Commit d98de244 authored by Mark Andrews's avatar Mark Andrews

Merge branch '511-add-ms-selfsub-and-krb5-selfsub' into 'master'

Resolve "add ms-selfsub and krb5-selfsub"

Closes #511

See merge request isc-projects/bind9!732
parents d6f14f06 f924c89f
5032. [func] Add krb5-selfsub and ms-selfsub update policy rules.
[GL #511]
5031. [cleanup] Various defines in platform.h has been either dropped
if always or never triggered on supported platforms
or replaced with config.h equivalents if the defines
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
zone "example.com" {
type master;
file "example.com.db";
update-policy {
grant * krb5-selfsub TXT;
};
};
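Review bot: Nothing in this fixture says which named-checkconf diagnostic it is meant to trigger, so a reader has to cross-reference the case patterns in checkconf/tests.sh to work out that `grant * krb5-selfsub TXT;` is presumably the "missing name field" case (the `.` placeholder between the rule type and the type list is absent, so `TXT` lands in the name position). A one-line comment above the zone, such as `// expected: "missing name field type 'TXT' found" - selfsub rules require the '.' placeholder name`, would make the fixture self-describing and stop it drifting from the pattern in tests.sh unnoticed. The same applies to the ms-selfsub, external, name, subdomain and wildcard fixtures that follow on this page.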
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
zone "example.com" {
type master;
file "example.com.db";
update-policy {
grant * ms-selfsub TXT;
};
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
zone "example.com" {
type master;
file "example.com.db";
update-policy {
grant * external TXT;
};
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
zone "example.com" {
type master;
file "example.com.db";
update-policy {
grant a-key-name name TXT;
};
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
zone "example.com" {
type master;
file "example.com.db";
update-policy {
grant a-key-name subdomain TXT;
};
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
zone "example.com" {
type master;
file "example.com.db";
update-policy {
grant a-key-name wildcard TXT;
};
};
......@@ -54,10 +54,14 @@ do
pat="identity and name fields are not the same"
grep "$pat" checkconf.out > /dev/null || ret=1
;;
bad-update-policy*.conf)
bad-update-policy[4589].conf|bad-update-policy1[01].conf)
pat="name field not set to placeholder value"
grep "$pat" checkconf.out > /dev/null || ret=1
;;
bad-update-policy[67].conf|bad-update-policy1[2345].conf)
pat="missing name field type '.*' found"
grep "$pat" checkconf.out > /dev/null || ret=1
;;
esac
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
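Review bot: Replacing the catch-all `bad-update-policy*.conf)` pattern with two enumerated number lists means any bad-update-policy fixture whose number is in neither list now falls out of the `case` and leaves `ret` untouched, so its expected-message check is silently skipped, whereas the old wildcard ran a check for every such file. Add a fallback after the two enumerated cases, `bad-update-policy*.conf) echo_i "no expected-message pattern for this fixture"; ret=1 ;;`, so an unclassified fixture fails loudly instead of passing; `case` takes the first match, so it cannot shadow the two new patterns. The enclosing `for` loop and the variable naming the current file start before this hunk, so I cannot see whether earlier cases already cover some of these files.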
......@@ -40,6 +40,18 @@ rm -f ns3/nsec3param.test.db
rm -f ns3/too-big.test.db
rm -f ns5/local.db
rm -f ns6/in-addr.db
rm -f ns7/in-addr.db
rm -f ns7/example.com.db
rm -f ns7/_default.tsigkeys
rm -f ns8/in-addr.db
rm -f ns8/example.com.db
rm -f ns8/_default.tsigkeys
rm -f ns9/in-addr.db
rm -f ns9/example.com.db
rm -f ns9/_default.tsigkeys
rm -f ns10/example.com.db
rm -f ns10/in-addr.db
rm -f ns10/_default.tsigkeys
rm -f nsupdate.out*
rm -f typelist.out.*
rm -f ns1/sample.db
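Review bot: The new `rm -f` lines remove the generated zone files and `_default.tsigkeys` for ns7-ns10 but not the `dns.keytab` and `machine.ccache` files that the Kerberos setup script copies into those same directories, nor the artefacts that script generates in its own directory (krb5.conf, the krb5kdc/ database and `.k5.EXAMPLE.COM` master-key stash, the `*.keytab` and `*.ccache` files, kdc.log and kadmin.log); unless they are handled elsewhere in clean.sh outside this hunk, they survive a clean. Those are live Kerberos credentials whose ticket lifetime is computed to run until shortly before 2038 and whose keytab keys never expire, so leaving them behind is a credential-hygiene problem rather than clutter. I would add `rm -f nsN/dns.keytab nsN/machine.ccache` for N in 7..10 next to these lines, and a matching `rm -rf` of the setup script's krb5kdc/ directory plus its keytab, ccache, krb5.conf and log files.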
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -x
PWD=`pwd`
KRB5_CONFIG="${PWD}/krb5.conf"
export KRB5_CONFIG
KRB5_KDC_PROFILE=${PWD}/krb5kdc
export KRB5_KDC_PROFILE
now=`date +%s`
lifetime=`expr 2147483647 - $now`
lifetime=`expr $lifetime / 3600 / 24 - 30`
cat << EOF > "${KRB5_CONFIG}"
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = false
# Depending on what you are testing, you may want something like:
# default_keytab_name = FILE:/usr/local/var/keytab
[realms]
EXAMPLE.COM = {
admin_server = 127.0.0.1:50001
kdc = 127.0.0.1:50000
database_module = DB2
kdc_ports = 50000
kadmind_port = 50001
}
[dbmodules]
DB2 = {
db_library = db2
}
[logging]
# Use any pathnames you want here.
kdc = FILE:${PWD}/kdc.log
admin_server = FILE:${PWD}/kadmin.log
# Depending on what you are testing, you may want:
# [domain_realm]
# your.domain = EXAMPLE.COM
EOF
rm -rf ${KRB5_KDC_PROFILE}
mkdir -p ${KRB5_KDC_PROFILE}
chmod 700 ${KRB5_KDC_PROFILE}
cat << EOF > "${KRB5_KDC_PROFILE}"/kdc.conf
[kdcdefaults]
kdc_ports = 50000
kdc_tcp_ports = 50000
[realms]
EXAMPLE.COM = {
key_stash_file = ${KRB5_KDC_PROFILE}/.k5.EXAMPLE.COM
database_module = EXAMPLE.COM
max_life = ${lifetime}d
}
[dbmodules]
EXAMPLE.COM = {
db_library = db2
database_name = ${KRB5_KDC_PROFILE}/principal
}
EOF
kdb5_util create -s <<EOF
master
master
EOF
krb5kdc -n &
krb5kdcpid=$!
#trap "kill $krb5kdcpid; wait; trap 0; exit" 0 15
kadmin.local addprinc -maxlife ${lifetime}d -randkey DNS/ns7.example.com@EXAMPLE.COM
kadmin.local addprinc -maxlife ${lifetime}d -randkey DNS/ns8.example.com@EXAMPLE.COM
kadmin.local addprinc -maxlife ${lifetime}d -randkey host/machine.example.com@EXAMPLE.COM
kadmin.local ktadd -k ns7-server.keytab DNS/ns7.example.com@EXAMPLE.COM
kadmin.local ktadd -k ns8-server.keytab DNS/ns8.example.com@EXAMPLE.COM
kadmin.local ktadd -k krb5-machine.keytab host/machine.example.com@EXAMPLE.COM
kadmin.local addprinc -maxlife ${lifetime}d -randkey 'DNS/ns9.example.com@EXAMPLE.COM'
kadmin.local addprinc -maxlife ${lifetime}d -randkey 'DNS/ns10.example.com@EXAMPLE.COM'
kadmin.local addprinc -maxlife ${lifetime}d -randkey 'machine$@EXAMPLE.COM'
kadmin.local ktadd -k ns9-server.keytab 'DNS/ns9.example.com@EXAMPLE.COM'
kadmin.local ktadd -k ns10-server.keytab 'DNS/ns10.example.com@EXAMPLE.COM'
kadmin.local ktadd -k ms-machine.keytab 'machine$@EXAMPLE.COM'
kinit -V -k -t krb5-machine.keytab -l ${lifetime}d -c krb5-machine.ccache host/machine.example.com@EXAMPLE.COM
kinit -V -k -t ms-machine.keytab -l ${lifetime}d -c ms-machine.ccache 'machine$@EXAMPLE.COM'
cp ns7-server.keytab ../ns7/dns.keytab
cp ns8-server.keytab ../ns8/dns.keytab
cp ns9-server.keytab ../ns9/dns.keytab
cp ns10-server.keytab ../ns10/dns.keytab
cp krb5-machine.ccache ../ns7/machine.ccache
cp krb5-machine.ccache ../ns8/machine.ccache
cp ms-machine.ccache ../ns9/machine.ccache
cp ms-machine.ccache ../ns10/machine.ccache
echo krb5kdc pid:$krb5kdcpid
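Review bot: `rm -rf ${KRB5_KDC_PROFILE}`, and the `mkdir -p` and `chmod 700` that follow it, expand the path unquoted, while the heredoc redirections a few lines later correctly quote `"${KRB5_CONFIG}"` and `"${KRB5_KDC_PROFILE}"`; if the build tree ever sits under a path containing whitespace the recursive delete splits into several arguments and removes the wrong things. Quote them, `rm -rf "${KRB5_KDC_PROFILE}"`, `mkdir -p "${KRB5_KDC_PROFILE}"`, `chmod 700 "${KRB5_KDC_PROFILE}"`, and avoid assigning to `PWD`, which is the shell's own variable, by using a private name such as `here`. Separately, the `trap` that would kill the KDC is commented out, so the `krb5kdc -n &` started here keeps running after the script exits and the echoed pid is the only handle to it; a comment stating that the test harness is responsible for stopping it would save the next reader from assuming it is a leak.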
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA ns10.example.com. hostmaster.example.com. (
1 ; serial
2000 ; refresh (2000 seconds)
2000 ; retry (2000 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns10
ns10 A 10.53.0.10
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA ns10.example.com. hostmaster.example.com. (
1 ; serial
2000 ; refresh (2000 seconds)
2000 ; retry (2000 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns10
ns10 A 10.53.0.10
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.10;
notify-source 10.53.0.10;
transfer-source 10.53.0.10;
port @PORT@;
pid-file "named.pid";
session-keyfile "session.key";
listen-on { 10.53.0.10; };
recursion no;
notify yes;
minimal-responses no;
tkey-gssapi-keytab "dns.keytab";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.10 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "in-addr.arpa" {
type master;
file "in-addr.db";
update-policy { grant EXAMPLE.COM ms-subdomain . PTR; };
};
zone "example.com" {
type master;
file "example.com.db";
update-policy {
grant EXAMPLE.COM ms-selfsub . ANY;
grant EXAMPLE.COM ms-subdomain _tcp.example.com SRV;
};
};
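Review bot: `grant EXAMPLE.COM ms-selfsub . ANY;` is wider than the rule's default: per the ARM an empty type list matches every type except RRSIG, NS, SOA, NSEC and NSEC3, whereas an explicit ANY also admits NS and SOA, so a machine account could, for instance, plant a delegation at or under its own name. That is probably intended in a fixture that wants to exercise the selfsub name match rather than the type filter, but nothing here says so, and the same line is copied into the ns8 krb5-selfsub configuration. A comment such as `// ANY deliberately includes NS/SOA; this fixture tests the selfsub name match, not the type filter` would record the intent, or drop the type list if the default set is enough for the test.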
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA ns7.example.com. hostmaster.example.com. (
1 ; serial
2000 ; refresh (2000 seconds)
2000 ; retry (2000 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns7
ns7 A 10.53.0.7
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA ns7.example.com. hostmaster.example.com. (
1 ; serial
2000 ; refresh (2000 seconds)
2000 ; retry (2000 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns7
ns7 A 10.53.0.7
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.7;
notify-source 10.53.0.7;
transfer-source 10.53.0.7;
port @PORT@;
pid-file "named.pid";
session-keyfile "session.key";
listen-on { 10.53.0.7; };
recursion no;
notify yes;
minimal-responses no;
tkey-gssapi-keytab "dns.keytab";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "in-addr.arpa" {
type master;
file "in-addr.db";
update-policy { grant EXAMPLE.COM krb5-subdomain . PTR; };
};
zone "example.com" {
type master;
file "example.com.db";
update-policy {
grant EXAMPLE.COM krb5-self . ANY;
grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV;
};
};
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA ns8.example.com. hostmaster.example.com. (
1 ; serial
2000 ; refresh (2000 seconds)
2000 ; retry (2000 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns8
ns8 A 10.53.0.8
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA ns8.example.com. hostmaster.example.com. (
1 ; serial
2000 ; refresh (2000 seconds)
2000 ; retry (2000 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns8
ns8 A 10.53.0.8
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.8;
notify-source 10.53.0.8;
transfer-source 10.53.0.8;
port @PORT@;
pid-file "named.pid";
session-keyfile "session.key";
listen-on { 10.53.0.8; };
recursion no;
notify yes;
minimal-responses no;
tkey-gssapi-keytab "dns.keytab";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "in-addr.arpa" {
type master;
file "in-addr.db";
update-policy { grant EXAMPLE.COM krb5-subdomain . PTR; };
};
zone "example.com" {
type master;
file "example.com.db";
update-policy {
grant EXAMPLE.COM krb5-selfsub . ANY;
grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV;
};
};
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA ns9.example.com. hostmaster.example.com. (
1 ; serial
2000 ; refresh (2000 seconds)
2000 ; retry (2000 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns9
ns9 A 10.53.0.9
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA ns9.example.com. hostmaster.example.com. (
1 ; serial
2000 ; refresh (2000 seconds)
2000 ; retry (2000 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns9
ns9 A 10.53.0.9
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.9;
notify-source 10.53.0.9;
transfer-source 10.53.0.9;
port @PORT@;
pid-file "named.pid";
session-keyfile "session.key";
listen-on { 10.53.0.9; };
recursion no;
notify yes;
minimal-responses no;
tkey-gssapi-keytab "dns.keytab";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "in-addr.arpa" {
type master;
file "in-addr.db";
update-policy { grant EXAMPLE.COM ms-subdomain . PTR; };
};
zone "example.com" {
type master;
file "example.com.db";
update-policy {
grant EXAMPLE.COM ms-self . ANY;