Stop using "tkey-gssapi-credential" in tests

Since the "tkey-gssapi-credential" statement is now deprecated and is
about to be removed, migrate the only system test using it ("nsupdate")
to "tkey-gssapi-keytab".

Currently, the GSS-TSIG parts of the "nsupdate" system test require
properly setting up a combination of:

  - "tkey-gssapi-credential" statements in named.conf files,
  - the KRB5_KTNAME environment variable.

Specifically, this configuration causes named startup to include
acquiring the credential that GSS-API is allowed to match keys against
from a keytab file specified by the KRB5_KTNAME environment variable.

By contrast, the revised configuration uses the "tkey-gssapi-keytab"
statement, which makes GSS-API match keys against any credential present
in the specified keytab file.

Since both keytabs in question (ns9/dns.keytab, ns10/dns.keytab) only
contain a single credential, the two configurations are functionally
equivalent, with the revised one being significantly more readable and
simpler to prepare.
Michał Kępień 2025-10-06 13:19:50 +02:00
parent 9170722cb3
commit 73197feec7
4 changed files with 4 additions and 20 deletions
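The commit message's equivalence argument rests on each keytab holding exactly one credential: `tkey-gssapi-keytab` accepts any principal in the file, whereas `tkey-gssapi-credential` pinned one. The following is an added example, not part of this commit or of the BIND code base, that parses a keytab in the MIT v2 (0x0502) layout and lists its principals so that precondition can be checked before relying on it. `build_keytab`, the sample keytabs and the extra `host/` principal are constructed here for illustration; a real check would read ns9/dns.keytab and ns10/dns.keytab from disk.

```python
# Added example (not BIND code): list the principals in an MIT v2 keytab so the
# "single credential" assumption behind tkey-gssapi-keytab can be verified.
# Assumed layout: 0x0502 magic, then entries of [int32 size][uint16 ncomp]
# [realm][ncomp components][uint32 name_type][uint32 timestamp][uint8 vno8]
# [uint16 enctype][uint16 keylen][key][optional uint32 vno]; all big-endian,
# counted strings are uint16 length + bytes, negative size marks a deleted slot.
import struct
import time

KEYTAB_V2_MAGIC = b"\x05\x02"


def _counted(buf, pos):
    """Read a uint16-length-prefixed byte string at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def keytab_principals(data):
    """Return 'comp1/comp2@REALM' for every live entry, in file order."""
    if data[:2] != KEYTAB_V2_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos = 2
    principals = []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # hole left by a deleted entry: skip it
            pos += -size
            continue
        entry = data[pos:pos + size]
        pos += size
        p = 0
        (ncomp,) = struct.unpack_from(">H", entry, p)
        p += 2
        realm, p = _counted(entry, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(entry, p)
            comps.append(c.decode())
        # name_type, timestamp, vno8, enctype and key follow; not needed here.
        principals.append("/".join(comps) + "@" + realm.decode())
    return principals


def has_single_credential(data):
    """True when the keytab names exactly one distinct principal."""
    return len(set(keytab_principals(data))) == 1


def build_keytab(entries, key=b"\x00" * 16):
    """Write a v2 keytab from (principal, kvno, enctype) tuples.

    Constructed input for this example only; real keytabs come from
    kadmin/ktutil. The key bytes are dummies.
    """
    out = bytearray(KEYTAB_V2_MAGIC)
    for principal, kvno, enctype in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        # name_type 1 = KRB5_NT_PRINCIPAL, then timestamp and 8-bit kvno
        body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed samples: the ns9 keytab as the commit message describes it (one
# principal), and one that also carries a host key, which tkey-gssapi-keytab
# would accept but tkey-gssapi-credential "DNS/ns9.example.com@EXAMPLE.COM"
# would not. Enctype 17 = aes128-cts-hmac-sha1-96.
NS9_KEYTAB = build_keytab([("DNS/ns9.example.com@EXAMPLE.COM", 2, 17)])
MIXED_KEYTAB = build_keytab([
    ("DNS/ns9.example.com@EXAMPLE.COM", 2, 17),
    ("host/ns9.example.com@EXAMPLE.COM", 1, 17),
])

if __name__ == "__main__":
    for label, kt in (("ns9", NS9_KEYTAB), ("mixed", MIXED_KEYTAB)):
        print(label, keytab_principals(kt), "single:", has_single_credential(kt))
```

For a quick manual look at a real file, `klist -k ns9/dns.keytab` prints the same principal list; the parser above is useful when the check has to run inside a test harness without Kerberos client tools installed.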

View file

@ -54,7 +54,6 @@ BASIC_VARS = {
"PIPEQUERIES": f"{BUILD_VARS['TOP_BUILDDIR']}/pipequeries",
"TMPDIR": os.getenv("TMPDIR", "/tmp"),
"KRB5_CONFIG": "/dev/null", # we don't want a KRB5_CONFIG setting breaking the tests
"KRB5_KTNAME": "dns.keytab", # use local keytab instead of default /etc/krb5.keytab
"LC_ALL": "C",
"ANS_LOG_LEVEL": "debug",
"DYLIB": ("dylib" if os.uname().sysname == "Darwin" else "so"),
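Review bot: removing `"KRB5_KTNAME": "dns.keytab"` from the shared environment affects every process the harness starts, not only named; the removed line's own comment says it existed to keep the default /etc/krb5.keytab out of the picture, and the hunk header (-54,7 +54,6) shows nothing replaces it. Please confirm that named was the only consumer of KRB5_KTNAME in the system tests, otherwise any remaining consumer now silently falls back to the system keytab. A one-line comment next to the surviving `"KRB5_CONFIG": "/dev/null"` entry saying that the server keytab is now named in named.conf would also help the next reader.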

View file

@ -26,7 +26,7 @@ options {
notify yes;
minimal-responses no;
dnssec-validation no;
@TKEY_CONFIGURATION@
tkey-gssapi-keytab "dns.keytab";
};
key rndc_key {
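Review bot: `tkey-gssapi-keytab "dns.keytab";` is only equivalent to the old `tkey-gssapi-credential "DNS/ns9.example.com@EXAMPLE.COM";` while the keytab holds that single key; the commit message says the new statement matches against any credential present in the file, so an extra entry in ns9/dns.keytab would widen what this server accepts without any change here. Recording that assumption next to the new line, e.g. `// dns.keytab must contain only the DNS/ns9.example.com@EXAMPLE.COM key`, would stop the equivalence from drifting silently.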

View file

@ -24,7 +24,7 @@ options {
notify yes;
minimal-responses no;
dnssec-validation no;
@TKEY_CONFIGURATION@
tkey-gssapi-keytab "dns.keytab";
};
key rndc_key {
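Review bot: `"dns.keytab"` is a relative path, so it is now resolved by the named process against its working directory rather than by whatever previously read KRB5_KTNAME; that keeps the existing assumption that ns10 is started from its own directory, but it also means the `directory` setting in this `options` block (outside the hunk) must not point elsewhere. Please confirm that, or use the path relative to the test directory as the commit message writes it (ns10/dns.keytab).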

View file

@ -27,23 +27,8 @@ copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named1.conf.in ns7/named.conf
copy_setports ns8/named.conf.in ns8/named.conf
# If "tkey-gssapi-credential" is set in the configuration and GSSAPI support is
# not available, named will refuse to start. As the test system framework does
# not support starting named instances conditionally, ensure that
# "tkey-gssapi-credential" is only present in named.conf if GSSAPI support is
# available.
copy_setports ns9/named.conf.in ns9/named.conf.in.tkey
copy_setports ns10/named.conf.in ns10/named.conf.in.tkey
if $FEATURETEST --gssapi; then
sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns9.example.com@EXAMPLE.COM";|' ns9/named.conf.in.tkey >ns9/named.conf
sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns10.example.com@EXAMPLE.COM";|' ns10/named.conf.in.tkey >ns10/named.conf
else
sed 's|@TKEY_CONFIGURATION@||' ns9/named.conf.in.tkey >ns9/named.conf
sed 's|@TKEY_CONFIGURATION@||' ns10/named.conf.in.tkey >ns10/named.conf
fi
rm -f ns9/named.conf.in.tkey
rm -f ns10/named.conf.in.tkey
copy_setports ns9/named.conf.in ns9/named.conf
copy_setports ns10/named.conf.in ns10/named.conf
copy_setports verylarge.in verylarge
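Review bot: the removed comment documents that named refuses to start when `tkey-gssapi-credential` is configured without GSSAPI support, which is the only reason the `$FEATURETEST --gssapi` guard existed; after this hunk ns9 and ns10 are configured with plain `copy_setports` and therefore always receive `tkey-gssapi-keytab`, yet neither the hunk nor the commit message states that named tolerates that statement on a build without GSSAPI. Please either confirm that and say so in the commit message, or keep the guard around the two new `copy_setports` lines. Dropping the `.tkey` intermediates and their `rm -f` cleanup is fine.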