|
 |
2a4663 |
From 230ca0ddbc95a043933c36c1d182f85cf0dcc971 Mon Sep 17 00:00:00 2001
|
|
|
899014 |
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
|
|
899014 |
Date: Thu, 2 Aug 2018 23:46:45 +0200
|
|
|
ad7b3b |
Subject: [PATCH] FIPS tests changes
|
|
|
899014 |
MIME-Version: 1.0
|
|
|
899014 |
Content-Type: text/plain; charset=UTF-8
|
|
|
899014 |
Content-Transfer-Encoding: 8bit
|
|
|
899014 |
|
|
|
ad7b3b |
Squashed commit of the following:
|
|
|
ad7b3b |
|
|
|
899014 |
commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa
|
|
|
899014 |
Author: Petr Menšík <pemensik@redhat.com>
|
|
|
899014 |
Date: Wed Mar 7 20:35:13 2018 +0100
|
|
|
899014 |
|
|
|
899014 |
Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available.
|
|
|
899014 |
|
|
|
899014 |
commit ab303db70082db76ecf36493d0b82ef3e8750cad
|
|
|
899014 |
Author: Petr Menšík <pemensik@redhat.com>
|
|
|
899014 |
Date: Wed Mar 7 18:11:10 2018 +0100
|
|
|
899014 |
|
|
|
899014 |
Changed root key to be RSASHA256
|
|
|
899014 |
|
|
|
899014 |
Change bad trusted key to be the same algorithm.
|
|
|
899014 |
|
|
|
899014 |
commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8
|
|
|
899014 |
Author: Petr Menšík <pemensik@redhat.com>
|
|
|
899014 |
Date: Wed Mar 7 16:56:17 2018 +0100
|
|
|
899014 |
|
|
|
899014 |
Change used key to not use hmac-md5
|
|
|
899014 |
|
|
|
899014 |
Fix upforwd test, do not use hmac-md5
|
|
|
899014 |
|
|
|
899014 |
commit aec891571626f053acfb4d0a247240cbc21a84e9
|
|
|
899014 |
Author: Petr Menšík <pemensik@redhat.com>
|
|
|
899014 |
Date: Wed Mar 7 15:54:11 2018 +0100
|
|
|
899014 |
|
|
|
899014 |
Increase bitsize of DSA key to pass FIPS 140-2 mode.
|
|
|
899014 |
|
|
|
899014 |
commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696
|
|
|
899014 |
Author: Petr Menšík <pemensik@redhat.com>
|
|
|
899014 |
Date: Wed Mar 7 15:41:08 2018 +0100
|
|
|
899014 |
|
|
|
899014 |
Fix tsig and rndc tests for disabled md5
|
|
|
899014 |
|
|
|
899014 |
Use hmac-sha256 instead of hmac-md5.
|
|
|
899014 |
|
|
|
899014 |
commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67
|
|
|
899014 |
Author: Petr Menšík <pemensik@redhat.com>
|
|
|
899014 |
Date: Wed Mar 7 13:21:00 2018 +0100
|
|
|
899014 |
|
|
|
899014 |
Add md5 availability detection to featuretest
|
|
|
899014 |
|
|
|
899014 |
commit f389a918803e2853e4b55fed62765dc4a492e34f
|
|
|
899014 |
Author: Petr Menšík <pemensik@redhat.com>
|
|
|
899014 |
Date: Wed Mar 7 10:44:23 2018 +0100
|
|
|
899014 |
|
|
|
899014 |
Change tests to not use hmac-md5 algorithms if not required
|
|
|
899014 |
|
|
|
899014 |
Use hmac-sha256 instead of default hmac-md5 for allow-query
|
|
|
899014 |
---
|
|
|
1e4169 |
bin/tests/system/acl/ns2/named1.conf.in | 4 +-
|
|
|
1e4169 |
bin/tests/system/acl/ns2/named2.conf.in | 4 +-
|
|
|
1e4169 |
bin/tests/system/acl/ns2/named3.conf.in | 6 +-
|
|
|
1e4169 |
bin/tests/system/acl/ns2/named4.conf.in | 4 +-
|
|
|
1e4169 |
bin/tests/system/acl/ns2/named5.conf.in | 4 +-
|
|
|
1e4169 |
bin/tests/system/acl/tests.sh | 32 ++++-----
|
|
|
1e4169 |
.../system/allow-query/ns2/named10.conf.in | 2 +-
|
|
|
1e4169 |
.../system/allow-query/ns2/named11.conf.in | 4 +-
|
|
|
1e4169 |
.../system/allow-query/ns2/named12.conf.in | 2 +-
|
|
|
1e4169 |
.../system/allow-query/ns2/named30.conf.in | 2 +-
|
|
|
1e4169 |
.../system/allow-query/ns2/named31.conf.in | 4 +-
|
|
|
1e4169 |
.../system/allow-query/ns2/named32.conf.in | 2 +-
|
|
|
1e4169 |
.../system/allow-query/ns2/named40.conf.in | 4 +-
|
|
|
1e4169 |
bin/tests/system/allow-query/tests.sh | 18 ++---
|
|
|
1e4169 |
bin/tests/system/catz/ns1/named.conf.in | 2 +-
|
|
|
1e4169 |
bin/tests/system/catz/ns2/named.conf.in | 2 +-
|
|
|
1e4169 |
bin/tests/system/checkconf/bad-tsig.conf | 2 +-
|
|
|
1e4169 |
bin/tests/system/checkconf/good.conf | 2 +-
|
|
|
2a4663 |
bin/tests/system/digdelv/ns2/example.db | 15 +++--
|
|
|
1e4169 |
bin/tests/system/digdelv/tests.sh | 28 ++++----
|
|
|
1e4169 |
bin/tests/system/dlv/ns1/sign.sh | 4 +-
|
|
|
1e4169 |
bin/tests/system/dlv/ns2/sign.sh | 4 +-
|
|
|
1e4169 |
bin/tests/system/dlv/ns6/sign.sh | 66 +++++++++---------
|
|
|
2a4663 |
bin/tests/system/dnssec/ns2/sign.sh | 8 +--
|
|
|
1e4169 |
bin/tests/system/dnssec/ns5/trusted.conf.bad | 2 +-
|
|
|
2a4663 |
bin/tests/system/dnssec/tests.sh | 4 +-
|
|
|
1e4169 |
bin/tests/system/feature-test.c | 14 ++++
|
|
|
1e4169 |
bin/tests/system/filter-aaaa/ns1/sign.sh | 4 +-
|
|
|
1e4169 |
bin/tests/system/filter-aaaa/ns4/sign.sh | 4 +-
|
|
|
1e4169 |
bin/tests/system/notify/ns5/named.conf.in | 6 +-
|
|
|
1e4169 |
bin/tests/system/notify/tests.sh | 6 +-
|
|
|
1e4169 |
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
|
|
|
1e4169 |
bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
|
|
|
1e4169 |
bin/tests/system/nsupdate/setup.sh | 7 +-
|
|
|
1e4169 |
bin/tests/system/nsupdate/tests.sh | 11 ++-
|
|
|
1e4169 |
bin/tests/system/rndc/setup.sh | 2 +-
|
|
|
1e4169 |
bin/tests/system/rndc/tests.sh | 23 ++++---
|
|
|
1e4169 |
bin/tests/system/tsig/clean.sh | 1 +
|
|
|
1e4169 |
bin/tests/system/tsig/ns1/named.conf.in | 10 +--
|
|
|
1e4169 |
bin/tests/system/tsig/setup.sh | 5 ++
|
|
|
2a4663 |
bin/tests/system/tsig/tests.sh | 67 ++++++++++++-------
|
|
|
1e4169 |
bin/tests/system/tsiggss/setup.sh | 2 +-
|
|
|
1e4169 |
bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
|
|
|
1e4169 |
bin/tests/system/upforwd/tests.sh | 2 +-
|
|
|
2a4663 |
44 files changed, 226 insertions(+), 175 deletions(-)
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
|
|
|
ad7b3b |
index 0ea6502..026db3f 100644
|
|
|
899014 |
--- a/bin/tests/system/acl/ns2/named1.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/acl/ns2/named1.conf.in
|
|
|
899014 |
@@ -33,12 +33,12 @@ options {
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key one {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key two {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
|
|
|
ad7b3b |
index b877880..d8f50be 100644
|
|
|
899014 |
--- a/bin/tests/system/acl/ns2/named2.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/acl/ns2/named2.conf.in
|
|
|
899014 |
@@ -33,12 +33,12 @@ options {
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key one {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key two {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
|
|
|
ad7b3b |
index 0a95062..aa54088 100644
|
|
|
899014 |
--- a/bin/tests/system/acl/ns2/named3.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/acl/ns2/named3.conf.in
|
|
|
899014 |
@@ -33,17 +33,17 @@ options {
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key one {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key two {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key three {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
|
|
|
ad7b3b |
index 7cdcb6e..606a345 100644
|
|
|
899014 |
--- a/bin/tests/system/acl/ns2/named4.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/acl/ns2/named4.conf.in
|
|
|
899014 |
@@ -33,12 +33,12 @@ options {
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key one {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key two {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
|
|
|
ad7b3b |
index 4b4e050..0e679a8 100644
|
|
|
899014 |
--- a/bin/tests/system/acl/ns2/named5.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/acl/ns2/named5.conf.in
|
|
|
899014 |
@@ -34,12 +34,12 @@ options {
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key one {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key two {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
|
|
|
ad7b3b |
index 09f31f2..f88f0d4 100644
|
|
|
899014 |
--- a/bin/tests/system/acl/tests.sh
|
|
|
899014 |
+++ b/bin/tests/system/acl/tests.sh
|
|
|
899014 |
@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
|
|
|
899014 |
# key "one" should fail
|
|
|
899014 |
t=`expr $t + 1`
|
|
|
899014 |
$DIG $DIGOPTS tsigzone. \
|
|
|
899014 |
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
|
|
899014 |
|
|
|
899014 |
|
|
|
899014 |
# any other key should be fine
|
|
|
899014 |
t=`expr $t + 1`
|
|
|
899014 |
$DIG $DIGOPTS tsigzone. \
|
|
|
899014 |
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
|
|
899014 |
|
|
|
899014 |
copy_setports ns2/named2.conf.in ns2/named.conf
|
|
|
899014 |
@@ -39,18 +39,18 @@ sleep 5
|
|
|
899014 |
# prefix 10/8 should fail
|
|
|
899014 |
t=`expr $t + 1`
|
|
|
899014 |
$DIG $DIGOPTS tsigzone. \
|
|
|
899014 |
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
|
|
899014 |
|
|
|
899014 |
# any other address should work, as long as it sends key "one"
|
|
|
899014 |
t=`expr $t + 1`
|
|
|
899014 |
$DIG $DIGOPTS tsigzone. \
|
|
|
899014 |
- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
|
|
899014 |
|
|
|
899014 |
t=`expr $t + 1`
|
|
|
899014 |
$DIG $DIGOPTS tsigzone. \
|
|
|
899014 |
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
|
|
899014 |
|
|
|
899014 |
echo_i "testing nested ACL processing"
|
|
|
899014 |
@@ -62,31 +62,31 @@ sleep 5
|
|
|
899014 |
# should succeed
|
|
|
899014 |
t=`expr $t + 1`
|
|
|
899014 |
$DIG $DIGOPTS tsigzone. \
|
|
|
899014 |
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
|
|
899014 |
|
|
|
899014 |
# should succeed
|
|
|
899014 |
t=`expr $t + 1`
|
|
|
899014 |
$DIG $DIGOPTS tsigzone. \
|
|
|
899014 |
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
|
|
899014 |
|
|
|
899014 |
# should succeed
|
|
|
899014 |
t=`expr $t + 1`
|
|
|
899014 |
$DIG $DIGOPTS tsigzone. \
|
|
|
899014 |
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
|
|
899014 |
|
|
|
899014 |
# should succeed
|
|
|
899014 |
t=`expr $t + 1`
|
|
|
899014 |
$DIG $DIGOPTS tsigzone. \
|
|
|
899014 |
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
|
|
899014 |
|
|
|
899014 |
# but only one or the other should fail
|
|
|
899014 |
t=`expr $t + 1`
|
|
|
899014 |
$DIG $DIGOPTS tsigzone. \
|
|
|
899014 |
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
|
|
899014 |
|
|
|
899014 |
t=`expr $t + 1`
|
|
|
899014 |
@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
|
|
|
899014 |
# and other values? right out
|
|
|
899014 |
t=`expr $t + 1`
|
|
|
899014 |
$DIG $DIGOPTS tsigzone. \
|
|
|
899014 |
- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
|
|
899014 |
|
|
|
899014 |
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
|
|
|
899014 |
@@ -108,31 +108,31 @@ sleep 5
|
|
|
899014 |
# should succeed
|
|
|
899014 |
t=`expr $t + 1`
|
|
|
899014 |
$DIG $DIGOPTS tsigzone. \
|
|
|
899014 |
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
|
|
899014 |
|
|
|
899014 |
# should succeed
|
|
|
899014 |
t=`expr $t + 1`
|
|
|
899014 |
$DIG $DIGOPTS tsigzone. \
|
|
|
899014 |
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
|
|
899014 |
|
|
|
899014 |
# should fail
|
|
|
899014 |
t=`expr $t + 1`
|
|
|
899014 |
$DIG $DIGOPTS tsigzone. \
|
|
|
899014 |
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
|
|
899014 |
|
|
|
899014 |
# should fail
|
|
|
899014 |
t=`expr $t + 1`
|
|
|
899014 |
$DIG $DIGOPTS tsigzone. \
|
|
|
899014 |
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
|
|
899014 |
|
|
|
899014 |
# should fail
|
|
|
899014 |
t=`expr $t + 1`
|
|
|
899014 |
$DIG $DIGOPTS tsigzone. \
|
|
|
899014 |
- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
+ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
|
|
899014 |
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
|
|
899014 |
|
|
|
899014 |
echo_i "testing allow-query-on ACL processing"
|
|
|
899014 |
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
|
|
|
ad7b3b |
index 1569913..e9c5c2d 100644
|
|
|
899014 |
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
|
|
|
899014 |
@@ -12,7 +12,7 @@
|
|
|
899014 |
controls { /* empty */ };
|
|
|
899014 |
|
|
|
899014 |
key one {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
|
|
|
ad7b3b |
index 18ac91c..2b1c873 100644
|
|
|
899014 |
--- a/bin/tests/system/allow-query/ns2/named11.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
|
|
|
899014 |
@@ -12,12 +12,12 @@
|
|
|
899014 |
controls { /* empty */ };
|
|
|
899014 |
|
|
|
899014 |
key one {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key two {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234efgh8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
|
|
|
ad7b3b |
index b824844..dd48945 100644
|
|
|
899014 |
--- a/bin/tests/system/allow-query/ns2/named12.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
|
|
|
899014 |
@@ -12,7 +12,7 @@
|
|
|
899014 |
controls { /* empty */ };
|
|
|
899014 |
|
|
|
899014 |
key one {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
|
|
|
ad7b3b |
index aeb1540..bfce58b 100644
|
|
|
899014 |
--- a/bin/tests/system/allow-query/ns2/named30.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
|
|
|
899014 |
@@ -12,7 +12,7 @@
|
|
|
899014 |
controls { /* empty */ };
|
|
|
899014 |
|
|
|
899014 |
key one {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
|
|
|
ad7b3b |
index d4b7432..e0f5252 100644
|
|
|
899014 |
--- a/bin/tests/system/allow-query/ns2/named31.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
|
|
|
899014 |
@@ -12,12 +12,12 @@
|
|
|
899014 |
controls { /* empty */ };
|
|
|
899014 |
|
|
|
899014 |
key one {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key two {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234efgh8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
|
|
|
ad7b3b |
index c025938..87afb3f 100644
|
|
|
899014 |
--- a/bin/tests/system/allow-query/ns2/named32.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
|
|
|
899014 |
@@ -12,7 +12,7 @@
|
|
|
899014 |
controls { /* empty */ };
|
|
|
899014 |
|
|
|
899014 |
key one {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
|
|
|
ad7b3b |
index d83b376..d726b94 100644
|
|
|
899014 |
--- a/bin/tests/system/allow-query/ns2/named40.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
|
|
|
899014 |
@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
|
|
|
899014 |
acl badaccept { 10.53.0.1; };
|
|
|
899014 |
|
|
|
899014 |
key one {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key two {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "1234efgh8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
|
|
|
ad7b3b |
index fb6059d..f960156 100644
|
|
|
899014 |
--- a/bin/tests/system/allow-query/tests.sh
|
|
|
899014 |
+++ b/bin/tests/system/allow-query/tests.sh
|
|
|
899014 |
@@ -190,7 +190,7 @@ rndc_reload
|
|
|
899014 |
|
|
|
899014 |
echo_i "test $n: key allowed - query allowed"
|
|
|
899014 |
ret=0
|
|
|
899014 |
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
|
|
899014 |
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
@@ -203,7 +203,7 @@ rndc_reload
|
|
|
899014 |
|
|
|
899014 |
echo_i "test $n: key not allowed - query refused"
|
|
|
899014 |
ret=0
|
|
|
899014 |
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
|
|
899014 |
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
@@ -216,7 +216,7 @@ rndc_reload
|
|
|
899014 |
|
|
|
899014 |
echo_i "test $n: key disallowed - query refused"
|
|
|
899014 |
ret=0
|
|
|
899014 |
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
|
|
899014 |
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
@@ -349,7 +349,7 @@ rndc_reload
|
|
|
899014 |
|
|
|
899014 |
echo_i "test $n: views key allowed - query allowed"
|
|
|
899014 |
ret=0
|
|
|
899014 |
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
|
|
899014 |
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
@@ -362,7 +362,7 @@ rndc_reload
|
|
|
899014 |
|
|
|
899014 |
echo_i "test $n: views key not allowed - query refused"
|
|
|
899014 |
ret=0
|
|
|
899014 |
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
|
|
899014 |
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
@@ -375,7 +375,7 @@ rndc_reload
|
|
|
899014 |
|
|
|
899014 |
echo_i "test $n: views key disallowed - query refused"
|
|
|
899014 |
ret=0
|
|
|
899014 |
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
|
|
899014 |
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
@@ -508,7 +508,7 @@ status=`expr $status + $ret`
|
|
|
899014 |
n=`expr $n + 1`
|
|
|
899014 |
echo_i "test $n: zone key allowed - query allowed"
|
|
|
899014 |
ret=0
|
|
|
899014 |
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
|
|
899014 |
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
@@ -518,7 +518,7 @@ status=`expr $status + $ret`
|
|
|
899014 |
n=`expr $n + 1`
|
|
|
899014 |
echo_i "test $n: zone key not allowed - query refused"
|
|
|
899014 |
ret=0
|
|
|
899014 |
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
|
|
899014 |
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
@@ -528,7 +528,7 @@ status=`expr $status + $ret`
|
|
|
899014 |
n=`expr $n + 1`
|
|
|
899014 |
echo_i "test $n: zone key disallowed - query refused"
|
|
|
899014 |
ret=0
|
|
|
899014 |
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
|
|
|
899014 |
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
|
|
899014 |
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
|
|
|
ad7b3b |
index 74b7d37..c353766 100644
|
|
|
899014 |
--- a/bin/tests/system/catz/ns1/named.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/catz/ns1/named.conf.in
|
|
|
899014 |
@@ -61,5 +61,5 @@ zone "catalog4.example" {
|
|
|
899014 |
|
|
|
899014 |
key tsig_key. {
|
|
|
899014 |
secret "LSAnCU+Z";
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
};
|
|
|
899014 |
diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in
|
|
|
ad7b3b |
index ee83efb..35ced08 100644
|
|
|
899014 |
--- a/bin/tests/system/catz/ns2/named.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/catz/ns2/named.conf.in
|
|
|
899014 |
@@ -70,5 +70,5 @@ zone "catalog4.example" {
|
|
|
899014 |
|
|
|
899014 |
key tsig_key. {
|
|
|
899014 |
secret "LSAnCU+Z";
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
};
|
|
|
899014 |
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
|
|
|
ad7b3b |
index 21be03e..e57c308 100644
|
|
|
899014 |
--- a/bin/tests/system/checkconf/bad-tsig.conf
|
|
|
899014 |
+++ b/bin/tests/system/checkconf/bad-tsig.conf
|
|
|
899014 |
@@ -11,7 +11,7 @@
|
|
|
899014 |
|
|
|
899014 |
/* Bad secret */
|
|
|
899014 |
key "badtsig" {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha256;
|
|
|
899014 |
secret "jEdD+BPKg==";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
|
|
|
ad7b3b |
index 9ab35b3..486551a 100644
|
|
|
899014 |
--- a/bin/tests/system/checkconf/good.conf
|
|
|
899014 |
+++ b/bin/tests/system/checkconf/good.conf
|
|
|
899014 |
@@ -153,6 +153,6 @@ dyndb "name" "library.so" {
|
|
|
899014 |
system;
|
|
|
899014 |
};
|
|
|
899014 |
key "mykey" {
|
|
|
899014 |
- algorithm "hmac-md5";
|
|
|
899014 |
+ algorithm "hmac-sha256";
|
|
|
899014 |
secret "qwertyuiopasdfgh";
|
|
|
899014 |
};
|
|
|
899014 |
diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db
|
|
|
ad7b3b |
index f4e30f5..9f53e31 100644
|
|
|
899014 |
--- a/bin/tests/system/digdelv/ns2/example.db
|
|
|
899014 |
+++ b/bin/tests/system/digdelv/ns2/example.db
|
|
|
899014 |
@@ -38,12 +38,15 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890
|
|
|
899014 |
;;
|
|
|
899014 |
;; we are not testing DNSSEC behavior, so we don't care about the semantics
|
|
|
899014 |
;; of the following records.
|
|
|
899014 |
-dnskey 300 DNSKEY 256 3 1 (
|
|
|
899014 |
- AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg
|
|
|
899014 |
- +Ge4noWROpTWOIBvm76zeJPWs4Zfqa1IsswD
|
|
|
899014 |
- Ix5Mqeg0zwclz59uecKsKyx5w9IhtZ8plc4R
|
|
|
899014 |
- b9VIE5x7KNHAYTvTO5d4S8M=
|
|
|
899014 |
- )
|
|
|
899014 |
+dnskey 300 DNSKEY 256 3 8 (
|
|
|
899014 |
+ AwEAAaWmCoDpj2K59zcpqnmnQM7IC/XbjS6jIP7uTBR4X7p1bdQJzAeo
|
|
|
899014 |
+ EnMhnpnxPp0j+20eZm4847DB2U+HuHy79Mvqd3aozTmfBJvzjKs9qyba
|
|
|
899014 |
+ zY/ZHn6BDYxNJiFfjSS/VJ1KuQPDbpCzhm2hbvT5s9nSOaG0WyRk+d+R
|
|
|
899014 |
+ qEca11E7ZKkmmNiGlyzMAgfmTTBwgxWBAAhvd9nU1GqD6eQ6Z63hpTc/
|
|
|
899014 |
+ KDIHnFTo7pOcZ4z5urIKUMCMcFytedETlEoR5CIWGPdQq2eIEEMfn5ld
|
|
|
899014 |
+ QqdEZRHVErD9og8aluJ2s767HZb8LzjCfYgBFoT9/n48T75oZLEKtSkG
|
|
|
899014 |
+ /idCeeQlaLU=
|
|
|
899014 |
+ )
|
|
|
899014 |
|
|
|
899014 |
; TTL of 3 weeks
|
|
|
899014 |
weeks 1814400 A 10.53.0.2
|
|
|
899014 |
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
|
|
|
2a4663 |
index 1657dfd..299ba94 100644
|
|
|
899014 |
--- a/bin/tests/system/digdelv/tests.sh
|
|
|
899014 |
+++ b/bin/tests/system/digdelv/tests.sh
|
|
|
2a4663 |
@@ -88,7 +88,7 @@ if [ -x "$DIG" ] ; then
|
|
|
899014 |
echo_i "checking dig +multi +norrcomments works for dnskey (when default is rrcomments)($n)"
|
|
|
899014 |
ret=0
|
|
|
899014 |
$DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
|
|
899014 |
- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1
|
|
|
899014 |
+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < dig.out.test$n > /dev/null && ret=1
|
|
|
2a4663 |
check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
status=`expr $status + $ret`
|
|
|
2a4663 |
@@ -97,7 +97,7 @@ if [ -x "$DIG" ] ; then
|
|
|
899014 |
echo_i "checking dig +multi +norrcomments works for soa (when default is rrcomments)($n)"
|
|
|
899014 |
ret=0
|
|
|
899014 |
$DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > dig.out.test$n || ret=1
|
|
|
899014 |
- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1
|
|
|
899014 |
+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < dig.out.test$n > /dev/null && ret=1
|
|
|
2a4663 |
check_ttl_range dig.out.test$n "SOA" 300 || ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
status=`expr $status + $ret`
|
|
|
2a4663 |
@@ -106,7 +106,7 @@ if [ -x "$DIG" ] ; then
|
|
|
899014 |
echo_i "checking dig +rrcomments works for DNSKEY($n)"
|
|
|
899014 |
ret=0
|
|
|
899014 |
$DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
|
|
899014 |
- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1
|
|
|
899014 |
+ grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
|
|
|
2a4663 |
check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
status=`expr $status + $ret`
|
|
|
2a4663 |
@@ -115,7 +115,7 @@ if [ -x "$DIG" ] ; then
|
|
|
899014 |
echo_i "checking dig +short +rrcomments works for DNSKEY ($n)"
|
|
|
899014 |
ret=0
|
|
|
899014 |
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
|
|
899014 |
- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1
|
|
|
899014 |
+ grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
status=`expr $status + $ret`
|
|
|
899014 |
|
|
|
2a4663 |
@@ -123,7 +123,7 @@ if [ -x "$DIG" ] ; then
|
|
|
899014 |
echo_i "checking dig +short +nosplit works($n)"
|
|
|
899014 |
ret=0
|
|
|
899014 |
$DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1
|
|
|
899014 |
- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < dig.out.test$n > /dev/null || ret=1
|
|
|
899014 |
+ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < dig.out.test$n > /dev/null || ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
status=`expr $status + $ret`
|
|
|
899014 |
|
|
|
2a4663 |
@@ -131,7 +131,7 @@ if [ -x "$DIG" ] ; then
|
|
|
899014 |
echo_i "checking dig +short +rrcomments works($n)"
|
|
|
899014 |
ret=0
|
|
|
899014 |
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
|
|
899014 |
- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1
|
|
|
899014 |
+ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
status=`expr $status + $ret`
|
|
|
899014 |
|
|
|
2a4663 |
@@ -148,7 +148,7 @@ if [ -x "$DIG" ] ; then
|
|
|
899014 |
echo_i "checking dig +short +rrcomments works($n)"
|
|
|
899014 |
ret=0
|
|
|
899014 |
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
|
|
899014 |
- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1
|
|
|
899014 |
+ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
status=`expr $status + $ret`
|
|
|
899014 |
|
|
|
2a4663 |
@@ -661,7 +661,7 @@ if [ -x ${DELV} ] ; then
|
|
|
899014 |
echo_i "checking delv +multi +norrcomments works for dnskey (when default is rrcomments)($n)"
|
|
|
899014 |
ret=0
|
|
|
899014 |
$DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
|
|
899014 |
- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1
|
|
|
899014 |
+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null && ret=1
|
|
|
2a4663 |
check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
status=`expr $status + $ret`
|
|
|
2a4663 |
@@ -670,7 +670,7 @@ if [ -x ${DELV} ] ; then
|
|
|
899014 |
echo_i "checking delv +multi +norrcomments works for soa (when default is rrcomments)($n)"
|
|
|
899014 |
ret=0
|
|
|
899014 |
$DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n || ret=1
|
|
|
899014 |
- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1
|
|
|
899014 |
+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null && ret=1
|
|
|
2a4663 |
check_ttl_range delv.out.test$n "SOA" 300 || ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
status=`expr $status + $ret`
|
|
|
2a4663 |
@@ -679,7 +679,7 @@ if [ -x ${DELV} ] ; then
|
|
|
899014 |
echo_i "checking delv +rrcomments works for DNSKEY($n)"
|
|
|
899014 |
ret=0
|
|
|
899014 |
$DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
|
|
899014 |
- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1
|
|
|
899014 |
+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1
|
|
|
2a4663 |
check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
status=`expr $status + $ret`
|
|
|
2a4663 |
@@ -688,7 +688,7 @@ if [ -x ${DELV} ] ; then
|
|
|
899014 |
echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
|
|
|
899014 |
ret=0
|
|
|
899014 |
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
|
|
899014 |
- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1
|
|
|
899014 |
+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
status=`expr $status + $ret`
|
|
|
899014 |
|
|
|
2a4663 |
@@ -696,7 +696,7 @@ if [ -x ${DELV} ] ; then
|
|
|
899014 |
echo_i "checking delv +short +rrcomments works ($n)"
|
|
|
899014 |
ret=0
|
|
|
899014 |
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
|
|
899014 |
- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < delv.out.test$n > /dev/null || ret=1
|
|
|
899014 |
+ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < delv.out.test$n > /dev/null || ret=1
|
|
|
899014 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
status=`expr $status + $ret`
|
|
|
899014 |
|
|
|
2a4663 |
@@ -704,7 +704,7 @@ if [ -x ${DELV} ] ; then
|
|
|
899014 |
echo_i "checking delv +short +nosplit works ($n)"
|
|
|
899014 |
ret=0
|
|
|
899014 |
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1
|
|
|
899014 |
- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=" < delv.out.test$n > /dev/null || ret=1
|
|
|
899014 |
+ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=" < delv.out.test$n > /dev/null || ret=1
|
|
|
899014 |
if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
|
|
|
899014 |
f=`awk '{print NF}' < delv.out.test$n`
|
|
|
899014 |
test "${f:-0}" -eq 14 || ret=1
|
|
|
2a4663 |
@@ -715,7 +715,7 @@ if [ -x ${DELV} ] ; then
|
|
|
899014 |
echo_i "checking delv +short +nosplit +norrcomments works ($n)"
|
|
|
899014 |
ret=0
|
|
|
899014 |
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
|
|
899014 |
- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < delv.out.test$n > /dev/null || ret=1
|
|
|
899014 |
+ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < delv.out.test$n > /dev/null || ret=1
|
|
|
899014 |
if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
|
|
|
899014 |
f=`awk '{print NF}' < delv.out.test$n`
|
|
|
899014 |
test "${f:-0}" -eq 4 || ret=1
|
|
|
899014 |
diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh
|
|
|
2a4663 |
index 606e7cc..a3a0d60 100755
|
|
|
899014 |
--- a/bin/tests/system/dlv/ns1/sign.sh
|
|
|
899014 |
+++ b/bin/tests/system/dlv/ns1/sign.sh
|
|
|
899014 |
@@ -23,8 +23,8 @@ infile=root.db.in
|
|
|
899014 |
zonefile=root.db
|
|
|
899014 |
outfile=root.signed
|
|
|
899014 |
|
|
|
2a4663 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
2a4663 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh
|
|
|
2a4663 |
index 9825c57..202c978 100755
|
|
|
899014 |
--- a/bin/tests/system/dlv/ns2/sign.sh
|
|
|
899014 |
+++ b/bin/tests/system/dlv/ns2/sign.sh
|
|
|
899014 |
@@ -24,8 +24,8 @@ zonefile=druz.db
|
|
|
899014 |
outfile=druz.pre
|
|
|
899014 |
dlvzone=utld.
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh
|
|
|
ad7b3b |
index 1e39862..4ed19ac 100755
|
|
|
899014 |
--- a/bin/tests/system/dlv/ns6/sign.sh
|
|
|
899014 |
+++ b/bin/tests/system/dlv/ns6/sign.sh
|
|
|
899014 |
@@ -16,13 +16,15 @@ SYSTESTDIR=dlv
|
|
|
899014 |
|
|
|
899014 |
echo_i "dlv/ns6/sign.sh"
|
|
|
899014 |
|
|
|
899014 |
+bits=1024
|
|
|
899014 |
+
|
|
|
899014 |
zone=grand.child1.utld.
|
|
|
899014 |
infile=child.db.in
|
|
|
899014 |
zonefile=grand.child1.utld.db
|
|
|
899014 |
outfile=grand.child1.signed
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
@@ -36,8 +38,8 @@ zonefile=grand.child3.utld.db
|
|
|
899014 |
outfile=grand.child3.signed
|
|
|
899014 |
dlvzone=dlv.utld.
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
@@ -51,8 +53,8 @@ zonefile=grand.child4.utld.db
|
|
|
899014 |
outfile=grand.child4.signed
|
|
|
899014 |
dlvzone=dlv.utld.
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
@@ -66,8 +68,8 @@ zonefile=grand.child5.utld.db
|
|
|
899014 |
outfile=grand.child5.signed
|
|
|
899014 |
dlvzone=dlv.utld.
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
@@ -81,8 +83,8 @@ zonefile=grand.child7.utld.db
|
|
|
899014 |
outfile=grand.child7.signed
|
|
|
899014 |
dlvzone=dlv.utld.
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
@@ -96,8 +98,8 @@ zonefile=grand.child8.utld.db
|
|
|
899014 |
outfile=grand.child8.signed
|
|
|
899014 |
dlvzone=dlv.utld.
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
@@ -111,8 +113,8 @@ zonefile=grand.child9.utld.db
|
|
|
899014 |
outfile=grand.child9.signed
|
|
|
899014 |
dlvzone=dlv.utld.
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
@@ -125,8 +127,8 @@ zonefile=grand.child10.utld.db
|
|
|
899014 |
outfile=grand.child10.signed
|
|
|
899014 |
dlvzone=dlv.utld.
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
@@ -138,8 +140,8 @@ infile=child.db.in
|
|
|
899014 |
zonefile=grand.child1.druz.db
|
|
|
899014 |
outfile=grand.child1.druz.signed
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
@@ -153,8 +155,8 @@ zonefile=grand.child3.druz.db
|
|
|
899014 |
outfile=grand.child3.druz.signed
|
|
|
899014 |
dlvzone=dlv.druz.
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
@@ -168,8 +170,8 @@ zonefile=grand.child4.druz.db
|
|
|
899014 |
outfile=grand.child4.druz.signed
|
|
|
899014 |
dlvzone=dlv.druz.
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
@@ -183,8 +185,8 @@ zonefile=grand.child5.druz.db
|
|
|
899014 |
outfile=grand.child5.druz.signed
|
|
|
899014 |
dlvzone=dlv.druz.
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
@@ -198,8 +200,8 @@ zonefile=grand.child7.druz.db
|
|
|
899014 |
outfile=grand.child7.druz.signed
|
|
|
899014 |
dlvzone=dlv.druz.
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
@@ -213,8 +215,8 @@ zonefile=grand.child8.druz.db
|
|
|
899014 |
outfile=grand.child8.druz.signed
|
|
|
899014 |
dlvzone=dlv.druz.
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
@@ -228,8 +230,8 @@ zonefile=grand.child9.druz.db
|
|
|
899014 |
outfile=grand.child9.druz.signed
|
|
|
899014 |
dlvzone=dlv.druz.
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
@@ -242,8 +244,8 @@ zonefile=grand.child10.druz.db
|
|
|
899014 |
outfile=grand.child10.druz.signed
|
|
|
899014 |
dlvzone=dlv.druz.
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
|
|
|
2a4663 |
index b93651a..09b12ba 100644
|
|
|
899014 |
--- a/bin/tests/system/dnssec/ns2/sign.sh
|
|
|
899014 |
+++ b/bin/tests/system/dnssec/ns2/sign.sh
|
|
|
2a4663 |
@@ -126,8 +126,8 @@ zone=in-addr.arpa.
|
|
|
899014 |
infile=in-addr.arpa.db.in
|
|
|
899014 |
zonefile=in-addr.arpa.db
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
|
|
899014 |
-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
|
|
899014 |
+keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
|
|
|
899014 |
+keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
|
|
|
2a4663 |
@@ -138,7 +138,7 @@ privzone=private.secure.example
|
|
|
899014 |
privinfile=private.secure.example.db.in
|
|
|
899014 |
privzonefile=private.secure.example.db
|
|
|
899014 |
|
|
|
899014 |
-privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone`
|
|
|
899014 |
+privkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $privzone`
|
|
|
899014 |
|
|
|
899014 |
cat $privinfile $privkeyname.key >$privzonefile
|
|
|
899014 |
|
|
|
2a4663 |
@@ -152,7 +152,7 @@ dlvinfile=dlv.db.in
|
|
|
899014 |
dlvzonefile=dlv.db
|
|
|
2a4663 |
dlvsetfile=dlvset-${privzone}${TP}
|
|
|
899014 |
|
|
|
899014 |
-dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone`
|
|
|
899014 |
+dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $dlvzone`
|
|
|
899014 |
|
|
|
899014 |
cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad
|
|
|
ad7b3b |
index ed30460..e6b1126 100644
|
|
|
899014 |
--- a/bin/tests/system/dnssec/ns5/trusted.conf.bad
|
|
|
899014 |
+++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad
|
|
|
899014 |
@@ -10,5 +10,5 @@
|
|
|
899014 |
*/
|
|
|
899014 |
|
|
|
899014 |
trusted-keys {
|
|
|
899014 |
- "." 256 3 1 "AQO6Cl+slAf+iuieDim9L3kujFHQD7s/IOj03ClMOpKYcTXtK4mRpuULVfvWxDi9Ew/gj0xLnnX7z9OJHIxLI+DSrAHd8Dm0XfBEAtVtJSn70GaPZgnLMw1rk5ap2DsEoWk=";
|
|
|
899014 |
+ "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV";
|
|
|
899014 |
};
|
|
|
899014 |
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
|
|
|
2a4663 |
index 51dc117..48cb34b 100644
|
|
|
899014 |
--- a/bin/tests/system/dnssec/tests.sh
|
|
|
899014 |
+++ b/bin/tests/system/dnssec/tests.sh
|
|
|
2a4663 |
@@ -3227,8 +3227,8 @@ do
|
|
|
899014 |
alg=`expr $alg + 1`
|
|
|
899014 |
continue;;
|
|
|
899014 |
3) size="-b 512";;
|
|
|
899014 |
- 5) size="-b 512";;
|
|
|
899014 |
- 6) size="-b 512";;
|
|
|
899014 |
+ 5) size="-b 1024";;
|
|
|
899014 |
+ 6) size="-b 1024";;
|
|
|
899014 |
7) size="-b 512";;
|
|
|
899014 |
8) size="-b 512";;
|
|
|
899014 |
10) size="-b 1024";;
|
|
|
899014 |
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
|
|
|
2a4663 |
index 3ac34e8..428d107 100644
|
|
|
899014 |
--- a/bin/tests/system/feature-test.c
|
|
|
899014 |
+++ b/bin/tests/system/feature-test.c
|
|
|
899014 |
@@ -19,6 +19,7 @@
|
|
|
899014 |
#include <isc/print.h>
|
|
|
899014 |
#include <isc/util.h>
|
|
|
899014 |
#include <isc/net.h>
|
|
|
899014 |
+#include <isc/md5.h>
|
|
|
899014 |
#include <dns/edns.h>
|
|
|
899014 |
|
|
|
899014 |
#ifdef WIN32
|
|
|
899014 |
@@ -45,6 +46,7 @@ usage() {
|
|
|
899014 |
fprintf(stderr, " --have-geoip\n");
|
|
|
899014 |
fprintf(stderr, " --have-libxml2\n");
|
|
|
899014 |
fprintf(stderr, " --ipv6only=no\n");
|
|
|
899014 |
+ fprintf(stderr, " --md5\n");
|
|
|
899014 |
fprintf(stderr, " --rpz-nsdname\n");
|
|
|
899014 |
fprintf(stderr, " --rpz-nsip\n");
|
|
|
899014 |
fprintf(stderr, " --with-idn\n");
|
|
|
2a4663 |
@@ -137,6 +139,18 @@ main(int argc, char **argv) {
|
|
|
899014 |
#endif
|
|
|
899014 |
}
|
|
|
899014 |
|
|
|
899014 |
+ if (strcmp(argv[1], "--md5") == 0) {
|
|
|
899014 |
+#ifdef PK11_MD5_DISABLE
|
|
|
899014 |
+ return (1);
|
|
|
899014 |
+#else
|
|
|
899014 |
+ if (isc_md5_available()) {
|
|
|
899014 |
+ return (0);
|
|
|
899014 |
+ } else {
|
|
|
899014 |
+ return (1);
|
|
|
899014 |
+ }
|
|
|
899014 |
+#endif
|
|
|
899014 |
+ }
|
|
|
899014 |
+
|
|
|
899014 |
if (strcmp(argv[1], "--rpz-nsip") == 0) {
|
|
|
899014 |
#ifdef ENABLE_RPZ_NSIP
|
|
|
899014 |
return (0);
|
|
|
899014 |
diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh
|
|
|
ad7b3b |
index f755581..4a7d890 100755
|
|
|
899014 |
--- a/bin/tests/system/filter-aaaa/ns1/sign.sh
|
|
|
899014 |
+++ b/bin/tests/system/filter-aaaa/ns1/sign.sh
|
|
|
899014 |
@@ -21,8 +21,8 @@ infile=signed.db.in
|
|
|
899014 |
zonefile=signed.db.signed
|
|
|
899014 |
outfile=signed.db.signed
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh
|
|
|
ad7b3b |
index f755581..4a7d890 100755
|
|
|
899014 |
--- a/bin/tests/system/filter-aaaa/ns4/sign.sh
|
|
|
899014 |
+++ b/bin/tests/system/filter-aaaa/ns4/sign.sh
|
|
|
899014 |
@@ -21,8 +21,8 @@ infile=signed.db.in
|
|
|
899014 |
zonefile=signed.db.signed
|
|
|
899014 |
outfile=signed.db.signed
|
|
|
899014 |
|
|
|
899014 |
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
|
|
|
899014 |
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
|
|
|
899014 |
|
|
|
899014 |
cat $infile $keyname1.key $keyname2.key >$zonefile
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
|
|
|
ad7b3b |
index cfcfe8f..0a1614d 100644
|
|
|
899014 |
--- a/bin/tests/system/notify/ns5/named.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/notify/ns5/named.conf.in
|
|
|
899014 |
@@ -10,17 +10,17 @@
|
|
|
899014 |
*/
|
|
|
899014 |
|
|
|
899014 |
key "a" {
|
|
|
899014 |
- algorithm "hmac-md5";
|
|
|
899014 |
+ algorithm "hmac-sha256";
|
|
|
899014 |
secret "aaaaaaaaaaaaaaaaaaaa";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key "b" {
|
|
|
899014 |
- algorithm "hmac-md5";
|
|
|
899014 |
+ algorithm "hmac-sha256";
|
|
|
899014 |
secret "bbbbbbbbbbbbbbbbbbbb";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key "c" {
|
|
|
899014 |
- algorithm "hmac-md5";
|
|
|
899014 |
+ algorithm "hmac-sha256";
|
|
|
899014 |
secret "cccccccccccccccccccc";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
|
|
|
1e4169 |
index 1f6e6d0..c08bd25 100644
|
|
|
899014 |
--- a/bin/tests/system/notify/tests.sh
|
|
|
899014 |
+++ b/bin/tests/system/notify/tests.sh
|
|
|
1e4169 |
@@ -212,16 +212,16 @@ ret=0
|
|
|
899014 |
$NSUPDATE << EOF
|
|
|
899014 |
server 10.53.0.5 ${PORT}
|
|
|
899014 |
zone x21
|
|
|
899014 |
-key a aaaaaaaaaaaaaaaaaaaa
|
|
|
899014 |
+key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa
|
|
|
899014 |
update add added.x21 0 in txt "test string"
|
|
|
899014 |
send
|
|
|
899014 |
EOF
|
|
|
899014 |
|
|
|
899014 |
for i in 1 2 3 4 5 6 7 8 9
|
|
|
899014 |
do
|
|
|
899014 |
- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
|
|
|
899014 |
+ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
|
|
|
899014 |
txt > dig.out.b.ns5.test$n || ret=1
|
|
|
899014 |
- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
|
|
|
899014 |
+ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
|
|
|
899014 |
txt > dig.out.c.ns5.test$n || ret=1
|
|
|
899014 |
grep "test string" dig.out.b.ns5.test$n > /dev/null &&
|
|
|
899014 |
grep "test string" dig.out.c.ns5.test$n > /dev/null &&
|
|
|
899014 |
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
|
|
|
ad7b3b |
index 1d999ad..26b6b7c 100644
|
|
|
899014 |
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
|
|
|
899014 |
@@ -32,7 +32,7 @@ controls {
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key altkey {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha512;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
|
|
|
1e4169 |
index 4549184..cb7dccd 100644
|
|
|
899014 |
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
|
|
|
1e4169 |
@@ -33,7 +33,7 @@ controls {
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
key altkey {
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
+ algorithm hmac-sha512;
|
|
|
899014 |
secret "1234abcd8765";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
|
|
|
2a4663 |
index 21805c5..0d3d85c 100644
|
|
|
899014 |
--- a/bin/tests/system/nsupdate/setup.sh
|
|
|
899014 |
+++ b/bin/tests/system/nsupdate/setup.sh
|
|
|
2a4663 |
@@ -58,7 +58,12 @@ EOF
|
|
|
899014 |
|
|
|
899014 |
$DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
|
|
|
899014 |
|
|
|
899014 |
-$DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
|
|
|
899014 |
+if $FEATURETEST --md5; then
|
|
|
899014 |
+ $DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
|
|
|
899014 |
+else
|
|
|
899014 |
+ echo -n > ns1/md5.key
|
|
|
899014 |
+fi
|
|
|
899014 |
+
|
|
|
899014 |
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
|
|
|
899014 |
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
|
|
|
899014 |
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
|
|
|
899014 |
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
|
|
2a4663 |
index 4da4849..b3bc807 100755
|
|
|
899014 |
--- a/bin/tests/system/nsupdate/tests.sh
|
|
|
899014 |
+++ b/bin/tests/system/nsupdate/tests.sh
|
|
|
2a4663 |
@@ -708,7 +708,14 @@ fi
|
|
|
899014 |
n=`expr $n + 1`
|
|
|
899014 |
ret=0
|
|
|
899014 |
echo_i "check TSIG key algorithms ($n)"
|
|
|
899014 |
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
|
|
899014 |
+if $FEATURETEST --md5
|
|
|
899014 |
+then
|
|
|
899014 |
+ ALGS="md5 sha1 sha224 sha256 sha384 sha512"
|
|
|
899014 |
+else
|
|
|
899014 |
+ ALGS="sha1 sha224 sha256 sha384 sha512"
|
|
|
899014 |
+ echo_i "skipping disabled md5 algorithm"
|
|
|
899014 |
+fi
|
|
|
899014 |
+for alg in $ALGS; do
|
|
|
899014 |
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
|
|
|
899014 |
server 10.53.0.1 ${PORT}
|
|
|
899014 |
update add ${alg}.keytests.nil. 600 A 10.10.10.3
|
|
|
2a4663 |
@@ -716,7 +723,7 @@ send
|
|
|
899014 |
END
|
|
|
899014 |
done
|
|
|
899014 |
sleep 2
|
|
|
899014 |
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
|
|
899014 |
+for alg in $ALGS; do
|
|
|
899014 |
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
|
|
|
899014 |
done
|
|
|
899014 |
if [ $ret -ne 0 ]; then
|
|
|
899014 |
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
|
|
|
1e4169 |
index 343869e..c30efb0 100644
|
|
|
899014 |
--- a/bin/tests/system/rndc/setup.sh
|
|
|
899014 |
+++ b/bin/tests/system/rndc/setup.sh
|
|
|
899014 |
@@ -37,7 +37,7 @@ make_key () {
|
|
|
899014 |
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
|
|
|
899014 |
}
|
|
|
899014 |
|
|
|
899014 |
-make_key 1 ${EXTRAPORT1} hmac-md5
|
|
|
899014 |
+$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
|
|
|
899014 |
make_key 2 ${EXTRAPORT2} hmac-sha1
|
|
|
899014 |
make_key 3 ${EXTRAPORT3} hmac-sha224
|
|
|
899014 |
make_key 4 ${EXTRAPORT4} hmac-sha256
|
|
|
899014 |
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
|
|
|
1e4169 |
index b00056c..f7fad91 100644
|
|
|
899014 |
--- a/bin/tests/system/rndc/tests.sh
|
|
|
899014 |
+++ b/bin/tests/system/rndc/tests.sh
|
|
|
899014 |
@@ -356,15 +356,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
status=`expr $status + $ret`
|
|
|
899014 |
|
|
|
899014 |
n=`expr $n + 1`
|
|
|
899014 |
-echo_i "testing rndc with hmac-md5 ($n)"
|
|
|
899014 |
-ret=0
|
|
|
899014 |
-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
|
|
|
899014 |
-for i in 2 3 4 5 6
|
|
|
899014 |
-do
|
|
|
899014 |
- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
|
|
899014 |
-done
|
|
|
899014 |
-if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
-status=`expr $status + $ret`
|
|
|
899014 |
+if $FEATURETEST --md5
|
|
|
899014 |
+then
|
|
|
899014 |
+ echo_i "testing rndc with hmac-md5 ($n)"
|
|
|
899014 |
+ ret=0
|
|
|
899014 |
+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
|
|
|
899014 |
+ for i in 2 3 4 5 6
|
|
|
899014 |
+ do
|
|
|
899014 |
+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
|
|
899014 |
+ done
|
|
|
899014 |
+ if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
899014 |
+ status=`expr $status + $ret`
|
|
|
899014 |
+else
|
|
|
899014 |
+ echo_i "skipping rndc with hmac-md5 ($n)"
|
|
|
899014 |
+fi
|
|
|
899014 |
|
|
|
899014 |
n=`expr $n + 1`
|
|
|
899014 |
echo_i "testing rndc with hmac-sha1 ($n)"
|
|
|
899014 |
diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh
|
|
|
ad7b3b |
index 576ec70..cb7a852 100644
|
|
|
899014 |
--- a/bin/tests/system/tsig/clean.sh
|
|
|
899014 |
+++ b/bin/tests/system/tsig/clean.sh
|
|
|
899014 |
@@ -20,3 +20,4 @@ rm -f */named.run
|
|
|
899014 |
rm -f ns*/named.lock
|
|
|
899014 |
rm -f Kexample.net.+163+*
|
|
|
899014 |
rm -f keygen.out?
|
|
|
899014 |
+rm -f ns1/named.conf
|
|
|
899014 |
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
|
|
|
ad7b3b |
index fbf30c6..f61657d 100644
|
|
|
899014 |
--- a/bin/tests/system/tsig/ns1/named.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/tsig/ns1/named.conf.in
|
|
|
899014 |
@@ -21,10 +21,7 @@ options {
|
|
|
899014 |
notify no;
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
-key "md5" {
|
|
|
899014 |
- secret "97rnFx24Tfna4mHPfgnerA==";
|
|
|
899014 |
- algorithm hmac-md5;
|
|
|
899014 |
-};
|
|
|
899014 |
+# md5 key appended by setup.sh at the end
|
|
|
899014 |
|
|
|
899014 |
key "sha1" {
|
|
|
899014 |
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
|
|
899014 |
@@ -51,10 +48,7 @@ key "sha512" {
|
|
|
899014 |
algorithm hmac-sha512;
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
-key "md5-trunc" {
|
|
|
899014 |
- secret "97rnFx24Tfna4mHPfgnerA==";
|
|
|
899014 |
- algorithm hmac-md5-80;
|
|
|
899014 |
-};
|
|
|
899014 |
+# md5-trunc key appended by setup.sh at the end
|
|
|
899014 |
|
|
|
899014 |
key "sha1-trunc" {
|
|
|
899014 |
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
|
|
899014 |
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
|
|
|
1e4169 |
index 4dd4a25..aa0f966 100644
|
|
|
899014 |
--- a/bin/tests/system/tsig/setup.sh
|
|
|
899014 |
+++ b/bin/tests/system/tsig/setup.sh
|
|
|
1e4169 |
@@ -17,3 +17,8 @@ $SHELL clean.sh
|
|
|
899014 |
copy_setports ns1/named.conf.in ns1/named.conf
|
|
|
899014 |
|
|
|
1e4169 |
test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
|
|
|
1e4169 |
+
|
|
|
899014 |
+if $FEATURETEST --md5
|
|
|
899014 |
+then
|
|
|
899014 |
+ cat ns1/rndc5.conf.in >> ns1/named.conf
|
|
|
899014 |
+fi
|
|
|
899014 |
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
|
|
|
ad7b3b |
index f731fa6..cade35b 100644
|
|
|
899014 |
--- a/bin/tests/system/tsig/tests.sh
|
|
|
899014 |
+++ b/bin/tests/system/tsig/tests.sh
|
|
|
899014 |
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
|
|
|
899014 |
|
|
|
899014 |
status=0
|
|
|
899014 |
|
|
|
899014 |
-echo_i "fetching using hmac-md5 (old form)"
|
|
|
899014 |
-ret=0
|
|
|
899014 |
-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
|
|
|
899014 |
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
|
|
|
899014 |
-if [ $ret -eq 1 ] ; then
|
|
|
899014 |
- echo_i "failed"; status=1
|
|
|
899014 |
-fi
|
|
|
899014 |
-
|
|
|
899014 |
-echo_i "fetching using hmac-md5 (new form)"
|
|
|
899014 |
-ret=0
|
|
|
899014 |
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
|
|
899014 |
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
|
|
899014 |
-if [ $ret -eq 1 ] ; then
|
|
|
899014 |
- echo_i "failed"; status=1
|
|
|
899014 |
+if $FEATURETEST --md5
|
|
|
899014 |
+then
|
|
|
899014 |
+ echo_i "fetching using hmac-md5 (old form)"
|
|
|
899014 |
+ ret=0
|
|
|
899014 |
+ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
|
|
|
899014 |
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
|
|
|
899014 |
+ if [ $ret -eq 1 ] ; then
|
|
|
899014 |
+ echo_i "failed"; status=1
|
|
|
899014 |
+ fi
|
|
|
899014 |
+
|
|
|
899014 |
+ echo_i "fetching using hmac-md5 (new form)"
|
|
|
899014 |
+ ret=0
|
|
|
899014 |
+ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
|
|
899014 |
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
|
|
899014 |
+ if [ $ret -eq 1 ] ; then
|
|
|
899014 |
+ echo_i "failed"; status=1
|
|
|
899014 |
+ fi
|
|
|
899014 |
+else
|
|
|
899014 |
+ echo_i "skipping using hmac-md5"
|
|
|
899014 |
fi
|
|
|
899014 |
|
|
|
899014 |
echo_i "fetching using hmac-sha1"
|
|
|
899014 |
@@ -87,12 +92,17 @@ fi
|
|
|
899014 |
# Truncated TSIG
|
|
|
899014 |
#
|
|
|
899014 |
#
|
|
|
899014 |
-echo_i "fetching using hmac-md5 (trunc)"
|
|
|
899014 |
-ret=0
|
|
|
899014 |
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
|
|
|
899014 |
-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
|
|
|
899014 |
-if [ $ret -eq 1 ] ; then
|
|
|
899014 |
- echo_i "failed"; status=1
|
|
|
899014 |
+if $FEATURETEST --md5
|
|
|
899014 |
+then
|
|
|
899014 |
+ echo_i "fetching using hmac-md5 (trunc)"
|
|
|
899014 |
+ ret=0
|
|
|
899014 |
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
|
|
|
899014 |
+ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
|
|
|
899014 |
+ if [ $ret -eq 1 ] ; then
|
|
|
899014 |
+ echo_i "failed"; status=1
|
|
|
899014 |
+ fi
|
|
|
899014 |
+else
|
|
|
899014 |
+ echo_i "skipping using hmac-md5 (trunc)"
|
|
|
899014 |
fi
|
|
|
899014 |
|
|
|
899014 |
echo_i "fetching using hmac-sha1 (trunc)"
|
|
|
899014 |
@@ -141,12 +151,17 @@ fi
|
|
|
899014 |
# Check for bad truncation.
|
|
|
899014 |
#
|
|
|
899014 |
#
|
|
|
899014 |
-echo_i "fetching using hmac-md5-80 (BADTRUNC)"
|
|
|
899014 |
-ret=0
|
|
|
899014 |
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
|
|
|
899014 |
-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
|
|
|
899014 |
-if [ $ret -eq 1 ] ; then
|
|
|
899014 |
- echo_i "failed"; status=1
|
|
|
899014 |
+if $FEATURETEST --md5
|
|
|
899014 |
+then
|
|
|
899014 |
+ echo_i "fetching using hmac-md5-80 (BADTRUNC)"
|
|
|
899014 |
+ ret=0
|
|
|
899014 |
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
|
|
|
899014 |
+ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
|
|
|
899014 |
+ if [ $ret -eq 1 ] ; then
|
|
|
899014 |
+ echo_i "failed"; status=1
|
|
|
899014 |
+ fi
|
|
|
899014 |
+else
|
|
|
899014 |
+ echo_i "skipping using hmac-md5-80 (BADTRUNC)"
|
|
|
899014 |
fi
|
|
|
899014 |
|
|
|
899014 |
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
|
|
|
899014 |
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
|
|
|
1e4169 |
index 0d21c7b..dbcb7b4 100644
|
|
|
899014 |
--- a/bin/tests/system/tsiggss/setup.sh
|
|
|
899014 |
+++ b/bin/tests/system/tsiggss/setup.sh
|
|
|
1e4169 |
@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
|
|
|
899014 |
|
|
|
899014 |
copy_setports ns1/named.conf.in ns1/named.conf
|
|
|
899014 |
|
|
|
899014 |
-key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.`
|
|
|
899014 |
+key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.`
|
|
|
899014 |
cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
|
|
|
899014 |
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
|
|
|
ad7b3b |
index e0a30cd..6a77b1c 100644
|
|
|
899014 |
--- a/bin/tests/system/upforwd/ns1/named.conf.in
|
|
|
899014 |
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
|
|
|
899014 |
@@ -10,7 +10,7 @@
|
|
|
899014 |
*/
|
|
|
899014 |
|
|
|
899014 |
key "update.example." {
|
|
|
899014 |
- algorithm "hmac-md5";
|
|
|
899014 |
+ algorithm "hmac-sha256";
|
|
|
899014 |
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
|
|
|
899014 |
};
|
|
|
899014 |
|
|
|
899014 |
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
|
|
|
ad7b3b |
index b0694bb..9adae82 100644
|
|
|
899014 |
--- a/bin/tests/system/upforwd/tests.sh
|
|
|
899014 |
+++ b/bin/tests/system/upforwd/tests.sh
|
|
|
899014 |
@@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
|
|
899014 |
|
|
|
899014 |
echo_i "updating zone (signed) ($n)"
|
|
|
899014 |
ret=0
|
|
|
899014 |
-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <
|
|
|
899014 |
+$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <
|
|
|
899014 |
server 10.53.0.3 ${PORT}
|
|
|
899014 |
update add updated.example. 600 A 10.10.10.1
|
|
|
899014 |
update add updated.example. 600 TXT Foo
|
|
|
899014 |
--
|
|
|
1e4169 |
2.20.1
|
|
|
899014 |
|