};
key one {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
};
key one {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
};
key one {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key three {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
};
key one {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
};
key one {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
# key "one" should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
# any other key should be fine
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
copy_setports ns2/named2.conf.in ns2/named.conf
# prefix 10/8 should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
# any other address should work, as long as it sends key "one"
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
echo_i "testing nested ACL processing"
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
# but only one or the other should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
t=`expr $t + 1`
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
# should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
# should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
# should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.3 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
echo_i "testing allow-query-on ACL processing"
*/
key one {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
*/
key one {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234efgh8765";
};
*/
key one {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
*/
key one {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
*/
key one {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234efgh8765";
};
*/
key one {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
acl badaccept { 10.53.0.1; };
key one {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234efgh8765";
};
echo_i "test $n: key allowed - query allowed"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
echo_i "test $n: key not allowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
echo_i "test $n: key disallowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
echo_i "test $n: views key allowed - query allowed"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
echo_i "test $n: views key not allowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
echo_i "test $n: views key disallowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
n=`expr $n + 1`
echo_i "test $n: zone key allowed - query allowed"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.keyallow.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
n=`expr $n + 1`
echo_i "test $n: zone key not allowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.keyallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
n=`expr $n + 1`
echo_i "test $n: zone key disallowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.keydisallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
if (!$mainport) { $mainport = 5300; }
my $ctrlport = int($ENV{'EXTRAPORT1'});
if (!$ctrlport) { $ctrlport = 5301; }
+my $hmac_algorithm = $ENV{'DEFAULT_HMAC'};
+if (!defined($hmac_algorithm)) { $hmac_algorithm = "hmac-sha256"; }
# XXX: we should also be able to set the port numbers to listen on.
my $ctlsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
} else {
$tsig = Net::DNS::RR->new(
name => $key_name,
+ algorithm => $hmac_algorithm,
type => 'TSIG',
key => $key_data);
}
if ($Net::DNS::VERSION < 0.69) {
$tsig = Net::DNS::RR->new(
"$key_name TSIG $key_data");
+ $tsig->algorithm = $hmac_algorithm;
} elsif ($Net::DNS::VERSION >= 0.81 &&
$continuation) {
} elsif ($Net::DNS::VERSION >= 0.75 &&
} else {
$tsig = Net::DNS::RR->new(
name => $key_name,
+ algorithm => $hmac_algorithm,
type => 'TSIG',
key => $key_data);
}
key tsig_key. {
secret "LSAnCU+Z";
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
};
key tsig_key. {
secret "LSAnCU+Z";
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
};
key tsig_key. {
secret "LSAnCU+Z";
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
};
/* Bad secret */
key "badtsig" {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "jEdD+BPKg==";
};
-
rm -f bad-kasp-keydir3.conf
rm -f bad-kasp-keydir4.conf
rm -f bad-kasp-keydir5.conf
+rm -f bad-tsig.conf
rm -f checkconf.out*
rm -f diff.out*
rm -f good-kasp.conf.in
rm -f good-server-christmas-tree.conf
-rm -f good.conf.in good.conf.out badzero.conf *.out
+rm -f good.conf good.conf.raw good.conf.out badzero.conf *.out
rm -f ns*/named.lock
rm -rf test.keydir
system;
};
key "mykey" {
- algorithm "hmac-md5";
+ algorithm "@DEFAULT_HMAC@";
secret "qwertyuiopasdfgh";
};
copy_setports bad-kasp-keydir3.conf.in bad-kasp-keydir3.conf
copy_setports bad-kasp-keydir4.conf.in bad-kasp-keydir4.conf
copy_setports bad-kasp-keydir5.conf.in bad-kasp-keydir5.conf
+copy_setports bad-tsig.conf.in bad-tsig.conf
+copy_setports good.conf.in good.conf
cp -f good-server-christmas-tree.conf.in good-server-christmas-tree.conf
n=`expr $n + 1`
echo_i "checking that named-checkconf prints a known good config ($n)"
ret=0
-awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
-[ -s good.conf.in ] || ret=1
-$CHECKCONF -p good.conf.in > checkconf.out$n || ret=1
-grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
-cmp good.conf.in good.conf.out || ret=1
+awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.raw
+[ -s good.conf.raw ] || ret=1
+$CHECKCONF -p good.conf.raw > checkconf.out$n || ret=1
+grep -v '^good.conf.raw:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
+cmp good.conf.raw good.conf.out || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking that named-checkconf -x removes secrets ($n)"
ret=0
# ensure there is a secret and that it is not the check string.
-grep 'secret "' good.conf.in > /dev/null || ret=1
-grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1
-$CHECKCONF -p -x good.conf.in > checkconf.out$n || ret=1
-grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
+grep 'secret "' good.conf.raw > /dev/null || ret=1
+grep 'secret "????????????????"' good.conf.raw > /dev/null 2>&1 && ret=1
+$CHECKCONF -p -x good.conf.raw > checkconf.out$n || ret=1
+grep -v '^good.conf.raw:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
*/
key "a" {
- algorithm "hmac-md5";
+ algorithm @DEFAULT_HMAC@;
secret "aaaaaaaaaaaaaaaaaaaa";
};
key "b" {
- algorithm "hmac-md5";
+ algorithm @DEFAULT_HMAC@;
secret "bbbbbbbbbbbbbbbbbbbb";
};
key "c" {
- algorithm "hmac-md5";
+ algorithm @DEFAULT_HMAC@;
secret "cccccccccccccccccccc";
};
$NSUPDATE << EOF
server 10.53.0.5 ${PORT}
zone x21
-key a aaaaaaaaaaaaaaaaaaaa
+key $DEFAULT_HMAC:a aaaaaaaaaaaaaaaaaaaa
update add added.x21 0 in txt "test string"
send
EOF
fnc="dig.out.c.ns5.test$n"
for i in 1 2 3 4 5 6 7 8 9
do
- dig_plus_opts added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
+ dig_plus_opts added.x21. -y "${DEFAULT_HMAC}:b:bbbbbbbbbbbbbbbbbbbb" @10.53.0.5 \
txt > "$fnb" || ret=1
- dig_plus_opts added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
+ dig_plus_opts added.x21. -y "${DEFAULT_HMAC}:c:cccccccccccccccccccc" @10.53.0.5 \
txt > "$fnc" || ret=1
grep "test string" "$fnb" > /dev/null &&
grep "test string" "$fnc" > /dev/null &&
};
key altkey {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key restricted.example.nil {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key zonesub-key.example.nil {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234subk8765";
};
};
key altkey {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
# and thus this UPDATE should succeed.
$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
server 10.53.0.1 ${PORT}
-key restricted.example.nil 1234abcd8765
+key $DEFAULT_HMAC:restricted.example.nil 1234abcd8765
update add restricted.example.nil 0 IN TXT everywhere.
send
END
# thus this UPDATE should fail.
$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
server 10.53.0.1 ${PORT}
-key restricted.example.nil 1234abcd8765
+key $DEFAULT_HMAC:restricted.example.nil 1234abcd8765
update add example.nil 0 IN TXT everywhere.
send
END
# the A record update should be rejected as it is not in the type list
$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
server 10.53.0.1 ${PORT}
-key zonesub-key.example.nil 1234subk8765
+key $DEFAULT_HMAC:zonesub-key.example.nil 1234subk8765
update add zonesub.example.nil 0 IN A 1.2.3.4
send
END
# the TXT record update should be accepted as it is in the type list
$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
server 10.53.0.1 ${PORT}
-key zonesub-key.example.nil 1234subk8765
+key $DEFAULT_HMAC:zonesub-key.example.nil 1234subk8765
update add zonesub.example.nil 0 IN TXT everywhere.
send
END
*/
key "update.example." {
- algorithm "hmac-md5";
+ algorithm @DEFAULT_HMAC@;
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
echo_i "updating zone (signed) ($n)"
ret=0
-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
+$NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -- - <<EOF || ret=1
server 10.53.0.3 ${PORT}
update add updated.example. 600 A 10.10.10.1
update add updated.example. 600 TXT Foo
};
key tsigzone. {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
};
key tsigzone. {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key unused_key. {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
};
key tsig_key. {
secret "LSAnCU+Z";
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
};
controls {
};
key key1. {
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
n=$((n+1))
echo_i "testing TSIG signed zone transfers ($n)"
tmp=0
-$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y tsigzone.:1234abcd8765 > dig.out.ns2.test$n || tmp=1
+$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y "${DEFAULT_HMAC}:tsigzone.:1234abcd8765" > dig.out.ns2.test$n || tmp=1
grep "^;" dig.out.ns2.test$n | cat_i
#
# Spin to allow the zone to transfer.
#
wait_for_xfer_tsig () {
- $DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y tsigzone.:1234abcd8765 > dig.out.ns3.test$n || return 1
+ $DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y "${DEFAULT_HMAC}:tsigzone.:1234abcd8765" > dig.out.ns3.test$n || return 1
grep "^;" dig.out.ns3.test$n > /dev/null && return 1
return 0
}
sendcmd < ans5/badmessageid
# Uncomment to see AXFR stream with mismatching IDs.
-# $DIG $DIGOPTS @10.53.0.5 -y tsig_key:LSAnCU+Z nil. AXFR +all
+# $DIG $DIGOPTS @10.53.0.5 -y "${DEFAULT_HMAC}:tsig_key:LSAnCU+Z" nil. AXFR +all
$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
n=$((n+1))
echo_i "test smaller transfer TCP message size ($n)"
$DIG $DIGOPTS example. @10.53.0.8 axfr \
- -y key1.:1234abcd8765 > dig.out.msgsize.test$n || status=1
+ -y "${DEFAULT_HMAC}:key1.:1234abcd8765" > dig.out.msgsize.test$n || status=1
bytes=`wc -c < dig.out.msgsize.test$n`
if [ $bytes -ne 459357 ]; then
projects / thirdparty / bind9.git / commitdiff
