powerel7
/
web
2
0
Fork 0
Code Issues Pull Requests Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
204 Commits
1 Branch
0 Tags
2.3 MiB
Tree: 6f90c88b60
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6f90c88b60'
${ noResults }
web/SOURCES/bind99-fips-tests.patch

1979 lines
70 KiB
Raw Normal View History Unescape

bind package update Signed-off-by: webbuilder_pel7ppc64lebuilder0 <webbuilder@powerel.org>
6 years ago
From 4a1bbbbe8ff1951dba9f5d6a69c42dcf274877d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 22 Jun 2018 14:05:43 +0200
Subject: [PATCH 2/2] Squashed commit of the following:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
commit d1de64d54126a9662b0f709adf1467f1ca3caa50
Author: Petr Menšík <pemensik@redhat.com>
Date: Wed Jun 20 19:15:31 2018 +0200
Fix allow_query tests with hmac-256 keys
commit 854606588f53ee403364461ad29dc1cfd29525a0
Author: Petr Menšík <pemensik@redhat.com>
Date: Wed Mar 7 15:54:11 2018 +0100
Increase bitsize of DSA key to pass FIPS 140-2 mode.
commit 98dae21d1f863fa26c125271392288730da52842
Author: Petr Menšík <pemensik@redhat.com>
Date: Thu Apr 19 18:28:09 2018 +0200
Fix nsupdate, tsig and rndc tests.
Do not use md5 by default for rndc, skip gracefully md5 if not available.
Rename md5 keys to rndc*.conf, to pass util/merge_copyrights change.
Fix dynamic ports merge.
commit 0ec5e2522aa32931cda5abd07a757035078840ea
Author: Petr Menšík <pemensik@redhat.com>
Date: Wed Jun 20 19:34:20 2018 +0200
Use testcrypto for crypto detection. Generate random data per test into test directory.
commit 0ca3c85fa6450ae8b347fa5585d0134ebe41682c
Author: Petr Menšík <pemensik@redhat.com>
Date: Wed Mar 7 13:21:00 2018 +0100
Add md5 availability detection to featuretest
commit c1b104ccf66a1ec37e941e303a56675c7dcccbaa
Author: Petr Menšík <pemensik@redhat.com>
Date: Mon Jan 22 14:12:37 2018 +0100
Update system tests to detect MD5 disabled at runtime
commit 743d24de87b6f022b99d14d3109958660b9ee07b
Author: Petr Menšík <pemensik@redhat.com>
Date: Fri Feb 23 21:57:11 2018 +0100
Make testcrypto FIPS compatible
(cherry picked from commit 0e15cc7012c537a5d683c35534d33d23fcc4d942)
commit 325dc1f4f37dc4b7133dd39d7780c10d183e4808
Author: Evan Hunt <each@isc.org>
Date: Mon Oct 31 23:01:38 2016 -0700
[v9_9] 4496. [func] dig: add +idnout to control whether labels are
display in punycode or not. Requires idn support
to be enabled at compile time. [RT #43398]
(cherry picked from commit 42470b0b87da24b18e0ff6ce78f3143e89df6d31)
(cherry picked from commit 6552f33198438390724c5823b8dbcf477ec9638c)
(cherry picked from commit 7aec46a5ef4074c3957d525643188257c7575841)
Skip IDN part and import only feature-test from system tests
(cherry picked from commit 61a01f48604ff6f5f84b64a5aaee722ebae8fadc)
commit d435ac7bcf72117e75e534c23fca1852f4140eb8
Author: Petr Menšík <pemensik@redhat.com>
Date: Wed Mar 7 10:44:23 2018 +0100
Use hmac-sha256 instead of default hmac-md5 for allow-query.
Do not use hmac-md5 in tests by default, make it pass with MD5 disabled.
commit 067ca65156a9fadb191b7c9073904a43f57f1896
Author: Evan Hunt <each@isc.org>
Date: Thu Feb 6 19:48:49 2014 -0800
[v9_9] add testcrypto.sh
(cherry picked from commit e9a2673e85173d93be168f561c5c77184d4e839d)
commit 3fd542379fa381b54381e07d6625ce53f9f9b1f0
Author: Petr Menšík <pemensik@redhat.com>
Date: Thu Jun 21 12:00:35 2018 +0200
Revert "4450. [port] Provide more nuanced HSM support which better matches"
This reverts commit f3b4d031c1f714ff6e862670663aa5a18650951e.
Revert PK11_MD5_DISABLED also from remaining files. Keep documentation
changes.
commit f90934f734796595135cdd7a5008555a615dfe8e
Author: Petr Menšík <pemensik@redhat.com>
Date: Wed Jun 20 19:31:19 2018 +0200
Fix rndc-confgen default algorithm, report true algorithm in usage.
commit dd53212c12c6943a21a3c24d60995edd19e1d9f7
Author: Petr Menšík <pemensik@redhat.com>
Date: Fri Feb 23 21:21:30 2018 +0100
Cleanup only if initialization was successful
commit f163ea51c46bb22bf264a1ac983e2027e43845fa
Author: Petr Menšík <pemensik@redhat.com>
Date: Mon Feb 5 12:19:28 2018 +0100
Ensure dst backend is initialized first even before hmac algorithms.
commit 58751b60bd39168b7c8f817ede70473842432081
Author: Petr Menšík <pemensik@redhat.com>
Date: Mon Feb 5 12:17:54 2018 +0100
Skip initialization of MD5 based algorithms if not available.
commit 0572b98430d3c80f4a0b0c592b1e3bf7fde9b768
Author: Petr Menšík <pemensik@redhat.com>
Date: Mon Feb 5 10:21:27 2018 +0100
Change secalgs skipping to be more safe
commit 994f497a032930fce1370d507a265fbb293c66f4
Author: Petr Menšík <pemensik@redhat.com>
Date: Wed Jan 31 18:26:11 2018 +0100
Skip MD5 algorithm also in case of NULL name
commit abd82fbd2507c4b8f20e1ade202fd66d224fd646
Author: Petr Menšík <pemensik@redhat.com>
Date: Wed Jan 31 16:54:29 2018 +0100
Revert part of commit 1b5c641416eb6de7fc232fc89d31a40a4d439f3d related
to SHA1.
commit b3c832d53a14a0779f598869bb99685c8e4b2bc0
Author: Petr Menšík <pemensik@redhat.com>
Date: Wed Jan 31 11:38:12 2018 +0100
Make MD5 behave like unknown algorithm in TSIG.
commit a64a3d6962ee93d6f8699b29bd6507dba0c244ed
Author: Petr Menšík <pemensik@redhat.com>
Date: Tue Nov 28 20:14:37 2017 +0100
Select token with most supported functions, instead of demanding it must support all functions
Initialize PKCS#11 always until successfully initialized
commit db118c6368668099ea1b6e75860cc12e178afa3b
Author: Petr Menšík <pemensik@redhat.com>
Date: Mon Jan 22 16:17:44 2018 +0100
Handle MD5 unavailability from DST
commit 8f8824dca2f5b4d5a3a176d31ac3ee612321c4e3
Author: Petr Menšík <pemensik@redhat.com>
Date: Mon Jan 22 14:11:16 2018 +0100
Check runtime flag from library and applications, fail gracefully.
commit bd431384af7dcde8827e670c8749517ad677a967
Author: Petr Menšík <pemensik@redhat.com>
Date: Mon Jan 22 08:39:08 2018 +0100
Modify libraries to use isc_md5_available() if PK11_MD5_DISABLE is not
defined.
TODO: pk11.c should accept slot without MD5 support.
commit 160b13979ef3d0e92d2dd52d0987a3ec979be6cf
Author: Petr Menšík <pemensik@redhat.com>
Date: Mon Jan 22 07:21:04 2018 +0100
Add runtime detection whether MD5 is useable.
commit 23b27ce0f2ad496c331ae40349cc1074a1b11804
Author: Mark Andrews <marka@isc.org>
Date: Fri Aug 19 08:25:54 2016 +1000
4450. [port] Provide more nuanced HSM support which better matches
the specific PKCS11 providers capabilities. [RT #42458]
(cherry picked from commit 8ee6f289d87851a5b898b24a64587f0e6bc225bc)
---
bin/tests/system/Makefile.in | 25 +++-
bin/tests/system/acl/ns2/named1.conf | 4 +-
bin/tests/system/acl/ns2/named2.conf | 4 +-
bin/tests/system/acl/ns2/named3.conf | 6 +-
bin/tests/system/acl/ns2/named4.conf | 4 +-
bin/tests/system/acl/ns2/named5.conf | 4 +-
bin/tests/system/acl/tests.sh | 32 +++---
bin/tests/system/allow_query/ns2/named10.conf | 2 +-
bin/tests/system/allow_query/ns2/named11.conf | 4 +-
bin/tests/system/allow_query/ns2/named12.conf | 2 +-
bin/tests/system/allow_query/ns2/named30.conf | 2 +-
bin/tests/system/allow_query/ns2/named31.conf | 4 +-
bin/tests/system/allow_query/ns2/named32.conf | 2 +-
bin/tests/system/allow_query/ns2/named40.conf | 4 +-
bin/tests/system/allow_query/tests.sh | 18 +--
bin/tests/system/checkconf/bad-tsig.conf | 2 +-
bin/tests/system/conf.sh.in | 6 +-
bin/tests/system/digdelv/ns2/example.db | 15 ++-
bin/tests/system/digdelv/tests.sh | 4 +-
bin/tests/system/dlv/ns1/sign.sh | 4 +-
bin/tests/system/dlv/ns2/sign.sh | 4 +-
bin/tests/system/dlv/ns3/sign.sh | 68 +++++------
bin/tests/system/dlv/ns6/sign.sh | 64 +++++------
bin/tests/system/dnssec/ns2/sign.sh | 8 +-
bin/tests/system/dnssec/prereq.sh | 11 +-
bin/tests/system/feature-test.c | 159 ++++++++++++++++++++++++++
bin/tests/system/filter-aaaa/ns1/sign.sh | 4 +-
bin/tests/system/filter-aaaa/ns4/sign.sh | 4 +-
bin/tests/system/keymgr/prereq.sh | 15 +--
bin/tests/system/nsupdate/ns1/named.conf | 2 +-
bin/tests/system/nsupdate/ns2/named.conf | 2 +-
bin/tests/system/nsupdate/setup.sh | 7 +-
bin/tests/system/nsupdate/tests.sh | 11 +-
bin/tests/system/rndc/setup.sh | 4 +-
bin/tests/system/rndc/tests.sh | 22 ++--
bin/tests/system/testcrypto.sh | 71 ++++++++++++
bin/tests/system/tkey/keycreate.c | 3 +
bin/tests/system/tkey/keydelete.c | 18 ++-
bin/tests/system/tkey/prereq.sh | 11 +-
bin/tests/system/tsig/clean.sh | 1 +
bin/tests/system/tsig/ns1/named.conf | 12 +-
bin/tests/system/tsig/ns1/rndc5.conf.in | 22 ++++
bin/tests/system/tsig/setup.sh | 25 ++++
bin/tests/system/tsig/tests.sh | 75 +++++++-----
bin/tests/system/tsiggss/setup.sh | 2 +-
bin/tests/system/upforwd/ns1/named.conf | 2 +-
bin/tests/system/upforwd/tests.sh | 2 +-
47 files changed, 547 insertions(+), 230 deletions(-)
create mode 100644 bin/tests/system/feature-test.c
create mode 100644 bin/tests/system/testcrypto.sh
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
create mode 100644 bin/tests/system/tsig/setup.sh
diff --git a/bin/tests/system/Makefile.in b/bin/tests/system/Makefile.in
index 0c7fdffd01..afee71b2bb 100644
--- a/bin/tests/system/Makefile.in
+++ b/bin/tests/system/Makefile.in
@@ -23,10 +23,31 @@ top_srcdir = @top_srcdir@
SUBDIRS = dlzexternal dyndb filter-aaaa geoip lwresd rpz rrl \
rsabigexponent tkey tsiggss
-TARGETS =
+CINCLUDES = ${ISC_INCLUDES} ${DNS_INCLUDES}
+
+CDEFINES = @USE_GSSAPI@
+CWARNINGS =
+
+DNSLIBS =
+ISCLIBS = ../../../lib/isc/libisc.@A@
+
+DNSDEPLIBS =
+ISCDEPLIBS =
+
+DEPLIBS =
+
+LIBS = @LIBS@
+
+OBJS = feature-test.@O@
+SRCS = feature-test.c
+
+TARGETS = feature-test@EXEEXT@
@BIND9_MAKE_RULES@
+feature-test@EXEEXT@: feature-test.@O@
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
+
# Running the scripts below is bypassed when a separate
# build directory is used.
@@ -38,6 +59,8 @@ test: subdirs
testclean clean distclean::
if test -f ./cleanall.sh; then sh ./cleanall.sh; fi
rm -f systests.output
+ rm -f ${TARGETS}
+ rm -f ${OBJS}
distclean::
rm -f conf.sh
diff --git a/bin/tests/system/acl/ns2/named1.conf b/bin/tests/system/acl/ns2/named1.conf
index b70d1dd761..9037a15c9d 100644
--- a/bin/tests/system/acl/ns2/named1.conf
+++ b/bin/tests/system/acl/ns2/named1.conf
@@ -35,12 +35,12 @@ options {
include "../../common/controls.conf";
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/ns2/named2.conf b/bin/tests/system/acl/ns2/named2.conf
index bcd7e0df19..648c5fdbdc 100644
--- a/bin/tests/system/acl/ns2/named2.conf
+++ b/bin/tests/system/acl/ns2/named2.conf
@@ -35,12 +35,12 @@ options {
include "../../common/controls.conf";
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/ns2/named3.conf b/bin/tests/system/acl/ns2/named3.conf
index ea2cbcb44a..546ecf6af4 100644
--- a/bin/tests/system/acl/ns2/named3.conf
+++ b/bin/tests/system/acl/ns2/named3.conf
@@ -35,17 +35,17 @@ options {
include "../../common/controls.conf";
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key three {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/ns2/named4.conf b/bin/tests/system/acl/ns2/named4.conf
index 99edf7ebe5..4c84d0f163 100644
--- a/bin/tests/system/acl/ns2/named4.conf
+++ b/bin/tests/system/acl/ns2/named4.conf
@@ -35,12 +35,12 @@ options {
include "../../common/controls.conf";
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/ns2/named5.conf b/bin/tests/system/acl/ns2/named5.conf
index d17e1cf7b7..52ae56300e 100644
--- a/bin/tests/system/acl/ns2/named5.conf
+++ b/bin/tests/system/acl/ns2/named5.conf
@@ -36,12 +36,12 @@ options {
include "../../common/controls.conf";
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
index 7207c5a1d3..753f9f6743 100644
--- a/bin/tests/system/acl/tests.sh
+++ b/bin/tests/system/acl/tests.sh
@@ -28,13 +28,13 @@ echo "I:testing basic ACL processing"
# key "one" should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out
grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
# any other key should be fine
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out
grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
cp -f ns2/named2.conf ns2/named.conf
@@ -44,18 +44,18 @@ sleep 5
# prefix 10/8 should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out
grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
# any other address should work, as long as it sends key "one"
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out
grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out
grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
echo "I:testing nested ACL processing"
@@ -67,31 +67,31 @@ sleep 5
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 -p 5300 > dig.out
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out
grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 -p 5300 > dig.out
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out
grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out
grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out
grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
# but only one or the other should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out
grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
t=`expr $t + 1`
@@ -102,7 +102,7 @@ grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $tt failed" ; status=1; }
# and other values? right out
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 -p 5300 > dig.out
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 -p 5300 > dig.out
grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
@@ -113,31 +113,31 @@ sleep 5
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 -p 5300 > dig.out
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out
grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out
grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
# should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 -p 5300 > dig.out
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out
grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
# should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out
grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
# should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 -p 5300 > dig.out
+ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out
grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
echo "I:testing allow-query-on ACL processing"
diff --git a/bin/tests/system/allow_query/ns2/named10.conf b/bin/tests/system/allow_query/ns2/named10.conf
index 17786e6f87..918b185671 100644
--- a/bin/tests/system/allow_query/ns2/named10.conf
+++ b/bin/tests/system/allow_query/ns2/named10.conf
@@ -20,7 +20,7 @@
controls { /* empty */ };
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/allow_query/ns2/named11.conf b/bin/tests/system/allow_query/ns2/named11.conf
index 3d225bd9a2..2ccd8d4b3f 100644
--- a/bin/tests/system/allow_query/ns2/named11.conf
+++ b/bin/tests/system/allow_query/ns2/named11.conf
@@ -20,12 +20,12 @@
controls { /* empty */ };
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234efgh8765";
};
diff --git a/bin/tests/system/allow_query/ns2/named12.conf b/bin/tests/system/allow_query/ns2/named12.conf
index e5e64184c8..fd322bb709 100644
--- a/bin/tests/system/allow_query/ns2/named12.conf
+++ b/bin/tests/system/allow_query/ns2/named12.conf
@@ -19,7 +19,7 @@
controls { /* empty */ };
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/allow_query/ns2/named30.conf b/bin/tests/system/allow_query/ns2/named30.conf
index 9182f21af3..585436f1d9 100644
--- a/bin/tests/system/allow_query/ns2/named30.conf
+++ b/bin/tests/system/allow_query/ns2/named30.conf
@@ -20,7 +20,7 @@
controls { /* empty */ };
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/allow_query/ns2/named31.conf b/bin/tests/system/allow_query/ns2/named31.conf
index 19efdf397e..d7f0e80616 100644
--- a/bin/tests/system/allow_query/ns2/named31.conf
+++ b/bin/tests/system/allow_query/ns2/named31.conf
@@ -20,12 +20,12 @@
controls { /* empty */ };
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234efgh8765";
};
diff --git a/bin/tests/system/allow_query/ns2/named32.conf b/bin/tests/system/allow_query/ns2/named32.conf
index 3c207f3422..4d66a3812d 100644
--- a/bin/tests/system/allow_query/ns2/named32.conf
+++ b/bin/tests/system/allow_query/ns2/named32.conf
@@ -19,7 +19,7 @@
controls { /* empty */ };
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/allow_query/ns2/named40.conf b/bin/tests/system/allow_query/ns2/named40.conf
index cb81c79e5d..c581c5eefd 100644
--- a/bin/tests/system/allow_query/ns2/named40.conf
+++ b/bin/tests/system/allow_query/ns2/named40.conf
@@ -23,12 +23,12 @@ acl accept { 10.53.0.2; };
acl badaccept { 10.53.0.1; };
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234efgh8765";
};
diff --git a/bin/tests/system/allow_query/tests.sh b/bin/tests/system/allow_query/tests.sh
index 0592c342d4..c5ef867451 100644
--- a/bin/tests/system/allow_query/tests.sh
+++ b/bin/tests/system/allow_query/tests.sh
@@ -195,7 +195,7 @@ sleep 5
echo "I:test $n: key allowed - query allowed"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -209,7 +209,7 @@ sleep 5
echo "I:test $n: key not allowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -223,7 +223,7 @@ sleep 5
echo "I:test $n: key disallowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -366,7 +366,7 @@ sleep 5
echo "I:test $n: views key allowed - query allowed"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -380,7 +380,7 @@ sleep 5
echo "I:test $n: views key not allowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -394,7 +394,7 @@ sleep 5
echo "I:test $n: views key disallowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -530,7 +530,7 @@ status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:test $n: zone key allowed - query allowed"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -540,7 +540,7 @@ status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:test $n: zone key not allowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -550,7 +550,7 @@ status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:test $n: zone key disallowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
index 8f0ecf7ea0..0e4718994f 100644
--- a/bin/tests/system/checkconf/bad-tsig.conf
+++ b/bin/tests/system/checkconf/bad-tsig.conf
@@ -18,7 +18,7 @@
/* Bad secret */
key "badtsig" {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "jEdD+BPKg==";
};
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 930928b429..420320c737 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -56,6 +56,10 @@ JOURNALPRINT=$TOP/bin/tools/named-journalprint
VERIFY=$TOP/bin/dnssec/dnssec-verify
ARPANAME=$TOP/bin/tools/arpaname
SAMPLE=$TOP/lib/export/samples/sample
+GENRANDOM=$TOP/bin/tools/genrandom
+FEATURETEST=$TOP/bin/tests/system/feature-test
+
+RANDFILE=$TOP/bin/tests/system/random.data
# The "stress" test is not run by default since it creates enough
# load on the machine to make it unusable to other users.
@@ -89,4 +93,4 @@ fi
export NAMED LWRESD DIG NSUPDATE KEYGEN KEYFRLAB SIGNER KEYSIGNER KEYSETTOOL \
PERL PYTHON SUBDIRS RNDC CHECKZONE PK11GEN PK11LIST PK11DEL TESTSOCK6 \
- JOURNALPRINT ARPANAME SAMPLE
+ JOURNALPRINT ARPANAME SAMPLE FEATURETEST
diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db
index 0a1aa5d615..fd3ed3a045 100644
--- a/bin/tests/system/digdelv/ns2/example.db
+++ b/bin/tests/system/digdelv/ns2/example.db
@@ -41,10 +41,13 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890
;;
;; we are not testing DNSSEC behavior, so we don't care about the semantics
;; of the following records.
-dnskey 300 DNSKEY 256 3 1 (
- AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg
- +Ge4noWROpTWOIBvm76zeJPWs4Zfqa1IsswD
- Ix5Mqeg0zwclz59uecKsKyx5w9IhtZ8plc4R
- b9VIE5x7KNHAYTvTO5d4S8M=
- )
+dnskey 300 DNSKEY 256 3 8 (
+ AwEAAaWmCoDpj2K59zcpqnmnQM7IC/XbjS6jIP7uTBR4X7p1bdQJzAeo
+ EnMhnpnxPp0j+20eZm4847DB2U+HuHy79Mvqd3aozTmfBJvzjKs9qyba
+ zY/ZHn6BDYxNJiFfjSS/VJ1KuQPDbpCzhm2hbvT5s9nSOaG0WyRk+d+R
+ qEca11E7ZKkmmNiGlyzMAgfmTTBwgxWBAAhvd9nU1GqD6eQ6Z63hpTc/
+ KDIHnFTo7pOcZ4z5urIKUMCMcFytedETlEoR5CIWGPdQq2eIEEMfn5ld
+ QqdEZRHVErD9og8aluJ2s767HZb8LzjCfYgBFoT9/n48T75oZLEKtSkG
+ /idCeeQlaLU=
+ )
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
index a19256cde3..bdfacf9fb4 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@@ -59,7 +59,7 @@ if [ -x ${DIG} ] ; then
echo "I:checking dig +rrcomments works for DNSKEY($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
- grep "; ZSK; alg = RSAMD5 *; key id = 30795" < dig.out.test$n > /dev/null || ret=1
+ grep "; ZSK; alg = RSASHA256 *; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
@@ -146,7 +146,7 @@ if [ -n "${DELV}" -a -x "${DELV}" ] ; then
echo "I:checking delv +rrcomments works for DNSKEY($n)"
ret=0
$DELV $DELVOPTS @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
- grep "; ZSK; alg = RSAMD5 *; key id = 30795" < delv.out.test$n > /dev/null || ret=1
+ grep "; ZSK; alg = RSASHA256 *; key id = 36895" < dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh
index 9854f5b7ce..cf261c136c 100755
--- a/bin/tests/system/dlv/ns1/sign.sh
+++ b/bin/tests/system/dlv/ns1/sign.sh
@@ -30,8 +30,8 @@ infile=root.db.in
zonefile=root.db
outfile=root.signed
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh
index edcc8f21d4..4e142b00d8 100755
--- a/bin/tests/system/dlv/ns2/sign.sh
+++ b/bin/tests/system/dlv/ns2/sign.sh
@@ -31,8 +31,8 @@ zonefile=druz.db
outfile=druz.pre
dlvzone=utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh
index 6bdc2f6cc5..64c5846f7d 100755
--- a/bin/tests/system/dlv/ns3/sign.sh
+++ b/bin/tests/system/dlv/ns3/sign.sh
@@ -34,8 +34,8 @@ zonefile=child1.utld.db
outfile=child1.signed
dlvsets="$dlvsets dlvset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
@@ -49,8 +49,8 @@ zonefile=child3.utld.db
outfile=child3.signed
dlvsets="$dlvsets dlvset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
@@ -64,8 +64,8 @@ zonefile=child4.utld.db
outfile=child4.signed
dlvsets="$dlvsets dlvset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -79,8 +79,8 @@ zonefile=child5.utld.db
outfile=child5.signed
dlvsets="$dlvsets dlvset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
@@ -93,8 +93,8 @@ infile=child.db.in
zonefile=child7.utld.db
outfile=child7.signed
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
@@ -107,8 +107,8 @@ infile=child.db.in
zonefile=child8.utld.db
outfile=child8.signed
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -122,8 +122,8 @@ zonefile=child9.utld.db
outfile=child9.signed
dlvsets="$dlvsets dlvset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -136,8 +136,8 @@ zonefile=child10.utld.db
outfile=child10.signed
dlvsets="$dlvsets dlvset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -151,8 +151,8 @@ outfile=child1.druz.signed
dlvsets="$dlvsets dlvset-$zone"
dssets="$dssets dsset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
@@ -167,8 +167,8 @@ outfile=child3.druz.signed
dlvsets="$dlvsets dlvset-$zone"
dssets="$dssets dsset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
@@ -183,8 +183,8 @@ outfile=child4.druz.signed
dlvsets="$dlvsets dlvset-$zone"
dssets="$dssets dsset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -199,8 +199,8 @@ outfile=child5.druz.signed
dlvsets="$dlvsets dlvset-$zone"
dssets="$dssets dsset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
@@ -214,8 +214,8 @@ zonefile=child7.druz.db
outfile=child7.druz.signed
dssets="$dssets dsset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
@@ -228,8 +228,8 @@ infile=child.db.in
zonefile=child8.druz.db
outfile=child8.druz.signed
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -243,8 +243,8 @@ zonefile=child9.druz.db
outfile=child9.druz.signed
dlvsets="$dlvsets dlvset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -258,8 +258,8 @@ outfile=child10.druz.signed
dlvsets="$dlvsets dlvset-$zone"
dssets="$dssets dsset-$zone"
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -272,8 +272,8 @@ infile=dlv.db.in
zonefile=dlv.utld.db
outfile=dlv.signed
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh
index 2bc133e5d6..227c1cb69f 100755
--- a/bin/tests/system/dlv/ns6/sign.sh
+++ b/bin/tests/system/dlv/ns6/sign.sh
@@ -28,8 +28,8 @@ infile=child.db.in
zonefile=grand.child1.utld.db
outfile=grand.child1.signed
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -43,8 +43,8 @@ zonefile=grand.child3.utld.db
outfile=grand.child3.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -58,8 +58,8 @@ zonefile=grand.child4.utld.db
outfile=grand.child4.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -73,8 +73,8 @@ zonefile=grand.child5.utld.db
outfile=grand.child5.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -88,8 +88,8 @@ zonefile=grand.child7.utld.db
outfile=grand.child7.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -103,8 +103,8 @@ zonefile=grand.child8.utld.db
outfile=grand.child8.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -118,8 +118,8 @@ zonefile=grand.child9.utld.db
outfile=grand.child9.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -132,8 +132,8 @@ zonefile=grand.child10.utld.db
outfile=grand.child10.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -145,8 +145,8 @@ infile=child.db.in
zonefile=grand.child1.druz.db
outfile=grand.child1.druz.signed
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -160,8 +160,8 @@ zonefile=grand.child3.druz.db
outfile=grand.child3.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -175,8 +175,8 @@ zonefile=grand.child4.druz.db
outfile=grand.child4.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -190,8 +190,8 @@ zonefile=grand.child5.druz.db
outfile=grand.child5.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -205,8 +205,8 @@ zonefile=grand.child7.druz.db
outfile=grand.child7.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -220,8 +220,8 @@ zonefile=grand.child8.druz.db
outfile=grand.child8.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -235,8 +235,8 @@ zonefile=grand.child9.druz.db
outfile=grand.child9.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -249,8 +249,8 @@ zonefile=grand.child10.druz.db
outfile=grand.child10.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 118b8a6d6b..0c4dcb4b19 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -38,8 +38,8 @@ do
cp ../ns3/dsset-$subdomain.example. .
done
-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
+keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -98,7 +98,7 @@ privzone=private.secure.example.
privinfile=private.secure.example.db.in
privzonefile=private.secure.example.db
-privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone`
+privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $privzone`
cat $privinfile $privkeyname.key >$privzonefile
@@ -111,7 +111,7 @@ dlvzone=dlv.
dlvinfile=dlv.db.in
dlvzonefile=dlv.db
-dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone`
+dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $dlvzone`
cat $dlvinfile $dlvkeyname.key dlvset-$privzone > $dlvzonefile
diff --git a/bin/tests/system/dnssec/prereq.sh b/bin/tests/system/dnssec/prereq.sh
index 113e372c28..84630d8abc 100644
--- a/bin/tests/system/dnssec/prereq.sh
+++ b/bin/tests/system/dnssec/prereq.sh
@@ -17,13 +17,4 @@
# $Id: prereq.sh,v 1.13 2009/10/28 00:27:10 marka Exp $
-../../../tools/genrandom 400 random.data
-
-if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
-then
- rm -f Kfoo*
-else
- echo "I:This test requires cryptography" >&2
- echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
- exit 1
-fi
+exec $SHELL ../testcrypto.sh
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
new file mode 100644
index 0000000000..495f46a32a
--- /dev/null
+++ b/bin/tests/system/feature-test.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#include <config.h>
+
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/print.h>
+#include <isc/util.h>
+#include <isc/md5.h>
+
+#ifdef WIN32
+#include <Winsock2.h>
+#endif
+
+#ifndef MAXHOSTNAMELEN
+#ifdef HOST_NAME_MAX
+#define MAXHOSTNAMELEN HOST_NAME_MAX
+#else
+#define MAXHOSTNAMELEN 256
+#endif
+#endif
+
+static void
+usage() {
+ fprintf(stderr, "usage: feature-test <arg>\n");
+ fprintf(stderr, "args:\n");
+ fprintf(stderr, " --enable-filter-aaaa\n");
+ fprintf(stderr, " --gethostname\n");
+ fprintf(stderr, " --gssapi\n");
+ fprintf(stderr, " --have-dlopen\n");
+ fprintf(stderr, " --have-geoip\n");
+ fprintf(stderr, " --have-libxml2\n");
+ fprintf(stderr, " --md5\n");
+ fprintf(stderr, " --rpz-nsip\n");
+ fprintf(stderr, " --rpz-nsdname\n");
+ fprintf(stderr, " --with-idn\n");
+}
+
+int
+main(int argc, char **argv) {
+ if (argc != 2) {
+ usage();
+ return (1);
+ }
+
+ if (strcmp(argv[1], "--enable-filter-aaaa") == 0) {
+#ifdef ALLOW_FILTER_AAAA
+ return (0);
+#else
+ return (1);
+#endif
+ }
+
+ if (strcmp(argv[1], "--gethostname") == 0) {
+ char hostname[MAXHOSTNAMELEN];
+ int n;
+#ifdef WIN32
+ /* From lwres InitSocket() */
+ WORD wVersionRequested;
+ WSADATA wsaData;
+ int err;
+
+ wVersionRequested = MAKEWORD(2, 0);
+ err = WSAStartup( wVersionRequested, &wsaData );
+ if (err != 0) {
+ fprintf(stderr, "WSAStartup() failed: %d\n", err);
+ exit(1);
+ }
+#endif
+
+ n = gethostname(hostname, sizeof(hostname));
+ if (n == -1) {
+ perror("gethostname");
+ return(1);
+ }
+ fprintf(stdout, "%s\n", hostname);
+#ifdef WIN32
+ WSACleanup();
+#endif
+ return (0);
+ }
+
+ if (strcmp(argv[1], "--gssapi") == 0) {
+#if defined(GSSAPI)
+ return (0);
+#else
+ return (1);
+#endif
+ }
+
+ if (strcmp(argv[1], "--have-dlopen") == 0) {
+#if defined(HAVE_DLOPEN) && defined(ISC_DLZ_DLOPEN)
+ return (0);
+#else
+ return (1);
+#endif
+ }
+
+ if (strcmp(argv[1], "--have-geoip") == 0) {
+#ifdef HAVE_GEOIP
+ return (0);
+#else
+ return (1);
+#endif
+ }
+
+ if (strcmp(argv[1], "--have-libxml2") == 0) {
+#ifdef HAVE_LIBXML2
+ return (0);
+#else
+ return (1);
+#endif
+ }
+
+ if (strcmp(argv[1], "--md5") == 0) {
+ if (isc_md5_available()) {
+ return (0);
+ } else {
+ return (1);
+ }
+ }
+
+ if (strcmp(argv[1], "--rpz-nsip") == 0) {
+#ifdef ENABLE_RPZ_NSIP
+ return (0);
+#else
+ return (1);
+#endif
+ }
+
+ if (strcmp(argv[1], "--rpz-nsdname") == 0) {
+#ifdef ENABLE_RPZ_NSDNAME
+ return (0);
+#else
+ return (1);
+#endif
+ }
+
+ if (strcmp(argv[1], "--with-idn") == 0) {
+#ifdef WITH_IDN
+ return (0);
+#else
+ return (1);
+#endif
+ }
+
+ fprintf(stderr, "unknown arg: %s\n", argv[1]);
+ usage();
+ return (1);
+}
diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh
index 203e37ebfb..e0c696b986 100755
--- a/bin/tests/system/filter-aaaa/ns1/sign.sh
+++ b/bin/tests/system/filter-aaaa/ns1/sign.sh
@@ -27,8 +27,8 @@ infile=signed.db.in
zonefile=signed.db.signed
outfile=signed.db.signed
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh
index ff33b10a19..74d755763a 100755
--- a/bin/tests/system/filter-aaaa/ns4/sign.sh
+++ b/bin/tests/system/filter-aaaa/ns4/sign.sh
@@ -27,8 +27,8 @@ infile=signed.db.in
zonefile=signed.db.signed
outfile=signed.db.signed
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/keymgr/prereq.sh b/bin/tests/system/keymgr/prereq.sh
index be2546ec59..e71cc9f03a 100644
--- a/bin/tests/system/keymgr/prereq.sh
+++ b/bin/tests/system/keymgr/prereq.sh
@@ -14,17 +14,4 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-../../../tools/genrandom 400 random.data
-
-if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
-then
- rm -f Kfoo*
-else
- echo "I:This test requires cryptography" >&2
- echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
- exit 1
-fi
-#exec $SHELL ../testcrypto.sh
+exec $SHELL ../testcrypto.sh
diff --git a/bin/tests/system/nsupdate/ns1/named.conf b/bin/tests/system/nsupdate/ns1/named.conf
index 86fe91d070..c53da11685 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf
+++ b/bin/tests/system/nsupdate/ns1/named.conf
@@ -42,7 +42,7 @@ controls {
};
key altkey {
- algorithm hmac-md5;
+ algorithm hmac-sha512;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/nsupdate/ns2/named.conf b/bin/tests/system/nsupdate/ns2/named.conf
index 6db32202ff..68022656ec 100644
--- a/bin/tests/system/nsupdate/ns2/named.conf
+++ b/bin/tests/system/nsupdate/ns2/named.conf
@@ -33,7 +33,7 @@ options {
};
key altkey {
- algorithm hmac-md5;
+ algorithm hmac-sha512;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index bb015142da..e97406956a 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -53,8 +53,13 @@ EOF
../../../tools/genrandom 400 random.data
$DDNSCONFGEN -q -r random.data -z example.nil > ns1/ddns.key
+if $FEATURETEST --md5; then
+ $DDNSCONFGEN -q -r random.data -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
+else
+ echo -n > ns1/md5.key
+fi
+
-$DDNSCONFGEN -q -r random.data -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
$DDNSCONFGEN -q -r random.data -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
$DDNSCONFGEN -q -r random.data -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
$DDNSCONFGEN -q -r random.data -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index b9a1c90536..821d7a65e2 100644
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -516,7 +516,14 @@ fi
n=`expr $n + 1`
ret=0
echo "I:check TSIG key algorithms ($n)"
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+if $FEATURETEST --md5
+then
+ ALGS="md5 sha1 sha224 sha256 sha384 sha512"
+else
+ ALGS="sha1 sha224 sha256 sha384 sha512"
+ echo_i "skipping disabled md5 algorithm"
+fi
+for alg in $ALGS; do
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
server 10.53.0.1 5300
update add ${alg}.keytests.nil. 600 A 10.10.10.3
@@ -524,7 +531,7 @@ send
END
done
sleep 2
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+for alg in $ALGS; do
$DIG +short @10.53.0.1 -p 5300 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
done
if [ $ret -ne 0 ]; then
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
index ce80005faf..a7c66841cc 100644
--- a/bin/tests/system/rndc/setup.sh
+++ b/bin/tests/system/rndc/setup.sh
@@ -22,7 +22,7 @@ SYSTEMTESTTOP=..
sh clean.sh
-../../../tools/genrandom 400 random.data
+../../../tools/genrandom 800 random.data
sh ../genzone.sh 2 >ns2/nil.db
sh ../genzone.sh 2 >ns2/other.db
@@ -37,7 +37,7 @@ make_key () {
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
}
-make_key 1 hmac-md5
+$FEATURETEST --md5 && make_key 1 hmac-md5
make_key 2 hmac-sha1
make_key 3 hmac-sha224
make_key 4 hmac-sha256
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
index 01dbc811ae..20a90850d1 100644
--- a/bin/tests/system/rndc/tests.sh
+++ b/bin/tests/system/rndc/tests.sh
@@ -246,14 +246,20 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:testing rndc with hmac-md5"
-ret=0
-$RNDC -s 10.53.0.4 -p 9951 -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
-for i in 2 3 4 5 6
-do
- $RNDC -s 10.53.0.4 -p 9951 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
-done
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
+if $FEATURETEST --md5
+then
+ echo "I:testing rndc with hmac-md5"
+ ret=0
+ $RNDC -s 10.53.0.4 -p 9951 -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
+ for i in 2 3 4 5 6
+ do
+ $RNDC -s 10.53.0.4 -p 9951 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+ done
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+else
+ echo "W:skipping rndc with hmac-md5"
+fi
echo "I:testing rndc with hmac-sha1"
ret=0
diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh
new file mode 100644
index 0000000000..e21f18b5f5
--- /dev/null
+++ b/bin/tests/system/testcrypto.sh
@@ -0,0 +1,71 @@
+#!/bin/sh
+#
+# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+SYSTEMTESTTOP=${SYSTEMTESTTOP:=..}
+. $SYSTEMTESTTOP/conf.sh
+
+# Unlike 9.11, keep generated data in current directory
+RANDFILE=random.data
+
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
+
+prog=$0
+
+args="-r $RANDFILE"
+alg="-a RSASHA1 -b 2048"
+quiet=0
+
+msg1="cryptography"
+msg2="--with-openssl, or --enable-native-pkcs11 --with-pkcs11"
+while test "$#" -gt 0; do
+ case $1 in
+ -q)
+ args="$args -q"
+ quiet=1
+ ;;
+ rsa|RSA)
+ alg=""
+ msg1="RSA cryptography"
+ ;;
+ gost|GOST)
+ alg="-a eccgost"
+ msg1="GOST cryptography"
+ msg2="--with-gost"
+ ;;
+ ecdsa|ECDSA)
+ alg="-a ecdsap256sha256"
+ msg1="ECDSA cryptography"
+ msg2="--with-ecdsa"
+ ;;
+ *)
+ echo "${prog}: unknown argument"
+ exit 1
+ ;;
+ esac
+ shift
+done
+
+
+if $KEYGEN $args $alg foo > /dev/null 2>&1
+then
+ rm -f Kfoo*
+else
+ if test $quiet -eq 0; then
+ echo "I:This test requires support for $msg1" >&2
+ echo "I:configure with $msg2" >&2
+ fi
+ exit 255
+fi
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
index af17582096..b61b5d0796 100644
--- a/bin/tests/system/tkey/keycreate.c
+++ b/bin/tests/system/tkey/keycreate.c
@@ -27,6 +27,7 @@
#include <isc/entropy.h>
#include <isc/hash.h>
#include <isc/log.h>
+#include <isc/md5.h>
#include <isc/mem.h>
#include <isc/sockaddr.h>
#include <isc/socket.h>
@@ -143,6 +144,8 @@ sendquery(isc_task_t *task, isc_event_t *event) {
static char keystr[] = "0123456789ab";
isc_event_free(&event);
+ if (isc_md5_available() == ISC_FALSE)
+ CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
result = ISC_R_FAILURE;
if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1)
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
index 1bb33e85fe..da4b1c3c09 100644
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
@@ -228,12 +228,18 @@ main(int argc, char **argv) {
type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey);
CHECK("dst_key_fromnamedfile", result);
- result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
- DNS_TSIG_HMACMD5_NAME,
- dstkey, ISC_TRUE, NULL, 0, 0,
- mctx, ring, &tsigkey);
- dst_key_free(&dstkey);
- CHECK("dns_tsigkey_createfromkey", result);
+ if (isc_md5_available()) {
+ result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
+ DNS_TSIG_HMACMD5_NAME,
+ dstkey, ISC_TRUE,
+ NULL, 0, 0,
+ mctx, ring, &tsigkey);
+ dst_key_free(&dstkey);
+ CHECK("dns_tsigkey_createfromkey", result);
+ } else {
+ dst_key_free(&dstkey);
+ CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
+ }
(void)isc_app_run();
diff --git a/bin/tests/system/tkey/prereq.sh b/bin/tests/system/tkey/prereq.sh
index 66295fee90..310849f08e 100644
--- a/bin/tests/system/tkey/prereq.sh
+++ b/bin/tests/system/tkey/prereq.sh
@@ -17,13 +17,4 @@
# $Id: prereq.sh,v 1.12 2009/03/02 23:47:43 tbox Exp $
-../../../tools/genrandom 400 random.data
-
-if $KEYGEN -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
-then
- rm -f foo*
-else
- echo "I:This test requires cryptography" >&2
- echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
- exit 1
-fi
+exec $SHELL ../testcrypto.sh
diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh
index 0e98b4047b..b11a378006 100644
--- a/bin/tests/system/tsig/clean.sh
+++ b/bin/tests/system/tsig/clean.sh
@@ -23,3 +23,4 @@
rm -f dig.out.*
rm -f */named.memstats
rm -f */named.run
+rm -f ns1/rndc5.conf
diff --git a/bin/tests/system/tsig/ns1/named.conf b/bin/tests/system/tsig/ns1/named.conf
index b48de835f4..e7e568acc7 100644
--- a/bin/tests/system/tsig/ns1/named.conf
+++ b/bin/tests/system/tsig/ns1/named.conf
@@ -30,10 +30,7 @@ options {
notify no;
};
-key "md5" {
- secret "97rnFx24Tfna4mHPfgnerA==";
- algorithm hmac-md5;
-};
+# md5 key included from rndc5.conf
key "sha1" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
@@ -60,10 +57,7 @@ key "sha512" {
algorithm hmac-sha512;
};
-key "md5-trunc" {
- secret "97rnFx24Tfna4mHPfgnerA==";
- algorithm hmac-md5-80;
-};
+# md5-trunc key included from rndc5.conf
key "sha1-trunc" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
@@ -94,3 +88,5 @@ zone "example.nil" {
type master;
file "example.db";
};
+
+include "rndc5.conf";
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
new file mode 100644
index 0000000000..f9b17d6e8e
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* These md5 keys are used only when MD5 is not disabled in build */
+key "md5" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5;
+};
+
+key "md5-trunc" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5-80;
+};
+
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
new file mode 100644
index 0000000000..7f9049ae76
--- /dev/null
+++ b/bin/tests/system/tsig/setup.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
+
+if $FEATURETEST --md5
+then
+ # Include MD5 keys only if it is
+ cp ns1/rndc5.conf.in ns1/rndc5.conf
+else
+ echo "# MD5 disabled" > ns1/rndc5.conf
+fi
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index 50ac8d23e6..bd502dd718 100644
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
@@ -31,22 +31,27 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
status=0
-echo "I:fetching using hmac-md5 (old form)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.old || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-echo "I:fetching using hmac-md5 (new form)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-md5:md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.new || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
+if $FEATURETEST --md5
+then
+ echo "I:fetching using hmac-md5 (old form)"
+ ret=0
+ $DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+ -y "md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.old || ret=1
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo "I: failed"; status=1
+ fi
+
+ echo "I:fetching using hmac-md5 (new form)"
+ ret=0
+ $DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+ -y "hmac-md5:md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.new || ret=1
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+else
+ echo_i "skipping using hmac-md5"
fi
echo "I:fetching using hmac-sha1"
@@ -99,13 +104,19 @@ fi
# Truncated TSIG
#
#
+
+if $FEATURETEST --md5
+then
echo "I:fetching using hmac-md5 (trunc)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.trunc || ret=1
-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
+ ret=0
+ $DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+ -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.trunc || ret=1
+ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo "I: failed"; status=1
+ fi
+else
+ echo "W:skipping using hmac-md5 (trunc)"
fi
echo "I:fetching using hmac-sha1 (trunc)"
@@ -159,13 +170,19 @@ fi
# Check for bad truncation.
#
#
-echo "I:fetching using hmac-md5-80 (BADTRUNC)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5-80 || ret=1
-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
+
+if $FEATURETEST --md5
+then
+ echo "I:fetching using hmac-md5-80 (BADTRUNC)"
+ ret=0
+ $DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+ -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5-80 || ret=1
+ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo "I: failed"; status=1
+ fi
+else
+ echo "W:skipping using hmac-md5-80 (BADTRUNC)"
fi
echo "I:fetching using hmac-sha1-80 (BADTRUNC)"
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
index 00222bad05..e795df3bff 100644
--- a/bin/tests/system/tsiggss/setup.sh
+++ b/bin/tests/system/tsiggss/setup.sh
@@ -26,5 +26,5 @@ rm -f ns1/*.jnl ns1/K*.key ns1/K*.private ns1/_default.tsigkeys
../../../tools/genrandom 400 $RANDFILE
-key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.`
+key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.`
cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
diff --git a/bin/tests/system/upforwd/ns1/named.conf b/bin/tests/system/upforwd/ns1/named.conf
index 8d9d2fa0d9..c3c0238073 100644
--- a/bin/tests/system/upforwd/ns1/named.conf
+++ b/bin/tests/system/upforwd/ns1/named.conf
@@ -18,7 +18,7 @@
/* $Id: named.conf,v 1.11 2007/06/18 23:47:31 tbox Exp $ */
key "update.example." {
- algorithm "hmac-md5";
+ algorithm "hmac-sha256";
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index a138649ac3..e14a592db6 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi
echo "I:updating zone (signed)"
ret=0
-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
+$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
server 10.53.0.3 5300
update add updated.example. 600 A 10.10.10.1
update add updated.example. 600 TXT Foo
--
2.14.4