From 022397a2c76a7aa3d61a25a814973e1e69c6793b Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 27 Jul 2023 17:08:34 +1000
Subject: [PATCH] Check GSS-API TKEY against non configured server

Check for the expected error message which includes rcode REFUSED then reload the server to specify the keytab for the rest of the GSSAPI tests.

(cherry picked from commit 3a2a24903c0ab3a5a04b6d69e88d3948ff0df95a)
---
 bin/tests/system/nsupdate/ns7/named1.conf.in | 52 +++++++++++++++++++
 .../ns7/{named.conf.in => named2.conf.in} | 0
 bin/tests/system/nsupdate/setup.sh | 2 +-
 bin/tests/system/nsupdate/tests.sh | 18 +++++++
 4 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 bin/tests/system/nsupdate/ns7/named1.conf.in
 rename bin/tests/system/nsupdate/ns7/{named.conf.in => named2.conf.in} (100%)

diff --git a/bin/tests/system/nsupdate/ns7/named1.conf.in b/bin/tests/system/nsupdate/ns7/named1.conf.in
new file mode 100644
index 0000000000..28d2aeafd5
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns7/named1.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.7; };
+ recursion no;
+ notify yes;
+ minimal-responses no;
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+ type primary;
+ file "in-addr.db";
+ update-policy { grant EXAMPLE.COM krb5-subdomain-self-rhs . PTR; };
+};
+
+zone "example.com" {
+ type primary;
+ file "example.com.db";
+ update-policy {
+ grant EXAMPLE.COM krb5-self . ANY;
+ grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV;
+ grant EXAMPLE.COM krb5-subdomain-self-rhs self-srv.example.com SRV;
+ grant EXAMPLE.COM krb5-subdomain-self-rhs self-srv-no-type.example.com;
+ };
+};
diff --git a/bin/tests/system/nsupdate/ns7/named.conf.in b/bin/tests/system/nsupdate/ns7/named2.conf.in
similarity index 100%
rename from bin/tests/system/nsupdate/ns7/named.conf.in
rename to bin/tests/system/nsupdate/ns7/named2.conf.in
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index b12c79789e..7f8c27f349 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
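Review bot: named1.conf.in never states why it exists: nothing in the file records that it deliberately carries no tkey-gssapi options, which is exactly what makes the TKEY request in the new tests.sh check come back REFUSED before the server is reloaded with named2.conf.in (presumably the renamed original, with the keytab). A maintainer diffing the two ns7 configs could "fix" the missing keytab here and silently turn the negative test into a no-op. Add a short comment after the licence block, e.g. `/* Same as named2.conf.in but with no GSS-API keytab configured: used to check that a TKEY request is REFUSED before the keytab is loaded. */`, so the omission reads as intentional.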
@@ -23,7 +23,7 @@ copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
-copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns7/named1.conf.in ns7/named.conf
 copy_setports ns8/named.conf.in ns8/named.conf
 
 # If "tkey-gssapi-credential" is set in the configuration and GSSAPI support is
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 6e257ae914..50dadce747 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -1506,6 +1506,24 @@ wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
 if ! $FEATURETEST --gssapi ; then
 echo_i "SKIPPED: GSSAPI tests"
 else
+ n=$((n + 1))
+ ret=0
+ echo_i "check GSS-API TKEY request rcode against a non configured server ($n)"
+ KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.7 ${PORT}
+ zone example.com
+ send
+EOF
+ grep "response to GSS-TSIG query was unsuccessful (REFUSED)" nsupdate.out.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ copy_setports ns7/named2.conf.in ns7/named.conf
+ rndc_reload ns7 10.53.0.7
+
 n=$((n + 1))
 ret=0
 echo_i "check krb5-self match ($n)"
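Review bot: The reload that switches ns7 to the keytab-bearing config (`copy_setports ns7/named2.conf.in ns7/named.conf` followed by `rndc_reload ns7 10.53.0.7`) has no success check and sits after the `[ $ret = 0 ] || { echo_i "failed"; status=1; }` line, so a reload that fails or never applies is not attributed to any numbered test. Every later GSS-API check against 10.53.0.7 would then fail with the same REFUSED answer this hunk asserts on, which points the reader at the wrong place; `rndc_reload` may poll until the reload finishes, but that does not tell the test whether the new configuration actually loaded. Confirm it before continuing, e.g. `wait_for_log 10 "reloading configuration succeeded" ns7/named.run || { echo_i "failed"; status=1; }` (the message named logs on a successful rndc reload; if ns7 is reloaded elsewhere in the run, a `nextpart ns7/named.run` before the reload keeps the match to this one). The `else` branch these lines live in continues past the end of the hunk.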