssapi_identitymatchesrealmms(signer, NULL, + rule->identity, + false)) + { + break; + } + continue; case dns_ssumatchtype_tcpself: tcpself = dns_fixedname_initname(&fixed); reverse_from_address(tcpself, addr); 
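Review bot: The `dns_ssumatchtype_selfsubms` arm is the only one of the six rewritten cases whose `if (...) break; continue;` omits the braces around `break`, which is inconsistent with its siblings and exactly the shape that unbraced-conditional mistakes hide in; write it as the others do, `{` after the closing parenthesis, `break;`, `}` and then `continue;`. A short comment at the head of the two new selfsub arms would also help the next reader: `/* selfsub: the target may be the machine name itself or anything below it; check.c is expected to have required the '.' placeholder as rule->name for these types. */`. The enclosing `switch` and dns_ssutable_checkrules continue outside the hunk.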
@@ -652,8 +680,12 @@ dns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype) {
 *mtype = dns_ssumatchtype_selfwild;
 } else if (strcasecmp(str, "ms-self") == 0) {
 *mtype = dns_ssumatchtype_selfms;
+ } else if (strcasecmp(str, "ms-selfsub") == 0) {
+ *mtype = dns_ssumatchtype_selfsubms;
 } else if (strcasecmp(str, "krb5-self") == 0) {
 *mtype = dns_ssumatchtype_selfkrb5;
+ } else if (strcasecmp(str, "krb5-selfsub") == 0) {
+ *mtype = dns_ssumatchtype_selfsubkrb5;
 } else if (strcasecmp(str, "ms-subdomain") == 0) {
 *mtype = dns_ssumatchtype_subdomainms;
 } else if (strcasecmp(str, "krb5-subdomain") == 0) {
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 3f6336d898..c6b1072d88 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -323,9 +323,10 @@ doc_matchname(cfg_printer_t *pctx, const cfg_type_t *type) {
 }
 static const char *matchtype_enums[] = {
- "6to4-self", "external", "krb5-self", "krb5-subdomain", "ms-self",
- "ms-subdomain", "name", "self", "selfsub", "selfwild", "subdomain",
- "tcp-self", "wildcard", "zonesub", NULL
+ "6to4-self", "external", "krb5-self", "krb5-selfsub",
+ "krb5-subdomain", "ms-self", "ms-selfsub", "ms-subdomain",
+ "name", "self", "selfsub", "selfwild", "subdomain", "tcp-self",
+ "wildcard", "zonesub", NULL
 };
 static cfg_type_t cfg_type_matchtype = {
From 54c4db569b4243981dc95b67ecf6db624bc04cf1 Mon Sep 17 00:00:00 2001
From: Mark Andrews Date: Thu, 6 Sep 2018 13:53:30 +1000 Subject: [PATCH 4/8] add krb5-* tests to nsupdate system test. --- bin/tests/system/nsupdate/clean.sh | 12 + bin/tests/system/nsupdate/krb/setup.sh | 113 +++++++++ bin/tests/system/nsupdate/ns10/dns.keytab | Bin 0 -> 168 bytes .../system/nsupdate/ns10/example.com.db.in | 19 ++ bin/tests/system/nsupdate/ns10/in-addr.db.in | 19 ++ bin/tests/system/nsupdate/ns10/machine.ccache | Bin 0 -> 1217 bytes bin/tests/system/nsupdate/ns10/named.conf.in | 48 ++++ bin/tests/system/nsupdate/ns7/dns.keytab | Bin 0 -> 166 bytes .../system/nsupdate/ns7/example.com.db.in | 19 ++ bin/tests/system/nsupdate/ns7/in-addr.db.in | 19 ++ bin/tests/system/nsupdate/ns7/machine.ccache | Bin 0 -> 1327 bytes bin/tests/system/nsupdate/ns7/named.conf.in | 48 ++++ bin/tests/system/nsupdate/ns8/dns.keytab | Bin 0 -> 166 bytes .../system/nsupdate/ns8/example.com.db.in | 19 ++ bin/tests/system/nsupdate/ns8/in-addr.db.in | 19 ++ bin/tests/system/nsupdate/ns8/machine.ccache | Bin 0 -> 1327 bytes bin/tests/system/nsupdate/ns8/named.conf.in | 48 ++++ bin/tests/system/nsupdate/ns9/dns.keytab | Bin 0 -> 166 bytes .../system/nsupdate/ns9/example.com.db.in | 19 ++ bin/tests/system/nsupdate/ns9/in-addr.db.in | 19 ++ bin/tests/system/nsupdate/ns9/machine.ccache | Bin 0 -> 1215 bytes bin/tests/system/nsupdate/ns9/named.conf.in | 48 ++++ bin/tests/system/nsupdate/setup.sh | 12 + bin/tests/system/nsupdate/tests.sh | 240 +++++++++++++++++- 24 files changed, 718 insertions(+), 3 deletions(-) create mode 100644 bin/tests/system/nsupdate/krb/setup.sh create mode 100644 bin/tests/system/nsupdate/ns10/dns.keytab create mode 100644 bin/tests/system/nsupdate/ns10/example.com.db.in create mode 100644 bin/tests/system/nsupdate/ns10/in-addr.db.in create mode 100644 bin/tests/system/nsupdate/ns10/machine.ccache create mode 100644 bin/tests/system/nsupdate/ns10/named.conf.in create mode 100644 bin/tests/system/nsupdate/ns7/dns.keytab create mode 100644 
bin/tests/system/nsupdate/ns7/example.com.db.in create mode 100644 bin/tests/system/nsupdate/ns7/in-addr.db.in create mode 100644 bin/tests/system/nsupdate/ns7/machine.ccache create mode 100644 bin/tests/system/nsupdate/ns7/named.conf.in create mode 100644 bin/tests/system/nsupdate/ns8/dns.keytab create mode 100644 bin/tests/system/nsupdate/ns8/example.com.db.in create mode 100644 bin/tests/system/nsupdate/ns8/in-addr.db.in create mode 100644 bin/tests/system/nsupdate/ns8/machine.ccache create mode 100644 bin/tests/system/nsupdate/ns8/named.conf.in create mode 100644 bin/tests/system/nsupdate/ns9/dns.keytab create mode 100644 bin/tests/system/nsupdate/ns9/example.com.db.in create mode 100644 bin/tests/system/nsupdate/ns9/in-addr.db.in create mode 100644 bin/tests/system/nsupdate/ns9/machine.ccache create mode 100644 bin/tests/system/nsupdate/ns9/named.conf.in diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh index b8245df457..ef5ec56e65 100644 --- a/bin/tests/system/nsupdate/clean.sh +++ b/bin/tests/system/nsupdate/clean.sh @@ -40,6 +40,18 @@ rm -f ns3/nsec3param.test.db rm -f ns3/too-big.test.db rm -f ns5/local.db rm -f ns6/in-addr.db +rm -f ns7/in-addr.db +rm -f ns7/example.com.db +rm -f ns7/_default.tsigkeys +rm -f ns8/in-addr.db +rm -f ns8/example.com.db +rm -f ns8/_default.tsigkeys +rm -f ns9/in-addr.db +rm -f ns9/example.com.db +rm -f ns9/_default.tsigkeys +rm -f ns10/example.com.db +rm -f ns10/in-addr.db +rm -f ns10/_default.tsigkeys rm -f nsupdate.out* rm -f typelist.out.* rm -f ns1/sample.db diff --git a/bin/tests/system/nsupdate/krb/setup.sh b/bin/tests/system/nsupdate/krb/setup.sh new file mode 100644 index 0000000000..3c37777dc2 --- /dev/null +++ b/bin/tests/system/nsupdate/krb/setup.sh 
@@ -0,0 +1,113 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -x + +PWD=`pwd` + +KRB5_CONFIG="${PWD}/krb5.conf" +export KRB5_CONFIG + +KRB5_KDC_PROFILE=${PWD}/krb5kdc +export KRB5_KDC_PROFILE + +now=`date +%s` +lifetime=`expr 2147483647 - $now` +lifetime=`expr $lifetime / 3600 / 24 - 30` + +cat << EOF > "${KRB5_CONFIG}" +[libdefaults] + default_realm = EXAMPLE.COM + dns_lookup_kdc = false + # Depending on what you are testing, you may want something like: + # default_keytab_name = FILE:/usr/local/var/keytab +[realms] + EXAMPLE.COM = { + admin_server = 127.0.0.1:50001 + kdc = 127.0.0.1:50000 + database_module = DB2 + kdc_ports = 50000 + kadmind_port = 50001 + } +[dbmodules] + DB2 = { + db_library = db2 + } +[logging] + # Use any pathnames you want here. 
+ kdc = FILE:${PWD}/kdc.log + admin_server = FILE:${PWD}/kadmin.log +# Depending on what you are testing, you may want: +# [domain_realm] +# your.domain = EXAMPLE.COM +EOF + +rm -rf ${KRB5_KDC_PROFILE} +mkdir -p ${KRB5_KDC_PROFILE} +chmod 700 ${KRB5_KDC_PROFILE} + +cat << EOF > "${KRB5_KDC_PROFILE}"/kdc.conf +[kdcdefaults] + kdc_ports = 50000 + kdc_tcp_ports = 50000 + +[realms] + EXAMPLE.COM = { + key_stash_file = ${KRB5_KDC_PROFILE}/.k5.EXAMPLE.COM + database_module = EXAMPLE.COM + max_life = ${lifetime}d +} + +[dbmodules] + EXAMPLE.COM = { + db_library = db2 + database_name = ${KRB5_KDC_PROFILE}/principal + } +EOF + +kdb5_util create -s <O5N5%(>Y|AuI@VWi<=l3 z4I2M}6bUT^5{!!)Ke9BwJN)>8Ya&lXO>ke(`sHmUk6U)P%Fhh!o#|L`t1`gs`Q#=c z&58w5?Sk`X?^K&JV-vS<#prNS(>aPgN$Z3BzM=5?%UTp6z( zu5~-w`PcEZ+v*EvvStg!)y}r>(2Bmf@#fkWLcJL_9ma`M0z`7GKP@?W_2lmZzY7_C zSJ(WU6a3G0>#XIWrH`Gt?#cPdM}=Sg#`5&mTmuQe`%5DhnyGH*kUDd}K+e-K^39W# zJEq#tt}L&8u>5C!GH=_TN7hCQCUN&Am-T5#eJb02XMNy4PN|BO4S7};#%qn%o&3H+ zi^o3X`SHKd03{*~fK)OAF;9f9v!k7_yq%H1oDav z4fIkg5_1c3QuUJaa~Z&ivfj+8=XRp?1B06B&Sl%8wEymljeZo{+gtr}-rN8I^L9w0 z6n}w8l$^*8XN(3W%5Y$!491!$l?)U>;*1L=4aB8E4w1%i1~6HQ1N95T(DUsU!uYT2*#pJd4`R(yy zYpZ-$!uRc3x}$UG!!_=FK6Y9c9fajWmX`k&dY7sAgMU`{^?enye*F#kSN8YWgJlo7 zMVGQN3mBcdc6MXmy1=%@tUl6hd0#?qtNYI{3qIz$_xLH53xYfvDestE&)&+3chi#QwwmUc?v%}n!Jj;W(n*ULVENgk7*=n|`@|T+T>s>(;=bth1DLvy6 RX(5*T%$cpCM?MY|&;V&TiLn3x literal 0 HcmV?d00001 diff --git a/bin/tests/system/nsupdate/ns10/named.conf.in b/bin/tests/system/nsupdate/ns10/named.conf.in new file mode 100644 index 0000000000..44b207a077 --- /dev/null +++ b/bin/tests/system/nsupdate/ns10/named.conf.in 
@@ -0,0 +1,48 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.10; + notify-source 10.53.0.10; + transfer-source 10.53.0.10; + port @PORT@; + pid-file "named.pid"; + session-keyfile "session.key"; + listen-on { 10.53.0.10; }; + recursion no; + notify yes; + minimal-responses no; + tkey-gssapi-keytab "dns.keytab"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.10 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "in-addr.arpa" { + type master; + file "in-addr.db"; + update-policy { grant EXAMPLE.COM ms-subdomain . PTR; }; +}; + +zone "example.com" { + type master; + file "example.com.db"; + update-policy { + grant EXAMPLE.COM ms-selfsub . ANY; + grant EXAMPLE.COM ms-subdomain _tcp.example.com SRV; + }; +}; 
diff --git a/bin/tests/system/nsupdate/ns7/dns.keytab b/bin/tests/system/nsupdate/ns7/dns.keytab new file mode 100644 index 0000000000000000000000000000000000000000..08d5ef46f287d6ef7ef96ff7d29372ff1c652930 GIT binary patch literal 166 zcmZQ&VqjnhV_;(7c8zfK4e)W*bN2UTV0Q5fX5h~&HrGq7NX#wBN!3fv&jl)EjGiRA zpNT<;K_O(l<-vbKKlSKD}aQ$^Jd!TwCaD-40k})i?i808aiP3KXGZQ20LSAWPD;6mj z$brO}7K$5)N<*E2qGE9qqXb3ty!-YPuWrS4b~E!t z(E$53YTu84duYn_qNBcdNyw?2_m*;NnEw2E)I{Kl^2@l2psSinw-kgAdKadZ+?6_- zF5Sbm+UwMv>f>1^RrZ=CUz2`*zR0cpOONyaSE)PYtFJBHxb>r%YaaI=w@s_q&tJc~ zEBD=nkN+0L2)=x{tZU|+rri--!C}158&<@>=9(^e`MgZm38!;QnT-D-4{mJ9tiR#WzU4xDZP^>IzYlkb+&mDa{RtYzA*BTIT@JZQsa~J^U~r|5=#<+5?pDC#U=5HWr>+N zK%N{Vx#%M$SO+9FPz4cyxiYmFs*F5O;LyeF;uj1wmp`xA93{(u6Z7<2e2*fS_I!Kh zEA!S!=P1V;^VIg@6CM61-g>Mldt*=oNzCHU5s8@-*(;3Mz{H#mOpeJ|6SJa$JV=~z zp@e~$G{_y&=&k^!W(}Zr6?kf90;Xm$mL^7_3;Q!FYA>#PT=YiakH+iE47)i`pN`0@ zd;j(NyzhyN47zG3$4rvll~pxADC-v+h(v=Au=sX}7j&Ut08b{=TNSHzfspeG^Py^zFIS zz4-maA7z;;D!-MF{@(xWt;38tmrNfo)aMbEf3=+{;QoahRX0|f9h}T?=yrGDZN^<8 zuQrH&e|C}Mfys$A5AX4A%1O@sc-Lggl3$NSYd6MsmDQg9aqH7tW98jvCpb-cG2ypl z)9t$}zujH`b}8ot{rS2J4w&riZ|^vka^i0B|L5Ctx3WAvS@qJp?vL1=Gbz&N4wb0> QS$*a8+Zh3x)u4a}0L~5ADgXcg literal 0 HcmV?d00001 diff --git a/bin/tests/system/nsupdate/ns7/named.conf.in b/bin/tests/system/nsupdate/ns7/named.conf.in new file mode 100644 index 0000000000..f0ef6d3655 --- /dev/null +++ b/bin/tests/system/nsupdate/ns7/named.conf.in 
@@ -0,0 +1,48 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.7; + notify-source 10.53.0.7; + transfer-source 10.53.0.7; + port @PORT@; + pid-file "named.pid"; + session-keyfile "session.key"; + listen-on { 10.53.0.7; }; + recursion no; + notify yes; + minimal-responses no; + tkey-gssapi-keytab "dns.keytab"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "in-addr.arpa" { + type master; + file "in-addr.db"; + update-policy { grant EXAMPLE.COM krb5-subdomain . PTR; }; +}; + +zone "example.com" { + type master; + file "example.com.db"; + update-policy { + grant EXAMPLE.COM krb5-self . ANY; + grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV; + }; +}; diff --git a/bin/tests/system/nsupdate/ns8/dns.keytab b/bin/tests/system/nsupdate/ns8/dns.keytab new file mode 100644 index 0000000000000000000000000000000000000000..33400498c9354a521ca2a5e2e4e45a17a761dcd8 GIT binary patch literal 166 zcmZQ&VqjnhV_;(7c8zfK4e)W*bN2UTV0Q5fX5h~&w$MwhNX#wBN!3fv&jl)EjGiRA zpNT<;K|%aQswz{(P6r*8pVqS$%-z-+JFjD2+Z3ghaTjdLDzcP-ia{p3k!Z3YgTR|< VML*B+q&nOUVBT7vaC{TUBmhV3FCqW{ literal 0 HcmV?d00001 diff --git a/bin/tests/system/nsupdate/ns8/example.com.db.in b/bin/tests/system/nsupdate/ns8/example.com.db.in new file mode 100644 index 0000000000..eb24766f68 --- /dev/null +++ b/bin/tests/system/nsupdate/ns8/example.com.db.in 
@@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns8.example.com. hostmaster.example.com. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns8 +ns8 A 10.53.0.8 diff --git a/bin/tests/system/nsupdate/ns8/in-addr.db.in b/bin/tests/system/nsupdate/ns8/in-addr.db.in new file mode 100644 index 0000000000..eb24766f68 --- /dev/null +++ b/bin/tests/system/nsupdate/ns8/in-addr.db.in @@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns8.example.com. hostmaster.example.com. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns8 +ns8 A 10.53.0.8 
diff --git a/bin/tests/system/nsupdate/ns8/machine.ccache b/bin/tests/system/nsupdate/ns8/machine.ccache new file mode 100644 index 0000000000000000000000000000000000000000..6e75afff54be327f5f210fac629d84927715a73b GIT binary patch literal 1327 zcmZQ&Vc=n4WZ+;x07f8_35dB}BOHALd|dUM{e6L4mW=%35+E&{o0y!DnU|`UT9KGr zkdvyHoSzF6CQld09xQgTWfvutq=RfjafA?1KtZy$P4BW8&k4rnOZqa2vZC3V+i$*B z(`%mI`TY><-vbKKlSKD}aQ$^Jd!TwCaD-40k})i?i808aiP3KXGZQ20LSAWPD;6mj z$brO}7K$5)N<*E2qGE9qqXb3ty!-YPuWrS4b~E!t z(E$53YTu84duYn_qNBcdNyw?2_m*;NnEw2E)I{Kl^2@l2psSinw-kgAdKadZ+?6_- zF5Sbm+UwMv>f>1^RrZ=CUz2`*zR0cpOONyaSE)PYtFJBHxb>r%YaaI=w@s_q&tJc~ zEBD=nkN+0L2)=x{tZU|+rri--!C}158&<@>=9(^e`MgZm38!;QnT-D-4{mJ9tiR#WzU4xDZP^>IzYlkb+&mDa{RtYzA*BTIT@JZQsa~J^U~r|5=#<+5?pDC#U=5HWr>+N zK%N{Vx#%M$SO+9FPz4cyxiYmFs*F5O;LyeF;uj1wmp`xA0wv3U6SF{xy_UX2-rt#F z(W~W;*<8-t{Zr;<`{PfFx<)>N1#F)JF#gTxsZ zN*IVqgWMsF?h0UP)&Oc(fv09BU}_d)X<`%#oNg>`ucgqEo$i%u{bcvrvPF0I+y2$A zWRaUApWXGaxr*7$%=z{949c{f;YdUaPif(#n!cD}qAB z(lS{O5N5%(>Y|AuI@VWi<=l3 z4I2M}6bUT^5{!!)Ke9BwJN)>8Ya&lXO>ke(`sHmUk6U)P%Fhh!o#|L`t1`gs`Q#=c z&58w5?Sk`X?^K&JV-vS<#prNS(>aPgN$Z3BzM=5?%UTp6z( zu5~-w`PcEZ+v*EvvStg!)y}r>(2Bmf@#fkWLcJL_9ma`M0z`7GKP@?W_2lmZzY7_C zSJ(WU6a3G0>#XIWrH`Gt?#cPdM}=Sg#`5&mTmuQe`%5DhnyGH*kUDd}K+e-K^39W# zJEq#tt}L&8u>5C!GH=_TN7hCQCUN&Am-T5#eJb02XMNy4PN|BO4S7};#%qn%o&3H+ zi^o3X`SHKd03{*~fK)OAF;9f9v!k7_yq%H`16V_ z^-?Pma|?1(^^)^*8Ng{W8HEDW~@3V)C5VB z;x71U>0BkF$vS&Uj+Ov561nGG$(U z+dD7M*jdtL-nz3Z7VP|~%e%qP_@u`CUmMi!y-yOVFkSll4ujd=p8q@Q6_wsNRXNn{ z-_m~5^XG;B8%I0~wtX*U3Ttp#@NLzuzb5a?*Nd)dlvLI;m|OABO#Y;)$)0Y5%@QAX zavZ-pRcFOrndxh1#ywj#;oq&mnS~1R5 zH)_Rvk|Rx*IvzJEVS9LN(Toi&kAljN@XhYa`(*U}$or6o#}2*UD&w^)KGP%N-`u38 VuR^Pj3p-{$W6e}rZzu~2X8 dig.out.ns3.$n @@ -663,7 +678,7 @@ n=`expr $n + 1` ret=0 echo_i "check command list ($n)" ( -while read cmd +while read cmd do echo "$cmd" | $NSUPDATE > /dev/null 2>&1 if test $? -gt 1 ; then 
@@ -1002,6 +1017,225 @@ grep "UPDATE, status: NOERROR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
 grep "UPDATE, status: FORMERR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
+if $FEATURETEST --gssapi ; then
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check krb5-self match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns7/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.7 ${PORT}
+ zone example.com
+ update add machine.example.com 3600 IN A 10.53.0.7
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.7 machine.example.com A > dig.out.ns7.test$n
+ grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1
+ grep "machine.example.com..*A.*10.53.0.7" dig.out.ns7.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check krb5-self no-match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns7/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.7 ${PORT}
+ zone example.com
+ update add foo.example.com 3600 IN A 10.53.0.7
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.7 foo.example.com A > dig.out.ns7.test$n
+ grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check krb5-subdomain match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns7/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.7 ${PORT}
+ zone example.com
+ update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._tcp.example.com SRV > dig.out.ns7.test$n
+ grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1
+ grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns7.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check krb5-subdomain no-match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns7/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.7 ${PORT}
+ zone example.com
+ update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._udp.example.com SRV > dig.out.ns7.test$n
+ grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check krb5-selfsub match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns8/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.8 ${PORT}
+ zone example.com
+ update add xxx.machine.example.com 3600 IN A 10.53.0.8
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.8 xxx.machine.example.com A > dig.out.ns8.test$n
+ grep "status: NOERROR" dig.out.ns8.test$n > /dev/null || ret=1
+ grep "xxx.machine.example.com..*A.*10.53.0.8" dig.out.ns8.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check krb5-selfsub no-match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns8/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.8 ${PORT}
+ zone example.com
+ update add foo.example.com 3600 IN A 10.53.0.8
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.8 foo.example.com A > dig.out.ns8.test$n
+ grep "status: NXDOMAIN" dig.out.ns8.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+
+ echo_i "check ms-self match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns9/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.9 ${PORT}
+ zone example.com
+ update add machine.example.com 3600 IN A 10.53.0.9
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.9 machine.example.com A > dig.out.ns9.test$n
+ grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1
+ grep "machine.example.com..*A.*10.53.0.9" dig.out.ns9.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check ms-self no-match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns9/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.9 ${PORT}
+ zone example.com
+ update add foo.example.com 3600 IN A 10.53.0.9
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.9 foo.example.com A > dig.out.ns9.test$n
+ grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check ms-subdomain match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns9/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.9 ${PORT}
+ zone example.com
+ update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._tcp.example.com SRV > dig.out.ns9.test$n
+ grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1
+ grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns9.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check ms-subdomain no-match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns9/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.9 ${PORT}
+ zone example.com
+ update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._udp.example.com SRV > dig.out.ns9.test$n
+ grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check ms-selfsub match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns10/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.10 ${PORT}
+ zone example.com
+ update add xxx.machine.example.com 3600 IN A 10.53.0.10
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.10 xxx.machine.example.com A > dig.out.ns10.test$n
+ grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1
+ grep "xxx.machine.example.com..*A.*10.53.0.10" dig.out.ns10.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check ms-selfsub no-match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns10/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.10 ${PORT}
+ zone example.com
+ update add foo.example.com 3600 IN A 10.53.0.10
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.10 foo.example.com A > dig.out.ns10.test$n
+ grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+fi
 #
 # Add client library tests here
 #
From d1f8e116dbd4a4c627883be07e5c8a65967ae2dc Mon Sep 17 00:00:00 2001
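Review bot: The krb5-selfsub and ms-selfsub match cases (ns8 and ns10) only exercise a name strictly below the machine name, `xxx.machine.example.com`, whereas the release note later in this series describes the rule as covering names at or below the machine name; a positive case for `machine.example.com` itself and a negative case for another machine's subtree (e.g. `xxx.other.example.com`, a constructed name) would pin both edges of the authorization boundary these rule types introduce. `KRB5CCNAME` is exported inside the `if $FEATURETEST --gssapi` block and never cleared, so the ns10 credential cache setting presumably stays in the environment for every later test in the script; an `unset KRB5CCNAME` before `fi` keeps the GSS-TSIG cases self-contained. The `-d` debug flag is passed to `$NSUPDATE` only in the subdomain and selfsub match cases, so the captured nsupdate.out-$n files differ in verbosity for no stated reason; apply it uniformly or drop it.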
From: Mark Andrews Date: Mon, 10 Sep 2018 09:52:36 +1000 Subject: [PATCH 5/8] add more missing name in update rule checks
---
.../system/checkconf/bad-update-policy10.conf | 18 ++++++++++++++++++ .../system/checkconf/bad-update-policy11.conf | 18 ++++++++++++++++++ .../system/checkconf/bad-update-policy12.conf | 18 ++++++++++++++++++ .../system/checkconf/bad-update-policy13.conf | 18 ++++++++++++++++++ .../system/checkconf/bad-update-policy14.conf | 18 ++++++++++++++++++ .../system/checkconf/bad-update-policy15.conf | 18 ++++++++++++++++++ bin/tests/system/checkconf/tests.sh | 4 ++-- 7 files changed, 110 insertions(+), 2 deletions(-) create mode 100644 bin/tests/system/checkconf/bad-update-policy10.conf create mode 100644 bin/tests/system/checkconf/bad-update-policy11.conf create mode 100644 bin/tests/system/checkconf/bad-update-policy12.conf create mode 100644 bin/tests/system/checkconf/bad-update-policy13.conf create mode 100644 bin/tests/system/checkconf/bad-update-policy14.conf create mode 100644 bin/tests/system/checkconf/bad-update-policy15.conf
diff --git a/bin/tests/system/checkconf/bad-update-policy10.conf b/bin/tests/system/checkconf/bad-update-policy10.conf
new file mode 100644
index 0000000000..8c9a4adebf
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy10.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * krb5-selfsub TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy11.conf b/bin/tests/system/checkconf/bad-update-policy11.conf
new file mode 100644
index 0000000000..6f81c31017
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy11.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * ms-selfsub TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy12.conf b/bin/tests/system/checkconf/bad-update-policy12.conf
new file mode 100644
index 0000000000..c636f1bf65
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy12.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * external TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy13.conf b/bin/tests/system/checkconf/bad-update-policy13.conf
new file mode 100644
index 0000000000..4fb16f204a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy13.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant a-key-name name TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy14.conf b/bin/tests/system/checkconf/bad-update-policy14.conf
new file mode 100644
index 0000000000..1498180d45
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy14.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant a-key-name subdomain TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy15.conf b/bin/tests/system/checkconf/bad-update-policy15.conf
new file mode 100644
index 0000000000..7591b0b36c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy15.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant a-key-name wildcard TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index e245f9e2e5..e54bbc3892 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -54,11 +54,11 @@ do
 pat="identity and name fields are not the same"
 grep "$pat" checkconf.out > /dev/null || ret=1
 ;;
- bad-update-policy[4589].conf)
+ bad-update-policy[4589].conf|bad-update-policy1[01].conf)
 pat="name field not set to placeholder value"
 grep "$pat" checkconf.out > /dev/null || ret=1
 ;;
- bad-update-policy[67].conf)
+ bad-update-policy[67].conf|bad-update-policy1[2345].conf)
 pat="missing name field type '.*' found"
 grep "$pat" checkconf.out > /dev/null || ret=1
 ;;
From 4aa6a118de2d80bd0494fb8194fbd5a860f76ead Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 6 Sep 2018 19:40:01 +1000 Subject: [PATCH 6/8] update util/copyrights
---
util/copyrights | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+)
diff --git a/util/copyrights b/util/copyrights
index af34305ccb..db49160399 100644
--- a/util/copyrights
+++ b/util/copyrights
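Review bot: The two widened case patterns in tests.sh (`bad-update-policy1[01].conf` and `bad-update-policy1[2345].conf`) enumerate fixture numbers by hand, and from the visible arms the `case` appears to have no default, so a future bad-update-policy fixture that is not added to one of these patterns would presumably pass as long as named-checkconf exits non-zero, without confirming which diagnostic fired. A `*)` arm along the lines of `echo_i "no expected-message pattern for $bad"; ret=1` would close that gap, using whatever variable names the loop actually binds. The enclosing `case` statement and its loop begin and end outside this hunk.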
@@ -1587,12 +1587,18 @@
 ./bin/tests/system/nsupdate/knowngood.ns1.after X 2000,2001,2003,2004,2009,2018
 ./bin/tests/system/nsupdate/knowngood.ns1.afterstop X 2001,2004,2018
 ./bin/tests/system/nsupdate/knowngood.ns1.before X 2000,2001,2003,2004,2009,2018
+./bin/tests/system/nsupdate/krb/setup.sh SH 2018
 ./bin/tests/system/nsupdate/ns1/example1.db ZONE 2000,2001,2002,2004,2007,2009,2016,2018
 ./bin/tests/system/nsupdate/ns1/many.test.db.in ZONE 2014,2016,2017,2018
 ./bin/tests/system/nsupdate/ns1/max-ttl.db ZONE 2014,2016,2018
 ./bin/tests/system/nsupdate/ns1/maxjournal.db.in ZONE 2017,2018
 ./bin/tests/system/nsupdate/ns1/named.conf.in CONF-C 2000,2001,2004,2005,2007,2009,2011,2012,2013,2014,2016,2017,2018
 ./bin/tests/system/nsupdate/ns1/sample.db.in ZONE 2016,2018
+./bin/tests/system/nsupdate/ns10/dns.keytab X 2018
+./bin/tests/system/nsupdate/ns10/example.com.db.in ZONE 2018
+./bin/tests/system/nsupdate/ns10/in-addr.db.in ZONE 2018
+./bin/tests/system/nsupdate/ns10/machine.ccache X 2018
+./bin/tests/system/nsupdate/ns10/named.conf.in CONF-C 2018
 ./bin/tests/system/nsupdate/ns2/named.conf.in CONF-C 2000,2001,2004,2007,2011,2013,2016,2017,2018
 ./bin/tests/system/nsupdate/ns2/sample.db.in ZONE 2016,2018
 ./bin/tests/system/nsupdate/ns3/delegation.test.db.in ZONE 2016,2018
@@ -1608,6 +1614,21 @@
 ./bin/tests/system/nsupdate/ns6/in-addr.db.in ZONE 2018
 ./bin/tests/system/nsupdate/ns6/named.args X 2018
 ./bin/tests/system/nsupdate/ns6/named.conf.in CONF-C 2018
+./bin/tests/system/nsupdate/ns7/dns.keytab X 2018
+./bin/tests/system/nsupdate/ns7/example.com.db.in ZONE 2018
+./bin/tests/system/nsupdate/ns7/in-addr.db.in ZONE 2018
+./bin/tests/system/nsupdate/ns7/machine.ccache X 2018
+./bin/tests/system/nsupdate/ns7/named.conf.in CONF-C 2018
+./bin/tests/system/nsupdate/ns8/dns.keytab X 2018
+./bin/tests/system/nsupdate/ns8/example.com.db.in ZONE 2018
+./bin/tests/system/nsupdate/ns8/in-addr.db.in ZONE 2018
+./bin/tests/system/nsupdate/ns8/machine.ccache X 2018
+./bin/tests/system/nsupdate/ns8/named.conf.in CONF-C 2018
+./bin/tests/system/nsupdate/ns9/dns.keytab X 2018
+./bin/tests/system/nsupdate/ns9/example.com.db.in ZONE 2018
+./bin/tests/system/nsupdate/ns9/in-addr.db.in ZONE 2018
+./bin/tests/system/nsupdate/ns9/machine.ccache X 2018
+./bin/tests/system/nsupdate/ns9/named.conf.in CONF-C 2018
 ./bin/tests/system/nsupdate/prereq.sh SH 2014,2015,2016,2018
 ./bin/tests/system/nsupdate/setup.sh SH 2000,2001,2004,2007,2009,2010,2011,2012,2014,2016,2017,2018
 ./bin/tests/system/nsupdate/tests.sh SH 2000,2001,2004,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
From 77a0fadfce41dc3eaccb31ffe02330c4fa8afca0 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 10 Sep 2018 09:54:26 +1000 Subject: [PATCH 7/8] fixup
---
util/copyrights | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/util/copyrights b/util/copyrights
index db49160399..489c688e9e 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -620,6 +620,12 @@
 ./bin/tests/system/checkconf/bad-sig-validity.conf CONF-C 2018
 ./bin/tests/system/checkconf/bad-tsig.conf CONF-C 2012,2013,2016,2018
 ./bin/tests/system/checkconf/bad-update-policy1.conf CONF-C 2018
+./bin/tests/system/checkconf/bad-update-policy10.conf CONF-C 2018
+./bin/tests/system/checkconf/bad-update-policy11.conf CONF-C 2018
+./bin/tests/system/checkconf/bad-update-policy12.conf CONF-C 2018
+./bin/tests/system/checkconf/bad-update-policy13.conf CONF-C 2018
+./bin/tests/system/checkconf/bad-update-policy14.conf CONF-C 2018
+./bin/tests/system/checkconf/bad-update-policy15.conf CONF-C 2018
 ./bin/tests/system/checkconf/bad-update-policy2.conf CONF-C 2018
 ./bin/tests/system/checkconf/bad-update-policy3.conf CONF-C 2018
 ./bin/tests/system/checkconf/bad-update-policy4.conf CONF-C 2018
From f924c89f97ab819f7b6ba455db1a1d89596a66f9 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 10 Sep 2018 09:09:47 +1000 Subject: [PATCH 8/8] add CHANGES and release notes documentation
---
CHANGES | 3 +++ doc/arm/notes.xml | 9 +++++++++ 2 files changed, 12 insertions(+)
diff --git a/CHANGES b/CHANGES
index 9c714bd809..d34243d064 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5032. [func] Add krb5-selfsub and ms-selfsub update policy rules.
+ [GL #511]
+
 5031. [cleanup] Various defines in platform.h has been either dropped if always or never triggered on supported platforms or replaced with config.h equivalents if the defines
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 3e7fdc40e8..96d6c2a900 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -198,6 +198,15 @@ them. [GL #237] + + + Two new update policy rule types have been added + krb5-selfsub and ms-selfsub + which allow machines with Kerberos principals to update + the name space at or below the machine names identified + in the respective principals. + +