add krb5-* and ms-* update-policy tests to the nsupdate system test.
authorMark Andrews <marka@isc.org>
Thu, 6 Sep 2018 03:53:30 +0000 (13:53 +1000)
committerMark Andrews <marka@isc.org>
Mon, 10 Sep 2018 07:47:59 +0000 (17:47 +1000)
(cherry picked from commit 54c4db569b4243981dc95b67ecf6db624bc04cf1)

24 files changed:
bin/tests/system/nsupdate/clean.sh
bin/tests/system/nsupdate/krb/setup.sh [new file with mode: 0644]
bin/tests/system/nsupdate/ns10/dns.keytab [new file with mode: 0644]
bin/tests/system/nsupdate/ns10/example.com.db.in [new file with mode: 0644]
bin/tests/system/nsupdate/ns10/in-addr.db.in [new file with mode: 0644]
bin/tests/system/nsupdate/ns10/machine.ccache [new file with mode: 0644]
bin/tests/system/nsupdate/ns10/named.conf.in [new file with mode: 0644]
bin/tests/system/nsupdate/ns7/dns.keytab [new file with mode: 0644]
bin/tests/system/nsupdate/ns7/example.com.db.in [new file with mode: 0644]
bin/tests/system/nsupdate/ns7/in-addr.db.in [new file with mode: 0644]
bin/tests/system/nsupdate/ns7/machine.ccache [new file with mode: 0644]
bin/tests/system/nsupdate/ns7/named.conf.in [new file with mode: 0644]
bin/tests/system/nsupdate/ns8/dns.keytab [new file with mode: 0644]
bin/tests/system/nsupdate/ns8/example.com.db.in [new file with mode: 0644]
bin/tests/system/nsupdate/ns8/in-addr.db.in [new file with mode: 0644]
bin/tests/system/nsupdate/ns8/machine.ccache [new file with mode: 0644]
bin/tests/system/nsupdate/ns8/named.conf.in [new file with mode: 0644]
bin/tests/system/nsupdate/ns9/dns.keytab [new file with mode: 0644]
bin/tests/system/nsupdate/ns9/example.com.db.in [new file with mode: 0644]
bin/tests/system/nsupdate/ns9/in-addr.db.in [new file with mode: 0644]
bin/tests/system/nsupdate/ns9/machine.ccache [new file with mode: 0644]
bin/tests/system/nsupdate/ns9/named.conf.in [new file with mode: 0644]
bin/tests/system/nsupdate/setup.sh
bin/tests/system/nsupdate/tests.sh

index e5c6b69bd916282fc276f6e53b3916e706ea4045..ecdbef91ac4a3c9140ef8b705e708d5d106d9a87 100644 (file)
@@ -40,6 +40,18 @@ rm -f ns3/nsec3param.test.db
 rm -f ns3/too-big.test.db
 rm -f ns5/local.db
 rm -f ns6/in-addr.db
+rm -f ns7/in-addr.db
+rm -f ns7/example.com.db
+rm -f ns7/_default.tsigkeys
+rm -f ns8/in-addr.db
+rm -f ns8/example.com.db
+rm -f ns8/_default.tsigkeys
+rm -f ns9/in-addr.db
+rm -f ns9/example.com.db
+rm -f ns9/_default.tsigkeys
+rm -f ns10/example.com.db
+rm -f ns10/in-addr.db
+rm -f ns10/_default.tsigkeys
 rm -f nsupdate.out*
 rm -f typelist.out.*
 rm -f ns1/sample.db
diff --git a/bin/tests/system/nsupdate/krb/setup.sh b/bin/tests/system/nsupdate/krb/setup.sh
new file mode 100644 (file)
index 0000000..3c37777
--- /dev/null
@@ -0,0 +1,113 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -x
+
+PWD=`pwd`
+
+KRB5_CONFIG="${PWD}/krb5.conf"
+export KRB5_CONFIG
+
+KRB5_KDC_PROFILE=${PWD}/krb5kdc
+export KRB5_KDC_PROFILE
+
+now=`date +%s`
+lifetime=`expr 2147483647 - $now`
+lifetime=`expr $lifetime / 3600 / 24 - 30`
+
+cat << EOF > "${KRB5_CONFIG}"
+[libdefaults]
+   default_realm = EXAMPLE.COM
+   dns_lookup_kdc = false
+   # Depending on what you are testing, you may want something like:
+   # default_keytab_name = FILE:/usr/local/var/keytab
+[realms]
+   EXAMPLE.COM = {
+     admin_server = 127.0.0.1:50001
+     kdc = 127.0.0.1:50000
+     database_module = DB2
+     kdc_ports = 50000
+     kadmind_port = 50001
+   }
+[dbmodules]
+   DB2 = {
+     db_library = db2
+   }
+[logging]
+   # Use any pathnames you want here.
+   kdc = FILE:${PWD}/kdc.log
+   admin_server = FILE:${PWD}/kadmin.log
+# Depending on what you are testing, you may want:
+# [domain_realm]
+#   your.domain = EXAMPLE.COM
+EOF
+
+rm -rf ${KRB5_KDC_PROFILE}
+mkdir -p ${KRB5_KDC_PROFILE}
+chmod 700 ${KRB5_KDC_PROFILE}
+
+cat << EOF > "${KRB5_KDC_PROFILE}"/kdc.conf
+[kdcdefaults]
+  kdc_ports = 50000
+  kdc_tcp_ports = 50000
+
+[realms]
+  EXAMPLE.COM = {
+    key_stash_file = ${KRB5_KDC_PROFILE}/.k5.EXAMPLE.COM
+    database_module = EXAMPLE.COM
+    max_life = ${lifetime}d
+}
+
+[dbmodules]
+  EXAMPLE.COM = {
+    db_library = db2
+    database_name = ${KRB5_KDC_PROFILE}/principal
+  }
+EOF
+
+kdb5_util create -s <<EOF
+master
+master
+EOF
+
+krb5kdc -n &
+krb5kdcpid=$!
+#trap "kill $krb5kdcpid; wait; trap 0; exit" 0 15
+
+
+kadmin.local addprinc -maxlife ${lifetime}d -randkey DNS/ns7.example.com@EXAMPLE.COM
+kadmin.local addprinc -maxlife ${lifetime}d -randkey DNS/ns8.example.com@EXAMPLE.COM
+kadmin.local addprinc -maxlife ${lifetime}d -randkey host/machine.example.com@EXAMPLE.COM
+
+kadmin.local ktadd -k ns7-server.keytab DNS/ns7.example.com@EXAMPLE.COM
+kadmin.local ktadd -k ns8-server.keytab DNS/ns8.example.com@EXAMPLE.COM
+kadmin.local ktadd -k krb5-machine.keytab host/machine.example.com@EXAMPLE.COM
+
+kadmin.local addprinc -maxlife ${lifetime}d -randkey 'DNS/ns9.example.com@EXAMPLE.COM'
+kadmin.local addprinc -maxlife ${lifetime}d -randkey 'DNS/ns10.example.com@EXAMPLE.COM'
+kadmin.local addprinc -maxlife ${lifetime}d -randkey 'machine$@EXAMPLE.COM'
+
+kadmin.local ktadd -k ns9-server.keytab 'DNS/ns9.example.com@EXAMPLE.COM'
+kadmin.local ktadd -k ns10-server.keytab 'DNS/ns10.example.com@EXAMPLE.COM'
+kadmin.local ktadd -k ms-machine.keytab 'machine$@EXAMPLE.COM'
+
+kinit -V -k -t krb5-machine.keytab -l ${lifetime}d -c krb5-machine.ccache host/machine.example.com@EXAMPLE.COM
+kinit -V -k -t ms-machine.keytab -l ${lifetime}d -c ms-machine.ccache 'machine$@EXAMPLE.COM'
+
+cp ns7-server.keytab ../ns7/dns.keytab
+cp ns8-server.keytab ../ns8/dns.keytab
+cp ns9-server.keytab ../ns9/dns.keytab
+cp ns10-server.keytab ../ns10/dns.keytab
+
+cp krb5-machine.ccache ../ns7/machine.ccache
+cp krb5-machine.ccache ../ns8/machine.ccache
+cp ms-machine.ccache ../ns9/machine.ccache
+cp ms-machine.ccache ../ns10/machine.ccache
+
+echo krb5kdc pid:$krb5kdcpid
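Review bot: The `kinit -V -k -t krb5-machine.keytab ...` line races the KDC that `krb5kdc -n &` backgrounded a few lines earlier, and nothing checks that either kinit succeeded, so with only `set -x` in effect a failed ticket request still lets the `cp` lines publish a missing or stale machine.ccache into the ns*/ directories. A short retry until the KDC answers, plus an abort on failure, would make the generated fixtures trustworthy. It would also help to state in a header comment that the committed keytabs and credential caches are only valid against the throwaway EXAMPLE.COM realm this script creates on 127.0.0.1:50000, so nobody treats them as sensitive material or tries to rotate them. The commented-out `trap` means the KDC is left running on exit, which the instructions in tests.sh rely on the operator to kill by hand.
```sh
# … unchanged: addprinc / ktadd …
# The KDC was started in the background above; retry until it answers
# instead of racing it, and abort so a missing ccache is never copied.
tries=0
until kinit -V -k -t krb5-machine.keytab -l ${lifetime}d -c krb5-machine.ccache host/machine.example.com@EXAMPLE.COM; do
  tries=`expr $tries + 1`
  [ $tries -lt 10 ] || { echo "KDC not answering"; kill $krb5kdcpid; exit 1; }
  sleep 1
done
kinit -V -k -t ms-machine.keytab -l ${lifetime}d -c ms-machine.ccache 'machine$@EXAMPLE.COM' || { kill $krb5kdcpid; exit 1; }
# … unchanged: cp of keytabs and ccaches …
```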
diff --git a/bin/tests/system/nsupdate/ns10/dns.keytab b/bin/tests/system/nsupdate/ns10/dns.keytab
new file mode 100644 (file)
index 0000000..95eea90
Binary files /dev/null and b/bin/tests/system/nsupdate/ns10/dns.keytab differ
diff --git a/bin/tests/system/nsupdate/ns10/example.com.db.in b/bin/tests/system/nsupdate/ns10/example.com.db.in
new file mode 100644 (file)
index 0000000..984274b
--- /dev/null
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@              IN SOA  ns10.example.com. hostmaster.example.com. (
+                               1          ; serial
+                               2000       ; refresh (2000 seconds)
+                               2000       ; retry (2000 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns10
+ns10                   A       10.53.0.10
diff --git a/bin/tests/system/nsupdate/ns10/in-addr.db.in b/bin/tests/system/nsupdate/ns10/in-addr.db.in
new file mode 100644 (file)
index 0000000..984274b
--- /dev/null
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@              IN SOA  ns10.example.com. hostmaster.example.com. (
+                               1          ; serial
+                               2000       ; refresh (2000 seconds)
+                               2000       ; retry (2000 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns10
+ns10                   A       10.53.0.10
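Review bot: This file is byte-identical to ns10/example.com.db.in (both index lines show blob 984274b), so inside the in-addr.arpa zone the unqualified `NS ns10` and `ns10 A 10.53.0.10` become ns10.in-addr.arpa rather than the ns10.example.com. named in the SOA MNAME; the same holds for the ns7, ns8 and ns9 copies. Nothing in the new tests.sh checks queries this zone, so it is harmless today, but `NS ns10.example.com.` (dropping the local A record) would make the fixture self-consistent and stop it from looking like a copy-paste slip.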
diff --git a/bin/tests/system/nsupdate/ns10/machine.ccache b/bin/tests/system/nsupdate/ns10/machine.ccache
new file mode 100644 (file)
index 0000000..ced26bd
Binary files /dev/null and b/bin/tests/system/nsupdate/ns10/machine.ccache differ
diff --git a/bin/tests/system/nsupdate/ns10/named.conf.in b/bin/tests/system/nsupdate/ns10/named.conf.in
new file mode 100644 (file)
index 0000000..44b207a
--- /dev/null
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       query-source address 10.53.0.10;
+       notify-source 10.53.0.10;
+       transfer-source 10.53.0.10;
+       port @PORT@;
+       pid-file "named.pid";
+       session-keyfile "session.key";
+       listen-on { 10.53.0.10; };
+       recursion no;
+       notify yes;
+       minimal-responses no;
+       tkey-gssapi-keytab "dns.keytab";
+};
+
+key rndc_key {
+       secret "1234abcd8765";
+       algorithm hmac-sha256;
+};
+
+controls {
+       inet 10.53.0.10 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+       type master;
+       file "in-addr.db";
+       update-policy { grant EXAMPLE.COM ms-subdomain . PTR; };
+};
+
+zone "example.com" {
+       type master;
+       file "example.com.db";
+       update-policy {
+               grant EXAMPLE.COM ms-selfsub . ANY;
+               grant EXAMPLE.COM ms-subdomain _tcp.example.com SRV;
+       };
+};
diff --git a/bin/tests/system/nsupdate/ns7/dns.keytab b/bin/tests/system/nsupdate/ns7/dns.keytab
new file mode 100644 (file)
index 0000000..08d5ef4
Binary files /dev/null and b/bin/tests/system/nsupdate/ns7/dns.keytab differ
diff --git a/bin/tests/system/nsupdate/ns7/example.com.db.in b/bin/tests/system/nsupdate/ns7/example.com.db.in
new file mode 100644 (file)
index 0000000..c327325
--- /dev/null
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@              IN SOA  ns7.example.com. hostmaster.example.com. (
+                               1          ; serial
+                               2000       ; refresh (2000 seconds)
+                               2000       ; retry (2000 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns7
+ns7                    A       10.53.0.7
diff --git a/bin/tests/system/nsupdate/ns7/in-addr.db.in b/bin/tests/system/nsupdate/ns7/in-addr.db.in
new file mode 100644 (file)
index 0000000..c327325
--- /dev/null
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@              IN SOA  ns7.example.com. hostmaster.example.com. (
+                               1          ; serial
+                               2000       ; refresh (2000 seconds)
+                               2000       ; retry (2000 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns7
+ns7                    A       10.53.0.7
diff --git a/bin/tests/system/nsupdate/ns7/machine.ccache b/bin/tests/system/nsupdate/ns7/machine.ccache
new file mode 100644 (file)
index 0000000..7dcd959
Binary files /dev/null and b/bin/tests/system/nsupdate/ns7/machine.ccache differ
diff --git a/bin/tests/system/nsupdate/ns7/named.conf.in b/bin/tests/system/nsupdate/ns7/named.conf.in
new file mode 100644 (file)
index 0000000..f0ef6d3
--- /dev/null
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       query-source address 10.53.0.7;
+       notify-source 10.53.0.7;
+       transfer-source 10.53.0.7;
+       port @PORT@;
+       pid-file "named.pid";
+       session-keyfile "session.key";
+       listen-on { 10.53.0.7; };
+       recursion no;
+       notify yes;
+       minimal-responses no;
+       tkey-gssapi-keytab "dns.keytab";
+};
+
+key rndc_key {
+       secret "1234abcd8765";
+       algorithm hmac-sha256;
+};
+
+controls {
+       inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+       type master;
+       file "in-addr.db";
+       update-policy { grant EXAMPLE.COM krb5-subdomain . PTR; };
+};
+
+zone "example.com" {
+       type master;
+       file "example.com.db";
+       update-policy {
+               grant EXAMPLE.COM krb5-self . ANY;
+               grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV;
+       };
+};
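Review bot: The `grant EXAMPLE.COM krb5-subdomain . PTR` rule on the in-addr.arpa zone (and its ms-subdomain twin on ns9/ns10) lets any principal in the realm rewrite any PTR in that zone, yet none of the new checks in tests.sh sends a PTR update — every update there is an A or SRV under example.com — so this grant is configuration the test never exercises. Either add a PTR match/no-match pair or drop the zone, since untested policy rules tend to drift without anyone noticing. The `allow { any; }` on controls is gated by rndc_key and matches the other test servers, so that part is fine for a fixture.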
diff --git a/bin/tests/system/nsupdate/ns8/dns.keytab b/bin/tests/system/nsupdate/ns8/dns.keytab
new file mode 100644 (file)
index 0000000..3340049
Binary files /dev/null and b/bin/tests/system/nsupdate/ns8/dns.keytab differ
diff --git a/bin/tests/system/nsupdate/ns8/example.com.db.in b/bin/tests/system/nsupdate/ns8/example.com.db.in
new file mode 100644 (file)
index 0000000..eb24766
--- /dev/null
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@              IN SOA  ns8.example.com. hostmaster.example.com. (
+                               1          ; serial
+                               2000       ; refresh (2000 seconds)
+                               2000       ; retry (2000 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns8
+ns8                    A       10.53.0.8
diff --git a/bin/tests/system/nsupdate/ns8/in-addr.db.in b/bin/tests/system/nsupdate/ns8/in-addr.db.in
new file mode 100644 (file)
index 0000000..eb24766
--- /dev/null
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@              IN SOA  ns8.example.com. hostmaster.example.com. (
+                               1          ; serial
+                               2000       ; refresh (2000 seconds)
+                               2000       ; retry (2000 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns8
+ns8                    A       10.53.0.8
diff --git a/bin/tests/system/nsupdate/ns8/machine.ccache b/bin/tests/system/nsupdate/ns8/machine.ccache
new file mode 100644 (file)
index 0000000..6e75aff
Binary files /dev/null and b/bin/tests/system/nsupdate/ns8/machine.ccache differ
diff --git a/bin/tests/system/nsupdate/ns8/named.conf.in b/bin/tests/system/nsupdate/ns8/named.conf.in
new file mode 100644 (file)
index 0000000..56195cd
--- /dev/null
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       query-source address 10.53.0.8;
+       notify-source 10.53.0.8;
+       transfer-source 10.53.0.8;
+       port @PORT@;
+       pid-file "named.pid";
+       session-keyfile "session.key";
+       listen-on { 10.53.0.8; };
+       recursion no;
+       notify yes;
+       minimal-responses no;
+       tkey-gssapi-keytab "dns.keytab";
+};
+
+key rndc_key {
+       secret "1234abcd8765";
+       algorithm hmac-sha256;
+};
+
+controls {
+       inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+       type master;
+       file "in-addr.db";
+       update-policy { grant EXAMPLE.COM krb5-subdomain . PTR; };
+};
+
+zone "example.com" {
+       type master;
+       file "example.com.db";
+       update-policy {
+               grant EXAMPLE.COM krb5-selfsub . ANY;
+               grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV;
+       };
+};
diff --git a/bin/tests/system/nsupdate/ns9/dns.keytab b/bin/tests/system/nsupdate/ns9/dns.keytab
new file mode 100644 (file)
index 0000000..470317f
Binary files /dev/null and b/bin/tests/system/nsupdate/ns9/dns.keytab differ
diff --git a/bin/tests/system/nsupdate/ns9/example.com.db.in b/bin/tests/system/nsupdate/ns9/example.com.db.in
new file mode 100644 (file)
index 0000000..a618fdc
--- /dev/null
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@              IN SOA  ns9.example.com. hostmaster.example.com. (
+                               1          ; serial
+                               2000       ; refresh (2000 seconds)
+                               2000       ; retry (2000 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns9
+ns9                    A       10.53.0.9
diff --git a/bin/tests/system/nsupdate/ns9/in-addr.db.in b/bin/tests/system/nsupdate/ns9/in-addr.db.in
new file mode 100644 (file)
index 0000000..a618fdc
--- /dev/null
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@              IN SOA  ns9.example.com. hostmaster.example.com. (
+                               1          ; serial
+                               2000       ; refresh (2000 seconds)
+                               2000       ; retry (2000 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns9
+ns9                    A       10.53.0.9
diff --git a/bin/tests/system/nsupdate/ns9/machine.ccache b/bin/tests/system/nsupdate/ns9/machine.ccache
new file mode 100644 (file)
index 0000000..2b59cec
Binary files /dev/null and b/bin/tests/system/nsupdate/ns9/machine.ccache differ
diff --git a/bin/tests/system/nsupdate/ns9/named.conf.in b/bin/tests/system/nsupdate/ns9/named.conf.in
new file mode 100644 (file)
index 0000000..1b41cc6
--- /dev/null
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       query-source address 10.53.0.9;
+       notify-source 10.53.0.9;
+       transfer-source 10.53.0.9;
+       port @PORT@;
+       pid-file "named.pid";
+       session-keyfile "session.key";
+       listen-on { 10.53.0.9; };
+       recursion no;
+       notify yes;
+       minimal-responses no;
+       tkey-gssapi-keytab "dns.keytab";
+};
+
+key rndc_key {
+       secret "1234abcd8765";
+       algorithm hmac-sha256;
+};
+
+controls {
+       inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+       type master;
+       file "in-addr.db";
+       update-policy { grant EXAMPLE.COM ms-subdomain . PTR; };
+};
+
+zone "example.com" {
+       type master;
+       file "example.com.db";
+       update-policy {
+               grant EXAMPLE.COM ms-self . ANY;
+               grant EXAMPLE.COM ms-subdomain _tcp.example.com SRV;
+       };
+};
index bc66ea6831cf8b06fb7d20221b4aeb3dc160928f..b52649e4e1fde6aec5396dc925de9d18fd25effc 100644 (file)
@@ -20,6 +20,10 @@ copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
 
 copy_setports verylarge.in verylarge
 
@@ -79,3 +83,11 @@ rm -f ns1/maxjournal.db.jnl
 
 cp -f ns5/local.db.in ns5/local.db
 cp -f ns6/in-addr.db.in ns6/in-addr.db
+cp -f ns7/in-addr.db.in ns7/in-addr.db
+cp -f ns7/example.com.db.in ns7/example.com.db
+cp -f ns8/in-addr.db.in ns8/in-addr.db
+cp -f ns8/example.com.db.in ns8/example.com.db
+cp -f ns9/in-addr.db.in ns9/in-addr.db
+cp -f ns9/example.com.db.in ns9/example.com.db
+cp -f ns10/in-addr.db.in ns10/in-addr.db
+cp -f ns10/example.com.db.in ns10/example.com.db
index ec0ea38098fc49089e709a0aa9dc9fcf3e51cd1e..820263b50efb2fd2ac78c827df1a630edfd6b113 100755 (executable)
@@ -15,6 +15,21 @@ SYSTEMTESTTOP=..
 DIGOPTS="-p ${PORT}"
 RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
 
+#
+# Uncomment when creating credential cache files.
+#
+# KRB5_CONFIG=`pwd`/krb/krb5.conf
+#
+# Cd krb and run krb/setup.sh to create new keys.
+# Run nsupdate system test.
+# Kill the krb5kdc server started by krb/setup.sh.
+# Check the expiry date on the cached machine.ccache with klist is in 2038.
+# Comment out KRB5_CONFIG.
+# Re-run nsupdate system test to confirm everything still works.
+# git add and commit the resulting ns*/machine.ccache and ns*/dns.keytab files.
+# Clean up krb.
+#
+
 status=0
 n=0
 
@@ -322,7 +337,7 @@ $KILL -KILL `cat named.pid`
 rm named.pid
 cd ..
 sleep 10
-if 
+if
        $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns1
 then
        echo_i "restarted server ns1"
@@ -615,7 +630,7 @@ $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
         @10.53.0.3 dnskey | \
        sed -n 's/\(.*\)10.IN/update add \1600 IN/p' |
        (echo server 10.53.0.3 ${PORT}; cat - ; echo send ) |
-$NSUPDATE 
+$NSUPDATE
 
 $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
        @10.53.0.3 any > dig.out.ns3.$n
@@ -663,7 +678,7 @@ n=`expr $n + 1`
 ret=0
 echo_i "check command list ($n)"
 (
-while read cmd 
+while read cmd
 do
     echo "$cmd" | $NSUPDATE  > /dev/null 2>&1
     if test $? -gt 1 ; then
@@ -1002,6 +1017,225 @@ grep "UPDATE, status: NOERROR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
 grep "UPDATE, status: FORMERR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+if $FEATURETEST --gssapi ; then
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check krb5-self match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns7/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.7 ${PORT}
+  zone example.com
+  update add machine.example.com 3600 IN A 10.53.0.7
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.7 machine.example.com A > dig.out.ns7.test$n
+  grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1
+  grep "machine.example.com..*A.*10.53.0.7" dig.out.ns7.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check krb5-self no-match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns7/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.7 ${PORT}
+  zone example.com
+  update add foo.example.com 3600 IN A 10.53.0.7
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.7 foo.example.com A > dig.out.ns7.test$n
+  grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check krb5-subdomain match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns7/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.7 ${PORT}
+  zone example.com
+  update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._tcp.example.com SRV > dig.out.ns7.test$n
+  grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1
+  grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns7.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check krb5-subdomain no-match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns7/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.7 ${PORT}
+  zone example.com
+  update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._udp.example.com SRV > dig.out.ns7.test$n
+  grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check krb5-selfsub match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns8/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.8 ${PORT}
+  zone example.com
+  update add xxx.machine.example.com 3600 IN A 10.53.0.8
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.8 xxx.machine.example.com A > dig.out.ns8.test$n
+  grep "status: NOERROR" dig.out.ns8.test$n > /dev/null || ret=1
+  grep "xxx.machine.example.com..*A.*10.53.0.8" dig.out.ns8.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check krb5-selfsub no-match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns8/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.8 ${PORT}
+  zone example.com
+  update add foo.example.com 3600 IN A 10.53.0.8
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.8 foo.example.com A > dig.out.ns8.test$n
+  grep "status: NXDOMAIN" dig.out.ns8.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+
+  echo_i "check ms-self match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns9/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.9 ${PORT}
+  zone example.com
+  update add machine.example.com 3600 IN A 10.53.0.9
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.9 machine.example.com A > dig.out.ns9.test$n
+  grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1
+  grep "machine.example.com..*A.*10.53.0.9" dig.out.ns9.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check ms-self no-match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns9/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.9 ${PORT}
+  zone example.com
+  update add foo.example.com 3600 IN A 10.53.0.9
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.9 foo.example.com A > dig.out.ns9.test$n
+  grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check ms-subdomain match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns9/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.9 ${PORT}
+  zone example.com
+  update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._tcp.example.com SRV > dig.out.ns9.test$n
+  grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1
+  grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns9.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check ms-subdomain no-match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns9/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.9 ${PORT}
+  zone example.com
+  update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._udp.example.com SRV > dig.out.ns9.test$n
+  grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check ms-selfsub match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns10/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.10 ${PORT}
+  zone example.com
+  update add xxx.machine.example.com 3600 IN A 10.53.0.10
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.10 xxx.machine.example.com A > dig.out.ns10.test$n
+  grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1
+  grep "xxx.machine.example.com..*A.*10.53.0.10" dig.out.ns10.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=`expr $n + 1`
+  ret=0
+  echo_i "check ms-selfsub no-match ($n)"
+  KRB5CCNAME="FILE:"`pwd`/ns10/machine.ccache
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.10 ${PORT}
+  zone example.com
+  update add foo.example.com 3600 IN A 10.53.0.10
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.10 foo.example.com A > dig.out.ns10.test$n
+  grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+fi
 #
 #  Add client library tests here
 #
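Review bot: Every new check authenticates with a realm credential and only varies the name being updated, so nothing confirms that an update carrying no GSS-TSIG at all is refused by these update-policy zones; a regression that let krb5-self/ms-self fall open for unauthenticated clients would still pass this block. One unauthenticated negative case per server, or at least on ns7, inside the same `if $FEATURETEST --gssapi` block would close that gap. Note also that `KRB5CCNAME` remains exported after the last check, so any later nsupdate invocation in this file inherits the ns10 cache; an `unset KRB5CCNAME` before the closing `fi` keeps subsequent tests independent.
```sh
  n=`expr $n + 1`
  ret=0
  echo_i "check unauthenticated update is refused ($n)"
  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
  server 10.53.0.7 ${PORT}
  zone example.com
  update add machine.example.com 3600 IN A 10.53.0.99
  send
EOF
  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
  [ $ret = 0 ] || { echo_i "failed"; status=1; }
  unset KRB5CCNAME
fi
```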