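#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.  If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# TSIG system test: signs SOA queries for example.nil. against the test
# server at 10.53.0.1 with every supported HMAC algorithm (full and
# truncated MACs), checks that bad truncation and unknown algorithms are
# rejected, and exercises a few malformed-packet edge cases.
#
# Requires ../conf.sh (provides DIG, FEATURETEST, KEYGEN, PERL, PORT and
# echo_i).  Every check records a failure in $status rather than aborting,
# so all checks run and the final exit status reflects the whole run.

set -e

. ../conf.sh

DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"

#
# Shared secrets.
#
# Test-only fixtures: the server at 10.53.0.1 must be configured with the
# same secrets under the key names used below, otherwise the NOERROR
# checks cannot pass.
#
md5="97rnFx24Tfna4mHPfgnerA=="
sha1="FrSt77yPTFx6hTs4i2tKLB9LmE0="
sha224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="
sha256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="
sha384="OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h"
sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg=="

status=0

#######################################
# Record the outcome of the check that just ran.
# Globals:
#   ret    - read; 1 when any step of the check failed
#   status - written; set to 1 on failure (never reset)
# Outputs: "failed" via echo_i when ret is 1
#######################################
check_result() {
  if [ "$ret" -eq 1 ]; then
    echo_i "failed"
    status=1
  fi
}

#######################################
# Query the SOA of example.nil. signed with a dig -y key and require a
# pattern in the response.
# Arguments:
#   $1 - label for the log line ("fetching using $1")
#   $2 - dig -y argument: [hmac-algorithm:]keyname:secret
#   $3 - file that receives dig's stdout
#   $4 - case-insensitive grep pattern that must appear in $3
# Globals: DIG, DIGOPTS (read); ret, status (written via check_result)
#######################################
fetch_with_key() {
  echo_i "fetching using $1"
  ret=0
  # shellcheck disable=SC2086 -- DIG/DIGOPTS are intentionally word-split
  $DIG $DIGOPTS example.nil. -y "$2" @10.53.0.1 soa >"$3" || ret=1
  grep -i "$4" "$3" >/dev/null || ret=1
  check_result
}

#######################################
# Query the SOA of example.nil. signed with a legacy K* file pair (dig -k)
# and require both the expected response and the deprecation warning.
# Arguments:
#   $1 - algorithm label ("fetching using $1 (legacy)")
#   $2 - key file glob for dig -k; expanded here, so pass it quoted
#   $3 - file that receives dig's stdout and stderr
#   $4 - case-insensitive grep pattern that must appear in $3
# Globals: DIG, DIGOPTS (read); ret, status (written via check_result)
#######################################
fetch_with_keyfile() {
  echo_i "fetching using $1 (legacy)"
  ret=0
  # shellcheck disable=SC2086 -- DIG/DIGOPTS word-split; $2 is a glob
  $DIG $DIGOPTS example.nil. -k $2 @10.53.0.1 soa >"$3" 2>&1 || ret=1
  grep -i "$4" "$3" >/dev/null || ret=1
  grep "Use of K\* file pairs for HMAC is deprecated" "$3" >/dev/null || ret=1
  check_result
}

#
# Full-length MACs, one per algorithm.
#
if $FEATURETEST --md5; then
  fetch_with_key "hmac-md5 (old form)" "md5:$md5" dig.out.md5.old "md5.*TSIG.*NOERROR"
  fetch_with_key "hmac-md5 (new form)" "hmac-md5:md5:$md5" dig.out.md5.new "md5.*TSIG.*NOERROR"
else
  echo_i "skipping using hmac-md5"
fi

fetch_with_key "hmac-sha1" "hmac-sha1:sha1:$sha1" dig.out.sha1 "sha1.*TSIG.*NOERROR"
fetch_with_key "hmac-sha224" "hmac-sha224:sha224:$sha224" dig.out.sha224 "sha224.*TSIG.*NOERROR"
fetch_with_key "hmac-sha256" "hmac-sha256:sha256:$sha256" dig.out.sha256 "sha256.*TSIG.*NOERROR"
fetch_with_key "hmac-sha384" "hmac-sha384:sha384:$sha384" dig.out.sha384 "sha384.*TSIG.*NOERROR"
fetch_with_key "hmac-sha512" "hmac-sha512:sha512:$sha512" dig.out.sha512 "sha512.*TSIG.*NOERROR"

#
#
#	Truncated TSIG
#
#
# Each key is signed with the truncated-MAC variant of its algorithm; the
# server must accept it and answer NOERROR with a TSIG for the same key.
if $FEATURETEST --md5; then
  fetch_with_key "hmac-md5 (trunc)" "hmac-md5-80:md5-trunc:$md5" dig.out.md5.trunc "md5-trunc.*TSIG.*NOERROR"
else
  echo_i "skipping using hmac-md5 (trunc)"
fi

# The pattern names the -trunc key like the other truncated checks do, so a
# TSIG for the full-length "sha1" key cannot satisfy this check.
fetch_with_key "hmac-sha1 (trunc)" "hmac-sha1-80:sha1-trunc:$sha1" dig.out.sha1.trunc "sha1-trunc.*TSIG.*NOERROR"
fetch_with_key "hmac-sha224 (trunc)" "hmac-sha224-112:sha224-trunc:$sha224" dig.out.sha224.trunc "sha224-trunc.*TSIG.*NOERROR"
fetch_with_key "hmac-sha256 (trunc)" "hmac-sha256-128:sha256-trunc:$sha256" dig.out.sha256.trunc "sha256-trunc.*TSIG.*NOERROR"
fetch_with_key "hmac-sha384 (trunc)" "hmac-sha384-192:sha384-trunc:$sha384" dig.out.sha384.trunc "sha384-trunc.*TSIG.*NOERROR"
fetch_with_key "hmac-sha512-256 (trunc)" "hmac-sha512-256:sha512-trunc:$sha512" dig.out.sha512.trunc "sha512-trunc.*TSIG.*NOERROR"

#
#
#	Check for bad truncation.
#
#
# A truncated MAC presented for a key the server configured as full-length
# must be refused with BADTRUNC rather than accepted.
if $FEATURETEST --md5; then
  fetch_with_key "hmac-md5-80 (BADTRUNC)" "hmac-md5-80:md5:$md5" dig.out.md5-80 "md5.*TSIG.*BADTRUNC"
else
  echo_i "skipping using hmac-md5-80 (BADTRUNC)"
fi

fetch_with_key "hmac-sha1-80 (BADTRUNC)" "hmac-sha1-80:sha1:$sha1" dig.out.sha1-80 "sha1.*TSIG.*BADTRUNC"
fetch_with_key "hmac-sha224-112 (BADTRUNC)" "hmac-sha224-112:sha224:$sha224" dig.out.sha224-112 "sha224.*TSIG.*BADTRUNC"
fetch_with_key "hmac-sha256-128 (BADTRUNC)" "hmac-sha256-128:sha256:$sha256" dig.out.sha256-128 "sha256.*TSIG.*BADTRUNC"
fetch_with_key "hmac-sha384-192 (BADTRUNC)" "hmac-sha384-192:sha384:$sha384" dig.out.sha384-192 "sha384.*TSIG.*BADTRUNC"
fetch_with_key "hmac-sha512-256 (BADTRUNC)" "hmac-sha512-256:sha512:$sha512" dig.out.sha512-256 "sha512.*TSIG.*BADTRUNC"

echo_i "attempting fetch with bad tsig algorithm"
ret=0
# dig is expected to refuse the key locally; the message goes to stderr,
# hence 2>&1.
# shellcheck disable=SC2086
$DIG $DIGOPTS example.nil. -y "badalgo:invalid:$sha512" @10.53.0.1 soa >dig.out.badalgo 2>&1 || ret=1
grep -i "Couldn't create key invalid: algorithm is unsupported" dig.out.badalgo >/dev/null || ret=1
check_result

echo_i "checking both OPT and TSIG records are returned when TC=1"
ret=0
$DIG -p ${PORT} +ignore +bufsize=512 large.example.nil -y "hmac-sha1:sha1:$sha1" @10.53.0.1 txt >dig.out.large 2>&1 || ret=1
grep "flags:.* tc[ ;]" dig.out.large >/dev/null || ret=1
grep "status: NOERROR" dig.out.large >/dev/null || ret=1
grep "EDNS:" dig.out.large >/dev/null || ret=1
# The TSIG has to be present in *this* truncated response (dig.out.large);
# the earlier hmac-sha1 output file is unrelated to this check.
grep -i "sha1.*TSIG.*NOERROR" dig.out.large >/dev/null || ret=1
check_result

echo_i "check that dnssec-keygen won't generate TSIG keys"
ret=0
# Success here is a failure: keygen must reject HMAC algorithms.
$KEYGEN -a hmac-sha256 -b 128 -n host example.net >keygen.out3 2>&1 && ret=1
grep "unknown algorithm" keygen.out3 >/dev/null || ret=1
# Without this the outcome of the keygen check was never folded into $status.
check_result

echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
ret=0
$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp <badtime >/dev/null || ret=1
# The server must still be answering after the crafted packet.
$DIG -p ${PORT} @10.53.0.1 version.bind txt ch >dig.out.verify || ret=1
grep "status: NOERROR" dig.out.verify >/dev/null || ret=1
check_result

if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet;' >/dev/null 2>&1; then
  echo_i "check that TSIG in the wrong place returns FORMERR"
  ret=0
  # Recorded as a failed check instead of letting set -e abort the run.
  $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t udp -d <badlocation >packet.out || ret=1
  grep "rcode  = FORMERR" packet.out >/dev/null || ret=1
  check_result
fi

echo_i "check that a malformed truncated response to a TSIG query is handled"
ret=0
$DIG -p $PORT @10.53.0.1 bad-tsig >dig.out.bad-tsig || ret=1
grep "status: SERVFAIL" dig.out.bad-tsig >/dev/null || ret=1
check_result

#
# Legacy K* file pairs (dig -k).  Output files carry a .legacy suffix so
# they do not overwrite the full-length MAC results above.
#
if $FEATURETEST --md5; then
  fetch_with_keyfile "hmac-md5" "ns1/legacy/Khmac-md5-legacy.+*.key" dig.out.md5.legacy "md5.*TSIG.*NOERROR"
else
  echo_i "skipping using hmac-md5 (legacy)"
fi

fetch_with_keyfile "hmac-sha1" "ns1/legacy/Khmac-sha1-legacy.+*.key" dig.out.sha1.legacy "sha1.*TSIG.*NOERROR"
fetch_with_keyfile "hmac-sha224" "ns1/legacy/Khmac-sha224-legacy.+*.key" dig.out.sha224.legacy "sha224.*TSIG.*NOERROR"
fetch_with_keyfile "hmac-sha256" "ns1/legacy/Khmac-sha256-legacy.*.key" dig.out.sha256.legacy "sha256.*TSIG.*NOERROR"
fetch_with_keyfile "hmac-sha384" "ns1/legacy/Khmac-sha384-legacy.*.key" dig.out.sha384.legacy "sha384.*TSIG.*NOERROR"
fetch_with_keyfile "hmac-sha512" "ns1/legacy/Khmac-sha512-legacy.*.key" dig.out.sha512.legacy "sha512.*TSIG.*NOERROR"

echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1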