rpms / bind

Clone
Source Code
GIT

Blame bind-9.11-fips-tests.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta c9s-sig-hyperscale
  1.   411463dad7d7b4fbc53a2c473714bb78a8d828bf
  2.   bind-9.11-fips-tests.patch
Blob History Raw
8a47aa 
From 8bbfacc1a90301a71a487e776db071fa2ef6c8dd Mon Sep 17 00:00:00 2001
899014 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
899014 
Date: Thu, 2 Aug 2018 23:46:45 +0200
ad7b3b 
Subject: [PATCH] FIPS tests changes
899014 
MIME-Version: 1.0
899014 
Content-Type: text/plain; charset=UTF-8
899014 
Content-Transfer-Encoding: 8bit
899014
ad7b3b 
Squashed commit of the following:
ad7b3b
899014 
commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa
899014 
Author: Petr Menšík <pemensik@redhat.com>
899014 
Date:   Wed Mar 7 20:35:13 2018 +0100
899014
899014 
    Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available.
899014
899014 
commit ab303db70082db76ecf36493d0b82ef3e8750cad
899014 
Author: Petr Menšík <pemensik@redhat.com>
899014 
Date:   Wed Mar 7 18:11:10 2018 +0100
899014
899014 
    Changed root key to be RSASHA256
899014
899014 
    Change bad trusted key to be the same algorithm.
899014
899014 
commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8
899014 
Author: Petr Menšík <pemensik@redhat.com>
899014 
Date:   Wed Mar 7 16:56:17 2018 +0100
899014
899014 
    Change used key to not use hmac-md5
899014
899014 
    Fix upforwd test, do not use hmac-md5
899014
899014 
commit aec891571626f053acfb4d0a247240cbc21a84e9
899014 
Author: Petr Menšík <pemensik@redhat.com>
899014 
Date:   Wed Mar 7 15:54:11 2018 +0100
899014
899014 
    Increase bitsize of DSA key to pass FIPS 140-2 mode.
899014
899014 
commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696
899014 
Author: Petr Menšík <pemensik@redhat.com>
899014 
Date:   Wed Mar 7 15:41:08 2018 +0100
899014
899014 
    Fix tsig and rndc tests for disabled md5
899014
899014 
    Use hmac-sha256 instead of hmac-md5.
899014
899014 
commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67
899014 
Author: Petr Menšík <pemensik@redhat.com>
899014 
Date:   Wed Mar 7 13:21:00 2018 +0100
899014
899014 
    Add md5 availability detection to featuretest
899014
899014 
commit f389a918803e2853e4b55fed62765dc4a492e34f
899014 
Author: Petr Menšík <pemensik@redhat.com>
899014 
Date:   Wed Mar 7 10:44:23 2018 +0100
899014
899014 
    Change tests to not use hmac-md5 algorithms if not required
899014
899014 
    Use hmac-sha256 instead of default hmac-md5 for allow-query
899014 
---
1e4169 
 bin/tests/system/acl/ns2/named1.conf.in       |  4 +-
1e4169 
 bin/tests/system/acl/ns2/named2.conf.in       |  4 +-
1e4169 
 bin/tests/system/acl/ns2/named3.conf.in       |  6 +-
1e4169 
 bin/tests/system/acl/ns2/named4.conf.in       |  4 +-
1e4169 
 bin/tests/system/acl/ns2/named5.conf.in       |  4 +-
1e4169 
 bin/tests/system/acl/tests.sh                 | 32 ++++-----
1e4169 
 .../system/allow-query/ns2/named10.conf.in    |  2 +-
1e4169 
 .../system/allow-query/ns2/named11.conf.in    |  4 +-
1e4169 
 .../system/allow-query/ns2/named12.conf.in    |  2 +-
1e4169 
 .../system/allow-query/ns2/named30.conf.in    |  2 +-
1e4169 
 .../system/allow-query/ns2/named31.conf.in    |  4 +-
1e4169 
 .../system/allow-query/ns2/named32.conf.in    |  2 +-
1e4169 
 .../system/allow-query/ns2/named40.conf.in    |  4 +-
1e4169 
 bin/tests/system/allow-query/tests.sh         | 18 ++---
1e4169 
 bin/tests/system/catz/ns1/named.conf.in       |  2 +-
1e4169 
 bin/tests/system/checkconf/bad-tsig.conf      |  2 +-
1e4169 
 bin/tests/system/checkconf/good.conf          |  2 +-
aaee84 
 bin/tests/system/feature-test.c               | 14 ++++
1e4169 
 bin/tests/system/notify/ns5/named.conf.in     |  6 +-
1e4169 
 bin/tests/system/notify/tests.sh              |  6 +-
1e4169 
 bin/tests/system/nsupdate/ns1/named.conf.in   |  2 +-
1e4169 
 bin/tests/system/nsupdate/ns2/named.conf.in   |  2 +-
0b18b1 
 bin/tests/system/nsupdate/setup.sh            |  6 +-
8a47aa 
 bin/tests/system/nsupdate/tests.sh            | 11 ++-
1e4169 
 bin/tests/system/rndc/setup.sh                |  2 +-
8a47aa 
 bin/tests/system/rndc/tests.sh                | 22 +++---
1e4169 
 bin/tests/system/tsig/ns1/named.conf.in       | 10 +--
1e4169 
 bin/tests/system/tsig/setup.sh                |  5 ++
8a47aa 
 bin/tests/system/tsig/tests.sh                | 67 ++++++++++++-------
1e4169 
 bin/tests/system/upforwd/ns1/named.conf.in    |  2 +-
1e4169 
 bin/tests/system/upforwd/tests.sh             |  2 +-
8a47aa 
 31 files changed, 149 insertions(+), 106 deletions(-)
899014
899014 
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
8a47aa 
index 745048a..93cb411 100644
899014 
--- a/bin/tests/system/acl/ns2/named1.conf.in
899014 
+++ b/bin/tests/system/acl/ns2/named1.conf.in
8a47aa 
@@ -35,12 +35,12 @@ options {
899014 
 };
899014
899014 
 key one {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
 key two {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
8a47aa 
index 21aa991..78e71cc 100644
899014 
--- a/bin/tests/system/acl/ns2/named2.conf.in
899014 
+++ b/bin/tests/system/acl/ns2/named2.conf.in
8a47aa 
@@ -35,12 +35,12 @@ options {
899014 
 };
899014
899014 
 key one {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
 key two {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
8a47aa 
index 3208c92..bed6325 100644
899014 
--- a/bin/tests/system/acl/ns2/named3.conf.in
899014 
+++ b/bin/tests/system/acl/ns2/named3.conf.in
8a47aa 
@@ -35,17 +35,17 @@ options {
899014 
 };
899014
899014 
 key one {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
 key two {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
 key three {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
8a47aa 
index 14e82ed..a22cafe 100644
899014 
--- a/bin/tests/system/acl/ns2/named4.conf.in
899014 
+++ b/bin/tests/system/acl/ns2/named4.conf.in
8a47aa 
@@ -35,12 +35,12 @@ options {
899014 
 };
899014
899014 
 key one {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
 key two {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
8a47aa 
index f43f33c..f4a865a 100644
899014 
--- a/bin/tests/system/acl/ns2/named5.conf.in
899014 
+++ b/bin/tests/system/acl/ns2/named5.conf.in
8a47aa 
@@ -37,12 +37,12 @@ options {
899014 
 };
899014
899014 
 key one {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
 key two {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
8a47aa 
index 9ee3984..f7d4388 100644
899014 
--- a/bin/tests/system/acl/tests.sh
899014 
+++ b/bin/tests/system/acl/tests.sh
8a47aa 
@@ -23,14 +23,14 @@ echo_i "testing basic ACL processing"
899014 
 # key "one" should fail
899014 
 t=`expr $t + 1`
899014 
 $DIG $DIGOPTS tsigzone. \
899014 
-	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
899014 
+	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
899014 
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
899014
899014
899014 
 # any other key should be fine
899014 
 t=`expr $t + 1`
899014 
 $DIG $DIGOPTS tsigzone. \
899014 
-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
899014 
+	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
899014 
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
899014
899014 
 copy_setports ns2/named2.conf.in ns2/named.conf
8a47aa 
@@ -40,18 +40,18 @@ sleep 5
899014 
 # prefix 10/8 should fail
899014 
 t=`expr $t + 1`
899014 
 $DIG $DIGOPTS tsigzone. \
899014 
-	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
899014 
+	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
899014 
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
899014
899014 
 # any other address should work, as long as it sends key "one"
899014 
 t=`expr $t + 1`
899014 
 $DIG $DIGOPTS tsigzone. \
899014 
-	@10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
899014 
+	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
899014 
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
899014
899014 
 t=`expr $t + 1`
899014 
 $DIG $DIGOPTS tsigzone. \
899014 
-	@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
899014 
+	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
899014 
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
899014
899014 
 echo_i "testing nested ACL processing"
8a47aa 
@@ -63,31 +63,31 @@ sleep 5
899014 
 # should succeed
899014 
 t=`expr $t + 1`
899014 
 $DIG $DIGOPTS tsigzone. \
899014 
-	@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
899014 
+	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
899014 
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
899014
899014 
 # should succeed
899014 
 t=`expr $t + 1`
899014 
 $DIG $DIGOPTS tsigzone. \
899014 
-	@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
899014 
+	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
899014 
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
899014
899014 
 # should succeed
899014 
 t=`expr $t + 1`
899014 
 $DIG $DIGOPTS tsigzone. \
899014 
-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
899014 
+	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
899014 
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
899014
899014 
 # should succeed
899014 
 t=`expr $t + 1`
899014 
 $DIG $DIGOPTS tsigzone. \
899014 
-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
899014 
+	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
899014 
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
899014
899014 
 # but only one or the other should fail
899014 
 t=`expr $t + 1`
899014 
 $DIG $DIGOPTS tsigzone. \
899014 
-	@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
899014 
+	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
899014 
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
899014
899014 
 t=`expr $t + 1`
8a47aa 
@@ -98,7 +98,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
899014 
 # and other values? right out
899014 
 t=`expr $t + 1`
899014 
 $DIG $DIGOPTS tsigzone. \
899014 
-	@10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
899014 
+	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t}
899014 
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
899014
899014 
 # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
8a47aa 
@@ -109,31 +109,31 @@ sleep 5
899014 
 # should succeed
899014 
 t=`expr $t + 1`
899014 
 $DIG $DIGOPTS tsigzone. \
899014 
-	@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
899014 
+	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
899014 
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
899014
899014 
 # should succeed
899014 
 t=`expr $t + 1`
899014 
 $DIG $DIGOPTS tsigzone. \
899014 
-	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
899014 
+	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
899014 
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
899014
899014 
 # should fail
899014 
 t=`expr $t + 1`
899014 
 $DIG $DIGOPTS tsigzone. \
899014 
-	@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
899014 
+	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
899014 
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
899014
899014 
 # should fail
899014 
 t=`expr $t + 1`
899014 
 $DIG $DIGOPTS tsigzone. \
899014 
-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
899014 
+	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
899014 
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
899014
899014 
 # should fail
899014 
 t=`expr $t + 1`
899014 
 $DIG $DIGOPTS tsigzone. \
899014 
-	@10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
899014 
+	@10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
899014 
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
899014
899014 
 echo_i "testing allow-query-on ACL processing"
899014 
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
8a47aa 
index b91d19a..7d777c2 100644
899014 
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
899014 
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
8a47aa 
@@ -12,7 +12,7 @@
0b18b1 
  */
899014
899014 
 key one {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
8a47aa 
index 308c4ca..00f6f40 100644
899014 
--- a/bin/tests/system/allow-query/ns2/named11.conf.in
899014 
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
8a47aa 
@@ -12,12 +12,12 @@
0b18b1 
  */
899014
899014 
 key one {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
 key two {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234efgh8765";
899014 
 };
899014
899014 
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
8a47aa 
index 6b0fe55..491e514 100644
899014 
--- a/bin/tests/system/allow-query/ns2/named12.conf.in
899014 
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
8a47aa 
@@ -12,7 +12,7 @@
0b18b1 
  */
899014
899014 
 key one {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
8a47aa 
index aefc474..7c06596 100644
899014 
--- a/bin/tests/system/allow-query/ns2/named30.conf.in
899014 
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
8a47aa 
@@ -12,7 +12,7 @@
0b18b1 
  */
899014
899014 
 key one {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
8a47aa 
index 27eccc2..eecb990 100644
899014 
--- a/bin/tests/system/allow-query/ns2/named31.conf.in
899014 
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
8a47aa 
@@ -12,12 +12,12 @@
0b18b1 
  */
899014
899014 
 key one {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
 key two {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234efgh8765";
899014 
 };
899014
899014 
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
8a47aa 
index adbb203..744d122 100644
899014 
--- a/bin/tests/system/allow-query/ns2/named32.conf.in
899014 
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
8a47aa 
@@ -12,7 +12,7 @@
0b18b1 
  */
899014
899014 
 key one {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
8a47aa 
index 364f94b..9518f82 100644
899014 
--- a/bin/tests/system/allow-query/ns2/named40.conf.in
899014 
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
8a47aa 
@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
899014 
 acl badaccept { 10.53.0.1; };
899014
899014 
 key one {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
 key two {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "1234efgh8765";
899014 
 };
899014
899014 
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
8a47aa 
index bbffe07..80da0fe 100644
899014 
--- a/bin/tests/system/allow-query/tests.sh
899014 
+++ b/bin/tests/system/allow-query/tests.sh
8a47aa 
@@ -200,7 +200,7 @@ rndc_reload ns2 10.53.0.2
899014
899014 
 echo_i "test $n: key allowed - query allowed"
899014 
 ret=0
899014 
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
899014 
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
899014 
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
899014 
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
899014 
 if [ $ret != 0 ]; then echo_i "failed"; fi
8a47aa 
@@ -213,7 +213,7 @@ rndc_reload ns2 10.53.0.2
899014
899014 
 echo_i "test $n: key not allowed - query refused"
899014 
 ret=0
899014 
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
899014 
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
899014 
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
8a47aa 
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
899014 
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
8a47aa 
@@ -227,7 +227,7 @@ rndc_reload ns2 10.53.0.2
899014
899014 
 echo_i "test $n: key disallowed - query refused"
899014 
 ret=0
899014 
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
899014 
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
899014 
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
8a47aa 
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
899014 
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
8a47aa 
@@ -366,7 +366,7 @@ rndc_reload ns2 10.53.0.2
899014
899014 
 echo_i "test $n: views key allowed - query allowed"
899014 
 ret=0
899014 
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
899014 
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
899014 
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
899014 
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
899014 
 if [ $ret != 0 ]; then echo_i "failed"; fi
8a47aa 
@@ -379,7 +379,7 @@ rndc_reload ns2 10.53.0.2
899014
899014 
 echo_i "test $n: views key not allowed - query refused"
899014 
 ret=0
899014 
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
899014 
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
899014 
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
8a47aa 
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
899014 
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
8a47aa 
@@ -393,7 +393,7 @@ rndc_reload ns2 10.53.0.2
899014
899014 
 echo_i "test $n: views key disallowed - query refused"
899014 
 ret=0
899014 
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
899014 
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
899014 
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
8a47aa 
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
899014 
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
8a47aa 
@@ -533,7 +533,7 @@ status=`expr $status + $ret`
899014 
 n=`expr $n + 1`
899014 
 echo_i "test $n: zone key allowed - query allowed"
899014 
 ret=0
899014 
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
899014 
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
899014 
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
899014 
 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
899014 
 if [ $ret != 0 ]; then echo_i "failed"; fi
8a47aa 
@@ -543,7 +543,7 @@ status=`expr $status + $ret`
899014 
 n=`expr $n + 1`
899014 
 echo_i "test $n: zone key not allowed - query refused"
899014 
 ret=0
899014 
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
899014 
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
899014 
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
8a47aa 
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
899014 
 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
8a47aa 
@@ -554,7 +554,7 @@ status=`expr $status + $ret`
899014 
 n=`expr $n + 1`
899014 
 echo_i "test $n: zone key disallowed - query refused"
899014 
 ret=0
899014 
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
899014 
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
899014 
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
8a47aa 
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
899014 
 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
899014 
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
8a47aa 
index 5a46d39..fc1bd07 100644
899014 
--- a/bin/tests/system/catz/ns1/named.conf.in
899014 
+++ b/bin/tests/system/catz/ns1/named.conf.in
8a47aa 
@@ -63,5 +63,5 @@ zone "catalog4.example" {
25b398
25b398 
 key tsig_key. {
25b398 
 	secret "LSAnCU+Z";
25b398 
-	algorithm hmac-md5;
25b398 
+	algorithm hmac-sha256;
25b398 
 };
899014 
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
8a47aa 
index 4af25b0..9f202d5 100644
899014 
--- a/bin/tests/system/checkconf/bad-tsig.conf
899014 
+++ b/bin/tests/system/checkconf/bad-tsig.conf
8a47aa 
@@ -13,7 +13,7 @@
899014
899014 
 /* Bad secret */
899014 
 key "badtsig" {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha256;
899014 
 	secret "jEdD+BPKg==";
899014 
 };
899014
899014 
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
8a47aa 
index 897dc86..e4b6dc1 100644
899014 
--- a/bin/tests/system/checkconf/good.conf
899014 
+++ b/bin/tests/system/checkconf/good.conf
8a47aa 
@@ -270,6 +270,6 @@ dyndb "name" "library.so" {
899014 
 	system;
899014 
 };
899014 
 key "mykey" {
899014 
-	algorithm "hmac-md5";
899014 
+	algorithm "hmac-sha256";
899014 
 	secret "qwertyuiopasdfgh";
899014 
 };
899014 
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
8a47aa 
index 30e6e14..ba7f98e 100644
899014 
--- a/bin/tests/system/feature-test.c
899014 
+++ b/bin/tests/system/feature-test.c
8a47aa 
@@ -16,6 +16,7 @@
b626a2 
 #include <string.h>
b626a2 
 #include <unistd.h>
b626a2
b626a2 
+#include <isc/md.h>
b626a2 
 #include <isc/net.h>
899014 
 #include <isc/print.h>
899014 
 #include <isc/util.h>
8a47aa 
@@ -140,6 +141,19 @@ main(int argc, char **argv) {
8a47aa 
 #endif
899014 
 	}
899014
899014 
+	if (strcmp(argv[1], "--md5") == 0) {
0b18b1 
+		unsigned char digest[ISC_MAX_MD_SIZE];
aaee84 
+		const unsigned char test[] = "test";
aaee84 
+		unsigned int size = sizeof(digest);
0b18b1 
+
0b18b1 
+		if (isc_md(ISC_MD_MD5, test, sizeof(test),
aaee84 
+		           digest, &size) == ISC_R_SUCCESS) {
899014 
+			return (0);
899014 
+		} else {
899014 
+			return (1);
899014 
+		}
899014 
+	}
899014 
+
8a47aa 
 	if (strcmp(argv[1], "--ipv6only=no") == 0) {
8a47aa 
 #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
8a47aa 
 		int s;
899014 
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
8a47aa 
index 5cab276..d4a7bf3 100644
899014 
--- a/bin/tests/system/notify/ns5/named.conf.in
899014 
+++ b/bin/tests/system/notify/ns5/named.conf.in
8a47aa 
@@ -12,17 +12,17 @@
899014 
  */
899014
899014 
 key "a" {
899014 
-	algorithm "hmac-md5";
899014 
+	algorithm "hmac-sha256";
899014 
 	secret "aaaaaaaaaaaaaaaaaaaa";
899014 
 };
899014
899014 
 key "b" {
899014 
-	algorithm "hmac-md5";
899014 
+	algorithm "hmac-sha256";
899014 
 	secret "bbbbbbbbbbbbbbbbbbbb";
899014 
 };
899014
899014 
 key "c" {
899014 
-	algorithm "hmac-md5";
899014 
+	algorithm "hmac-sha256";
899014 
 	secret "cccccccccccccccccccc";
899014 
 };
899014
899014 
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
8a47aa 
index 52d2f81..1fd02d4 100644
899014 
--- a/bin/tests/system/notify/tests.sh
899014 
+++ b/bin/tests/system/notify/tests.sh
8a47aa 
@@ -187,7 +187,7 @@ test_start "checking notify to multiple views using tsig"
899014 
 $NSUPDATE << EOF
899014 
 server 10.53.0.5 ${PORT}
899014 
 zone x21
899014 
-key a aaaaaaaaaaaaaaaaaaaa
899014 
+key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa
899014 
 update add added.x21 0 in txt "test string"
899014 
 send
899014 
 EOF
8a47aa 
@@ -195,9 +195,9 @@ fnb="dig.out.b.ns5.test$n"
8a47aa 
 fnc="dig.out.c.ns5.test$n"
899014 
 for i in 1 2 3 4 5 6 7 8 9
899014 
 do
8a47aa 
-	dig_plus_opts added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
8a47aa 
+	dig_plus_opts added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
8a47aa 
 		txt > "$fnb" || ret=1
8a47aa 
-	dig_plus_opts added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
8a47aa 
+	dig_plus_opts added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
8a47aa 
 		txt > "$fnc" || ret=1
8a47aa 
 	grep "test string" "$fnb" > /dev/null &&
8a47aa 
 	grep "test string" "$fnc" > /dev/null &&
899014 
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
8a47aa 
index 81d0c99..effbe2e 100644
899014 
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
899014 
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
8a47aa 
@@ -39,7 +39,7 @@ controls {
899014 
 };
899014
899014 
 key altkey {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha512;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
8a47aa 
index f1a1735..da2b3d1 100644
899014 
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
899014 
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
8a47aa 
@@ -34,7 +34,7 @@ controls {
899014 
 };
899014
899014 
 key altkey {
899014 
-	algorithm hmac-md5;
899014 
+	algorithm hmac-sha512;
899014 
 	secret "1234abcd8765";
899014 
 };
899014
899014 
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
8a47aa 
index 50056dc..a4a1a3f 100644
899014 
--- a/bin/tests/system/nsupdate/setup.sh
899014 
+++ b/bin/tests/system/nsupdate/setup.sh
8a47aa 
@@ -72,7 +72,11 @@ EOF
899014
8a47aa 
 $TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key
899014
8a47aa 
-$TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
899014 
+if $FEATURETEST --md5; then
8a47aa 
+	$TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
899014 
+else
899014 
+	echo -n > ns1/md5.key
899014 
+fi
8a47aa 
 $TSIGKEYGEN -a hmac-sha1 sha1-key > ns1/sha1.key
8a47aa 
 $TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key
8a47aa 
 $TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key
899014 
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
8a47aa 
index 0863d0a..559def7 100755
899014 
--- a/bin/tests/system/nsupdate/tests.sh
899014 
+++ b/bin/tests/system/nsupdate/tests.sh
8a47aa 
@@ -841,7 +841,14 @@ fi
899014 
 n=`expr $n + 1`
899014 
 ret=0
76074c 
 echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
899014 
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
899014 
+if $FEATURETEST --md5
899014 
+then
899014 
+	ALGS="md5 sha1 sha224 sha256 sha384 sha512"
899014 
+else
899014 
+	ALGS="sha1 sha224 sha256 sha384 sha512"
899014 
+	echo_i "skipping disabled md5 algorithm"
899014 
+fi
899014 
+for alg in $ALGS; do
899014 
     $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
899014 
 server 10.53.0.1 ${PORT}
899014 
 update add ${alg}.keytests.nil. 600 A 10.10.10.3
8a47aa 
@@ -849,7 +856,7 @@ send
899014 
 END
899014 
 done
899014 
 sleep 2
899014 
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
899014 
+for alg in $ALGS; do
899014 
     $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
899014 
 done
899014 
 if [ $ret -ne 0 ]; then
899014 
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
8a47aa 
index 4dd6fa7..1b79263 100644
899014 
--- a/bin/tests/system/rndc/setup.sh
899014 
+++ b/bin/tests/system/rndc/setup.sh
8a47aa 
@@ -47,7 +47,7 @@ make_key () {
899014 
             sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
899014 
 }
899014
899014 
-make_key 1 ${EXTRAPORT1} hmac-md5
899014 
+$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
899014 
 make_key 2 ${EXTRAPORT2} hmac-sha1
899014 
 make_key 3 ${EXTRAPORT3} hmac-sha224
899014 
 make_key 4 ${EXTRAPORT4} hmac-sha256
899014 
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
8a47aa 
index 85c271b..ac69f32 100644
899014 
--- a/bin/tests/system/rndc/tests.sh
899014 
+++ b/bin/tests/system/rndc/tests.sh
8a47aa 
@@ -350,15 +350,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
8a47aa 
 status=$((status+ret))
899014
8a47aa 
 n=$((n+1))
899014 
-echo_i "testing rndc with hmac-md5 ($n)"
899014 
-ret=0
899014 
-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
899014 
-for i in 2 3 4 5 6
899014 
-do
899014 
-        $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
899014 
-done
899014 
-if [ $ret != 0 ]; then echo_i "failed"; fi
8a47aa 
-status=$((status+ret))
899014 
+if $FEATURETEST --md5
899014 
+	echo_i "testing rndc with hmac-md5 ($n)"
899014 
+	ret=0
899014 
+	$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
899014 
+	for i in 2 3 4 5 6
899014 
+	do
8a47aa 
+	        $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
899014 
+	done
899014 
+	if [ $ret != 0 ]; then echo_i "failed"; fi
8a47aa 
+	status=$((status+ret))
899014 
+else
899014 
+	echo_i "skipping rndc with hmac-md5 ($n)"
899014 
+fi
899014
8a47aa 
 n=$((n+1))
899014 
 echo_i "testing rndc with hmac-sha1 ($n)"
899014 
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
8a47aa 
index 76cf970..22637af 100644
899014 
--- a/bin/tests/system/tsig/ns1/named.conf.in
899014 
+++ b/bin/tests/system/tsig/ns1/named.conf.in
8a47aa 
@@ -23,10 +23,7 @@ options {
899014 
 	notify no;
899014 
 };
899014
899014 
-key "md5" {
899014 
-	secret "97rnFx24Tfna4mHPfgnerA==";
899014 
-	algorithm hmac-md5;
899014 
-};
899014 
+# md5 key appended by setup.sh at the end
899014
899014 
 key "sha1" {
899014 
 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
8a47aa 
@@ -53,10 +50,7 @@ key "sha512" {
899014 
 	algorithm hmac-sha512;
899014 
 };
899014
899014 
-key "md5-trunc" {
899014 
-	secret "97rnFx24Tfna4mHPfgnerA==";
899014 
-	algorithm hmac-md5-80;
899014 
-};
899014 
+# md5-trunc key appended by setup.sh at the end
899014
899014 
 key "sha1-trunc" {
899014 
 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
899014 
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
8a47aa 
index 34cc73b..d51ff21 100644
899014 
--- a/bin/tests/system/tsig/setup.sh
899014 
+++ b/bin/tests/system/tsig/setup.sh
8a47aa 
@@ -16,3 +16,8 @@
0b18b1 
 $SHELL clean.sh
899014
0b18b1 
 copy_setports ns1/named.conf.in ns1/named.conf
1e4169 
+
899014 
+if $FEATURETEST --md5
899014 
+then
899014 
+	cat ns1/rndc5.conf.in >> ns1/named.conf
899014 
+fi
899014 
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
8a47aa 
index 1067227..ee05e83 100644
899014 
--- a/bin/tests/system/tsig/tests.sh
899014 
+++ b/bin/tests/system/tsig/tests.sh
8a47aa 
@@ -27,20 +27,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
899014
899014 
 status=0
899014
899014 
-echo_i "fetching using hmac-md5 (old form)"
899014 
-ret=0
899014 
-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
899014 
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
899014 
-if [ $ret -eq 1 ] ; then
899014 
-	echo_i "failed"; status=1
899014 
-fi
8a47aa 
-
8a47aa 
-echo_i "fetching using hmac-md5 (new form)"
8a47aa 
-ret=0
8a47aa 
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
8a47aa 
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
8a47aa 
-if [ $ret -eq 1 ] ; then
8a47aa 
-	echo_i "failed"; status=1
899014 
+if $FEATURETEST --md5
899014 
+then
899014 
+	echo_i "fetching using hmac-md5 (old form)"
899014 
+	ret=0
899014 
+	$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
899014 
+	grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
899014 
+	if [ $ret -eq 1 ] ; then
899014 
+		echo_i "failed"; status=1
899014 
+	fi
8a47aa 
+
899014 
+	echo_i "fetching using hmac-md5 (new form)"
899014 
+	ret=0
899014 
+	$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
899014 
+	grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
899014 
+	if [ $ret -eq 1 ] ; then
899014 
+		echo_i "failed"; status=1
899014 
+	fi
899014 
+else
899014 
+	echo_i "skipping using hmac-md5"
899014 
 fi
899014
899014 
 echo_i "fetching using hmac-sha1"
8a47aa 
@@ -88,12 +93,17 @@ fi
899014 
 #	Truncated TSIG
899014 
 #
899014 
 #
899014 
-echo_i "fetching using hmac-md5 (trunc)"
899014 
-ret=0
899014 
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
899014 
-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
899014 
-if [ $ret -eq 1 ] ; then
899014 
-	echo_i "failed"; status=1
899014 
+if $FEATURETEST --md5
899014 
+then
899014 
+	echo_i "fetching using hmac-md5 (trunc)"
899014 
+	ret=0
899014 
+	$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
899014 
+	grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
899014 
+	if [ $ret -eq 1 ] ; then
899014 
+		echo_i "failed"; status=1
899014 
+	fi
899014 
+else
899014 
+	echo_i "skipping using hmac-md5 (trunc)"
899014 
 fi
899014
899014 
 echo_i "fetching using hmac-sha1 (trunc)"
8a47aa 
@@ -142,12 +152,17 @@ fi
899014 
 #	Check for bad truncation.
899014 
 #
899014 
 #
899014 
-echo_i "fetching using hmac-md5-80 (BADTRUNC)"
899014 
-ret=0
899014 
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
899014 
-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
899014 
-if [ $ret -eq 1 ] ; then
899014 
-	echo_i "failed"; status=1
899014 
+if $FEATURETEST --md5
899014 
+then
899014 
+	echo_i "fetching using hmac-md5-80 (BADTRUNC)"
899014 
+	ret=0
899014 
+	$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
899014 
+	grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
899014 
+	if [ $ret -eq 1 ] ; then
899014 
+		echo_i "failed"; status=1
899014 
+	fi
899014 
+else
899014 
+	echo_i "skipping using hmac-md5-80 (BADTRUNC)"
899014 
 fi
899014
899014 
 echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
899014 
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
8a47aa 
index c2b57dd..cb13aa1 100644
899014 
--- a/bin/tests/system/upforwd/ns1/named.conf.in
899014 
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
8a47aa 
@@ -12,7 +12,7 @@
899014 
  */
899014
899014 
 key "update.example." {
899014 
-	algorithm "hmac-md5";
899014 
+	algorithm "hmac-sha256";
899014 
 	secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
899014 
 };
899014
899014 
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
8a47aa 
index a6de312..ebcadb1 100644
899014 
--- a/bin/tests/system/upforwd/tests.sh
899014 
+++ b/bin/tests/system/upforwd/tests.sh
8a47aa 
@@ -80,7 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
899014
899014 
 echo_i "updating zone (signed) ($n)"
899014 
 ret=0
899014 
-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <
899014 
+$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <
899014 
 server 10.53.0.3 ${PORT}
899014 
 update add updated.example. 600 A 10.10.10.1
899014 
 update add updated.example. 600 TXT Foo
899014 
--
8a47aa 
2.34.1
899014

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation