Merge branch '511-add-ms-selfsub-and-krb5-selfsub' into 'master'

Resolve "add ms-selfsub and krb5-selfsub"

Closes #511

See merge request isc-projects/bind9!732

CHANGES

@@ -1,3 +1,6 @@
+5032.	[func]		Add krb5-selfsub and ms-selfsub update policy rules.
+			[GL #511]
+
 5031.	[cleanup]	Various defines in platform.h has been either dropped
 			if always or never triggered on supported platforms
 			or replaced with config.h equivalents if the defines

bin/tests/system/checkconf/bad-update-policy10.conf

@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * krb5-selfsub TXT;
+	};
+};

bin/tests/system/checkconf/bad-update-policy11.conf

@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * ms-selfsub TXT;
+	};
+};

bin/tests/system/checkconf/bad-update-policy12.conf

@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * external TXT;
+	};
+};

bin/tests/system/checkconf/bad-update-policy13.conf

@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant a-key-name name TXT;
+	};
+};

bin/tests/system/checkconf/bad-update-policy14.conf

@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant a-key-name subdomain TXT;
+	};
+};

bin/tests/system/checkconf/bad-update-policy15.conf

@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant a-key-name wildcard TXT;
+	};
+};

bin/tests/system/checkconf/tests.sh

@@ -54,10 +54,14 @@ do
 	pat="identity and name fields are not the same"
 	grep "$pat" checkconf.out > /dev/null || ret=1
 	;;
-    bad-update-policy*.conf)
+    bad-update-policy[4589].conf|bad-update-policy1[01].conf)
 	pat="name field not set to placeholder value"
 	grep "$pat" checkconf.out > /dev/null || ret=1
 	;;
+    bad-update-policy[67].conf|bad-update-policy1[2345].conf)
+	pat="missing name field type '.*' found"
+	grep "$pat" checkconf.out > /dev/null || ret=1
+	;;
     esac
     if [ $ret != 0 ]; then echo_i "failed"; fi
     status=`expr $status + $ret`

bin/tests/system/nsupdate/clean.sh

@@ -40,6 +40,18 @@ rm -f ns3/nsec3param.test.db
 rm -f ns3/too-big.test.db
 rm -f ns5/local.db
 rm -f ns6/in-addr.db
+rm -f ns7/in-addr.db
+rm -f ns7/example.com.db
+rm -f ns7/_default.tsigkeys
+rm -f ns8/in-addr.db
+rm -f ns8/example.com.db
+rm -f ns8/_default.tsigkeys
+rm -f ns9/in-addr.db
+rm -f ns9/example.com.db
+rm -f ns9/_default.tsigkeys
+rm -f ns10/example.com.db
+rm -f ns10/in-addr.db
+rm -f ns10/_default.tsigkeys
 rm -f nsupdate.out*
 rm -f typelist.out.*
 rm -f ns1/sample.db

bin/tests/system/nsupdate/krb/setup.sh

@@ -0,0 +1,113 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -x
+
+PWD=`pwd`
+
+KRB5_CONFIG="${PWD}/krb5.conf"
+export KRB5_CONFIG
+
+KRB5_KDC_PROFILE=${PWD}/krb5kdc
+export KRB5_KDC_PROFILE
+
+now=`date +%s`
+lifetime=`expr 2147483647 - $now`
+lifetime=`expr $lifetime / 3600 / 24 - 30`
+
+cat << EOF > "${KRB5_CONFIG}"
+[libdefaults]
+   default_realm = EXAMPLE.COM
+   dns_lookup_kdc = false
+   # Depending on what you are testing, you may want something like:
+   # default_keytab_name = FILE:/usr/local/var/keytab
+[realms]
+   EXAMPLE.COM = {
+     admin_server = 127.0.0.1:50001
+     kdc = 127.0.0.1:50000
+     database_module = DB2
+     kdc_ports = 50000
+     kadmind_port = 50001
+   }
+[dbmodules]
+   DB2 = {
+     db_library = db2
+   }
+[logging]
+   # Use any pathnames you want here.
+   kdc = FILE:${PWD}/kdc.log
+   admin_server = FILE:${PWD}/kadmin.log
+# Depending on what you are testing, you may want:
+# [domain_realm]
+#   your.domain = EXAMPLE.COM
+EOF
+
+rm -rf ${KRB5_KDC_PROFILE}
+mkdir -p ${KRB5_KDC_PROFILE}
+chmod 700 ${KRB5_KDC_PROFILE}
+
+cat << EOF > "${KRB5_KDC_PROFILE}"/kdc.conf
+[kdcdefaults]
+  kdc_ports = 50000
+  kdc_tcp_ports = 50000
+
+[realms]
+  EXAMPLE.COM = {
+    key_stash_file = ${KRB5_KDC_PROFILE}/.k5.EXAMPLE.COM
+    database_module = EXAMPLE.COM
+    max_life = ${lifetime}d
+}
+
+[dbmodules]
+  EXAMPLE.COM = {
+    db_library = db2
+    database_name = ${KRB5_KDC_PROFILE}/principal
+  }
+EOF
+
+kdb5_util create -s <<EOF
+master
+master
+EOF
+
+krb5kdc -n &
+krb5kdcpid=$!
+#trap "kill $krb5kdcpid; wait; trap 0; exit" 0 15
+
+
+kadmin.local addprinc -maxlife ${lifetime}d -randkey DNS/ns7.example.com@EXAMPLE.COM
+kadmin.local addprinc -maxlife ${lifetime}d -randkey DNS/ns8.example.com@EXAMPLE.COM
+kadmin.local addprinc -maxlife ${lifetime}d -randkey host/machine.example.com@EXAMPLE.COM
+
+kadmin.local ktadd -k ns7-server.keytab DNS/ns7.example.com@EXAMPLE.COM
+kadmin.local ktadd -k ns8-server.keytab DNS/ns8.example.com@EXAMPLE.COM
+kadmin.local ktadd -k krb5-machine.keytab host/machine.example.com@EXAMPLE.COM
+
+kadmin.local addprinc -maxlife ${lifetime}d -randkey 'DNS/ns9.example.com@EXAMPLE.COM'
+kadmin.local addprinc -maxlife ${lifetime}d -randkey 'DNS/ns10.example.com@EXAMPLE.COM'
+kadmin.local addprinc -maxlife ${lifetime}d -randkey 'machine$@EXAMPLE.COM'
+
+kadmin.local ktadd -k ns9-server.keytab 'DNS/ns9.example.com@EXAMPLE.COM'
+kadmin.local ktadd -k ns10-server.keytab 'DNS/ns10.example.com@EXAMPLE.COM'
+kadmin.local ktadd -k ms-machine.keytab 'machine$@EXAMPLE.COM'
+
+kinit -V -k -t krb5-machine.keytab -l ${lifetime}d -c krb5-machine.ccache host/machine.example.com@EXAMPLE.COM
+kinit -V -k -t ms-machine.keytab -l ${lifetime}d -c ms-machine.ccache 'machine$@EXAMPLE.COM'
+
+cp ns7-server.keytab ../ns7/dns.keytab
+cp ns8-server.keytab ../ns8/dns.keytab
+cp ns9-server.keytab ../ns9/dns.keytab
+cp ns10-server.keytab ../ns10/dns.keytab
+
+cp krb5-machine.ccache ../ns7/machine.ccache
+cp krb5-machine.ccache ../ns8/machine.ccache
+cp ms-machine.ccache ../ns9/machine.ccache
+cp ms-machine.ccache ../ns10/machine.ccache
+
+echo krb5kdc pid:$krb5kdcpid

bin/tests/system/nsupdate/ns10/example.com.db.in

@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns10.example.com. hostmaster.example.com. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns10
+ns10			A	10.53.0.10

bin/tests/system/nsupdate/ns10/in-addr.db.in

@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns10.example.com. hostmaster.example.com. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns10
+ns10			A	10.53.0.10

bin/tests/system/nsupdate/ns10/named.conf.in

@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.10;
+	notify-source 10.53.0.10;
+	transfer-source 10.53.0.10;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.10; };
+	recursion no;
+	notify yes;
+	minimal-responses no;
+	tkey-gssapi-keytab "dns.keytab";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.10 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+	type master;
+	file "in-addr.db";
+	update-policy {	grant EXAMPLE.COM ms-subdomain . PTR; };
+};
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant EXAMPLE.COM ms-selfsub . ANY;
+		grant EXAMPLE.COM ms-subdomain _tcp.example.com SRV;
+	};
+};

bin/tests/system/nsupdate/ns7/example.com.db.in

@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns7.example.com. hostmaster.example.com. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns7
+ns7			A	10.53.0.7

bin/tests/system/nsupdate/ns7/in-addr.db.in

@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns7.example.com. hostmaster.example.com. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns7
+ns7			A	10.53.0.7

bin/tests/system/nsupdate/ns7/named.conf.in

@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.7; };
+	recursion no;
+	notify yes;
+	minimal-responses no;
+	tkey-gssapi-keytab "dns.keytab";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+	type master;
+	file "in-addr.db";
+	update-policy {	grant EXAMPLE.COM krb5-subdomain . PTR; };
+};
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant EXAMPLE.COM krb5-self . ANY;
+		grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV;
+	};
+};

bin/tests/system/nsupdate/ns8/example.com.db.in

@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns8.example.com. hostmaster.example.com. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns8
+ns8			A	10.53.0.8

bin/tests/system/nsupdate/ns8/in-addr.db.in

@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns8.example.com. hostmaster.example.com. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns8
+ns8			A	10.53.0.8

bin/tests/system/nsupdate/ns8/named.conf.in

@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.8;
+	notify-source 10.53.0.8;
+	transfer-source 10.53.0.8;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.8; };
+	recursion no;
+	notify yes;
+	minimal-responses no;
+	tkey-gssapi-keytab "dns.keytab";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+	type master;
+	file "in-addr.db";
+	update-policy {	grant EXAMPLE.COM krb5-subdomain . PTR; };
+};
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant EXAMPLE.COM krb5-selfsub . ANY;
+		grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV;
+	};
+};

bin/tests/system/nsupdate/ns9/example.com.db.in

@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns9.example.com. hostmaster.example.com. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns9
+ns9			A	10.53.0.9

bin/tests/system/nsupdate/ns9/in-addr.db.in

@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns9.example.com. hostmaster.example.com. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns9
+ns9			A	10.53.0.9

bin/tests/system/nsupdate/ns9/named.conf.in

@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.9; };
+	recursion no;
+	notify yes;
+	minimal-responses no;
+	tkey-gssapi-keytab "dns.keytab";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+	type master;
+	file "in-addr.db";
+	update-policy {	grant EXAMPLE.COM ms-subdomain . PTR; };
+};
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant EXAMPLE.COM ms-self . ANY;
+		grant EXAMPLE.COM ms-subdomain _tcp.example.com SRV;
+	};
+};

bin/tests/system/nsupdate/setup.sh

@@ -18,6 +18,10 @@ copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
 
 copy_setports verylarge.in verylarge
 
@@ -77,3 +81,11 @@ rm -f ns1/maxjournal.db.jnl
 
 cp -f ns5/local.db.in ns5/local.db
 cp -f ns6/in-addr.db.in ns6/in-addr.db
+cp -f ns7/in-addr.db.in ns7/in-addr.db
+cp -f ns7/example.com.db.in ns7/example.com.db
+cp -f ns8/in-addr.db.in ns8/in-addr.db
+cp -f ns8/example.com.db.in ns8/example.com.db
+cp -f ns9/in-addr.db.in ns9/in-addr.db
+cp -f ns9/example.com.db.in ns9/example.com.db
+cp -f ns10/in-addr.db.in ns10/in-addr.db
+cp -f ns10/example.com.db.in ns10/example.com.db

bin/tests/system/nsupdate/tests.sh

@@ -15,6 +15,21 @@ SYSTEMTESTTOP=..
 DIGOPTS="-p ${PORT}"
 RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
 
+#
+# Uncomment when creating credential cache files.
+#
+# KRB5_CONFIG=`pwd`/krb/krb5.conf
+#
+# Cd krb and run krb/setup.sh to create new keys.
+# Run nsupdate system test.
+# Kill the krb5kdc server started by krb/setup.sh.
+# Check the expiry date on the cached machine.ccache with klist is in 2038.
+# Comment out KRB5_CONFIG.
+# Re-run nsupdate system test to confirm everything still works.
+# git add and commit the resulting ns*/machine.ccache and ns*/dns.keytab files.
+# Clean up krb.
+#
+
 status=0
 n=0
 
@@ -322,7 +337,7 @@ $KILL -KILL `cat named.pid`
 rm named.pid
 cd ..
 sleep 10
-if 
+if
 	$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns1
 then
 	echo_i "restarted server ns1"
@@ -615,7 +630,7 @@ $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
         @10.53.0.3 dnskey | \
 	sed -n 's/\(.*\)10.IN/update add \1600 IN/p' |
 	(echo server 10.53.0.3 ${PORT}; cat - ; echo send ) |
-$NSUPDATE 
+$NSUPDATE
 
 $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
 	@10.53.0.3 any > dig.out.ns3.$n
@@ -663,7 +678,7 @@ n=`expr $n + 1`
 ret=0
 echo_i "check command list ($n)"
 (
-while read cmd 
+while read cmd
 do
     echo "$cmd" | $NSUPDATE  > /dev/null 2>&1
     if test $? -gt 1 ; then
@@ -1002,6 +1017,225 @@ grep "UPDATE, status: NOERROR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
 grep "UPDATE, status: FORMERR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+if $FEATURETEST --gssapi ; then
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check krb5-self match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns7/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.7 ${PORT}
+  zone example.com
+  update add machine.example.com 3600 IN A 10.53.0.7
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.7 machine.example.com A > dig.out.ns7.test$n
+  grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1
+  grep "machine.example.com..*A.*10.53.0.7" dig.out.ns7.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check krb5-self no-match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns7/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.7 ${PORT}
+  zone example.com
+  update add foo.example.com 3600 IN A 10.53.0.7
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.7 foo.example.com A > dig.out.ns7.test$n
+  grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check krb5-subdomain match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns7/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.7 ${PORT}
+  zone example.com
+  update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._tcp.example.com SRV > dig.out.ns7.test$n
+  grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1
+  grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns7.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check krb5-subdomain no-match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns7/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.7 ${PORT}
+  zone example.com
+  update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._udp.example.com SRV > dig.out.ns7.test$n
+  grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check krb5-selfsub match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns8/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.8 ${PORT}
+  zone example.com
+  update add xxx.machine.example.com 3600 IN A 10.53.0.8
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.8 xxx.machine.example.com A > dig.out.ns8.test$n
+  grep "status: NOERROR" dig.out.ns8.test$n > /dev/null || ret=1
+  grep "xxx.machine.example.com..*A.*10.53.0.8" dig.out.ns8.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check krb5-selfsub no-match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns8/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.8 ${PORT}
+  zone example.com
+  update add foo.example.com 3600 IN A 10.53.0.8
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.8 foo.example.com A > dig.out.ns8.test$n
+  grep "status: NXDOMAIN" dig.out.ns8.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+
+  echo_i "check ms-self match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns9/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.9 ${PORT}
+  zone example.com
+  update add machine.example.com 3600 IN A 10.53.0.9
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.9 machine.example.com A > dig.out.ns9.test$n
+  grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1
+  grep "machine.example.com..*A.*10.53.0.9" dig.out.ns9.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check ms-self no-match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns9/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.9 ${PORT}
+  zone example.com
+  update add foo.example.com 3600 IN A 10.53.0.9
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.9 foo.example.com A > dig.out.ns9.test$n
+  grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check ms-subdomain match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns9/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.9 ${PORT}
+  zone example.com
+  update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._tcp.example.com SRV > dig.out.ns9.test$n
+  grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1
+  grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns9.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check ms-subdomain no-match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns9/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.9 ${PORT}
+  zone example.com
+  update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._udp.example.com SRV > dig.out.ns9.test$n
+  grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check ms-selfsub match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns10/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.10 ${PORT}
+  zone example.com
+  update add xxx.machine.example.com 3600 IN A 10.53.0.10
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.10 xxx.machine.example.com A > dig.out.ns10.test$n
+  grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1
+  grep "xxx.machine.example.com..*A.*10.53.0.10" dig.out.ns10.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check ms-selfsub no-match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns10/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.10 ${PORT}
+  zone example.com
+  update add foo.example.com 3600 IN A 10.53.0.10
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.10 foo.example.com A > dig.out.ns10.test$n
+  grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+fi
 #
 #  Add client library tests here
 #

doc/arm/Bv9ARM-book.xml

@@ -12719,12 +12719,13 @@ example.com. NS ns2.example.net.
 	      the rules are checked for each existing record type.
 	    </para>
 	    <para>
-	      The <replaceable>ruletype</replaceable> field has 13
+	      The <replaceable>ruletype</replaceable> field has 16
 	      values:
 	      <varname>name</varname>, <varname>subdomain</varname>,
 	      <varname>wildcard</varname>, <varname>self</varname>,
 	      <varname>selfsub</varname>, <varname>selfwild</varname>,
 	      <varname>krb5-self</varname>, <varname>ms-self</varname>,
+	      <varname>krb5-selfsub</varname>, <varname>ms-selfsub</varname>,
 	      <varname>krb5-subdomain</varname>,
 	      <varname>ms-subdomain</varname>,
 	      <varname>tcp-self</varname>, <varname>6to4-self</varname>,
@@ -12883,6 +12884,20 @@ example.com. NS ns2.example.net.
 		      </para>
 		    </entry>
 		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para>
+			<varname>ms-selfsub</varname>
+		      </para>
+		    </entry> <entry colname="2">
+		      <para>
+			This is similar to <command>ms-self</command>
+			except it also allows updates to any subdomain of
+			the name specified in the Windows machine
+			principal, not just to the name itself.
+		      </para>
+		    </entry>
+		  </row>
 		  <row rowsep="0">
 		    <entry colname="1">
 		      <para>
@@ -12954,6 +12969,20 @@ example.com. NS ns2.example.net.
 		      </para>
 		    </entry>
 		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para>
+			<varname>krb5-selfsub</varname>
+		      </para>
+		    </entry> <entry colname="2">
+		      <para>
+			This is similar to <command>krb5-self</command>
+			except it also allows updates to any subdomain of
+			the name specified in the 'machine' part of the
+			Kerberos principal, not just to the name itself.
+		      </para>
+		    </entry>
+		  </row>
 		  <row rowsep="0">
 		    <entry colname="1">
 		      <para>

doc/arm/notes.xml

@@ -198,6 +198,15 @@
 	  them. [GL #237]
 	</para>
       </listitem>
+      <listitem>
+	<para>
+	  Two new update policy rule types have been added
+	  <command>krb5-selfsub</command> and <command>ms-selfsub</command>
+	  which allow machines with Kerberos principals to update
+	  the name space at or below the machine names identified
+	  in the respective principals.
+	</para>
+      </listitem>
     </itemizedlist>
   </section>
 

lib/bind9/check.c

@@ -1745,6 +1745,8 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
 	dns_fixedname_t fixed_id, fixed_name;
 	dns_name_t *id, *name;
 	const char *str;
+	isc_textregion_t r;
+	dns_rdatatype_t type;
 
 	/* Check for "update-policy local;" */
 	if (cfg_obj_isstring(policy) &&
@@ -1782,12 +1784,16 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
 		}
 
 		/*
-		 * There is no name field for subzone.
+		 * There is no name field for subzone and dname is void
 		 */
-		if (tresult == ISC_R_SUCCESS &&
-		    mtype != dns_ssumatchtype_subdomain)
+		if (mtype == dns_ssumatchtype_subdomain &&
+		    cfg_obj_isvoid(dname))
 		{
+			str = ".";	/* Use "." as a replacement. */
+		} else {
 			str = cfg_obj_asstring(dname);
+		}
+		if (tresult == ISC_R_SUCCESS) {
 			tresult = dns_name_fromstring(name, str, 0, NULL);
 			if (tresult != ISC_R_SUCCESS) {
 				cfg_obj_log(dname, logctx, ISC_LOG_ERROR,
@@ -1824,8 +1830,8 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
 			break;
 		case dns_ssumatchtype_selfkrb5:
 		case dns_ssumatchtype_selfms:
-		case dns_ssumatchtype_subdomainms:
-		case dns_ssumatchtype_subdomainkrb5:
+		case dns_ssumatchtype_selfsubkrb5:
+		case dns_ssumatchtype_selfsubms:
 		case dns_ssumatchtype_tcpself:
 		case dns_ssumatchtype_6to4self:
 			if (tresult == ISC_R_SUCCESS &&
@@ -1837,10 +1843,24 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
 			}
 			break;
 		case dns_ssumatchtype_name:
-		case dns_ssumatchtype_subdomain:
+		case dns_ssumatchtype_subdomain: /* also zonesub */
+		case dns_ssumatchtype_subdomainms:
+		case dns_ssumatchtype_subdomainkrb5:
 		case dns_ssumatchtype_wildcard:
 		case dns_ssumatchtype_external:
 		case dns_ssumatchtype_local:
+			if (tresult == ISC_R_SUCCESS) {
+				DE_CONST(str, r.base);
+				r.length = strlen(str);
+				tresult = dns_rdatatype_fromtext(&type, &r);
+			}
+			if (tresult == ISC_R_SUCCESS) {
+				cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+					    "missing name field type '%s' "
+					    "found", str);
+				result = ISC_R_FAILURE;
+				break;
+			}
 			break;
 		default:
 			INSIST(0);
@@ -1851,8 +1871,6 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
 		     element2 = cfg_list_next(element2))
 		{
 			const cfg_obj_t *typeobj;
-			isc_textregion_t r;
-			dns_rdatatype_t type;
 
 			typeobj = cfg_listelt_value(element2);
 			DE_CONST(cfg_obj_asstring(typeobj), r.base);

lib/dns/gssapictx.c

@@ -347,11 +347,11 @@ cleanup:
 bool
 dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
 				    const dns_name_t *name,
-				    const dns_name_t *realm)
+				    const dns_name_t *realm,
+				    bool subdomain)
 {
 #ifdef GSSAPI
 	char sbuf[DNS_NAME_FORMATSIZE];
-	char nbuf[DNS_NAME_FORMATSIZE];
 	char rbuf[DNS_NAME_FORMATSIZE];
 	char *sname;
 	char *rname;
@@ -366,8 +366,6 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
 	result = dns_name_toprincipal(signer, &buffer);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	isc_buffer_putuint8(&buffer, 0);
-	if (name != NULL)
-		dns_name_format(name, nbuf, sizeof(nbuf));
 	dns_name_format(realm, rbuf, sizeof(rbuf));
 
 	/*
@@ -382,6 +380,10 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
 	*rname = '\0';
 	rname++;
 
+	if (strcmp(rname, rbuf) != 0) {
+		return (false);
+	}
+
 	/*
 	 * Find the host portion of the signer's name.	We do this by
 	 * searching for the first / character.  We then check to make
@@ -401,24 +403,30 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
 	}
 
 	/*
-	 * Now, we do a simple comparison between the name and the realm.
+	 * If name is non NULL check that it matches against the
+	 * machine name as expected.
 	 */
 	if (name != NULL) {
-		if ((strcasecmp(sname, nbuf) == 0)
-		    && (strcmp(rname, rbuf) == 0)) {
-			return (true);
+		dns_fixedname_t fixed;
+		dns_name_t *machine;
+
+		machine = dns_fixedname_initname(&fixed);
+		result = dns_name_fromstring(machine, sname, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (false);
 		}
-	} else {
-		if (strcmp(rname, rbuf) == 0) {
-			return (true);
+		if (subdomain) {
+			return (dns_name_issubdomain(name, machine));
 		}
+		return (dns_name_equal(name, machine));
 	}
 
-	return (false);
+	return (true);
 #else
 	UNUSED(signer);
 	UNUSED(name);
 	UNUSED(realm);
+	UNUSED(subdomain);
 	return (false);
 #endif
 }
@@ -426,14 +434,13 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
 bool
 dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
 				  const dns_name_t *name,
-				  const dns_name_t *realm)
+				  const dns_name_t *realm,
+				  bool subdomain)
 {
 #ifdef GSSAPI
 	char sbuf[DNS_NAME_FORMATSIZE];
-	char nbuf[DNS_NAME_FORMATSIZE];
 	char rbuf[DNS_NAME_FORMATSIZE];
 	char *sname;
-	char *nname;
 	char *rname;
 	isc_buffer_t buffer;
 	isc_result_t result;
@@ -446,8 +453,6 @@ dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
 	result = dns_name_toprincipal(signer, &buffer);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	isc_buffer_putuint8(&buffer, 0);
-	if (name != NULL)
-		dns_name_format(name, nbuf, sizeof(nbuf));
 	dns_name_format(realm, rbuf, sizeof(rbuf));
 
 	/*
@@ -484,39 +489,35 @@ dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
 	*sname = '\0';
 	sname = sbuf;
 
+	if (strcmp(rname, rbuf) != 0) {
+		return (false);
+	}
+
 	/*
-	 * Find the first . in the target name, and make it the end of
-	 * the string.	 The rest of the name has to match the realm.
+	 * Now, we check that the realm matches (case sensitive) and that
+	 * 'name' matches against 'machinename' qualified with 'realm'.
 	 */
 	if (name != NULL) {
-		nname = strchr(nbuf, '.');
-		if (nname == NULL) {
+		dns_fixedname_t fixed;
+		dns_name_t *machine;
+
+		machine = dns_fixedname_initname(&fixed);
+		result = dns_name_fromstring2(machine, sbuf, realm, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
 			return (false);
 		}
-		*nname++ = '\0';
+		if (subdomain) {
+			return (dns_name_issubdomain(name, machine));
+		}
+		return (dns_name_equal(name, machine));
 	}
 
-	/*
-	 * Now, we do a simple comparison between the name and the realm.
-	 */
-	if (name != NULL) {
-		if ((strcasecmp(sname, nbuf) == 0)
-		    && (strcmp(rname, rbuf) == 0)
-		    && (strcasecmp(nname, rbuf) == 0)) {
-			return (true);
-		}
-	} else {
-		if (strcmp(rname, rbuf) == 0) {
-			return (true);
-		}
-	}
-
-
-	return (false);
+	return (true);
 #else
 	UNUSED(signer);
 	UNUSED(name);
 	UNUSED(realm);
+	UNUSED(subdomain);
 	return (false);
 #endif
 }

lib/dns/include/dns/ssu.h

@@ -39,9 +39,11 @@ typedef enum {
 	dns_ssumatchtype_6to4self = 11,
 	dns_ssumatchtype_external = 12,
 	dns_ssumatchtype_local = 13,
-	dns_ssumatchtype_max = 13,	/* max value */
+	dns_ssumatchtype_selfsubms = 14,
+	dns_ssumatchtype_selfsubkrb5 = 15,
+	dns_ssumatchtype_max = 15,	/* max value */
 
-	dns_ssumatchtype_dlz = 14	/* intentionally higher than _max */
+	dns_ssumatchtype_dlz = 16	/* intentionally higher than _max */
 } dns_ssumatchtype_t;
 
 isc_result_t

lib/dns/include/dst/gssapi.h

@@ -189,7 +189,8 @@ gss_error_tostring(uint32_t major, uint32_t minor,
 bool
 dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
 				    const dns_name_t *name,
-				    const dns_name_t *realm);
+				    const dns_name_t *realm,
+				    bool subdomain);
 /*
  *	Compare a "signer" (in the format of a Kerberos-format Kerberos5
  *	principal: host/example.com@EXAMPLE.COM) to the realm name stored
@@ -200,7 +201,8 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
 bool
 dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
 				  const dns_name_t *name,
-				  const dns_name_t *realm);
+				  const dns_name_t *realm,
+				  bool subdomain);
 /*
  *	Compare a "signer" (in the format of a Kerberos-format Kerberos5
  *	principal: host/example.com@EXAMPLE.COM) to the realm name stored

lib/dns/ssu.c

@@ -388,6 +388,8 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
 			break;
 		case dns_ssumatchtype_selfkrb5:
 		case dns_ssumatchtype_selfms:
+		case dns_ssumatchtype_selfsubkrb5:
+		case dns_ssumatchtype_selfsubms:
 		case dns_ssumatchtype_subdomainkrb5:
 		case dns_ssumatchtype_subdomainms:
 			if (signer == NULL)
@@ -457,29 +459,55 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
 				continue;
 			break;
 		case dns_ssumatchtype_selfkrb5:
-			if (!dst_gssapi_identitymatchesrealmkrb5(signer, name,
-							       rule->identity))
-				continue;
-			break;
+			if (dst_gssapi_identitymatchesrealmkrb5(signer, name,
+								rule->identity,
+								false))
+			{
+				break;
+			}
+			continue;
 		case dns_ssumatchtype_selfms:
-			if (!dst_gssapi_identitymatchesrealmms(signer, name,
-							       rule->identity))
-				continue;
-			break;
+			if (dst_gssapi_identitymatchesrealmms(signer, name,
+							      rule->identity,
+							      false))
+			{
+				break;
+			}
+			continue;
+		case dns_ssumatchtype_selfsubkrb5:
+			if (dst_gssapi_identitymatchesrealmkrb5(signer, name,
+								rule->identity,
+								true))
+			{
+				break;
+			}
+			continue;
+		case dns_ssumatchtype_selfsubms:
+			if (dst_gssapi_identitymatchesrealmms(signer, name,
+							      rule->identity,
+							      true))
+				break;
+			continue;
 		case dns_ssumatchtype_subdomainkrb5:
 			if (!dns_name_issubdomain(name, rule->name))
 				continue;
-			if (!dst_gssapi_identitymatchesrealmkrb5(signer, NULL,
-							       rule->identity))
-				continue;
-			break;
+			if (dst_gssapi_identitymatchesrealmkrb5(signer, NULL,
+								rule->identity,
+								false))
+			{
+				break;
+			}
+			continue;
 		case dns_ssumatchtype_subdomainms:
 			if (!dns_name_issubdomain(name, rule->name))
 				continue;
-			if (!dst_gssapi_identitymatchesrealmms(signer, NULL,
-							       rule->identity))
-				continue;
-			break;
+			if (dst_gssapi_identitymatchesrealmms(signer, NULL,
+							      rule->identity,
+							      false))
+			{
+				break;
+			}
+			continue;
 		case dns_ssumatchtype_tcpself:
 			tcpself = dns_fixedname_initname(&fixed);
 			reverse_from_address(tcpself, addr);
@@ -652,8 +680,12 @@ dns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype) {
 		*mtype = dns_ssumatchtype_selfwild;
 	} else if (strcasecmp(str, "ms-self") == 0) {
 		*mtype = dns_ssumatchtype_selfms;
+	} else if (strcasecmp(str, "ms-selfsub") == 0) {
+		*mtype = dns_ssumatchtype_selfsubms;
 	} else if (strcasecmp(str, "krb5-self") == 0) {
 		*mtype = dns_ssumatchtype_selfkrb5;
+	} else if (strcasecmp(str, "krb5-selfsub") == 0) {
+		*mtype = dns_ssumatchtype_selfsubkrb5;
 	} else if (strcasecmp(str, "ms-subdomain") == 0) {
 		*mtype = dns_ssumatchtype_subdomainms;
 	} else if (strcasecmp(str, "krb5-subdomain") == 0) {

lib/isccfg/namedconf.c

@@ -323,9 +323,10 @@ doc_matchname(cfg_printer_t *pctx, const cfg_type_t *type) {
 }
 
 static const char *matchtype_enums[] = {
-	"6to4-self", "external", "krb5-self", "krb5-subdomain", "ms-self",
-	"ms-subdomain", "name", "self", "selfsub", "selfwild", "subdomain",
-	"tcp-self", "wildcard", "zonesub", NULL
+	"6to4-self", "external", "krb5-self", "krb5-selfsub",
+	"krb5-subdomain", "ms-self", "ms-selfsub", "ms-subdomain",
+	"name", "self", "selfsub", "selfwild", "subdomain", "tcp-self",
+	"wildcard", "zonesub", NULL
 };
 
 static cfg_type_t cfg_type_matchtype = {

util/copyrights

@@ -620,6 +620,12 @@
 ./bin/tests/system/checkconf/bad-sig-validity.conf	CONF-C	2018
 ./bin/tests/system/checkconf/bad-tsig.conf	CONF-C	2012,2013,2016,2018
 ./bin/tests/system/checkconf/bad-update-policy1.conf	CONF-C	2018
+./bin/tests/system/checkconf/bad-update-policy10.conf	CONF-C	2018
+./bin/tests/system/checkconf/bad-update-policy11.conf	CONF-C	2018
+./bin/tests/system/checkconf/bad-update-policy12.conf	CONF-C	2018
+./bin/tests/system/checkconf/bad-update-policy13.conf	CONF-C	2018
+./bin/tests/system/checkconf/bad-update-policy14.conf	CONF-C	2018
+./bin/tests/system/checkconf/bad-update-policy15.conf	CONF-C	2018
 ./bin/tests/system/checkconf/bad-update-policy2.conf	CONF-C	2018
 ./bin/tests/system/checkconf/bad-update-policy3.conf	CONF-C	2018
 ./bin/tests/system/checkconf/bad-update-policy4.conf	CONF-C	2018
@@ -1587,12 +1593,18 @@
 ./bin/tests/system/nsupdate/knowngood.ns1.after	X	2000,2001,2003,2004,2009,2018
 ./bin/tests/system/nsupdate/knowngood.ns1.afterstop	X	2001,2004,2018
 ./bin/tests/system/nsupdate/knowngood.ns1.before	X	2000,2001,2003,2004,2009,2018
+./bin/tests/system/nsupdate/krb/setup.sh	SH	2018
 ./bin/tests/system/nsupdate/ns1/example1.db	ZONE	2000,2001,2002,2004,2007,2009,2016,2018
 ./bin/tests/system/nsupdate/ns1/many.test.db.in	ZONE	2014,2016,2017,2018
 ./bin/tests/system/nsupdate/ns1/max-ttl.db	ZONE	2014,2016,2018
 ./bin/tests/system/nsupdate/ns1/maxjournal.db.in	ZONE	2017,2018
 ./bin/tests/system/nsupdate/ns1/named.conf.in	CONF-C	2000,2001,2004,2005,2007,2009,2011,2012,2013,2014,2016,2017,2018
 ./bin/tests/system/nsupdate/ns1/sample.db.in	ZONE	2016,2018
+./bin/tests/system/nsupdate/ns10/dns.keytab	X	2018
+./bin/tests/system/nsupdate/ns10/example.com.db.in	ZONE	2018
+./bin/tests/system/nsupdate/ns10/in-addr.db.in	ZONE	2018
+./bin/tests/system/nsupdate/ns10/machine.ccache	X	2018
+./bin/tests/system/nsupdate/ns10/named.conf.in	CONF-C	2018
 ./bin/tests/system/nsupdate/ns2/named.conf.in	CONF-C	2000,2001,2004,2007,2011,2013,2016,2017,2018
 ./bin/tests/system/nsupdate/ns2/sample.db.in	ZONE	2016,2018
 ./bin/tests/system/nsupdate/ns3/delegation.test.db.in	ZONE	2016,2018
@@ -1608,6 +1620,21 @@
 ./bin/tests/system/nsupdate/ns6/in-addr.db.in	ZONE	2018
 ./bin/tests/system/nsupdate/ns6/named.args	X	2018
 ./bin/tests/system/nsupdate/ns6/named.conf.in	CONF-C	2018
+./bin/tests/system/nsupdate/ns7/dns.keytab	X	2018
+./bin/tests/system/nsupdate/ns7/example.com.db.in	ZONE	2018
+./bin/tests/system/nsupdate/ns7/in-addr.db.in	ZONE	2018
+./bin/tests/system/nsupdate/ns7/machine.ccache	X	2018
+./bin/tests/system/nsupdate/ns7/named.conf.in	CONF-C	2018
+./bin/tests/system/nsupdate/ns8/dns.keytab	X	2018
+./bin/tests/system/nsupdate/ns8/example.com.db.in	ZONE	2018
+./bin/tests/system/nsupdate/ns8/in-addr.db.in	ZONE	2018
+./bin/tests/system/nsupdate/ns8/machine.ccache	X	2018
+./bin/tests/system/nsupdate/ns8/named.conf.in	CONF-C	2018
+./bin/tests/system/nsupdate/ns9/dns.keytab	X	2018
+./bin/tests/system/nsupdate/ns9/example.com.db.in	ZONE	2018
+./bin/tests/system/nsupdate/ns9/in-addr.db.in	ZONE	2018
+./bin/tests/system/nsupdate/ns9/machine.ccache	X	2018
+./bin/tests/system/nsupdate/ns9/named.conf.in	CONF-C	2018
 ./bin/tests/system/nsupdate/prereq.sh		SH	2014,2015,2016,2018
 ./bin/tests/system/nsupdate/setup.sh		SH	2000,2001,2004,2007,2009,2010,2011,2012,2014,2016,2017,2018
 ./bin/tests/system/nsupdate/tests.sh		SH	2000,2001,2004,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018