From 54c4db569b4243981dc95b67ecf6db624bc04cf1 Mon Sep 17 00:00:00 2001 
From: Mark Andrews
Date: Thu, 6 Sep 2018 13:53:30 +1000
Subject: [PATCH] add krb5-* tests to nsupdate system test.
---
bin/tests/system/nsupdate/clean.sh | 12 +
bin/tests/system/nsupdate/krb/setup.sh | 113 +++++++++
bin/tests/system/nsupdate/ns10/dns.keytab | Bin 0 -> 168 bytes
.../system/nsupdate/ns10/example.com.db.in | 19 ++
bin/tests/system/nsupdate/ns10/in-addr.db.in | 19 ++
bin/tests/system/nsupdate/ns10/machine.ccache | Bin 0 -> 1217 bytes
bin/tests/system/nsupdate/ns10/named.conf.in | 48 ++++
bin/tests/system/nsupdate/ns7/dns.keytab | Bin 0 -> 166 bytes
.../system/nsupdate/ns7/example.com.db.in | 19 ++
bin/tests/system/nsupdate/ns7/in-addr.db.in | 19 ++
bin/tests/system/nsupdate/ns7/machine.ccache | Bin 0 -> 1327 bytes
bin/tests/system/nsupdate/ns7/named.conf.in | 48 ++++
bin/tests/system/nsupdate/ns8/dns.keytab | Bin 0 -> 166 bytes
.../system/nsupdate/ns8/example.com.db.in | 19 ++
bin/tests/system/nsupdate/ns8/in-addr.db.in | 19 ++
bin/tests/system/nsupdate/ns8/machine.ccache | Bin 0 -> 1327 bytes
bin/tests/system/nsupdate/ns8/named.conf.in | 48 ++++
bin/tests/system/nsupdate/ns9/dns.keytab | Bin 0 -> 166 bytes
.../system/nsupdate/ns9/example.com.db.in | 19 ++
bin/tests/system/nsupdate/ns9/in-addr.db.in | 19 ++
bin/tests/system/nsupdate/ns9/machine.ccache | Bin 0 -> 1215 bytes
bin/tests/system/nsupdate/ns9/named.conf.in | 48 ++++
bin/tests/system/nsupdate/setup.sh | 12 +
bin/tests/system/nsupdate/tests.sh | 240 +++++++++++++++++-
24 files changed, 718 insertions(+), 3 deletions(-)
create mode 100644 bin/tests/system/nsupdate/krb/setup.sh
create mode 100644 bin/tests/system/nsupdate/ns10/dns.keytab
create mode 100644 bin/tests/system/nsupdate/ns10/example.com.db.in
create mode 100644 bin/tests/system/nsupdate/ns10/in-addr.db.in
create mode 100644 bin/tests/system/nsupdate/ns10/machine.ccache
create mode 100644 bin/tests/system/nsupdate/ns10/named.conf.in
create mode 100644 bin/tests/system/nsupdate/ns7/dns.keytab
create mode 100644 bin/tests/system/nsupdate/ns7/example.com.db.in
create mode 100644 bin/tests/system/nsupdate/ns7/in-addr.db.in
create mode 100644 bin/tests/system/nsupdate/ns7/machine.ccache
create mode 100644 bin/tests/system/nsupdate/ns7/named.conf.in
create mode 100644 bin/tests/system/nsupdate/ns8/dns.keytab
create mode 100644 bin/tests/system/nsupdate/ns8/example.com.db.in
create mode 100644 bin/tests/system/nsupdate/ns8/in-addr.db.in
create mode 100644 bin/tests/system/nsupdate/ns8/machine.ccache
create mode 100644 bin/tests/system/nsupdate/ns8/named.conf.in
create mode 100644 bin/tests/system/nsupdate/ns9/dns.keytab
create mode 100644 bin/tests/system/nsupdate/ns9/example.com.db.in
create mode 100644 bin/tests/system/nsupdate/ns9/in-addr.db.in
create mode 100644 bin/tests/system/nsupdate/ns9/machine.ccache
create mode 100644 bin/tests/system/nsupdate/ns9/named.conf.in
diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
index b8245df457..ef5ec56e65 100644
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -40,6 +40,18 @@ rm -f ns3/nsec3param.test.db
 rm -f ns3/too-big.test.db
 rm -f ns5/local.db
 rm -f ns6/in-addr.db
+rm -f ns7/in-addr.db
+rm -f ns7/example.com.db
+rm -f ns7/_default.tsigkeys
+rm -f ns8/in-addr.db
+rm -f ns8/example.com.db
+rm -f ns8/_default.tsigkeys
+rm -f ns9/in-addr.db
+rm -f ns9/example.com.db
+rm -f ns9/_default.tsigkeys
+rm -f ns10/example.com.db
+rm -f ns10/in-addr.db
+rm -f ns10/_default.tsigkeys
 rm -f nsupdate.out*
 rm -f typelist.out.*
 rm -f ns1/sample.db
diff --git a/bin/tests/system/nsupdate/krb/setup.sh b/bin/tests/system/nsupdate/krb/setup.sh
new file mode 100644
index 0000000000..3c37777dc2
--- /dev/null
+++ b/bin/tests/system/nsupdate/krb/setup.sh
@@ -0,0 +1,113 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -x
+
+PWD=`pwd`
+
+KRB5_CONFIG="${PWD}/krb5.conf"
+export KRB5_CONFIG
+
+KRB5_KDC_PROFILE=${PWD}/krb5kdc
+export KRB5_KDC_PROFILE
+
+now=`date +%s`
+lifetime=`expr 2147483647 - $now`
+lifetime=`expr $lifetime / 3600 / 24 - 30`
+
+cat << EOF > "${KRB5_CONFIG}"
+[libdefaults]
+ default_realm = EXAMPLE.COM
+ dns_lookup_kdc = false
+ # Depending on what you are testing, you may want something like:
+ # default_keytab_name = FILE:/usr/local/var/keytab
+[realms]
+ EXAMPLE.COM = {
+ admin_server = 127.0.0.1:50001
+ kdc = 127.0.0.1:50000
+ database_module = DB2
+ kdc_ports = 50000
+ kadmind_port = 50001
+ }
+[dbmodules]
+ DB2 = {
+ db_library = db2
+ }
+[logging]
+ # Use any pathnames you want here.
+ kdc = FILE:${PWD}/kdc.log + admin_server = FILE:${PWD}/kadmin.log +# Depending on what you are testing, you may want: +# [domain_realm] +# your.domain = EXAMPLE.COM +EOF + +rm -rf ${KRB5_KDC_PROFILE} +mkdir -p ${KRB5_KDC_PROFILE} +chmod 700 ${KRB5_KDC_PROFILE} + +cat << EOF > "${KRB5_KDC_PROFILE}"/kdc.conf +[kdcdefaults] + kdc_ports = 50000 + kdc_tcp_ports = 50000 + +[realms] + EXAMPLE.COM = { + key_stash_file = ${KRB5_KDC_PROFILE}/.k5.EXAMPLE.COM + database_module = EXAMPLE.COM + max_life = ${lifetime}d +} + +[dbmodules] + EXAMPLE.COM = { + db_library = db2 + database_name = ${KRB5_KDC_PROFILE}/principal + } +EOF + +kdb5_util create -s <O5N5%(>Y|AuI@VWi<=l3 z4I2M}6bUT^5{!!)Ke9BwJN)>8Ya&lXO>ke(`sHmUk6U)P%Fhh!o#|L`t1`gs`Q#=c z&58w5?Sk`X?^K&JV-vS<#prNS(>aPgN$Z3BzM=5?%UTp6z( zu5~-w`PcEZ+v*EvvStg!)y}r>(2Bmf@#fkWLcJL_9ma`M0z`7GKP@?W_2lmZzY7_C zSJ(WU6a3G0>#XIWrH`Gt?#cPdM}=Sg#`5&mTmuQe`%5DhnyGH*kUDd}K+e-K^39W# zJEq#tt}L&8u>5C!GH=_TN7hCQCUN&Am-T5#eJb02XMNy4PN|BO4S7};#%qn%o&3H+ zi^o3X`SHKd03{*~fK)OAF;9f9v!k7_yq%H1oDav z4fIkg5_1c3QuUJaa~Z&ivfj+8=XRp?1B06B&Sl%8wEymljeZo{+gtr}-rN8I^L9w0 z6n}w8l$^*8XN(3W%5Y$!491!$l?)U>;*1L=4aB8E4w1%i1~6HQ1N95T(DUsU!uYT2*#pJd4`R(yy zYpZ-$!uRc3x}$UG!!_=FK6Y9c9fajWmX`k&dY7sAgMU`{^?enye*F#kSN8YWgJlo7 zMVGQN3mBcdc6MXmy1=%@tUl6hd0#?qtNYI{3qIz$_xLH53xYfvDestE&)&+3chi#QwwmUc?v%}n!Jj;W(n*ULVENgk7*=n|`@|T+T>s>(;=bth1DLvy6 RX(5*T%$cpCM?MY|&;V&TiLn3x literal 0 HcmV?d00001 diff --git a/bin/tests/system/nsupdate/ns10/named.conf.in b/bin/tests/system/nsupdate/ns10/named.conf.in new file mode 100644 index 0000000000..44b207a077 --- /dev/null +++ b/bin/tests/system/nsupdate/ns10/named.conf.in 
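Review bot: In krb/setup.sh the three directory commands `rm -rf ${KRB5_KDC_PROFILE}`, `mkdir -p ${KRB5_KDC_PROFILE}` and `chmod 700 ${KRB5_KDC_PROFILE}` expand an unquoted path built from `pwd`, so a checkout directory containing whitespace or glob characters makes `rm -rf` act on other paths. Quote them as `rm -rf "${KRB5_KDC_PROFILE}"`, `mkdir -p "${KRB5_KDC_PROFILE}"` and `chmod 700 "${KRB5_KDC_PROFILE}"`, matching the already-quoted `"${KRB5_CONFIG}"` redirection. The visible part of the script sets only `set -x`, so a failed `mkdir` would not stop the steps that follow. A header comment saying that the script is run by hand to regenerate the committed keytabs and credential caches, and that `max_life` is deliberately stretched towards the 2038 limit for a throwaway EXAMPLE.COM realm, would help readers; that purpose is inferred, because the script after `kdb5_util create -s` is not readable on this page.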
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.10;
+ notify-source 10.53.0.10;
+ transfer-source 10.53.0.10;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.10; };
+ recursion no;
+ notify yes;
+ minimal-responses no;
+ tkey-gssapi-keytab "dns.keytab";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.10 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+ type master;
+ file "in-addr.db";
+ update-policy { grant EXAMPLE.COM ms-subdomain . PTR; };
+};
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant EXAMPLE.COM ms-selfsub . ANY;
+ grant EXAMPLE.COM ms-subdomain _tcp.example.com SRV;
+ };
+};
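Review bot: The `in-addr.arpa` zone's `grant EXAMPLE.COM ms-subdomain . PTR;` is not exercised by any update in the tests.sh hunk readable on this page, where every nsupdate block sets `zone example.com`, so the broadest rule in this file goes untested. With `.` as the name field the rule presumably lets any machine principal in the realm change any PTR record in the zone. That deserves a comment above the policy such as `/* realm-wide PTR grant: test fixture only, do not copy */`, or a match/no-match pair in tests.sh. The same applies to `grant EXAMPLE.COM krb5-subdomain . PTR;` in ns7/named.conf.in; the ns8 and ns9 configs are not readable on this page.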
diff --git a/bin/tests/system/nsupdate/ns7/dns.keytab b/bin/tests/system/nsupdate/ns7/dns.keytab new file mode 100644 index 0000000000000000000000000000000000000000..08d5ef46f287d6ef7ef96ff7d29372ff1c652930 GIT binary patch literal 166 zcmZQ&VqjnhV_;(7c8zfK4e)W*bN2UTV0Q5fX5h~&HrGq7NX#wBN!3fv&jl)EjGiRA zpNT<;K_O(l<-vbKKlSKD}aQ$^Jd!TwCaD-40k})i?i808aiP3KXGZQ20LSAWPD;6mj z$brO}7K$5)N<*E2qGE9qqXb3ty!-YPuWrS4b~E!t z(E$53YTu84duYn_qNBcdNyw?2_m*;NnEw2E)I{Kl^2@l2psSinw-kgAdKadZ+?6_- zF5Sbm+UwMv>f>1^RrZ=CUz2`*zR0cpOONyaSE)PYtFJBHxb>r%YaaI=w@s_q&tJc~ zEBD=nkN+0L2)=x{tZU|+rri--!C}158&<@>=9(^e`MgZm38!;QnT-D-4{mJ9tiR#WzU4xDZP^>IzYlkb+&mDa{RtYzA*BTIT@JZQsa~J^U~r|5=#<+5?pDC#U=5HWr>+N zK%N{Vx#%M$SO+9FPz4cyxiYmFs*F5O;LyeF;uj1wmp`xA93{(u6Z7<2e2*fS_I!Kh zEA!S!=P1V;^VIg@6CM61-g>Mldt*=oNzCHU5s8@-*(;3Mz{H#mOpeJ|6SJa$JV=~z zp@e~$G{_y&=&k^!W(}Zr6?kf90;Xm$mL^7_3;Q!FYA>#PT=YiakH+iE47)i`pN`0@ zd;j(NyzhyN47zG3$4rvll~pxADC-v+h(v=Au=sX}7j&Ut08b{=TNSHzfspeG^Py^zFIS zz4-maA7z;;D!-MF{@(xWt;38tmrNfo)aMbEf3=+{;QoahRX0|f9h}T?=yrGDZN^<8 zuQrH&e|C}Mfys$A5AX4A%1O@sc-Lggl3$NSYd6MsmDQg9aqH7tW98jvCpb-cG2ypl z)9t$}zujH`b}8ot{rS2J4w&riZ|^vka^i0B|L5Ctx3WAvS@qJp?vL1=Gbz&N4wb0> QS$*a8+Zh3x)u4a}0L~5ADgXcg literal 0 HcmV?d00001 diff --git a/bin/tests/system/nsupdate/ns7/named.conf.in b/bin/tests/system/nsupdate/ns7/named.conf.in new file mode 100644 index 0000000000..f0ef6d3655 --- /dev/null +++ b/bin/tests/system/nsupdate/ns7/named.conf.in 
@@ -0,0 +1,48 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.7; + notify-source 10.53.0.7; + transfer-source 10.53.0.7; + port @PORT@; + pid-file "named.pid"; + session-keyfile "session.key"; + listen-on { 10.53.0.7; }; + recursion no; + notify yes; + minimal-responses no; + tkey-gssapi-keytab "dns.keytab"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "in-addr.arpa" { + type master; + file "in-addr.db"; + update-policy { grant EXAMPLE.COM krb5-subdomain . PTR; }; +}; + +zone "example.com" { + type master; + file "example.com.db"; + update-policy { + grant EXAMPLE.COM krb5-self . ANY; + grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV; + }; +}; diff --git a/bin/tests/system/nsupdate/ns8/dns.keytab b/bin/tests/system/nsupdate/ns8/dns.keytab new file mode 100644 index 0000000000000000000000000000000000000000..33400498c9354a521ca2a5e2e4e45a17a761dcd8 GIT binary patch literal 166 zcmZQ&VqjnhV_;(7c8zfK4e)W*bN2UTV0Q5fX5h~&w$MwhNX#wBN!3fv&jl)EjGiRA zpNT<;K|%aQswz{(P6r*8pVqS$%-z-+JFjD2+Z3ghaTjdLDzcP-ia{p3k!Z3YgTR|< VML*B+q&nOUVBT7vaC{TUBmhV3FCqW{ literal 0 HcmV?d00001 diff --git a/bin/tests/system/nsupdate/ns8/example.com.db.in b/bin/tests/system/nsupdate/ns8/example.com.db.in new file mode 100644 index 0000000000..eb24766f68 --- /dev/null +++ b/bin/tests/system/nsupdate/ns8/example.com.db.in 
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns8.example.com. hostmaster.example.com. (
+ 1 ; serial
+ 2000 ; refresh (2000 seconds)
+ 2000 ; retry (2000 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns8
+ns8 A 10.53.0.8
diff --git a/bin/tests/system/nsupdate/ns8/in-addr.db.in b/bin/tests/system/nsupdate/ns8/in-addr.db.in
new file mode 100644
index 0000000000..eb24766f68
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns8/in-addr.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns8.example.com. hostmaster.example.com. (
+ 1 ; serial
+ 2000 ; refresh (2000 seconds)
+ 2000 ; retry (2000 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns8
+ns8 A 10.53.0.8
diff --git a/bin/tests/system/nsupdate/ns8/machine.ccache b/bin/tests/system/nsupdate/ns8/machine.ccache new file mode 100644 index 0000000000000000000000000000000000000000..6e75afff54be327f5f210fac629d84927715a73b GIT binary patch literal 1327 zcmZQ&Vc=n4WZ+;x07f8_35dB}BOHALd|dUM{e6L4mW=%35+E&{o0y!DnU|`UT9KGr zkdvyHoSzF6CQld09xQgTWfvutq=RfjafA?1KtZy$P4BW8&k4rnOZqa2vZC3V+i$*B z(`%mI`TY><-vbKKlSKD}aQ$^Jd!TwCaD-40k})i?i808aiP3KXGZQ20LSAWPD;6mj z$brO}7K$5)N<*E2qGE9qqXb3ty!-YPuWrS4b~E!t z(E$53YTu84duYn_qNBcdNyw?2_m*;NnEw2E)I{Kl^2@l2psSinw-kgAdKadZ+?6_- zF5Sbm+UwMv>f>1^RrZ=CUz2`*zR0cpOONyaSE)PYtFJBHxb>r%YaaI=w@s_q&tJc~ zEBD=nkN+0L2)=x{tZU|+rri--!C}158&<@>=9(^e`MgZm38!;QnT-D-4{mJ9tiR#WzU4xDZP^>IzYlkb+&mDa{RtYzA*BTIT@JZQsa~J^U~r|5=#<+5?pDC#U=5HWr>+N zK%N{Vx#%M$SO+9FPz4cyxiYmFs*F5O;LyeF;uj1wmp`xA0wv3U6SF{xy_UX2-rt#F z(W~W;*<8-t{Zr;<`{PfFx<)>N1#F)JF#gTxsZ zN*IVqgWMsF?h0UP)&Oc(fv09BU}_d)X<`%#oNg>`ucgqEo$i%u{bcvrvPF0I+y2$A zWRaUApWXGaxr*7$%=z{949c{f;YdUaPif(#n!cD}qAB z(lS{O5N5%(>Y|AuI@VWi<=l3 z4I2M}6bUT^5{!!)Ke9BwJN)>8Ya&lXO>ke(`sHmUk6U)P%Fhh!o#|L`t1`gs`Q#=c z&58w5?Sk`X?^K&JV-vS<#prNS(>aPgN$Z3BzM=5?%UTp6z( zu5~-w`PcEZ+v*EvvStg!)y}r>(2Bmf@#fkWLcJL_9ma`M0z`7GKP@?W_2lmZzY7_C zSJ(WU6a3G0>#XIWrH`Gt?#cPdM}=Sg#`5&mTmuQe`%5DhnyGH*kUDd}K+e-K^39W# zJEq#tt}L&8u>5C!GH=_TN7hCQCUN&Am-T5#eJb02XMNy4PN|BO4S7};#%qn%o&3H+ zi^o3X`SHKd03{*~fK)OAF;9f9v!k7_yq%H`16V_ z^-?Pma|?1(^^)^*8Ng{W8HEDW~@3V)C5VB z;x71U>0BkF$vS&Uj+Ov561nGG$(U z+dD7M*jdtL-nz3Z7VP|~%e%qP_@u`CUmMi!y-yOVFkSll4ujd=p8q@Q6_wsNRXNn{ z-_m~5^XG;B8%I0~wtX*U3Ttp#@NLzuzb5a?*Nd)dlvLI;m|OABO#Y;)$)0Y5%@QAX zavZ-pRcFOrndxh1#ywj#;oq&mnS~1R5 zH)_Rvk|Rx*IvzJEVS9LN(Toi&kAljN@XhYa`(*U}$or6o#}2*UD&w^)KGP%N-`u38 VuR^Pj3p-{$W6e}rZzu~2X8 dig.out.ns3.$n @@ -663,7 +678,7 @@ n=`expr $n + 1` ret=0 echo_i "check command list ($n)" ( -while read cmd +while read cmd do echo "$cmd" | $NSUPDATE > /dev/null 2>&1 if test $? -gt 1 ; then 
@@ -1002,6 +1017,225 @@ grep "UPDATE, status: NOERROR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
 grep "UPDATE, status: FORMERR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
+if $FEATURETEST --gssapi ; then
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check krb5-self match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns7/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.7 ${PORT}
+ zone example.com
+ update add machine.example.com 3600 IN A 10.53.0.7
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.7 machine.example.com A > dig.out.ns7.test$n
+ grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1
+ grep "machine.example.com..*A.*10.53.0.7" dig.out.ns7.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check krb5-self no-match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns7/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.7 ${PORT}
+ zone example.com
+ update add foo.example.com 3600 IN A 10.53.0.7
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.7 foo.example.com A > dig.out.ns7.test$n
+ grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check krb5-subdomain match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns7/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.7 ${PORT}
+ zone example.com
+ update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._tcp.example.com SRV > dig.out.ns7.test$n
+ grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1
+ grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns7.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check krb5-subdomain no-match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns7/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.7 ${PORT}
+ zone example.com
+ update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._udp.example.com SRV > dig.out.ns7.test$n
+ grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check krb5-selfsub match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns8/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.8 ${PORT}
+ zone example.com
+ update add xxx.machine.example.com 3600 IN A 10.53.0.8
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.8 xxx.machine.example.com A > dig.out.ns8.test$n
+ grep "status: NOERROR" dig.out.ns8.test$n > /dev/null || ret=1
+ grep "xxx.machine.example.com..*A.*10.53.0.8" dig.out.ns8.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check krb5-selfsub no-match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns8/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.8 ${PORT}
+ zone example.com
+ update add foo.example.com 3600 IN A 10.53.0.8
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.8 foo.example.com A > dig.out.ns8.test$n
+ grep "status: NXDOMAIN" dig.out.ns8.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+
+ echo_i "check ms-self match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns9/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.9 ${PORT}
+ zone example.com
+ update add machine.example.com 3600 IN A 10.53.0.9
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.9 machine.example.com A > dig.out.ns9.test$n
+ grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1
+ grep "machine.example.com..*A.*10.53.0.9" dig.out.ns9.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check ms-self no-match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns9/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.9 ${PORT}
+ zone example.com
+ update add foo.example.com 3600 IN A 10.53.0.9
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.9 foo.example.com A > dig.out.ns9.test$n
+ grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check ms-subdomain match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns9/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.9 ${PORT}
+ zone example.com
+ update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._tcp.example.com SRV > dig.out.ns9.test$n
+ grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1
+ grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns9.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check ms-subdomain no-match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns9/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.9 ${PORT}
+ zone example.com
+ update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._udp.example.com SRV > dig.out.ns9.test$n
+ grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check ms-selfsub match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns10/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.10 ${PORT}
+ zone example.com
+ update add xxx.machine.example.com 3600 IN A 10.53.0.10
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.10 xxx.machine.example.com A > dig.out.ns10.test$n
+ grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1
+ grep "xxx.machine.example.com..*A.*10.53.0.10" dig.out.ns10.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check ms-selfsub no-match ($n)"
+ KRB5CCNAME="FILE:"`pwd`/ns10/machine.ccache
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.10 ${PORT}
+ zone example.com
+ update add foo.example.com 3600 IN A 10.53.0.10
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.10 foo.example.com A > dig.out.ns10.test$n
+ grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+fi
 #
 # Add client library tests here
 #
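Review bot: The negative cases in this hunk vary only the owner name (`foo.example.com`, `_xxx._udp.example.com`); none checks that the record-type restriction of a grant is enforced. A regression that let `krb5-subdomain _tcp.example.com SRV` or `ms-subdomain _tcp.example.com SRV` authorise other record types would therefore pass this suite. One type-mismatch case per server carrying such a grant, placed inside the `if $FEATURETEST --gssapi` block, would close the gap. The sketch below assumes the ns7 policy shown in ns7/named.conf.in and uses a fresh label so that NXDOMAIN is the expected answer. Separately, `KRB5CCNAME` stays exported after `fi`, so adding `unset KRB5CCNAME` before `fi` would keep the test credential cache from reaching later tests.

```shell
  n=`expr $n + 1`
  ret=0
  echo_i "check krb5-subdomain type no-match ($n)"
  KRB5CCNAME="FILE:"`pwd`/ns7/machine.ccache
  export KRB5CCNAME
  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
  gsstsig
  realm EXAMPLE.COM
  server 10.53.0.7 ${PORT}
  zone example.com
  update add _yyy._tcp.example.com 3600 IN A 10.53.0.7
  send
EOF
  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
  $DIG $DIGOPTS +tcp @10.53.0.7 _yyy._tcp.example.com A > dig.out.ns7.test$n
  grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
  [ $ret = 0 ] || { echo_i "failed"; status=1; }
  # … unchanged: krb5-selfsub and ms-* cases …
```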