From 8c9ca2f8f60ac25cd2a7bdf89d02286e1d3f5de4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Mon, 9 Dec 2024 21:11:44 +0100
Subject: [PATCH] Include a test for nsupdate changes
Resolves: RHEL-77354
---
bind-9.20-nsupdate-tls-test.patch | 1630 +++++++++++++++++++++++++++++
bind.spec | 3 +
2 files changed, 1633 insertions(+)
create mode 100644 bind-9.20-nsupdate-tls-test.patch
diff --git a/bind-9.20-nsupdate-tls-test.patch b/bind-9.20-nsupdate-tls-test.patch
new file mode 100644
index 0000000..65d825d
--- /dev/null
+++ b/bind-9.20-nsupdate-tls-test.patch
@@ -0,0 +1,1630 @@
+From 2e0dd9a0a3e77f21a37d894133d301afdac6db7b Mon Sep 17 00:00:00 2001
+From: Aram Sargsyan
+Date: Wed, 21 Sep 2022 13:15:50 +0000
+Subject: [PATCH] Extend the nsupdate system test with DoT-related checks
+
+Add a simple test PKI based on the existing one in the doth test.
+
+Check ephemeral, forward-secrecy, and forward-secrecy-mutual-tls
+TLS configurations with different scenarios.
+
+(cherry picked from commit f2bb80d6ae172f6fd7943bf913d1b0566b5df352)
+---
+ bin/tests/system/nsupdate/.gitignore | 5 +
+ bin/tests/system/nsupdate/CA/CA-other.pem | 26 +++
+ bin/tests/system/nsupdate/CA/CA.cfg | 77 +++++++
+ bin/tests/system/nsupdate/CA/CA.pem | 29 +++
+ bin/tests/system/nsupdate/CA/README | 2 +
+ .../CA/certs/srv01.client01.example.nil.key | 40 ++++
+ .../CA/certs/srv01.client01.example.nil.pem | 93 +++++++++
+ .../srv01.client02-expired.example.nil.key | 40 ++++
+ .../srv01.client02-expired.example.nil.pem | 93 +++++++++
+ .../CA/certs/srv01.crt01.example.nil.key | 40 ++++
+ .../CA/certs/srv01.crt01.example.nil.pem | 93 +++++++++
+ .../certs/srv01.crt02-expired.example.nil.key | 40 ++++
+ .../certs/srv01.crt02-expired.example.nil.pem | 93 +++++++++
+ bin/tests/system/nsupdate/CA/index.txt | 4 +
+ bin/tests/system/nsupdate/CA/index.txt.attr | 1 +
+ .../nsupdate/CA/newcerts/70B9F4EB2FA19598.pem | 93 +++++++++
+ .../nsupdate/CA/newcerts/70B9F4EB2FA19599.pem | 93 +++++++++
+ .../nsupdate/CA/newcerts/70B9F4EB2FA1959A.pem | 93 +++++++++
+ .../nsupdate/CA/newcerts/70B9F4EB2FA1959B.pem | 93 +++++++++
+ .../system/nsupdate/CA/private/CA-other.key | 39 ++++
+ bin/tests/system/nsupdate/CA/private/CA.key | 39 ++++
+ bin/tests/system/nsupdate/CA/serial | 1 +
+ bin/tests/system/nsupdate/dhparam3072.pem | 11 +
+ bin/tests/system/nsupdate/ns1/named.conf.in | 34 +++
+ bin/tests/system/nsupdate/ns10/named.conf.in | 2 +
+ bin/tests/system/nsupdate/tests.sh | 193 ++++++++++++++++++
+ 26 files changed, 1367 insertions(+)
+ create mode 100644 bin/tests/system/nsupdate/.gitignore
+ create mode 100644 bin/tests/system/nsupdate/CA/CA-other.pem
+ create mode 100644 bin/tests/system/nsupdate/CA/CA.cfg
+ create mode 100644 bin/tests/system/nsupdate/CA/CA.pem
+ create mode 100644 bin/tests/system/nsupdate/CA/README
+ create mode 100644 bin/tests/system/nsupdate/CA/certs/srv01.client01.example.nil.key
+ create mode 100644 bin/tests/system/nsupdate/CA/certs/srv01.client01.example.nil.pem
+ create mode 100644 bin/tests/system/nsupdate/CA/certs/srv01.client02-expired.example.nil.key
+ create mode 100644 bin/tests/system/nsupdate/CA/certs/srv01.client02-expired.example.nil.pem
+ create mode 100644 bin/tests/system/nsupdate/CA/certs/srv01.crt01.example.nil.key
+ create mode 100644 bin/tests/system/nsupdate/CA/certs/srv01.crt01.example.nil.pem
+ create mode 100644 bin/tests/system/nsupdate/CA/certs/srv01.crt02-expired.example.nil.key
+ create mode 100644 bin/tests/system/nsupdate/CA/certs/srv01.crt02-expired.example.nil.pem
+ create mode 100644 bin/tests/system/nsupdate/CA/index.txt
+ create mode 100644 bin/tests/system/nsupdate/CA/index.txt.attr
+ create mode 100644 bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19598.pem
+ create mode 100644 bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19599.pem
+ create mode 100644 bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959A.pem
+ create mode 100644 bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959B.pem
+ create mode 100644 bin/tests/system/nsupdate/CA/private/CA-other.key
+ create mode 100644 bin/tests/system/nsupdate/CA/private/CA.key
+ create mode 100644 bin/tests/system/nsupdate/CA/serial
+ create mode 100644 bin/tests/system/nsupdate/dhparam3072.pem
+
+diff --git a/bin/tests/system/nsupdate/.gitignore b/bin/tests/system/nsupdate/.gitignore
+new file mode 100644
+index 0000000..df5fe68
+--- /dev/null
++++ b/bin/tests/system/nsupdate/.gitignore
+@@ -0,0 +1,5 @@
++# temporary files generated by "openssl ca"
++/CA/*.old
++# there is little point in keeping
the certificate requests ++# for the issued certificates ++/CA/certs/*.csr +diff --git a/bin/tests/system/nsupdate/CA/CA-other.pem b/bin/tests/system/nsupdate/CA/CA-other.pem +new file mode 100644 +index 0000000..6bdbeda +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/CA-other.pem +@@ -0,0 +1,26 @@ ++-----BEGIN CERTIFICATE----- ++MIIEZTCCAs0CFDYlin3oeYDu16bFItl9tGZz1Ra4MA0GCSqGSIb3DQEBCwUAMG4x ++CzAJBgNVBAYTAlVBMRcwFQYDVQQIDA5LaGFya2l2IE9ibGFzdDEQMA4GA1UEBwwH ++S2hhcmtpdjEMMAoGA1UECgwDSVNDMSYwJAYDVQQLDB1Tb2Z0d2FyZSBFbmdlbmVl ++cmluZyAoQklORCA5KTAgFw0yMjA5MDcyMTIzNTBaGA8yMDUyMDgzMDIxMjM1MFow ++bjELMAkGA1UEBhMCVUExFzAVBgNVBAgMDktoYXJraXYgT2JsYXN0MRAwDgYDVQQH ++DAdLaGFya2l2MQwwCgYDVQQKDANJU0MxJjAkBgNVBAsMHVNvZnR3YXJlIEVuZ2Vu ++ZWVyaW5nIChCSU5EIDkpMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA ++10Xj8dH8/XCfUvhdL/S3E10TnrYY8IIDBmU0lkUR5IHwgP9IYVyR/0Mibg79FAs+ ++rvuEDifUK+6wvkpj+BXNVZCspo9/u3cl7dqrLH+1SeUs50OeQnbbTrBl0PuNwvzE ++kbk7xwLlVDOyRmmvY/EEu7WkitQZgXSAYgttrk62CuJUQUmwUTX5Jxndsjydk/zW ++/DiulTsX+zv8kG5NiwpXCfL6QxBoMZNI4fUmDL3bX1XfHaFA+45GT2lHu07xc+cV ++eZIRCo0Nk+fIO53lDol8mmR8/5vna27gRnqEUSU7MZAMG6QBXkotnq3rHnrI/ku6 ++dCJW4tbWV/ANQ+TG17g2tygzC/smqTuLqavyP9V5cRrdU9awEqwvy8uVbGkTmUZd ++tjkGWCcmBSWJvkH3MRJmijS7rDcb8m/g9+xKe79V1c8durGWvcfMRZZhWaoHyhnH ++g9+JLUCC3EUCp/1206w5vTXEQNpqi9Z3AZfgboPzJyji4OeYfcQ5eaIZ3OuIpyQz ++AgMBAAEwDQYJKoZIhvcNAQELBQADggGBAKdQkmmyUqcE1by7AeHoxkqFgqUeSAlh ++flXi5DD+j5+Op2GAUrx84LGy4+heKEwAkV5Cw2c9IMHmDDMnGe/g4FjBS+dTZsTs ++JRXXDR7t20eWiBpvO/3IMqVpPq9CAQY1L9PYAVuVM5cwdzsJXdH82z2BZ3Ttg3GX ++NPnybxzD/auC051vqEp28Jzbswd4c3VvTmRnYY7rYNNKnLD7812BIp7lnE6s5X2D ++y0PPSYdhscTqfJV0+GDF5hUduOFX1xTcPlXaXfyKLLelqtrw40p3ynww9v/J4mwt ++FBV+a8gguM7tCZMoV/VJZghObglV/wpokAQchL/pnxL7+U8JklRqaU4DlxyGZ+K4 ++QlR5mJe19ZlkgHePk1MbwNZaTXjaOFirYmZzs4YynOp3iBHrW3CYY3kVlrUpKP08 ++o101hce32VxkyST6i5W24MU02O/wuPdyQpN+rJjYv32Axsrh/ePkI5qKew9eZ63i ++WzNb7BW1LrHrQ/lXoJ3ekRQd10UX3xhk/w== ++-----END CERTIFICATE----- +diff --git a/bin/tests/system/nsupdate/CA/CA.cfg 
b/bin/tests/system/nsupdate/CA/CA.cfg +new file mode 100644 +index 0000000..1a3ed65 +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/CA.cfg +@@ -0,0 +1,77 @@ ++# See ../../doth/CA/ca.cfg for more information ++ ++# certificate authority configuration ++[ca] ++default_ca = CA_default # The default ca section ++ ++[CA_default] ++dir = . ++new_certs_dir = $dir/newcerts # new certs dir (must be created) ++certificate = $dir/CA.pem # The CA cert ++private_key = $dir/private/CA.key # CA private key ++ ++serial = $dir/serial # serial number file for the next certificate ++ # Update before issuing it: ++ # xxd -l 8 -u -ps /dev/urandom > ./serial ++database = $dir/index.txt # (must be created manually: touch ./index.txt) ++ ++default_days = 1 # how long to certify for ++ ++#default_crl_days = 30 # the number of days before the ++default_crl_days = 10950 # next CRL is due. That is the ++ # days from now to place in the ++ # CRL nextUpdate field. If CRL ++ # is expired, certificate ++ # verifications will fail even ++ # for otherwise valid ++ # certificates. Clients might ++ # cache the CRL, so the expiry ++ # period should normally be ++ # relatively short (default: ++ # 30) for production CAs. ++ ++default_md = sha256 # digest to use ++ ++policy = policy_default # default policy ++email_in_dn = no # Don't add the email into cert DN ++ ++name_opt = ca_default # Subject name display option ++cert_opt = ca_default # Certificate display option ++ ++# We need the following in order to copy Subject Alt Name(s) from a ++# request to the certificate. ++copy_extensions = copy # copy extensions from request ++ ++[policy_default] ++countryName = optional ++stateOrProvinceName = optional ++organizationalUnitName = optional ++commonName = supplied ++emailAddress = optional ++ ++# default certificate requests settings ++[req] ++# Options for the `req` tool (`man req`). 
++default_bits = 3072 # for RSA only ++distinguished_name = req_default ++string_mask = utf8only ++# SHA-1 is deprecated, so use SHA-256 instead. ++default_md = sha256 ++# do not encrypt the private key file ++encrypt_key = no ++ ++[req_default] ++# See . ++countryName = Country Name (2 letter code) ++stateOrProvinceName = State or Province Name (full name) ++localityName = Locality Name (e.g., city) ++0.organizationName = Organization Name (e.g., company) ++organizationalUnitName = Organizational Unit Name (e.g. department) ++commonName = Common Name (e.g. server FQDN or YOUR name) ++emailAddress = Email Address ++# defaults ++countryName_default = UA ++stateOrProvinceName_default = Kharkiv Oblast ++localityName_default = Kharkiv ++0.organizationName_default = ISC ++organizationalUnitName_default = Software Engeneering (BIND 9) +diff --git a/bin/tests/system/nsupdate/CA/CA.pem b/bin/tests/system/nsupdate/CA/CA.pem +new file mode 100644 +index 0000000..1f725db +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/CA.pem +@@ -0,0 +1,29 @@ ++-----BEGIN CERTIFICATE----- ++MIIE3TCCA0WgAwIBAgIUeZPKrvbGEBZaRc2jNczlIsJXyPYwDQYJKoZIhvcNAQEL ++BQAwfTELMAkGA1UEBhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4G ++A1UEBwwHS2hhcmtpdjEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0 ++aXVtMRwwGgYDVQQDDBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDEyNDEyNDA1 ++NFoYDzIwNTIwMTE3MTI0MDU0WjB9MQswCQYDVQQGEwJVQTEYMBYGA1UECAwPS2hh ++cmtpdiBPYmxhc3QnMRAwDgYDVQQHDAdLaGFya2l2MSQwIgYDVQQKDBtJbnRlcm5l ++dCBTeXN0ZW1zIENvbnNvcnRpdW0xHDAaBgNVBAMME2NhLnRlc3QuZXhhbXBsZS5j ++b20wggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCi6hEegBzpUKbE1NTo ++Z7uz7EMUY7TBckkiw/7ydTLKNa8YI4JpBguFvWQsDY0dGFJIoVwyHyNx3seW/LoI ++B5zWPZ2xbOvLLceA+t2NZpbc98E7jUOVS123yED+nqlfZjCq9Zt0r/ezwnQtjnFF ++ko1mcU4H9Jvg8aIgnU2AxE78zciU9CY8799pFFNThIjbooI8oVbfjbzbpmLzxjA5 ++3rDmZBTh+ySTlMa2U2oT4WPjRltZWnJVegRRLpG95GnTbQ1fkJAbj1Iu10XTkCee ++wBOqaA1UJem0a6pby5odE414Y7c0ETKcmaJtYENQyO0IJwZWDKtVe5OTIAklakia 
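Review bot: In CA/CA.cfg, `copy_extensions = copy` under `[CA_default]` is explained only as being needed for Subject Alt Names, but with that value `openssl ca` copies the extensions a request carries, a `basicConstraints` one included, so the config is safe only while the CA signs requests produced by the test authors themselves. I would say so next to the setting, e.g. `# test PKI only: copies request extensions as-is, never sign untrusted CSRs with this config`. Separately, `default_days = 1` does not match the 2052 `Not After` dates on the non-expired certificates this patch adds, so a validity override was presumably passed when they were issued. A short comment recording which lifetime to use for the long-lived certificates and which for the deliberately expired ones would make regenerating the fixtures reproducible.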
++eyFTCAw1h5tHCYLaJW/Yu2wlLl5RNQcRZ9+cWXnldTY+TI1iBjfmADjLdKJYUlhX ++z7kWJtTi63Sdv6WYcEXxaWpxT+R3e2kaR/R7GOo4gdkWpX1siGlRteHHH2/36CSQ ++ZD2etcTUpGW+KDHFR4grnEfL1rt9UgvCjpa4KcssmZtWSSUCAwEAAaNTMFEwHQYD ++VR0OBBYEFHyJ6Fzr5R9ySATFj/uSCJz1YCY5MB8GA1UdIwQYMBaAFHyJ6Fzr5R9y ++SATFj/uSCJz1YCY5MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggGB ++AF3y0hvzyZWtmuG1JwIcOcc1aPl1KdRy8bao/5iHYGYYrsdDgcO5/e+y9S/izalc ++TdW7SKB5iBOCiE8fBNtToCvGP+fxNxHijpAmTr37G5sWuSo1T1VYFizHWL+df/Ig ++TcSvDrEjSnAwaEdNJUWtjoIC4VzNKTLtZf16QIATTzTZa3bfgSetpWS7LhLQbHod ++CSGI2QB1LRbqGC+a1Y85QxHv81jWzPWPzXYvnOLrDdQyBMOBcxDzrN4b6zg+5Itz ++qGYt+IS71jAH0IhxAyD/U5n1jGJv02BnSq0ynLEOD6gsnZjqAwPbt/PM9pGbtbXO ++70Q9rxr+vQc1IISKAEiH3txaEPi10wU98d6LbInJvQrmgHo/ntet8skWNYuxlEzS ++wvynuE9KvvQtOTodWt5AePtKrhHdxu527a4CHVp59nYUjKSdMKjvmhMRXM1cNjFE ++rA/pyyhozR47w3RzHMJVHw2GJ2B/HeqmxpXr1CmJjoRP38QCR7N+mqiZy85Fq2j2 ++8Q== ++-----END CERTIFICATE----- +diff --git a/bin/tests/system/nsupdate/CA/README b/bin/tests/system/nsupdate/CA/README +new file mode 100644 +index 0000000..13069ca +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/README +@@ -0,0 +1,2 @@ ++Please take a look at the contents of the CA.cfg file for further ++instructions and configurations options. 
+diff --git a/bin/tests/system/nsupdate/CA/certs/srv01.client01.example.nil.key b/bin/tests/system/nsupdate/CA/certs/srv01.client01.example.nil.key +new file mode 100644 +index 0000000..5e3420e +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/certs/srv01.client01.example.nil.key +@@ -0,0 +1,40 @@ ++-----BEGIN PRIVATE KEY----- ++MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQCrYC6cYeOJxlIr ++vOnhBf0YZUIg9lYWQDPSy5/37yJUp8lVcMpS8OKiWDh/EK0rBeARtmkhfy04Vt3V ++5PPepzI19zMqUoCut9Z8NXTDDIrDOhhhaHNiWFb/eCVXHHu+mIgh3RyKE6WaUkiY ++2T3EKKZ+mxFWfs4Ju1GJiqgbALVzK0GTsWJAMCnq9qPnvPDpngcrrqmgHU3Z+BhN ++g0dOaO5XyFUVhjxtHvUx8d7Pwn5rjiJaxXav0AHeq3oDspYzzKAmrt7EvXaFlseI ++5Ea8P8ZUyZWDh5xJDTHdxBdSmeRlSZud863OZghX9IO+XofaQloBKm1o0Y042Riu ++Xi5UcosBRZav9aPQKV0ii7TUMK8CNsUt6SnrLOpqfiezcPyHHyvEsTqmwum3wm9G ++Y7eWLlPYt83D9LVtsvxXSayfmMn+tPV8k0guk9zpGFRjXxij5xKq/jjwc+UXHv5A ++ZYGoj2BGwhbyqJ2xG7zOBd43sqiGR72Nkt7g5UKJuOP4sSQIfpkCAwEAAQKCAYEA ++i3PT2fsp3cXcvayXID3wSvayzgHF4YtS4FhEDsuvwvVZtsX2TXGo6fQh3Pvj/dtl ++DuTBPbmwQWUmVNRewbKKADHsl6bVAdekmCQjpEhDbkOK7VDCe6do+693qyAJbfnO ++5Md5Xr5IBoCohIBaa5Gskd97R0gePvsHiYWj730vKc1sKlOwoIzQv1r92yf7Xg7y ++xM/3RcwyuojQtdp6nspyEEp7Oe2mpCEJ4x9vcN5SYxEg0X5Xaw83RkuBGRsscHA0 ++GN+4eJ59Ld1R9uktLYvUA06ZdoAVZyblE4xxjk2vueE3K2/kT2ooKHVWulGI+PnF ++2xYedZsZkgwLbXcEhPXBo3vMTjzRlePh668ULi9B6ntMjWpCSCvGnz142Uwatfq0 ++PeasBVgRngu9Wg+smkA4kHnDi7ih3zpLh6sTcOKL7F1cBgvtjgIyzZDp9eJUEfVH ++G/89mTCswhqV1WtQ3n9zbYVbSK9vaAxCrfK50pG+IfHXG9EqnrQPzKsRxNsDpN91 ++AoHBANeNLQb3gSk6sBg53smh9oFUEwwgAjHY31ZOOInO4X7udXrtRcON6SCkZjaD ++6y1N3Orjama6mr+/eHxJeDEbWBB7INOsaqHewoQF8qaOa7HHmCbXcUIlAQFvaE6e ++Qd5e+YHLmbYZbkPfntqWmXuSmk7hUxjnPPOv1P9sgv/3b4TJQJ4FEJasKpWgIOAy ++3g8UrjtbI3ITSo3SKCei3wvOCzIdnzwgcHY420jU1yU/oDzN07D4K0iODAbasUl1 ++ZH5UvwKBwQDLiNual2aCUtjKAoRLnGDtP6LOYV3eXchBrywIj2tNAMlD7TXbjG04 ++Le+I9O+azRorvXQ2WBBIYzka1JozK8WTsxkQYRd9AEy2AsQgPlK5hfy3xcGxSscC ++vdxSdQQQ/ASKHHbCTKhDhnA2b2fvLhWxZqsbSO4hSmvjXrSUpGrAABFipK9VqS6Y 
++Sg6uEo1AlTrwsGW66LHpFeG6YQ0uj4sF0x5mzH7R50And30lVg8DjJASdClzOIWJ ++WV+3opbgSqcCgcEAvGGJhJkyrJG57LJG3vlJsmWD8AjZYi8joQ3jo6zGrmRBEBnl ++6q5PnFORcPuBwapW9IGkL/vN2t6/sf+Tp3c6U80IN3ZsCuPgI/n+w0mdHVZOx0Nq ++nGAyrMps4qi08F8YuDL0N42qLG93KZqMsM7DRUTvlsghIOf+wuxW4NWjBO3OJ0xN ++3yDAZtv3X3mVUKDGVOGl7MCnW6LbrShOvsZoSnhQ/f9ryiaOnuxEyyz8IafQ5s09 ++Jr/eCu9+GbEbDr2JAoHAXUZg7Z3IupzhAOLaYhROTyvEnrP8YrWz2nY+xcWENQvR ++MLH65pyaSQ60IZ2uWND512XBZk5BWAsw1lzsNdsvdpqzN9BnBUAn55mo6+Xj32XK ++BSY5t9g/D8CWwasiq+3y3qBgxHaA/kEUF75CcVg7VMtqStzHVLZYbyCtvRkEWu0t ++CnnSaH1Z/yyhQaD63sgE9NzCIkAVmG4QvmtPsTDTU14HJrE8xVEnE28tCPlBdCzs ++sahOfqE+gU1WEkAOyMctAoHAASVc1KFfBI48tM+cr8vDt1QklVgnKn44DL6HF5tp ++iA8/xhB2fHKq6a+xuGxubXo7jo0KbKyYXPFyE5MDrzIDKp0GLUr7WtaunNVMKbKs ++B/2YSw+PELoIc5GpiH4lqP5iFYyHKmJighou4oxLcjMlHpRWUERPdxA+L6zggPyJ ++56PX2tcezcCZMVm65VpHsX3CqEQyWnFDCt0zclRNFWPKCENsl10emenBZVnxb8fc ++smxv7aRpgoWBRa5vinKvOv2T ++-----END PRIVATE KEY----- +diff --git a/bin/tests/system/nsupdate/CA/certs/srv01.client01.example.nil.pem b/bin/tests/system/nsupdate/CA/certs/srv01.client01.example.nil.pem +new file mode 100644 +index 0000000..f546d35 +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/certs/srv01.client01.example.nil.pem +@@ -0,0 +1,93 @@ ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 8122792693893010842 (0x70b9f4eb2fa1959a) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com ++ Validity ++ Not Before: Sep 8 08:20:17 2022 GMT ++ Not After : Aug 31 08:20:17 2052 GMT ++ Subject: CN=srv01.client01.example.nil ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ RSA Public-Key: (3072 bit) ++ Modulus: ++ 00:ab:60:2e:9c:61:e3:89:c6:52:2b:bc:e9:e1:05: ++ fd:18:65:42:20:f6:56:16:40:33:d2:cb:9f:f7:ef: ++ 22:54:a7:c9:55:70:ca:52:f0:e2:a2:58:38:7f:10: ++ ad:2b:05:e0:11:b6:69:21:7f:2d:38:56:dd:d5:e4: ++ f3:de:a7:32:35:f7:33:2a:52:80:ae:b7:d6:7c:35: ++ 
74:c3:0c:8a:c3:3a:18:61:68:73:62:58:56:ff:78: ++ 25:57:1c:7b:be:98:88:21:dd:1c:8a:13:a5:9a:52: ++ 48:98:d9:3d:c4:28:a6:7e:9b:11:56:7e:ce:09:bb: ++ 51:89:8a:a8:1b:00:b5:73:2b:41:93:b1:62:40:30: ++ 29:ea:f6:a3:e7:bc:f0:e9:9e:07:2b:ae:a9:a0:1d: ++ 4d:d9:f8:18:4d:83:47:4e:68:ee:57:c8:55:15:86: ++ 3c:6d:1e:f5:31:f1:de:cf:c2:7e:6b:8e:22:5a:c5: ++ 76:af:d0:01:de:ab:7a:03:b2:96:33:cc:a0:26:ae: ++ de:c4:bd:76:85:96:c7:88:e4:46:bc:3f:c6:54:c9: ++ 95:83:87:9c:49:0d:31:dd:c4:17:52:99:e4:65:49: ++ 9b:9d:f3:ad:ce:66:08:57:f4:83:be:5e:87:da:42: ++ 5a:01:2a:6d:68:d1:8d:38:d9:18:ae:5e:2e:54:72: ++ 8b:01:45:96:af:f5:a3:d0:29:5d:22:8b:b4:d4:30: ++ af:02:36:c5:2d:e9:29:eb:2c:ea:6a:7e:27:b3:70: ++ fc:87:1f:2b:c4:b1:3a:a6:c2:e9:b7:c2:6f:46:63: ++ b7:96:2e:53:d8:b7:cd:c3:f4:b5:6d:b2:fc:57:49: ++ ac:9f:98:c9:fe:b4:f5:7c:93:48:2e:93:dc:e9:18: ++ 54:63:5f:18:a3:e7:12:aa:fe:38:f0:73:e5:17:1e: ++ fe:40:65:81:a8:8f:60:46:c2:16:f2:a8:9d:b1:1b: ++ bc:ce:05:de:37:b2:a8:86:47:bd:8d:92:de:e0:e5: ++ 42:89:b8:e3:f8:b1:24:08:7e:99 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Subject Alternative Name: ++ DNS:srv01.client01.example.nil, IP Address:10.53.0.1 ++ Signature Algorithm: sha256WithRSAEncryption ++ 07:97:69:51:12:50:6a:e1:02:a0:b0:dc:93:75:16:c4:38:0f: ++ 5c:b3:47:da:bf:fa:9c:b6:de:c0:ef:38:f7:cc:d9:8d:71:ba: ++ 51:89:e5:48:36:dd:e1:f8:73:9d:92:80:1c:42:30:69:4f:8c: ++ 19:5d:f7:1d:03:e4:f2:76:e0:58:7b:c2:76:c4:0a:7e:20:69: ++ 26:6c:3e:cb:31:45:93:1d:07:5f:45:44:8e:5a:fb:87:17:7b: ++ 4d:5c:bf:37:bd:5e:ba:5c:22:84:bf:26:21:4a:c4:e9:f9:cb: ++ 73:de:fc:62:04:96:ad:aa:fd:89:09:5c:74:d6:bd:5f:07:17: ++ ef:9c:3d:ee:b7:dc:08:11:7f:12:66:ab:c4:ff:43:6d:7f:1e: ++ 01:b6:d1:19:73:53:18:e4:02:b0:7c:9e:99:63:d8:57:dd:07: ++ 79:fb:83:39:09:de:76:6e:68:b7:87:81:13:b8:26:e5:1c:c9: ++ a0:23:e5:97:39:ff:93:c7:8d:08:d8:ce:97:34:fc:ad:22:14: ++ 89:c0:ae:83:7d:0a:3f:cf:a0:9b:b4:6a:5c:b3:6d:5d:3b:88: ++ ca:1e:9b:99:54:64:57:58:3c:4c:bd:26:ee:11:c3:13:0b:1d: ++ 
f5:fd:d9:37:b0:31:72:6f:1d:e8:ba:43:37:46:f7:71:fe:6d: ++ 4a:30:33:29:c5:7b:37:8b:7e:06:22:89:a4:46:36:f0:fe:c6: ++ f5:f0:53:04:c0:35:52:78:6e:10:24:3a:d8:bf:7b:13:2f:98: ++ bc:69:31:41:68:02:5a:c4:f9:11:a2:6b:3f:c8:e0:d4:b3:80: ++ af:d2:be:fe:28:70:61:18:ed:8a:de:c4:cb:da:c9:60:94:91: ++ 76:63:69:8c:6e:96:f5:ba:e7:be:1e:1c:c3:84:b1:8d:e8:31: ++ f7:66:8c:0d:da:a8:78:57:19:fd:a0:8d:fa:9a:7e:51:1c:d1: ++ d0:84:07:a2:45:40:2d:c4:6b:e9:9f:86:4a:08:20:8f:9c:79: ++ 97:e3:7f:2a:14:73 ++-----BEGIN CERTIFICATE----- ++MIIEVTCCAr2gAwIBAgIIcLn06y+hlZowDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE ++BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp ++djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD ++DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDkwODA4MjAxN1oYDzIwNTIwODMx ++MDgyMDE3WjAlMSMwIQYDVQQDDBpzcnYwMS5jbGllbnQwMS5leGFtcGxlLm5pbDCC ++AaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKtgLpxh44nGUiu86eEF/Rhl ++QiD2VhZAM9LLn/fvIlSnyVVwylLw4qJYOH8QrSsF4BG2aSF/LThW3dXk896nMjX3 ++MypSgK631nw1dMMMisM6GGFoc2JYVv94JVcce76YiCHdHIoTpZpSSJjZPcQopn6b ++EVZ+zgm7UYmKqBsAtXMrQZOxYkAwKer2o+e88OmeByuuqaAdTdn4GE2DR05o7lfI ++VRWGPG0e9THx3s/CfmuOIlrFdq/QAd6regOyljPMoCau3sS9doWWx4jkRrw/xlTJ ++lYOHnEkNMd3EF1KZ5GVJm53zrc5mCFf0g75eh9pCWgEqbWjRjTjZGK5eLlRyiwFF ++lq/1o9ApXSKLtNQwrwI2xS3pKess6mp+J7Nw/IcfK8SxOqbC6bfCb0Zjt5YuU9i3 ++zcP0tW2y/FdJrJ+Yyf609XyTSC6T3OkYVGNfGKPnEqr+OPBz5Rce/kBlgaiPYEbC ++FvKonbEbvM4F3jeyqIZHvY2S3uDlQom44/ixJAh+mQIDAQABoy8wLTArBgNVHREE ++JDAighpzcnYwMS5jbGllbnQwMS5leGFtcGxlLm5pbIcECjUAATANBgkqhkiG9w0B ++AQsFAAOCAYEAB5dpURJQauECoLDck3UWxDgPXLNH2r/6nLbewO8498zZjXG6UYnl ++SDbd4fhznZKAHEIwaU+MGV33HQPk8nbgWHvCdsQKfiBpJmw+yzFFkx0HX0VEjlr7 ++hxd7TVy/N71eulwihL8mIUrE6fnLc978YgSWrar9iQlcdNa9XwcX75w97rfcCBF/ ++EmarxP9DbX8eAbbRGXNTGOQCsHyemWPYV90HefuDOQnedm5ot4eBE7gm5RzJoCPl ++lzn/k8eNCNjOlzT8rSIUicCug30KP8+gm7RqXLNtXTuIyh6bmVRkV1g8TL0m7hHD ++Ewsd9f3ZN7Axcm8d6LpDN0b3cf5tSjAzKcV7N4t+BiKJpEY28P7G9fBTBMA1Unhu ++ECQ62L97Ey+YvGkxQWgCWsT5EaJrP8jg1LOAr9K+/ihwYRjtit7Ey9rJYJSRdmNp 
++jG6W9brnvh4cw4Sxjegx92aMDdqoeFcZ/aCN+pp+URzR0IQHokVALcRr6Z+GSggg ++j5x5l+N/KhRz ++-----END CERTIFICATE----- +diff --git a/bin/tests/system/nsupdate/CA/certs/srv01.client02-expired.example.nil.key b/bin/tests/system/nsupdate/CA/certs/srv01.client02-expired.example.nil.key +new file mode 100644 +index 0000000..d8f68ac +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/certs/srv01.client02-expired.example.nil.key +@@ -0,0 +1,40 @@ ++-----BEGIN PRIVATE KEY----- ++MIIG/wIBADANBgkqhkiG9w0BAQEFAASCBukwggblAgEAAoIBgQDAEScXJTqthaA7 ++WQsiZGN9uwUyNU9o1RkrzUa94rZCjAjPCQ2ozVjZG3fbF4r88FXy4VD0/ZCqSRVd ++6ptaR8QvggdGh/YF7xUCpDyh2vxbdTYS9xJQVfi+DH0hkeKS2EE/cf6yF8BoHQm+ ++/MQk7O/SXFKpT9ZdMLiraC456YtbxvBkQve4vbKQMiJovDhwLxSuyHxjBNURsgrx ++jhMQsjtp9P464vFYViiTwSiqpxnJkRJD+PUdNFg9Mp8RZ9EfU9Tg1Qx4LG84P+GJ ++abUJPBL0qe7lL8VHZaaC+up4SDGJEbYjiiftfB1t6KugKd5A9PKbYSLanCIy9z34 ++TOE4p+LDr6Rnf5Sk/VIliU30mtY1upgg8UvJpc+sclgqzTtKPukEMeKadDLVUmA0 ++rQyFAmVYQXQqV5E0VTapFFtFzCgn1226VaPdnwAEpEPCr1yvhlOm1adJqjHWXpJ9 ++Jt2N9IeKm0joJfTHNMrP4/eEGTtDx2q42m5vha+NDPt86sdznJsCAwEAAQKCAYBv ++D3wTHiv3+rTUnICbuoDtSx+OENWCQPb1JRYq5tWNVXwie5GycktV/1QnFE4CRNbu ++QuuVPqpQTUJVtDtw0N7Yuc+LMUNJ2x3DEUUeMoqKOBS0krm8SnozKvWQW9MwJmxU ++S46DXMida20fSvoAgCGM+mWyEcBa0rl2JB/WzP0QbNDEqRSldsuyJctP1Mat2AuV ++pciHWVv7h4BcfVL47Jb+hfQcCO6Vrfx4s9DYHRgEPibZtzPFV2dOu97PKcD65HXL ++o30hP9xhhy8nT4oFijEQ9rPi0JvOpvB5bJQ42OAznWByR0uL9ZoXopkYDDemzt7t ++D5F9X/2iH9dv3GA0AiPCF6DjyVMwbh/NOt8oxS+NMY2RPlzA+r9SZpCcyPFk1hMi ++LHzrPU8dwC2GmaMKB3Uw/bA5ufw3IpcbJIZEBJQ5Ttf7zEFcfDo/jidTz3ZOptOT ++kSKoCN73AUlmcx8UoKF9JwcpJq63ww8eef+1HLL5Dk0uM4YSKd15gI6477RgfgEC ++gcEA48ZpMdz4mz7rO0CMyPfOLdHOcxHuZI4oJg6gJ1IBxCnIB1mhy6xn+NdkS5Mm ++/1S6eFuo+DgabXO/A2xSDrJ4Lnlf4H4OjQKCeJdO9JglHjdTzv7TB8Vm/IdGC0Jk ++eDRY1lmkSXcdSmGqPVgd2AHpkcTgLyUb+iIWkIspelsaNNQBHJzd4S/x9Pp/ftrg ++CpfwGKsmNia3n3m21lkeTLtKVsPuK8CAJnCDaEI22mhV83x6grPxA0GVFZ0VHfCL ++qZVhAoHBANfd/oVKWGTiJzlc+aHJAb4XRROQzCL4yi6uspT3h9QN5QiFD7PhgIOg 
++mES35mpGocN78oc19zhfD4XLNkLbQuMQhpk0D4MjLfUS/IskFoOJWuQbIBPqrMzY ++Z93DDkiBno2As1IN7fZ9amw7Thcf8Qt6yVNFjIMcfk63VmC+AnPUj4KCes7IuGDH ++SA/LjjiKgMa3g3I5/HVB6q1dyZQggBF3dCJ/V8ecgtdibUfzvvViZ52Hd7XDs1SX ++yCas+IE3ewKBwQC/YSFYBRtZjacmFNl1rkitVQCKzMEp+guf1mAYSZ40TQrFqjj4 ++obaGbavWmCCHHpDCufkh/jmuRzdyT9wufyPdoJu/Sws8zaQEYNW1S/S8C66+WHvF ++psYeXiarJTC3kvwlthIErDGPIrpgap5AtXKjyPC4jAySwXuGHXdPWCaPxqXcfa0s ++HRXGSYdAdfUS0ZCpmXw0uZlFRIYsWZrMy/ztJBkE5+yE37p5qlDeeBXnzGo/UaOq ++obr6+w4YJtmiNmECgcEAsSAPqzEgrM7AnpoCn1S+4EpZvL8wMXXw+DMSh5dAVah9 ++COudwdzDxb2tk51OLF/+dderXnTSgOfHZeIjiOI+1PAHcYg9Pj5MhG5q2ITpEE9R ++TCBRxuXlmkPrnhRiEO6CudsjyK1zV7D69QoIfoMQF3pN3c0QibiEj3RyJPlkK8T7 ++aHxF5ozedVKvd35wGUbUebm02rJny5Mly9FMCQZN74cTvQa+cSSkW7UAtGx1gQWY ++vbKdcIC/Eidk7Q867VQnAoHBAKqiugBoItfhuN1GUI5bqIx0ya4DSVECpSFiF8h3 ++eK+bO7uG4OBH+qoAmC8EqQNVPtivxpsA2aBvdoUMTYPu/S5cVFXcMkEJ1jX8L8IZ ++ImE5LXC+SiZO3G9SyHfj+rgwr66G7NWDVJhZ2t/56s4qEdewwR4Vjm99gVvHHAFP ++rrkT9jfHVmozRroL/XAMNITZpJw+vwPMwWOaRncjzyyPp0JWt0h+Wv0+A3SjBIh2 ++c+Ctg5Ig6vwr2weVc7s/4jz9Kg== ++-----END PRIVATE KEY----- +diff --git a/bin/tests/system/nsupdate/CA/certs/srv01.client02-expired.example.nil.pem b/bin/tests/system/nsupdate/CA/certs/srv01.client02-expired.example.nil.pem +new file mode 100644 +index 0000000..365b493 +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/certs/srv01.client02-expired.example.nil.pem +@@ -0,0 +1,93 @@ ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 8122792693893010843 (0x70b9f4eb2fa1959b) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com ++ Validity ++ Not Before: Sep 7 08:14:18 2022 GMT ++ Not After : Sep 8 08:14:18 2022 GMT ++ Subject: CN=srv01.client02-expired.example.nil ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ RSA Public-Key: (3072 bit) ++ Modulus: ++ 00:c0:11:27:17:25:3a:ad:85:a0:3b:59:0b:22:64: ++ 63:7d:bb:05:32:35:4f:68:d5:19:2b:cd:46:bd:e2: ++ 
b6:42:8c:08:cf:09:0d:a8:cd:58:d9:1b:77:db:17: ++ 8a:fc:f0:55:f2:e1:50:f4:fd:90:aa:49:15:5d:ea: ++ 9b:5a:47:c4:2f:82:07:46:87:f6:05:ef:15:02:a4: ++ 3c:a1:da:fc:5b:75:36:12:f7:12:50:55:f8:be:0c: ++ 7d:21:91:e2:92:d8:41:3f:71:fe:b2:17:c0:68:1d: ++ 09:be:fc:c4:24:ec:ef:d2:5c:52:a9:4f:d6:5d:30: ++ b8:ab:68:2e:39:e9:8b:5b:c6:f0:64:42:f7:b8:bd: ++ b2:90:32:22:68:bc:38:70:2f:14:ae:c8:7c:63:04: ++ d5:11:b2:0a:f1:8e:13:10:b2:3b:69:f4:fe:3a:e2: ++ f1:58:56:28:93:c1:28:aa:a7:19:c9:91:12:43:f8: ++ f5:1d:34:58:3d:32:9f:11:67:d1:1f:53:d4:e0:d5: ++ 0c:78:2c:6f:38:3f:e1:89:69:b5:09:3c:12:f4:a9: ++ ee:e5:2f:c5:47:65:a6:82:fa:ea:78:48:31:89:11: ++ b6:23:8a:27:ed:7c:1d:6d:e8:ab:a0:29:de:40:f4: ++ f2:9b:61:22:da:9c:22:32:f7:3d:f8:4c:e1:38:a7: ++ e2:c3:af:a4:67:7f:94:a4:fd:52:25:89:4d:f4:9a: ++ d6:35:ba:98:20:f1:4b:c9:a5:cf:ac:72:58:2a:cd: ++ 3b:4a:3e:e9:04:31:e2:9a:74:32:d5:52:60:34:ad: ++ 0c:85:02:65:58:41:74:2a:57:91:34:55:36:a9:14: ++ 5b:45:cc:28:27:d7:6d:ba:55:a3:dd:9f:00:04:a4: ++ 43:c2:af:5c:af:86:53:a6:d5:a7:49:aa:31:d6:5e: ++ 92:7d:26:dd:8d:f4:87:8a:9b:48:e8:25:f4:c7:34: ++ ca:cf:e3:f7:84:19:3b:43:c7:6a:b8:da:6e:6f:85: ++ af:8d:0c:fb:7c:ea:c7:73:9c:9b ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Subject Alternative Name: ++ DNS:srv01.client02-expired.example.nil, IP Address:10.53.0.1 ++ Signature Algorithm: sha256WithRSAEncryption ++ 18:f1:7c:24:5b:d2:03:b0:60:0e:60:e6:32:f9:a7:47:d1:e4: ++ bd:3f:a3:21:53:90:84:9a:c6:2c:87:b2:16:28:95:07:a3:2a: ++ c3:33:8f:60:70:3f:26:58:be:ec:a2:6c:44:89:d3:4e:ef:bb: ++ ce:af:9b:5f:15:06:03:21:74:e3:6f:2a:dc:5c:19:4e:d3:cb: ++ ba:c3:5f:d8:76:89:59:50:82:69:5f:a1:ac:9f:be:79:e1:22: ++ 12:37:f9:d3:2e:00:35:03:03:9d:08:24:45:65:7a:e9:72:31: ++ e1:67:44:32:17:25:dd:b9:72:eb:c6:40:d7:5d:8d:5f:00:48: ++ 07:09:0d:3c:4c:a1:f1:05:4b:05:9b:2b:5a:21:09:46:f4:17: ++ 7a:cf:34:87:ad:bf:ef:bd:56:74:d7:1a:8f:07:ce:70:b1:aa: ++ 4d:82:4f:08:dc:56:27:f9:21:20:b8:06:c7:29:b4:8e:36:82: ++ b8:43:85:1c:2d:9f:be:2d:b9:9d:40:de:52:55:6a:2e:0b:28: ++ 
33:fc:f8:1b:70:e9:c5:46:50:f3:05:be:8d:ed:99:ec:f1:8c: ++ 51:8a:1c:4b:95:f4:c4:dd:cd:42:74:bc:6f:66:64:54:b8:c1: ++ 6e:c8:3d:e9:fe:10:02:61:50:77:38:b9:b0:b8:13:37:8f:0e: ++ 5b:49:92:3a:9d:9a:60:51:68:99:8a:d5:7e:92:71:7e:fa:db: ++ 52:37:4d:f9:0d:6c:3b:79:a3:b9:16:b7:95:00:ea:eb:17:54: ++ e2:50:d7:a5:08:54:58:2c:79:66:01:4b:95:65:ed:b8:81:f7: ++ 4c:fa:f8:89:37:ad:d9:dc:c9:75:9d:02:3e:e5:92:b3:03:ab: ++ 70:69:83:f5:6c:a6:27:7e:2e:fc:9d:b2:59:0a:43:ad:3f:55: ++ 2f:5d:ec:ef:52:f0:3e:be:b5:d6:e2:c3:91:9d:dd:5d:e1:9e: ++ e6:18:90:0b:6a:85:f8:e3:83:2a:7c:91:c3:52:1c:6d:aa:2b: ++ 44:b8:6f:2b:af:6e ++-----BEGIN CERTIFICATE----- ++MIIEYzCCAsugAwIBAgIIcLn06y+hlZswDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE ++BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp ++djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD ++DBNjYS50ZXN0LmV4YW1wbGUuY29tMB4XDTIyMDkwNzA4MTQxOFoXDTIyMDkwODA4 ++MTQxOFowLTErMCkGA1UEAwwic3J2MDEuY2xpZW50MDItZXhwaXJlZC5leGFtcGxl ++Lm5pbDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAMARJxclOq2FoDtZ ++CyJkY327BTI1T2jVGSvNRr3itkKMCM8JDajNWNkbd9sXivzwVfLhUPT9kKpJFV3q ++m1pHxC+CB0aH9gXvFQKkPKHa/Ft1NhL3ElBV+L4MfSGR4pLYQT9x/rIXwGgdCb78 ++xCTs79JcUqlP1l0wuKtoLjnpi1vG8GRC97i9spAyImi8OHAvFK7IfGME1RGyCvGO ++ExCyO2n0/jri8VhWKJPBKKqnGcmREkP49R00WD0ynxFn0R9T1ODVDHgsbzg/4Ylp ++tQk8EvSp7uUvxUdlpoL66nhIMYkRtiOKJ+18HW3oq6Ap3kD08pthItqcIjL3PfhM ++4Tin4sOvpGd/lKT9UiWJTfSa1jW6mCDxS8mlz6xyWCrNO0o+6QQx4pp0MtVSYDSt ++DIUCZVhBdCpXkTRVNqkUW0XMKCfXbbpVo92fAASkQ8KvXK+GU6bVp0mqMdZekn0m ++3Y30h4qbSOgl9Mc0ys/j94QZO0PHarjabm+Fr40M+3zqx3OcmwIDAQABozcwNTAz ++BgNVHREELDAqgiJzcnYwMS5jbGllbnQwMi1leHBpcmVkLmV4YW1wbGUubmlshwQK ++NQABMA0GCSqGSIb3DQEBCwUAA4IBgQAY8XwkW9IDsGAOYOYy+adH0eS9P6MhU5CE ++msYsh7IWKJUHoyrDM49gcD8mWL7somxEidNO77vOr5tfFQYDIXTjbyrcXBlO08u6 ++w1/YdolZUIJpX6Gsn7554SISN/nTLgA1AwOdCCRFZXrpcjHhZ0QyFyXduXLrxkDX ++XY1fAEgHCQ08TKHxBUsFmytaIQlG9Bd6zzSHrb/vvVZ01xqPB85wsapNgk8I3FYn +++SEguAbHKbSONoK4Q4UcLZ++LbmdQN5SVWouCygz/PgbcOnFRlDzBb6N7Zns8YxR 
++ihxLlfTE3c1CdLxvZmRUuMFuyD3p/hACYVB3OLmwuBM3jw5bSZI6nZpgUWiZitV+ ++knF++ttSN035DWw7eaO5FreVAOrrF1TiUNelCFRYLHlmAUuVZe24gfdM+viJN63Z ++3Ml1nQI+5ZKzA6twaYP1bKYnfi78nbJZCkOtP1UvXezvUvA+vrXW4sORnd1d4Z7m ++GJALaoX444MqfJHDUhxtqitEuG8rr24= ++-----END CERTIFICATE----- +diff --git a/bin/tests/system/nsupdate/CA/certs/srv01.crt01.example.nil.key b/bin/tests/system/nsupdate/CA/certs/srv01.crt01.example.nil.key +new file mode 100644 +index 0000000..8a1f5dc +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/certs/srv01.crt01.example.nil.key +@@ -0,0 +1,40 @@ ++-----BEGIN PRIVATE KEY----- ++MIIG/AIBADANBgkqhkiG9w0BAQEFAASCBuYwggbiAgEAAoIBgQC0mmOYBK29qym/ ++InBUMN/Ha3dduF4LzQ6gbHQ350t40Zbaypl9krHkGgoetBy+7syVjFIDk4XhQENo ++hoa8amJt1grK7k+TLe5r33r23PpEpjmALDh8ic3Zo5ns6CtIbYRBPQ4aH2heF4iP ++pdpNHDYmrrR+0v6iWdVnOlbCIWUN3Zdv8OW0HoeulzUN9Juu3Io+KKq4oqvunbLF ++kfZxmaWGyzGcBdablBNGqZrJpVVfbMzQhCfisbVzOQh/gC8EJpYMjSmbvl7MOa+i ++24KCVwfmskrZPch5bmdh80g3qE+fs8+EtlAIPemF6al2UIDnLG9llcviI0FYOXDn ++eCk9wtYgfCuHML2Yh2PtSq257XpLE6E9Yl62dGTvJaPdk0eq0yV+KtcJG1xZUPHU ++xpzyZIp8y8xSN1CIS4Q1QFEOoQaiYLaw44/52I5Fd30OfRGSIhUPozeExCXcFLQg ++ercWlnLUv01d0qtxQ0S+h0TSuHT3hj/SXd1e5nSr+8yjXaaEgAsCAwEAAQKCAYAG ++wzkzeglfbsdTZuC55lKazwVbNwoeewEvNKBtb3W+AmsZqjhxIUsT9X2nhKsG4z45 ++41U22RFMS/G6Oj9VUs54umkRDDdilXe2Blo+YCvm4iqJCB7dWvOgUKX03wSv45nu ++L3EVvVNVIqB0cItqE8JbVHNhxFjQj3iUMvUIs+Nqz39aK7UON45xFSxhZ2Vk+NEc ++Xr11yHGTr8f/6eVGf7BZCcbDxtwwWy0Vmkg3gL9foV1R+YDc1jarJ9mPnKcmCqPH ++lW5aT5putR0kO1vO6Rh7YfbHsqw334B9v1yjB4TgaJBKVHz5Z8KTvDFHodMtLqCC ++WV61O2h7gh4mQ6lEX5tjArqYdKMuWLAhZ+9AK9sSs4k+/nlvEbqAOCbkx7UmrZoF ++QkYfDt2Gjrk7WLwb9CCFIH0a2EEB2Fms1iHBK++S3iA4w0kfbePP0mo4GTsTwA45 ++DKDbYByzJzVUvGmowMaaypE548sopQ9K4kQJ9okLV+Gc1V7fjklYIIBmwDgqfIEC ++gcEA5Xt0qFjYn4H2gu2xyD0etx83CjKUx0mjwPvdwLg79HMb9P+OTTU+NzsHTa2I ++CTEJ1gA4VkqOtKxEBJQarQmJnVL/fiIp88h9fmLBQ48HLefH33S+bF3VWvKOgJeY ++uVyyWnhTwHNQv3RsO+DEcjqG3aJ2vdzCnDLBr9ATFV8uzpk1Op0h7QljUbhHv1mS ++ip2yQVeuJwtWFixjqEp7BuTluqk/UlGP39PBjgG04Tpw3MkiZNJgk/kSnN+YYOiu 
++i91rAoHBAMl4/WAaIL5lHiyakHAmE0fwUm+LUKPG1rF22qvqdBFV6OE14/VgTKNP ++LfcS7Ulzmt7hM7fbcJ0FYxeyPbbQRjBRsGXFzLU96VgoUxoI/IyFXFY83UJ0s63L ++RhZmg4GNvpO0qfOjL4wQtB3N6LPhxpF+pLkkHXSdFkUyocaXGUGOBC+ZEBaCd8Lm ++2GlGoi/f+zSl4xSY4crspS7GNG2+jcXh5K/OMdjEb1/tyRYnHf0D89WNmr10EeYG ++Pe9alaDv4QKBwDROcYa1yZqB6who2W8Ez216BfejE9pg5JxmTGNTGwda/XJYlbzv ++d+Dq6X1BIpLFxLIslqrEj8aKxW4tu+7ZD672bhn3+4v/lOsr41Vc0owaGqrKV2Un ++9iumweh5pWwKvvR0HNLu9ebNyKXVU7GduYPnNh2MpicoQpGqYc8rROX+ce2MR2Fa ++FHNaB7CL4CUMUMcoDyADK3oeYBDJ+UTXA64KSc6fnKWuBJ4zsWDtCzCn/9jvQug3 ++i5CKPpdIMhDbRQKBwEekz61B/UzXVnCUEjLfR1H4osfpqaZjyerXkhE6UUXs3+Be ++Mo8KTJZyTK0kvN62zmbdfG+wCA6+YKuHhayhyaPbGLhIK3Bz8KuZw1tpwK0Tq287 ++O48rQs3VkDndAHysdA3AXAM4j2rmcbZ7h3mYGu2YNGll71eNmOLIi4C8MI4AO3rV ++mkP25zGWt3RQWtJdes4RA3xKlVh86IyGjRRNg8rPdmwSDeXAjL53J1/KTz6vDiFt ++to4SXV8H7zRTaQwO4QKBwBwMU2zjMYXLJq0LAmn3h4h6CVZjPrqzR8PeSd/YM831 ++qdH7OvnkadqIdqMOo6BUA9PvUIY/B5c5zSSOJg9gh1PJ3vDLIZY23zkXigh7poBe ++YW6/PLvGQJ0Rzyz5pf6uPX8AWkAqTyI1Ox3NdxzirarxWDPznvA2KsVxVF/jxnvr ++TD/R5kCQUcxZuInguahGYd1JF3dArYh6NKRPyVO0r73LfVeZ+udlo/+ZMNVGlNNF ++v3Tmy/b2gUdEwuKFCxx97g== ++-----END PRIVATE KEY----- +diff --git a/bin/tests/system/nsupdate/CA/certs/srv01.crt01.example.nil.pem b/bin/tests/system/nsupdate/CA/certs/srv01.crt01.example.nil.pem +new file mode 100644 +index 0000000..4a4556c +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/certs/srv01.crt01.example.nil.pem +@@ -0,0 +1,93 @@ ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 8122792693893010840 (0x70b9f4eb2fa19598) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com ++ Validity ++ Not Before: Sep 7 20:28:03 2022 GMT ++ Not After : Aug 30 20:28:03 2052 GMT ++ Subject: CN=srv01.crt01.example.nil ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ RSA Public-Key: (3072 bit) ++ Modulus: ++ 00:b4:9a:63:98:04:ad:bd:ab:29:bf:22:70:54:30: ++ 
df:c7:6b:77:5d:b8:5e:0b:cd:0e:a0:6c:74:37:e7: ++ 4b:78:d1:96:da:ca:99:7d:92:b1:e4:1a:0a:1e:b4: ++ 1c:be:ee:cc:95:8c:52:03:93:85:e1:40:43:68:86: ++ 86:bc:6a:62:6d:d6:0a:ca:ee:4f:93:2d:ee:6b:df: ++ 7a:f6:dc:fa:44:a6:39:80:2c:38:7c:89:cd:d9:a3: ++ 99:ec:e8:2b:48:6d:84:41:3d:0e:1a:1f:68:5e:17: ++ 88:8f:a5:da:4d:1c:36:26:ae:b4:7e:d2:fe:a2:59: ++ d5:67:3a:56:c2:21:65:0d:dd:97:6f:f0:e5:b4:1e: ++ 87:ae:97:35:0d:f4:9b:ae:dc:8a:3e:28:aa:b8:a2: ++ ab:ee:9d:b2:c5:91:f6:71:99:a5:86:cb:31:9c:05: ++ d6:9b:94:13:46:a9:9a:c9:a5:55:5f:6c:cc:d0:84: ++ 27:e2:b1:b5:73:39:08:7f:80:2f:04:26:96:0c:8d: ++ 29:9b:be:5e:cc:39:af:a2:db:82:82:57:07:e6:b2: ++ 4a:d9:3d:c8:79:6e:67:61:f3:48:37:a8:4f:9f:b3: ++ cf:84:b6:50:08:3d:e9:85:e9:a9:76:50:80:e7:2c: ++ 6f:65:95:cb:e2:23:41:58:39:70:e7:78:29:3d:c2: ++ d6:20:7c:2b:87:30:bd:98:87:63:ed:4a:ad:b9:ed: ++ 7a:4b:13:a1:3d:62:5e:b6:74:64:ef:25:a3:dd:93: ++ 47:aa:d3:25:7e:2a:d7:09:1b:5c:59:50:f1:d4:c6: ++ 9c:f2:64:8a:7c:cb:cc:52:37:50:88:4b:84:35:40: ++ 51:0e:a1:06:a2:60:b6:b0:e3:8f:f9:d8:8e:45:77: ++ 7d:0e:7d:11:92:22:15:0f:a3:37:84:c4:25:dc:14: ++ b4:20:7a:b7:16:96:72:d4:bf:4d:5d:d2:ab:71:43: ++ 44:be:87:44:d2:b8:74:f7:86:3f:d2:5d:dd:5e:e6: ++ 74:ab:fb:cc:a3:5d:a6:84:80:0b ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Subject Alternative Name: ++ DNS:srv01.crt01.example.nil, IP Address:10.53.0.1 ++ Signature Algorithm: sha256WithRSAEncryption ++ 94:15:c0:4a:f1:aa:15:30:f7:cb:fe:f9:fa:ba:5f:f0:18:1f: ++ 7e:44:9a:b1:d4:9c:f9:78:d3:a7:c7:65:f2:d1:48:62:f4:cb: ++ 2f:20:ea:7c:af:08:cf:db:e2:0f:ab:c0:22:38:16:c5:0c:e5: ++ c7:6e:34:b1:ed:f6:02:1a:69:c0:09:d1:43:b3:30:77:fc:00: ++ 07:1b:da:88:97:5b:28:4e:e6:92:ca:00:cc:86:66:a9:a9:0a: ++ 75:be:74:88:7d:09:52:e7:a9:82:8f:a9:62:5e:b3:19:64:14: ++ e5:54:9e:6d:9c:98:39:8b:1f:92:92:59:f9:a2:46:75:96:11: ++ 71:8a:c8:71:05:10:2a:b8:f3:a4:19:db:eb:05:17:0a:dd:98: ++ 2c:58:54:3a:7f:8c:c2:26:9e:62:ca:04:dd:3c:99:1f:a0:64: ++ 69:fb:d6:04:c1:0b:8c:62:f6:2d:ea:bc:6c:a9:39:7b:f1:20: ++ 
b8:b7:04:3c:a7:65:fa:1f:db:22:e2:5b:8b:91:75:60:be:e1: ++ 1e:50:13:23:d5:4b:93:87:20:ec:46:6f:5f:94:dc:b1:60:d1: ++ 79:4b:5e:76:c9:6d:0d:be:a6:9a:6b:67:8b:a7:48:7e:51:b5: ++ 9b:9d:ec:a6:0c:c1:b3:d9:0b:26:8b:f2:7c:cf:61:d0:a2:a0: ++ 90:90:18:6b:b4:ca:56:b8:5e:5a:8b:78:71:c4:d1:fc:15:30: ++ 0a:03:26:74:85:3d:6c:ed:d3:e1:c9:c1:b0:d4:0c:b9:f3:04: ++ 93:0d:e3:a6:2c:a7:ee:e0:24:0d:dd:37:fc:6b:09:d5:b5:55: ++ 33:12:82:cf:f2:ba:0f:b0:e2:ce:f7:c0:ac:2c:7f:ab:f9:dd: ++ 87:b1:9b:95:f2:d7:32:98:dd:4c:b3:28:b7:0d:2b:2f:62:65: ++ ce:59:fb:95:d4:5f:9d:fd:83:5a:01:3b:5f:48:5f:3c:fa:4b: ++ 52:91:66:e1:49:8e:cd:09:78:f5:ce:f8:cd:5c:85:3e:ad:bd: ++ 1c:4e:e0:3f:0a:8b ++-----BEGIN CERTIFICATE----- ++MIIETzCCAregAwIBAgIIcLn06y+hlZgwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE ++BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp ++djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD ++DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDkwNzIwMjgwM1oYDzIwNTIwODMw ++MjAyODAzWjAiMSAwHgYDVQQDDBdzcnYwMS5jcnQwMS5leGFtcGxlLm5pbDCCAaIw ++DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALSaY5gErb2rKb8icFQw38drd124 ++XgvNDqBsdDfnS3jRltrKmX2SseQaCh60HL7uzJWMUgOTheFAQ2iGhrxqYm3WCsru ++T5Mt7mvfevbc+kSmOYAsOHyJzdmjmezoK0hthEE9DhofaF4XiI+l2k0cNiautH7S ++/qJZ1Wc6VsIhZQ3dl2/w5bQeh66XNQ30m67cij4oqriiq+6dssWR9nGZpYbLMZwF ++1puUE0apmsmlVV9szNCEJ+KxtXM5CH+ALwQmlgyNKZu+Xsw5r6LbgoJXB+ayStk9 ++yHluZ2HzSDeoT5+zz4S2UAg96YXpqXZQgOcsb2WVy+IjQVg5cOd4KT3C1iB8K4cw ++vZiHY+1KrbnteksToT1iXrZ0ZO8lo92TR6rTJX4q1wkbXFlQ8dTGnPJkinzLzFI3 ++UIhLhDVAUQ6hBqJgtrDjj/nYjkV3fQ59EZIiFQ+jN4TEJdwUtCB6txaWctS/TV3S ++q3FDRL6HRNK4dPeGP9Jd3V7mdKv7zKNdpoSACwIDAQABoywwKjAoBgNVHREEITAf ++ghdzcnYwMS5jcnQwMS5leGFtcGxlLm5pbIcECjUAATANBgkqhkiG9w0BAQsFAAOC ++AYEAlBXASvGqFTD3y/75+rpf8BgffkSasdSc+XjTp8dl8tFIYvTLLyDqfK8Iz9vi ++D6vAIjgWxQzlx240se32AhppwAnRQ7Mwd/wABxvaiJdbKE7mksoAzIZmqakKdb50 ++iH0JUuepgo+pYl6zGWQU5VSebZyYOYsfkpJZ+aJGdZYRcYrIcQUQKrjzpBnb6wUX ++Ct2YLFhUOn+MwiaeYsoE3TyZH6BkafvWBMELjGL2Leq8bKk5e/EguLcEPKdl+h/b 
++IuJbi5F1YL7hHlATI9VLk4cg7EZvX5TcsWDReUtedsltDb6mmmtni6dIflG1m53s ++pgzBs9kLJovyfM9h0KKgkJAYa7TKVrheWot4ccTR/BUwCgMmdIU9bO3T4cnBsNQM ++ufMEkw3jpiyn7uAkDd03/GsJ1bVVMxKCz/K6D7DizvfArCx/q/ndh7GblfLXMpjd ++TLMotw0rL2Jlzln7ldRfnf2DWgE7X0hfPPpLUpFm4UmOzQl49c74zVyFPq29HE7g ++PwqL ++-----END CERTIFICATE----- +diff --git a/bin/tests/system/nsupdate/CA/certs/srv01.crt02-expired.example.nil.key b/bin/tests/system/nsupdate/CA/certs/srv01.crt02-expired.example.nil.key +new file mode 100644 +index 0000000..307d26d +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/certs/srv01.crt02-expired.example.nil.key +@@ -0,0 +1,40 @@ ++-----BEGIN PRIVATE KEY----- ++MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQDsLIgBtYs6dFYN ++V7N1/QVYBe2Kq+gpDvFSNC4iYm5BdP94M7T/FXP6zpAQpP7SZhR7C3l71iCI+UEx ++FJpJNow4dEvz4lHn5W+9ZTjmnDCAPyRW9mieCXaBW1mBRFafHD9I8JW/YEAp36xC ++PcNvhS3DDgi29xIqUQC/z/5srtd93sFy+DIDX8k/St7l+iSQRvBKXwnYk0y/HGFM ++0tzbbPivc1u3O3robRy7JiNHh/1QBg/xtYiKqCVpV+NGO9JrUvtaAfaW6SrPE+cW ++TP1a9h8Ljfclo2jXFfxcSEkF4oUkcFex2AUkriY6AJtyqEcFxfN8LfJYcjf7wYtP ++Qo/dmqxbrm8hYq0pgbmLS2z/YZkPfAnTbQAgLbEMAGyZTJLcDhEt57p7x8ixoxph +++Mwsrxe228w2Av77ZhV3hHDNQiW3FmQorp2MgYWg4FCCqujprFH8K2NEsQi4kNeM ++HCOyGwhZhdXdOUT3R15ICDTrLN91Rwi2tuYy7XZ0d849Tf4CsTMCAwEAAQKCAYA+ ++B7AtKr6HutiDJp63BZ6qsNvkCSSv7AHMAnJ/i3TD8nPK4WHPgZX1sN070eov3qnQ ++a4Ib2XCwKS9LMcsYIaCQj1MHmlDC5IsFpplcUHeYp3zm7k8p+vhKH3ERt548qhGh ++GbdrDV+s39eBinFTUBpl2cDGNXxq6t2Ug4+iggWNRL1wcenI4xabbhG/O4Tw9ADW ++t8GBRabppw2TPOrPIv7qLhVPueqdM1NRgEHR3tDUfNMhO/nB2UoCMhg6cSniEGf8 ++32NDQHI7ajIcETnn9z0tAP67+w5VUYMlP3+VGr8v4UZCL6Qal9Swv4XWPqHjHoIi ++q5by4H6HEYeoUPT5hCJjMdXlHrWWUgsX/YdgY4tJJBowMR6rovA7Ypy71FxRnXkP ++2iD36jZmDI1mBQ41Yx7P5iM+veRQmBOH/x70Bd9ZbSLlmeTX5dhjAxNShjZxxeUy ++QbQGe3JLzdCGzRY9TKFMmLa/qs+Ggqxopdh4AZuHtQpKUej6g9GI9Eo0IIWTKEkC ++gcEA+EC1ms0MEIIq/JJrsN4ByEyZXbuNKny/04h8dfkT0lTXk8QihQLke6ZLLOl9 ++mwgO9NOHkghtU9wdNXg/dNR2VDevUZCjIlYZT6stjEX7X0oNACJwSeBwEXxn6I94 ++umuvJ9hq9WchTnQA4lrIXCETIUxThjm7jfJe9RKzghQkCfGnxzclXg0viqxvm21j 
++eg0iide23y9xpFd8Qn1oq+hhzcKqHWdkHuDjRJD5gfAEPD7MJ7oT5jR4szQoIUcP ++4C+NAoHBAPOLUwAwcY5zUBAZ7oZ8wRgnAFZjHdYYWDr04ahA1DpwPeX67MczdGud ++L7hUq3APa3qcj4hrDL2jkF6FkbURhtdguMccb4hBENyYr+qjoTAfYJIZwJ9akQ/j ++x8u+5kGsN+ozaKikHFsI2xXHJhbShICL3sIfNeqGFB2onp/dv8WdywTnSf2aXGjf ++NFvVJYnaEOGiTM7uIf/F0n8Iae8HSdPZXtDTXNjnLFzzHjvFe1mfyYO55BDkxmr2 ++PDnhVkbTvwKBwQCNPwQU16WNnwImQojTUP1ioXKBSjy/d8sM6BMobFdCzNL7WBTr ++6QFm+O681vyIQMWBtvjjtbe+hvZ3fbtdFaVdtXEiz1CCMMql8ZcwwICNbuyGrxGE ++dxZMXKQiRb9DEhHOcewpRExG/umh4FUvVgI0Z+D99csosEYm2kUYNa1rmvsC9fVk ++1cu+8u1tWYfH4cFM/FcoFS5revtQOVpctRMwpxlzMWhdyUaFtJbBv3YpcPFniQ/Z ++YvFpxLswc+Ysf+ECgcEAhEeMUXH+e6zOM7CiCZIBHykv2bwEHKEkawFO/6AWpZcJ ++R7y+loOwHDNIFAqJA1icvAAFRcc/KFGKvIw30+0tHBaAxkT/nzYX/nlAM2Wkywp/ ++3Vr3cJY0bDj/7/5D+i+cPyylD9PzQs7QkEeWvJajOV6/Ixjoo/UnP+SyI4rB+of2 ++GTe2zHPm9V8mhSqENReoS6Vnqo1VEiNUbYMYZqfCxbou8aWbrIQDaIj0RurAULGl ++NlLlOPfJfZc4pwdpYRbpAoHAJ7Vxdfn1ec+8xIpjn6dQzWDQWrOw+4pyi54sPlVb ++RUWC9nYDbTwEKkWdQ0FdyJkU7tiYIIFlVNfPAa1lkujIiC5zxe41VJ1598pXPEXn ++a6UB1yn2Ay7kmCq7/qOD6IRkAS8TKyzM6Z7nFgglMEPPdzYBkeKP/aWl75el1B4e ++mpGz7o6u6kSHXt0UWZ7VT9AspEw0oyHIoaXmYHvpXjGtWghn6MKPMngKIb87Xjvt ++bKvcUjDKJOb0BURXpKzS8Rf9 ++-----END PRIVATE KEY----- +diff --git a/bin/tests/system/nsupdate/CA/certs/srv01.crt02-expired.example.nil.pem b/bin/tests/system/nsupdate/CA/certs/srv01.crt02-expired.example.nil.pem +new file mode 100644 +index 0000000..3fa0b9a +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/certs/srv01.crt02-expired.example.nil.pem +@@ -0,0 +1,93 @@ ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 8122792693893010841 (0x70b9f4eb2fa19599) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com ++ Validity ++ Not Before: Sep 6 20:34:09 2022 GMT ++ Not After : Sep 7 20:34:09 2022 GMT ++ Subject: CN=srv01.crt02-expired.example.nil ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ RSA Public-Key: (3072 bit) ++ 
Modulus: ++ 00:ec:2c:88:01:b5:8b:3a:74:56:0d:57:b3:75:fd: ++ 05:58:05:ed:8a:ab:e8:29:0e:f1:52:34:2e:22:62: ++ 6e:41:74:ff:78:33:b4:ff:15:73:fa:ce:90:10:a4: ++ fe:d2:66:14:7b:0b:79:7b:d6:20:88:f9:41:31:14: ++ 9a:49:36:8c:38:74:4b:f3:e2:51:e7:e5:6f:bd:65: ++ 38:e6:9c:30:80:3f:24:56:f6:68:9e:09:76:81:5b: ++ 59:81:44:56:9f:1c:3f:48:f0:95:bf:60:40:29:df: ++ ac:42:3d:c3:6f:85:2d:c3:0e:08:b6:f7:12:2a:51: ++ 00:bf:cf:fe:6c:ae:d7:7d:de:c1:72:f8:32:03:5f: ++ c9:3f:4a:de:e5:fa:24:90:46:f0:4a:5f:09:d8:93: ++ 4c:bf:1c:61:4c:d2:dc:db:6c:f8:af:73:5b:b7:3b: ++ 7a:e8:6d:1c:bb:26:23:47:87:fd:50:06:0f:f1:b5: ++ 88:8a:a8:25:69:57:e3:46:3b:d2:6b:52:fb:5a:01: ++ f6:96:e9:2a:cf:13:e7:16:4c:fd:5a:f6:1f:0b:8d: ++ f7:25:a3:68:d7:15:fc:5c:48:49:05:e2:85:24:70: ++ 57:b1:d8:05:24:ae:26:3a:00:9b:72:a8:47:05:c5: ++ f3:7c:2d:f2:58:72:37:fb:c1:8b:4f:42:8f:dd:9a: ++ ac:5b:ae:6f:21:62:ad:29:81:b9:8b:4b:6c:ff:61: ++ 99:0f:7c:09:d3:6d:00:20:2d:b1:0c:00:6c:99:4c: ++ 92:dc:0e:11:2d:e7:ba:7b:c7:c8:b1:a3:1a:61:f8: ++ cc:2c:af:17:b6:db:cc:36:02:fe:fb:66:15:77:84: ++ 70:cd:42:25:b7:16:64:28:ae:9d:8c:81:85:a0:e0: ++ 50:82:aa:e8:e9:ac:51:fc:2b:63:44:b1:08:b8:90: ++ d7:8c:1c:23:b2:1b:08:59:85:d5:dd:39:44:f7:47: ++ 5e:48:08:34:eb:2c:df:75:47:08:b6:b6:e6:32:ed: ++ 76:74:77:ce:3d:4d:fe:02:b1:33 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Subject Alternative Name: ++ DNS:srv01.crt02-expired.example.nil, IP Address:10.53.0.1 ++ Signature Algorithm: sha256WithRSAEncryption ++ 2a:52:c4:cb:a9:2f:f7:2b:ed:04:b5:03:d5:06:59:ed:5c:7c: ++ b7:00:9e:c4:33:90:fe:d0:b0:18:f3:f2:06:30:54:18:fe:34: ++ cb:ea:61:4f:9c:23:67:3c:ae:ed:20:df:82:52:ec:59:88:45: ++ ad:3c:6c:a7:34:24:1c:4d:66:ab:71:3d:59:8c:ef:cd:a0:e2: ++ 7b:59:2d:43:94:cd:f5:0a:3c:4e:81:24:e8:fd:c6:d0:fd:ad: ++ 6f:cc:29:5b:67:0b:b7:ee:43:38:a4:91:c2:d9:3b:f8:d6:97: ++ bc:92:dd:ec:a1:ab:85:35:44:f4:0a:df:ad:8d:8c:52:c3:49: ++ 7e:39:10:a1:13:43:78:71:e2:92:aa:31:3d:d9:94:15:7f:86: ++ c8:aa:b4:a1:6d:bf:eb:55:b1:d7:41:6f:c3:7d:88:5e:9c:b7: ++ 
b1:4b:0d:a7:17:4f:3e:4a:46:3f:6f:48:27:8c:d0:e5:51:fc: ++ 42:ba:c5:b9:4f:63:6f:2e:f2:fd:0c:c0:6e:23:b4:59:93:68: ++ a4:2d:16:ce:f4:7b:3a:45:1d:a0:6e:98:0b:f7:6a:e6:75:0c: ++ db:56:19:6b:88:f0:7f:6b:08:f8:fc:bb:d1:3f:25:25:1a:6c: ++ 8e:34:cb:91:18:54:d5:2d:ce:9c:d0:b7:c3:bc:b5:0a:e0:b9: ++ 73:6f:4d:ad:6b:3c:b6:49:ef:c0:10:13:c7:0a:78:4d:98:7d: ++ cb:84:a1:29:40:8c:dd:31:7d:ae:c4:f5:25:5d:b9:74:b2:f5: ++ e2:2b:e0:43:c8:50:61:a3:a8:26:1a:03:ab:1a:24:3b:13:56: ++ da:0d:ee:ff:2f:bd:d5:77:82:72:63:b8:aa:e1:18:f7:3b:c1: ++ a1:f8:51:b1:70:b9:25:39:df:a3:41:79:d7:2b:ec:32:f6:cb: ++ 30:28:d2:1e:f1:b4:e1:80:03:9f:c2:0f:36:85:82:5e:39:ba: ++ 9e:eb:67:76:42:93:bf:e0:df:64:b2:b5:5f:98:a1:45:3f:4a: ++ 1f:5c:c5:04:10:f6 ++-----BEGIN CERTIFICATE----- ++MIIEXTCCAsWgAwIBAgIIcLn06y+hlZkwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE ++BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp ++djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD ++DBNjYS50ZXN0LmV4YW1wbGUuY29tMB4XDTIyMDkwNjIwMzQwOVoXDTIyMDkwNzIw ++MzQwOVowKjEoMCYGA1UEAwwfc3J2MDEuY3J0MDItZXhwaXJlZC5leGFtcGxlLm5p ++bDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOwsiAG1izp0Vg1Xs3X9 ++BVgF7Yqr6CkO8VI0LiJibkF0/3gztP8Vc/rOkBCk/tJmFHsLeXvWIIj5QTEUmkk2 ++jDh0S/PiUeflb71lOOacMIA/JFb2aJ4JdoFbWYFEVp8cP0jwlb9gQCnfrEI9w2+F ++LcMOCLb3EipRAL/P/myu133ewXL4MgNfyT9K3uX6JJBG8EpfCdiTTL8cYUzS3Nts +++K9zW7c7euhtHLsmI0eH/VAGD/G1iIqoJWlX40Y70mtS+1oB9pbpKs8T5xZM/Vr2 ++HwuN9yWjaNcV/FxISQXihSRwV7HYBSSuJjoAm3KoRwXF83wt8lhyN/vBi09Cj92a ++rFuubyFirSmBuYtLbP9hmQ98CdNtACAtsQwAbJlMktwOES3nunvHyLGjGmH4zCyv ++F7bbzDYC/vtmFXeEcM1CJbcWZCiunYyBhaDgUIKq6OmsUfwrY0SxCLiQ14wcI7Ib ++CFmF1d05RPdHXkgINOss33VHCLa25jLtdnR3zj1N/gKxMwIDAQABozQwMjAwBgNV ++HREEKTAngh9zcnYwMS5jcnQwMi1leHBpcmVkLmV4YW1wbGUubmlshwQKNQABMA0G ++CSqGSIb3DQEBCwUAA4IBgQAqUsTLqS/3K+0EtQPVBlntXHy3AJ7EM5D+0LAY8/IG ++MFQY/jTL6mFPnCNnPK7tIN+CUuxZiEWtPGynNCQcTWarcT1ZjO/NoOJ7WS1DlM31 ++CjxOgSTo/cbQ/a1vzClbZwu37kM4pJHC2Tv41pe8kt3soauFNUT0Ct+tjYxSw0l+ 
++ORChE0N4ceKSqjE92ZQVf4bIqrShbb/rVbHXQW/DfYhenLexSw2nF08+SkY/b0gn ++jNDlUfxCusW5T2NvLvL9DMBuI7RZk2ikLRbO9Hs6RR2gbpgL92rmdQzbVhlriPB/ ++awj4/LvRPyUlGmyONMuRGFTVLc6c0LfDvLUK4Llzb02tazy2Se/AEBPHCnhNmH3L ++hKEpQIzdMX2uxPUlXbl0svXiK+BDyFBho6gmGgOrGiQ7E1baDe7/L73Vd4JyY7iq ++4Rj3O8Gh+FGxcLklOd+jQXnXK+wy9sswKNIe8bThgAOfwg82hYJeObqe62d2QpO/ ++4N9ksrVfmKFFP0ofXMUEEPY= ++-----END CERTIFICATE----- +diff --git a/bin/tests/system/nsupdate/CA/index.txt b/bin/tests/system/nsupdate/CA/index.txt +new file mode 100644 +index 0000000..020155f +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/index.txt +@@ -0,0 +1,4 @@ ++V 20520830202803Z 70B9F4EB2FA19598 unknown /CN=srv01.crt01.example.nil ++V 220907203409Z 70B9F4EB2FA19599 unknown /CN=srv01.crt02-expired.example.nil ++V 20520831082017Z 70B9F4EB2FA1959A unknown /CN=srv01.client01.example.nil ++V 220908081418Z 70B9F4EB2FA1959B unknown /CN=srv01.client02-expired.example.nil +diff --git a/bin/tests/system/nsupdate/CA/index.txt.attr b/bin/tests/system/nsupdate/CA/index.txt.attr +new file mode 100644 +index 0000000..8f7e63a +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/index.txt.attr +@@ -0,0 +1 @@ ++unique_subject = yes +diff --git a/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19598.pem b/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19598.pem +new file mode 100644 +index 0000000..4a4556c +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19598.pem +@@ -0,0 +1,93 @@ ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 8122792693893010840 (0x70b9f4eb2fa19598) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com ++ Validity ++ Not Before: Sep 7 20:28:03 2022 GMT ++ Not After : Aug 30 20:28:03 2052 GMT ++ Subject: CN=srv01.crt01.example.nil ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ RSA Public-Key: (3072 bit) ++ Modulus: ++ 00:b4:9a:63:98:04:ad:bd:ab:29:bf:22:70:54:30: ++ 
df:c7:6b:77:5d:b8:5e:0b:cd:0e:a0:6c:74:37:e7: ++ 4b:78:d1:96:da:ca:99:7d:92:b1:e4:1a:0a:1e:b4: ++ 1c:be:ee:cc:95:8c:52:03:93:85:e1:40:43:68:86: ++ 86:bc:6a:62:6d:d6:0a:ca:ee:4f:93:2d:ee:6b:df: ++ 7a:f6:dc:fa:44:a6:39:80:2c:38:7c:89:cd:d9:a3: ++ 99:ec:e8:2b:48:6d:84:41:3d:0e:1a:1f:68:5e:17: ++ 88:8f:a5:da:4d:1c:36:26:ae:b4:7e:d2:fe:a2:59: ++ d5:67:3a:56:c2:21:65:0d:dd:97:6f:f0:e5:b4:1e: ++ 87:ae:97:35:0d:f4:9b:ae:dc:8a:3e:28:aa:b8:a2: ++ ab:ee:9d:b2:c5:91:f6:71:99:a5:86:cb:31:9c:05: ++ d6:9b:94:13:46:a9:9a:c9:a5:55:5f:6c:cc:d0:84: ++ 27:e2:b1:b5:73:39:08:7f:80:2f:04:26:96:0c:8d: ++ 29:9b:be:5e:cc:39:af:a2:db:82:82:57:07:e6:b2: ++ 4a:d9:3d:c8:79:6e:67:61:f3:48:37:a8:4f:9f:b3: ++ cf:84:b6:50:08:3d:e9:85:e9:a9:76:50:80:e7:2c: ++ 6f:65:95:cb:e2:23:41:58:39:70:e7:78:29:3d:c2: ++ d6:20:7c:2b:87:30:bd:98:87:63:ed:4a:ad:b9:ed: ++ 7a:4b:13:a1:3d:62:5e:b6:74:64:ef:25:a3:dd:93: ++ 47:aa:d3:25:7e:2a:d7:09:1b:5c:59:50:f1:d4:c6: ++ 9c:f2:64:8a:7c:cb:cc:52:37:50:88:4b:84:35:40: ++ 51:0e:a1:06:a2:60:b6:b0:e3:8f:f9:d8:8e:45:77: ++ 7d:0e:7d:11:92:22:15:0f:a3:37:84:c4:25:dc:14: ++ b4:20:7a:b7:16:96:72:d4:bf:4d:5d:d2:ab:71:43: ++ 44:be:87:44:d2:b8:74:f7:86:3f:d2:5d:dd:5e:e6: ++ 74:ab:fb:cc:a3:5d:a6:84:80:0b ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Subject Alternative Name: ++ DNS:srv01.crt01.example.nil, IP Address:10.53.0.1 ++ Signature Algorithm: sha256WithRSAEncryption ++ 94:15:c0:4a:f1:aa:15:30:f7:cb:fe:f9:fa:ba:5f:f0:18:1f: ++ 7e:44:9a:b1:d4:9c:f9:78:d3:a7:c7:65:f2:d1:48:62:f4:cb: ++ 2f:20:ea:7c:af:08:cf:db:e2:0f:ab:c0:22:38:16:c5:0c:e5: ++ c7:6e:34:b1:ed:f6:02:1a:69:c0:09:d1:43:b3:30:77:fc:00: ++ 07:1b:da:88:97:5b:28:4e:e6:92:ca:00:cc:86:66:a9:a9:0a: ++ 75:be:74:88:7d:09:52:e7:a9:82:8f:a9:62:5e:b3:19:64:14: ++ e5:54:9e:6d:9c:98:39:8b:1f:92:92:59:f9:a2:46:75:96:11: ++ 71:8a:c8:71:05:10:2a:b8:f3:a4:19:db:eb:05:17:0a:dd:98: ++ 2c:58:54:3a:7f:8c:c2:26:9e:62:ca:04:dd:3c:99:1f:a0:64: ++ 69:fb:d6:04:c1:0b:8c:62:f6:2d:ea:bc:6c:a9:39:7b:f1:20: ++ 
b8:b7:04:3c:a7:65:fa:1f:db:22:e2:5b:8b:91:75:60:be:e1: ++ 1e:50:13:23:d5:4b:93:87:20:ec:46:6f:5f:94:dc:b1:60:d1: ++ 79:4b:5e:76:c9:6d:0d:be:a6:9a:6b:67:8b:a7:48:7e:51:b5: ++ 9b:9d:ec:a6:0c:c1:b3:d9:0b:26:8b:f2:7c:cf:61:d0:a2:a0: ++ 90:90:18:6b:b4:ca:56:b8:5e:5a:8b:78:71:c4:d1:fc:15:30: ++ 0a:03:26:74:85:3d:6c:ed:d3:e1:c9:c1:b0:d4:0c:b9:f3:04: ++ 93:0d:e3:a6:2c:a7:ee:e0:24:0d:dd:37:fc:6b:09:d5:b5:55: ++ 33:12:82:cf:f2:ba:0f:b0:e2:ce:f7:c0:ac:2c:7f:ab:f9:dd: ++ 87:b1:9b:95:f2:d7:32:98:dd:4c:b3:28:b7:0d:2b:2f:62:65: ++ ce:59:fb:95:d4:5f:9d:fd:83:5a:01:3b:5f:48:5f:3c:fa:4b: ++ 52:91:66:e1:49:8e:cd:09:78:f5:ce:f8:cd:5c:85:3e:ad:bd: ++ 1c:4e:e0:3f:0a:8b ++-----BEGIN CERTIFICATE----- ++MIIETzCCAregAwIBAgIIcLn06y+hlZgwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE ++BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp ++djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD ++DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDkwNzIwMjgwM1oYDzIwNTIwODMw ++MjAyODAzWjAiMSAwHgYDVQQDDBdzcnYwMS5jcnQwMS5leGFtcGxlLm5pbDCCAaIw ++DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALSaY5gErb2rKb8icFQw38drd124 ++XgvNDqBsdDfnS3jRltrKmX2SseQaCh60HL7uzJWMUgOTheFAQ2iGhrxqYm3WCsru ++T5Mt7mvfevbc+kSmOYAsOHyJzdmjmezoK0hthEE9DhofaF4XiI+l2k0cNiautH7S ++/qJZ1Wc6VsIhZQ3dl2/w5bQeh66XNQ30m67cij4oqriiq+6dssWR9nGZpYbLMZwF ++1puUE0apmsmlVV9szNCEJ+KxtXM5CH+ALwQmlgyNKZu+Xsw5r6LbgoJXB+ayStk9 ++yHluZ2HzSDeoT5+zz4S2UAg96YXpqXZQgOcsb2WVy+IjQVg5cOd4KT3C1iB8K4cw ++vZiHY+1KrbnteksToT1iXrZ0ZO8lo92TR6rTJX4q1wkbXFlQ8dTGnPJkinzLzFI3 ++UIhLhDVAUQ6hBqJgtrDjj/nYjkV3fQ59EZIiFQ+jN4TEJdwUtCB6txaWctS/TV3S ++q3FDRL6HRNK4dPeGP9Jd3V7mdKv7zKNdpoSACwIDAQABoywwKjAoBgNVHREEITAf ++ghdzcnYwMS5jcnQwMS5leGFtcGxlLm5pbIcECjUAATANBgkqhkiG9w0BAQsFAAOC ++AYEAlBXASvGqFTD3y/75+rpf8BgffkSasdSc+XjTp8dl8tFIYvTLLyDqfK8Iz9vi ++D6vAIjgWxQzlx240se32AhppwAnRQ7Mwd/wABxvaiJdbKE7mksoAzIZmqakKdb50 ++iH0JUuepgo+pYl6zGWQU5VSebZyYOYsfkpJZ+aJGdZYRcYrIcQUQKrjzpBnb6wUX ++Ct2YLFhUOn+MwiaeYsoE3TyZH6BkafvWBMELjGL2Leq8bKk5e/EguLcEPKdl+h/b 
++IuJbi5F1YL7hHlATI9VLk4cg7EZvX5TcsWDReUtedsltDb6mmmtni6dIflG1m53s ++pgzBs9kLJovyfM9h0KKgkJAYa7TKVrheWot4ccTR/BUwCgMmdIU9bO3T4cnBsNQM ++ufMEkw3jpiyn7uAkDd03/GsJ1bVVMxKCz/K6D7DizvfArCx/q/ndh7GblfLXMpjd ++TLMotw0rL2Jlzln7ldRfnf2DWgE7X0hfPPpLUpFm4UmOzQl49c74zVyFPq29HE7g ++PwqL ++-----END CERTIFICATE----- +diff --git a/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19599.pem b/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19599.pem +new file mode 100644 +index 0000000..3fa0b9a +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19599.pem +@@ -0,0 +1,93 @@ ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 8122792693893010841 (0x70b9f4eb2fa19599) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com ++ Validity ++ Not Before: Sep 6 20:34:09 2022 GMT ++ Not After : Sep 7 20:34:09 2022 GMT ++ Subject: CN=srv01.crt02-expired.example.nil ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ RSA Public-Key: (3072 bit) ++ Modulus: ++ 00:ec:2c:88:01:b5:8b:3a:74:56:0d:57:b3:75:fd: ++ 05:58:05:ed:8a:ab:e8:29:0e:f1:52:34:2e:22:62: ++ 6e:41:74:ff:78:33:b4:ff:15:73:fa:ce:90:10:a4: ++ fe:d2:66:14:7b:0b:79:7b:d6:20:88:f9:41:31:14: ++ 9a:49:36:8c:38:74:4b:f3:e2:51:e7:e5:6f:bd:65: ++ 38:e6:9c:30:80:3f:24:56:f6:68:9e:09:76:81:5b: ++ 59:81:44:56:9f:1c:3f:48:f0:95:bf:60:40:29:df: ++ ac:42:3d:c3:6f:85:2d:c3:0e:08:b6:f7:12:2a:51: ++ 00:bf:cf:fe:6c:ae:d7:7d:de:c1:72:f8:32:03:5f: ++ c9:3f:4a:de:e5:fa:24:90:46:f0:4a:5f:09:d8:93: ++ 4c:bf:1c:61:4c:d2:dc:db:6c:f8:af:73:5b:b7:3b: ++ 7a:e8:6d:1c:bb:26:23:47:87:fd:50:06:0f:f1:b5: ++ 88:8a:a8:25:69:57:e3:46:3b:d2:6b:52:fb:5a:01: ++ f6:96:e9:2a:cf:13:e7:16:4c:fd:5a:f6:1f:0b:8d: ++ f7:25:a3:68:d7:15:fc:5c:48:49:05:e2:85:24:70: ++ 57:b1:d8:05:24:ae:26:3a:00:9b:72:a8:47:05:c5: ++ f3:7c:2d:f2:58:72:37:fb:c1:8b:4f:42:8f:dd:9a: ++ ac:5b:ae:6f:21:62:ad:29:81:b9:8b:4b:6c:ff:61: ++ 
99:0f:7c:09:d3:6d:00:20:2d:b1:0c:00:6c:99:4c: ++ 92:dc:0e:11:2d:e7:ba:7b:c7:c8:b1:a3:1a:61:f8: ++ cc:2c:af:17:b6:db:cc:36:02:fe:fb:66:15:77:84: ++ 70:cd:42:25:b7:16:64:28:ae:9d:8c:81:85:a0:e0: ++ 50:82:aa:e8:e9:ac:51:fc:2b:63:44:b1:08:b8:90: ++ d7:8c:1c:23:b2:1b:08:59:85:d5:dd:39:44:f7:47: ++ 5e:48:08:34:eb:2c:df:75:47:08:b6:b6:e6:32:ed: ++ 76:74:77:ce:3d:4d:fe:02:b1:33 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Subject Alternative Name: ++ DNS:srv01.crt02-expired.example.nil, IP Address:10.53.0.1 ++ Signature Algorithm: sha256WithRSAEncryption ++ 2a:52:c4:cb:a9:2f:f7:2b:ed:04:b5:03:d5:06:59:ed:5c:7c: ++ b7:00:9e:c4:33:90:fe:d0:b0:18:f3:f2:06:30:54:18:fe:34: ++ cb:ea:61:4f:9c:23:67:3c:ae:ed:20:df:82:52:ec:59:88:45: ++ ad:3c:6c:a7:34:24:1c:4d:66:ab:71:3d:59:8c:ef:cd:a0:e2: ++ 7b:59:2d:43:94:cd:f5:0a:3c:4e:81:24:e8:fd:c6:d0:fd:ad: ++ 6f:cc:29:5b:67:0b:b7:ee:43:38:a4:91:c2:d9:3b:f8:d6:97: ++ bc:92:dd:ec:a1:ab:85:35:44:f4:0a:df:ad:8d:8c:52:c3:49: ++ 7e:39:10:a1:13:43:78:71:e2:92:aa:31:3d:d9:94:15:7f:86: ++ c8:aa:b4:a1:6d:bf:eb:55:b1:d7:41:6f:c3:7d:88:5e:9c:b7: ++ b1:4b:0d:a7:17:4f:3e:4a:46:3f:6f:48:27:8c:d0:e5:51:fc: ++ 42:ba:c5:b9:4f:63:6f:2e:f2:fd:0c:c0:6e:23:b4:59:93:68: ++ a4:2d:16:ce:f4:7b:3a:45:1d:a0:6e:98:0b:f7:6a:e6:75:0c: ++ db:56:19:6b:88:f0:7f:6b:08:f8:fc:bb:d1:3f:25:25:1a:6c: ++ 8e:34:cb:91:18:54:d5:2d:ce:9c:d0:b7:c3:bc:b5:0a:e0:b9: ++ 73:6f:4d:ad:6b:3c:b6:49:ef:c0:10:13:c7:0a:78:4d:98:7d: ++ cb:84:a1:29:40:8c:dd:31:7d:ae:c4:f5:25:5d:b9:74:b2:f5: ++ e2:2b:e0:43:c8:50:61:a3:a8:26:1a:03:ab:1a:24:3b:13:56: ++ da:0d:ee:ff:2f:bd:d5:77:82:72:63:b8:aa:e1:18:f7:3b:c1: ++ a1:f8:51:b1:70:b9:25:39:df:a3:41:79:d7:2b:ec:32:f6:cb: ++ 30:28:d2:1e:f1:b4:e1:80:03:9f:c2:0f:36:85:82:5e:39:ba: ++ 9e:eb:67:76:42:93:bf:e0:df:64:b2:b5:5f:98:a1:45:3f:4a: ++ 1f:5c:c5:04:10:f6 ++-----BEGIN CERTIFICATE----- ++MIIEXTCCAsWgAwIBAgIIcLn06y+hlZkwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE ++BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp 
++djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD ++DBNjYS50ZXN0LmV4YW1wbGUuY29tMB4XDTIyMDkwNjIwMzQwOVoXDTIyMDkwNzIw ++MzQwOVowKjEoMCYGA1UEAwwfc3J2MDEuY3J0MDItZXhwaXJlZC5leGFtcGxlLm5p ++bDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOwsiAG1izp0Vg1Xs3X9 ++BVgF7Yqr6CkO8VI0LiJibkF0/3gztP8Vc/rOkBCk/tJmFHsLeXvWIIj5QTEUmkk2 ++jDh0S/PiUeflb71lOOacMIA/JFb2aJ4JdoFbWYFEVp8cP0jwlb9gQCnfrEI9w2+F ++LcMOCLb3EipRAL/P/myu133ewXL4MgNfyT9K3uX6JJBG8EpfCdiTTL8cYUzS3Nts +++K9zW7c7euhtHLsmI0eH/VAGD/G1iIqoJWlX40Y70mtS+1oB9pbpKs8T5xZM/Vr2 ++HwuN9yWjaNcV/FxISQXihSRwV7HYBSSuJjoAm3KoRwXF83wt8lhyN/vBi09Cj92a ++rFuubyFirSmBuYtLbP9hmQ98CdNtACAtsQwAbJlMktwOES3nunvHyLGjGmH4zCyv ++F7bbzDYC/vtmFXeEcM1CJbcWZCiunYyBhaDgUIKq6OmsUfwrY0SxCLiQ14wcI7Ib ++CFmF1d05RPdHXkgINOss33VHCLa25jLtdnR3zj1N/gKxMwIDAQABozQwMjAwBgNV ++HREEKTAngh9zcnYwMS5jcnQwMi1leHBpcmVkLmV4YW1wbGUubmlshwQKNQABMA0G ++CSqGSIb3DQEBCwUAA4IBgQAqUsTLqS/3K+0EtQPVBlntXHy3AJ7EM5D+0LAY8/IG ++MFQY/jTL6mFPnCNnPK7tIN+CUuxZiEWtPGynNCQcTWarcT1ZjO/NoOJ7WS1DlM31 ++CjxOgSTo/cbQ/a1vzClbZwu37kM4pJHC2Tv41pe8kt3soauFNUT0Ct+tjYxSw0l+ ++ORChE0N4ceKSqjE92ZQVf4bIqrShbb/rVbHXQW/DfYhenLexSw2nF08+SkY/b0gn ++jNDlUfxCusW5T2NvLvL9DMBuI7RZk2ikLRbO9Hs6RR2gbpgL92rmdQzbVhlriPB/ ++awj4/LvRPyUlGmyONMuRGFTVLc6c0LfDvLUK4Llzb02tazy2Se/AEBPHCnhNmH3L ++hKEpQIzdMX2uxPUlXbl0svXiK+BDyFBho6gmGgOrGiQ7E1baDe7/L73Vd4JyY7iq ++4Rj3O8Gh+FGxcLklOd+jQXnXK+wy9sswKNIe8bThgAOfwg82hYJeObqe62d2QpO/ ++4N9ksrVfmKFFP0ofXMUEEPY= ++-----END CERTIFICATE----- +diff --git a/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959A.pem b/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959A.pem +new file mode 100644 +index 0000000..f546d35 +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959A.pem +@@ -0,0 +1,93 @@ ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 8122792693893010842 (0x70b9f4eb2fa1959a) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com ++ 
Validity ++ Not Before: Sep 8 08:20:17 2022 GMT ++ Not After : Aug 31 08:20:17 2052 GMT ++ Subject: CN=srv01.client01.example.nil ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ RSA Public-Key: (3072 bit) ++ Modulus: ++ 00:ab:60:2e:9c:61:e3:89:c6:52:2b:bc:e9:e1:05: ++ fd:18:65:42:20:f6:56:16:40:33:d2:cb:9f:f7:ef: ++ 22:54:a7:c9:55:70:ca:52:f0:e2:a2:58:38:7f:10: ++ ad:2b:05:e0:11:b6:69:21:7f:2d:38:56:dd:d5:e4: ++ f3:de:a7:32:35:f7:33:2a:52:80:ae:b7:d6:7c:35: ++ 74:c3:0c:8a:c3:3a:18:61:68:73:62:58:56:ff:78: ++ 25:57:1c:7b:be:98:88:21:dd:1c:8a:13:a5:9a:52: ++ 48:98:d9:3d:c4:28:a6:7e:9b:11:56:7e:ce:09:bb: ++ 51:89:8a:a8:1b:00:b5:73:2b:41:93:b1:62:40:30: ++ 29:ea:f6:a3:e7:bc:f0:e9:9e:07:2b:ae:a9:a0:1d: ++ 4d:d9:f8:18:4d:83:47:4e:68:ee:57:c8:55:15:86: ++ 3c:6d:1e:f5:31:f1:de:cf:c2:7e:6b:8e:22:5a:c5: ++ 76:af:d0:01:de:ab:7a:03:b2:96:33:cc:a0:26:ae: ++ de:c4:bd:76:85:96:c7:88:e4:46:bc:3f:c6:54:c9: ++ 95:83:87:9c:49:0d:31:dd:c4:17:52:99:e4:65:49: ++ 9b:9d:f3:ad:ce:66:08:57:f4:83:be:5e:87:da:42: ++ 5a:01:2a:6d:68:d1:8d:38:d9:18:ae:5e:2e:54:72: ++ 8b:01:45:96:af:f5:a3:d0:29:5d:22:8b:b4:d4:30: ++ af:02:36:c5:2d:e9:29:eb:2c:ea:6a:7e:27:b3:70: ++ fc:87:1f:2b:c4:b1:3a:a6:c2:e9:b7:c2:6f:46:63: ++ b7:96:2e:53:d8:b7:cd:c3:f4:b5:6d:b2:fc:57:49: ++ ac:9f:98:c9:fe:b4:f5:7c:93:48:2e:93:dc:e9:18: ++ 54:63:5f:18:a3:e7:12:aa:fe:38:f0:73:e5:17:1e: ++ fe:40:65:81:a8:8f:60:46:c2:16:f2:a8:9d:b1:1b: ++ bc:ce:05:de:37:b2:a8:86:47:bd:8d:92:de:e0:e5: ++ 42:89:b8:e3:f8:b1:24:08:7e:99 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Subject Alternative Name: ++ DNS:srv01.client01.example.nil, IP Address:10.53.0.1 ++ Signature Algorithm: sha256WithRSAEncryption ++ 07:97:69:51:12:50:6a:e1:02:a0:b0:dc:93:75:16:c4:38:0f: ++ 5c:b3:47:da:bf:fa:9c:b6:de:c0:ef:38:f7:cc:d9:8d:71:ba: ++ 51:89:e5:48:36:dd:e1:f8:73:9d:92:80:1c:42:30:69:4f:8c: ++ 19:5d:f7:1d:03:e4:f2:76:e0:58:7b:c2:76:c4:0a:7e:20:69: ++ 26:6c:3e:cb:31:45:93:1d:07:5f:45:44:8e:5a:fb:87:17:7b: ++ 
4d:5c:bf:37:bd:5e:ba:5c:22:84:bf:26:21:4a:c4:e9:f9:cb: ++ 73:de:fc:62:04:96:ad:aa:fd:89:09:5c:74:d6:bd:5f:07:17: ++ ef:9c:3d:ee:b7:dc:08:11:7f:12:66:ab:c4:ff:43:6d:7f:1e: ++ 01:b6:d1:19:73:53:18:e4:02:b0:7c:9e:99:63:d8:57:dd:07: ++ 79:fb:83:39:09:de:76:6e:68:b7:87:81:13:b8:26:e5:1c:c9: ++ a0:23:e5:97:39:ff:93:c7:8d:08:d8:ce:97:34:fc:ad:22:14: ++ 89:c0:ae:83:7d:0a:3f:cf:a0:9b:b4:6a:5c:b3:6d:5d:3b:88: ++ ca:1e:9b:99:54:64:57:58:3c:4c:bd:26:ee:11:c3:13:0b:1d: ++ f5:fd:d9:37:b0:31:72:6f:1d:e8:ba:43:37:46:f7:71:fe:6d: ++ 4a:30:33:29:c5:7b:37:8b:7e:06:22:89:a4:46:36:f0:fe:c6: ++ f5:f0:53:04:c0:35:52:78:6e:10:24:3a:d8:bf:7b:13:2f:98: ++ bc:69:31:41:68:02:5a:c4:f9:11:a2:6b:3f:c8:e0:d4:b3:80: ++ af:d2:be:fe:28:70:61:18:ed:8a:de:c4:cb:da:c9:60:94:91: ++ 76:63:69:8c:6e:96:f5:ba:e7:be:1e:1c:c3:84:b1:8d:e8:31: ++ f7:66:8c:0d:da:a8:78:57:19:fd:a0:8d:fa:9a:7e:51:1c:d1: ++ d0:84:07:a2:45:40:2d:c4:6b:e9:9f:86:4a:08:20:8f:9c:79: ++ 97:e3:7f:2a:14:73 ++-----BEGIN CERTIFICATE----- ++MIIEVTCCAr2gAwIBAgIIcLn06y+hlZowDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE ++BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp ++djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD ++DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDkwODA4MjAxN1oYDzIwNTIwODMx ++MDgyMDE3WjAlMSMwIQYDVQQDDBpzcnYwMS5jbGllbnQwMS5leGFtcGxlLm5pbDCC ++AaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKtgLpxh44nGUiu86eEF/Rhl ++QiD2VhZAM9LLn/fvIlSnyVVwylLw4qJYOH8QrSsF4BG2aSF/LThW3dXk896nMjX3 ++MypSgK631nw1dMMMisM6GGFoc2JYVv94JVcce76YiCHdHIoTpZpSSJjZPcQopn6b ++EVZ+zgm7UYmKqBsAtXMrQZOxYkAwKer2o+e88OmeByuuqaAdTdn4GE2DR05o7lfI ++VRWGPG0e9THx3s/CfmuOIlrFdq/QAd6regOyljPMoCau3sS9doWWx4jkRrw/xlTJ ++lYOHnEkNMd3EF1KZ5GVJm53zrc5mCFf0g75eh9pCWgEqbWjRjTjZGK5eLlRyiwFF ++lq/1o9ApXSKLtNQwrwI2xS3pKess6mp+J7Nw/IcfK8SxOqbC6bfCb0Zjt5YuU9i3 ++zcP0tW2y/FdJrJ+Yyf609XyTSC6T3OkYVGNfGKPnEqr+OPBz5Rce/kBlgaiPYEbC ++FvKonbEbvM4F3jeyqIZHvY2S3uDlQom44/ixJAh+mQIDAQABoy8wLTArBgNVHREE ++JDAighpzcnYwMS5jbGllbnQwMS5leGFtcGxlLm5pbIcECjUAATANBgkqhkiG9w0B 
++AQsFAAOCAYEAB5dpURJQauECoLDck3UWxDgPXLNH2r/6nLbewO8498zZjXG6UYnl ++SDbd4fhznZKAHEIwaU+MGV33HQPk8nbgWHvCdsQKfiBpJmw+yzFFkx0HX0VEjlr7 ++hxd7TVy/N71eulwihL8mIUrE6fnLc978YgSWrar9iQlcdNa9XwcX75w97rfcCBF/ ++EmarxP9DbX8eAbbRGXNTGOQCsHyemWPYV90HefuDOQnedm5ot4eBE7gm5RzJoCPl ++lzn/k8eNCNjOlzT8rSIUicCug30KP8+gm7RqXLNtXTuIyh6bmVRkV1g8TL0m7hHD ++Ewsd9f3ZN7Axcm8d6LpDN0b3cf5tSjAzKcV7N4t+BiKJpEY28P7G9fBTBMA1Unhu ++ECQ62L97Ey+YvGkxQWgCWsT5EaJrP8jg1LOAr9K+/ihwYRjtit7Ey9rJYJSRdmNp ++jG6W9brnvh4cw4Sxjegx92aMDdqoeFcZ/aCN+pp+URzR0IQHokVALcRr6Z+GSggg ++j5x5l+N/KhRz ++-----END CERTIFICATE----- +diff --git a/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959B.pem b/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959B.pem +new file mode 100644 +index 0000000..365b493 +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959B.pem +@@ -0,0 +1,93 @@ ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 8122792693893010843 (0x70b9f4eb2fa1959b) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com ++ Validity ++ Not Before: Sep 7 08:14:18 2022 GMT ++ Not After : Sep 8 08:14:18 2022 GMT ++ Subject: CN=srv01.client02-expired.example.nil ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ RSA Public-Key: (3072 bit) ++ Modulus: ++ 00:c0:11:27:17:25:3a:ad:85:a0:3b:59:0b:22:64: ++ 63:7d:bb:05:32:35:4f:68:d5:19:2b:cd:46:bd:e2: ++ b6:42:8c:08:cf:09:0d:a8:cd:58:d9:1b:77:db:17: ++ 8a:fc:f0:55:f2:e1:50:f4:fd:90:aa:49:15:5d:ea: ++ 9b:5a:47:c4:2f:82:07:46:87:f6:05:ef:15:02:a4: ++ 3c:a1:da:fc:5b:75:36:12:f7:12:50:55:f8:be:0c: ++ 7d:21:91:e2:92:d8:41:3f:71:fe:b2:17:c0:68:1d: ++ 09:be:fc:c4:24:ec:ef:d2:5c:52:a9:4f:d6:5d:30: ++ b8:ab:68:2e:39:e9:8b:5b:c6:f0:64:42:f7:b8:bd: ++ b2:90:32:22:68:bc:38:70:2f:14:ae:c8:7c:63:04: ++ d5:11:b2:0a:f1:8e:13:10:b2:3b:69:f4:fe:3a:e2: ++ f1:58:56:28:93:c1:28:aa:a7:19:c9:91:12:43:f8: ++ f5:1d:34:58:3d:32:9f:11:67:d1:1f:53:d4:e0:d5: ++ 
0c:78:2c:6f:38:3f:e1:89:69:b5:09:3c:12:f4:a9: ++ ee:e5:2f:c5:47:65:a6:82:fa:ea:78:48:31:89:11: ++ b6:23:8a:27:ed:7c:1d:6d:e8:ab:a0:29:de:40:f4: ++ f2:9b:61:22:da:9c:22:32:f7:3d:f8:4c:e1:38:a7: ++ e2:c3:af:a4:67:7f:94:a4:fd:52:25:89:4d:f4:9a: ++ d6:35:ba:98:20:f1:4b:c9:a5:cf:ac:72:58:2a:cd: ++ 3b:4a:3e:e9:04:31:e2:9a:74:32:d5:52:60:34:ad: ++ 0c:85:02:65:58:41:74:2a:57:91:34:55:36:a9:14: ++ 5b:45:cc:28:27:d7:6d:ba:55:a3:dd:9f:00:04:a4: ++ 43:c2:af:5c:af:86:53:a6:d5:a7:49:aa:31:d6:5e: ++ 92:7d:26:dd:8d:f4:87:8a:9b:48:e8:25:f4:c7:34: ++ ca:cf:e3:f7:84:19:3b:43:c7:6a:b8:da:6e:6f:85: ++ af:8d:0c:fb:7c:ea:c7:73:9c:9b ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Subject Alternative Name: ++ DNS:srv01.client02-expired.example.nil, IP Address:10.53.0.1 ++ Signature Algorithm: sha256WithRSAEncryption ++ 18:f1:7c:24:5b:d2:03:b0:60:0e:60:e6:32:f9:a7:47:d1:e4: ++ bd:3f:a3:21:53:90:84:9a:c6:2c:87:b2:16:28:95:07:a3:2a: ++ c3:33:8f:60:70:3f:26:58:be:ec:a2:6c:44:89:d3:4e:ef:bb: ++ ce:af:9b:5f:15:06:03:21:74:e3:6f:2a:dc:5c:19:4e:d3:cb: ++ ba:c3:5f:d8:76:89:59:50:82:69:5f:a1:ac:9f:be:79:e1:22: ++ 12:37:f9:d3:2e:00:35:03:03:9d:08:24:45:65:7a:e9:72:31: ++ e1:67:44:32:17:25:dd:b9:72:eb:c6:40:d7:5d:8d:5f:00:48: ++ 07:09:0d:3c:4c:a1:f1:05:4b:05:9b:2b:5a:21:09:46:f4:17: ++ 7a:cf:34:87:ad:bf:ef:bd:56:74:d7:1a:8f:07:ce:70:b1:aa: ++ 4d:82:4f:08:dc:56:27:f9:21:20:b8:06:c7:29:b4:8e:36:82: ++ b8:43:85:1c:2d:9f:be:2d:b9:9d:40:de:52:55:6a:2e:0b:28: ++ 33:fc:f8:1b:70:e9:c5:46:50:f3:05:be:8d:ed:99:ec:f1:8c: ++ 51:8a:1c:4b:95:f4:c4:dd:cd:42:74:bc:6f:66:64:54:b8:c1: ++ 6e:c8:3d:e9:fe:10:02:61:50:77:38:b9:b0:b8:13:37:8f:0e: ++ 5b:49:92:3a:9d:9a:60:51:68:99:8a:d5:7e:92:71:7e:fa:db: ++ 52:37:4d:f9:0d:6c:3b:79:a3:b9:16:b7:95:00:ea:eb:17:54: ++ e2:50:d7:a5:08:54:58:2c:79:66:01:4b:95:65:ed:b8:81:f7: ++ 4c:fa:f8:89:37:ad:d9:dc:c9:75:9d:02:3e:e5:92:b3:03:ab: ++ 70:69:83:f5:6c:a6:27:7e:2e:fc:9d:b2:59:0a:43:ad:3f:55: ++ 2f:5d:ec:ef:52:f0:3e:be:b5:d6:e2:c3:91:9d:dd:5d:e1:9e: ++ 
e6:18:90:0b:6a:85:f8:e3:83:2a:7c:91:c3:52:1c:6d:aa:2b: ++ 44:b8:6f:2b:af:6e ++-----BEGIN CERTIFICATE----- ++MIIEYzCCAsugAwIBAgIIcLn06y+hlZswDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE ++BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp ++djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD ++DBNjYS50ZXN0LmV4YW1wbGUuY29tMB4XDTIyMDkwNzA4MTQxOFoXDTIyMDkwODA4 ++MTQxOFowLTErMCkGA1UEAwwic3J2MDEuY2xpZW50MDItZXhwaXJlZC5leGFtcGxl ++Lm5pbDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAMARJxclOq2FoDtZ ++CyJkY327BTI1T2jVGSvNRr3itkKMCM8JDajNWNkbd9sXivzwVfLhUPT9kKpJFV3q ++m1pHxC+CB0aH9gXvFQKkPKHa/Ft1NhL3ElBV+L4MfSGR4pLYQT9x/rIXwGgdCb78 ++xCTs79JcUqlP1l0wuKtoLjnpi1vG8GRC97i9spAyImi8OHAvFK7IfGME1RGyCvGO ++ExCyO2n0/jri8VhWKJPBKKqnGcmREkP49R00WD0ynxFn0R9T1ODVDHgsbzg/4Ylp ++tQk8EvSp7uUvxUdlpoL66nhIMYkRtiOKJ+18HW3oq6Ap3kD08pthItqcIjL3PfhM ++4Tin4sOvpGd/lKT9UiWJTfSa1jW6mCDxS8mlz6xyWCrNO0o+6QQx4pp0MtVSYDSt ++DIUCZVhBdCpXkTRVNqkUW0XMKCfXbbpVo92fAASkQ8KvXK+GU6bVp0mqMdZekn0m ++3Y30h4qbSOgl9Mc0ys/j94QZO0PHarjabm+Fr40M+3zqx3OcmwIDAQABozcwNTAz ++BgNVHREELDAqgiJzcnYwMS5jbGllbnQwMi1leHBpcmVkLmV4YW1wbGUubmlshwQK ++NQABMA0GCSqGSIb3DQEBCwUAA4IBgQAY8XwkW9IDsGAOYOYy+adH0eS9P6MhU5CE ++msYsh7IWKJUHoyrDM49gcD8mWL7somxEidNO77vOr5tfFQYDIXTjbyrcXBlO08u6 ++w1/YdolZUIJpX6Gsn7554SISN/nTLgA1AwOdCCRFZXrpcjHhZ0QyFyXduXLrxkDX ++XY1fAEgHCQ08TKHxBUsFmytaIQlG9Bd6zzSHrb/vvVZ01xqPB85wsapNgk8I3FYn +++SEguAbHKbSONoK4Q4UcLZ++LbmdQN5SVWouCygz/PgbcOnFRlDzBb6N7Zns8YxR ++ihxLlfTE3c1CdLxvZmRUuMFuyD3p/hACYVB3OLmwuBM3jw5bSZI6nZpgUWiZitV+ ++knF++ttSN035DWw7eaO5FreVAOrrF1TiUNelCFRYLHlmAUuVZe24gfdM+viJN63Z ++3Ml1nQI+5ZKzA6twaYP1bKYnfi78nbJZCkOtP1UvXezvUvA+vrXW4sORnd1d4Z7m ++GJALaoX444MqfJHDUhxtqitEuG8rr24= ++-----END CERTIFICATE----- +diff --git a/bin/tests/system/nsupdate/CA/private/CA-other.key b/bin/tests/system/nsupdate/CA/private/CA-other.key +new file mode 100644 +index 0000000..41818aa +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/private/CA-other.key +@@ -0,0 +1,39 @@ ++-----BEGIN RSA PRIVATE KEY----- 
++MIIG5AIBAAKCAYEA10Xj8dH8/XCfUvhdL/S3E10TnrYY8IIDBmU0lkUR5IHwgP9I ++YVyR/0Mibg79FAs+rvuEDifUK+6wvkpj+BXNVZCspo9/u3cl7dqrLH+1SeUs50Oe ++QnbbTrBl0PuNwvzEkbk7xwLlVDOyRmmvY/EEu7WkitQZgXSAYgttrk62CuJUQUmw ++UTX5Jxndsjydk/zW/DiulTsX+zv8kG5NiwpXCfL6QxBoMZNI4fUmDL3bX1XfHaFA +++45GT2lHu07xc+cVeZIRCo0Nk+fIO53lDol8mmR8/5vna27gRnqEUSU7MZAMG6QB ++Xkotnq3rHnrI/ku6dCJW4tbWV/ANQ+TG17g2tygzC/smqTuLqavyP9V5cRrdU9aw ++Eqwvy8uVbGkTmUZdtjkGWCcmBSWJvkH3MRJmijS7rDcb8m/g9+xKe79V1c8durGW ++vcfMRZZhWaoHyhnHg9+JLUCC3EUCp/1206w5vTXEQNpqi9Z3AZfgboPzJyji4OeY ++fcQ5eaIZ3OuIpyQzAgMBAAECggGAD+vUWvsr2datgeZqhfR0YdM9czyGhasn7B4q ++EH8VPrA5iGDZCpJdHeLqNfeX0hau0SQ69Q0PDRy/J6O61wtNv2lOy5bLXKMIRBor ++FMRxNQDlHEmM999wgtZbAWTJbEVjiF+Jw0M8kMiuA7UnSp31uqhJfhcHt+JU6Gtt ++9jlOD2oDzzxS9P6n6bNpCRigkuRdRhQvHUxcjrE2EbyGsaTXIR4+Uh1xh1EcT9Hg ++uYqFIfzo3nkhpDk2jAL+UiUZiHfrpO6OfqpNQj27jju/35DT+2hgGuS2JApzpi91 ++gJSDXwsDQYdP2a2B0y3K0+HwC7/YovAzlXkfes06ebtsiG4Nzl15vnKaTbON0vZO ++7jMkedmstKaLGM5PlLW0afls5ahr0dtrhWFs+1QKcv1JahcfeEvggeH9/gtjpunM ++MT31VuYbwleWAsRxjGG3OWKLgst4cJXqGTdM21JzBDOP43/ZIaaedl43jJzIgIM5 ++b4ae9DrhsTNIboYO20XYdwtn9Q2pAoHBAPLO1xTWfqpCwZU6udtX73jMfpwhGlWW ++0jqg9gvxs9Neg4nfYMtiliBS5VT+6oID8YSKOSWXHWFGFkBN5hqfGbu5Nd94rY0J ++g6UYgGOAcNfoGOTpI2xljpEWJJfquTFgbajwFg+q3p6mL1zShkzvf6hzqENxbLxy ++OvEPkszN6cy16jgEUv5qK9qNf7ISB8Ki3yFSKAfuRlapny3TcRTYkJNZ0y398/sG ++E5vqrrYyjUWv5Uwz0mHmZpmZuZuaUJxtlwKBwQDi+BKnIiYYwdJPmCNCykRJB02Z ++QZlxtnrrajxZsXHysTopX5HkOQH80VSbH6fj287qX7vV0ux2maFLoszjM0wtfQhE ++8fsuKRPfzxR0cFtPFtncCHI5FVT2MOsdz5dZ8BsinCgsVlZ3SrUC9gxPKpVdRd21 ++OUC3r+tOPvM0gdfyT560GDLhaH12iOA5KtWnE3FIEpk6y95D1a4E7zu4ZaoI98UU ++F8ezSREzF9UzAcdVn8MA3v82nlGQS8iFI9mHicUCgcACWkS1O/rQNYNgqcgBOxHj ++7r9PTfbOW36/+K1JolbmtmS54kMy1Uq1F3iHYUzuY5Fkgl5ZYeRz+9TdXKPdICuE ++qR+/gZDU7AGtiNY9oJH3VZVgKm4gb7944mkKW8jdlJybZXAhSLuNd/i/gn6woiVv ++gWdg9+lgzg6KJWd7uocIZ77UOh5/vpGcNYDGPex7U06sKPqgUQu3bT9Ql1riI9MK ++ynUEXhCOHxnzicuVklnSEgk7usjQEAZweI/W1SDw0xMCgcEAm9BQBdsEqlRNDAVW 
++l6CB9lyEIiUNsSnkAr9AxRZzMngGhKauYi3ctnICkifOOzgIOZAVRDpzyQu41lLi ++M0thDY1bYvF4TX03vprL4Q/NL2NxloNZ3uRNGmIE1sdPkRermTv4vE9dNrHbyDef ++xa1nMswm4yV1z2R+to2yqqZE2H1eZyaBr4rrLrfSroxAdl17lE3oUZvpb0o/F/Yg ++Wnu4mkV2T0/v8Z3Ep/3BiC29aYOu/Gcab6WKOvQ7qWMuD8U9AoHBAJslXJMsMZVc ++UIaxRbknRMEBRBJW6X6EPbV3zGa+R9e9XRSG7jYSOWB9Yb2AbwjsvF4Qq+8VQq+V ++Ksxs7XOuwR202oZFzQDMoVj1LL4Cn60rRWlI+p6Q5SB2DQVo2kulTv1NtvdVR+U0 ++ABa0xp5TKi7+jTY/e3CJGiT69sZc7v2VXptoiGytlUl9GVr0SImD1ZJdaJSJCPZX ++S+cEzfF6LVnnhlaq4puuv/vKjumNWDymv3zwZOy9D8nn/tMHqLKWSg== ++-----END RSA PRIVATE KEY----- +diff --git a/bin/tests/system/nsupdate/CA/private/CA.key b/bin/tests/system/nsupdate/CA/private/CA.key +new file mode 100644 +index 0000000..2d5419d +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/private/CA.key +@@ -0,0 +1,39 @@ ++-----BEGIN RSA PRIVATE KEY----- ++MIIG5AIBAAKCAYEAouoRHoAc6VCmxNTU6Ge7s+xDFGO0wXJJIsP+8nUyyjWvGCOC ++aQYLhb1kLA2NHRhSSKFcMh8jcd7Hlvy6CAec1j2dsWzryy3HgPrdjWaW3PfBO41D ++lUtdt8hA/p6pX2YwqvWbdK/3s8J0LY5xRZKNZnFOB/Sb4PGiIJ1NgMRO/M3IlPQm ++PO/faRRTU4SI26KCPKFW342826Zi88YwOd6w5mQU4fskk5TGtlNqE+Fj40ZbWVpy ++VXoEUS6RveRp020NX5CQG49SLtdF05AnnsATqmgNVCXptGuqW8uaHRONeGO3NBEy ++nJmibWBDUMjtCCcGVgyrVXuTkyAJJWpImnshUwgMNYebRwmC2iVv2LtsJS5eUTUH ++EWffnFl55XU2PkyNYgY35gA4y3SiWFJYV8+5FibU4ut0nb+lmHBF8WlqcU/kd3tp ++Gkf0exjqOIHZFqV9bIhpUbXhxx9v9+gkkGQ9nrXE1KRlvigxxUeIK5xHy9a7fVIL ++wo6WuCnLLJmbVkklAgMBAAECggGBAI5ZV3v/FUQIZK+4CBDKEwizeClotZgR9DWc ++bDgOj8KABe5hmKGL1qWVRuH3NUYm6j7sP1LMQnxM3LjhOuupOzE3xYIyWhW+eoQI ++r23OJiQNl5ohZNweblUXdTMGD5h8AipfUOY0m4tGbZ0gyXixBTxt5HCvG0UB3VgC ++GqZY4Wujo5ADhSXZsqxuRiDDvZGr/YBcuTu87Tg/ulam5ZyrKIcnC9gpSVxqsva9 ++DAMy/cSoxUjd7ukhJISK3G3AF3fV4GSslQcJTlyJ2D3+LnqPuHJKYTI4hc46lN3x ++E2g24GdSCPYf6SoEPwACXtbavV8TXwQPJrHN+f+0/ePCI4jkYe5NoA3gwVgMb/WB ++wFchxzVh3V4e8tPGiG+ofKl81DSAW8VZCJLUIbTEce9oxafPT78WJxdC0wWbh5S8 ++V/qN6sW/yWnK3oY9SilWhJGRwKOZ+8xtStaDeCzyCaOqEcWi8ZR0QfC33UozlhdC ++SrMKnOXmn/rUuXGrVR56IzIl0M7YAQKBwQDM3GJDdlFuHn6L0syKYdHDS8gXD9ke 
++s+ochIP6jvkEPcayaEoZGl8s7RT3iztqXod7wLaZdotktxfDAZnJfeuOcVrCu+Bx ++HLytnBvV6czMfp3REGgQAJQeusSgtlBCTHHVOsDzIjdnkY3WBa7IiFYWO5wnYrGx ++r3ucnwnHaUVDMj1r4YI7mYIpCuYQl6eGyW7mhWewyhVwoQXKbifdrXxjvOigL0Cp ++tgsoU9pql3hpphOaYMX6hLOincTfaMxfnCECgcEAy5UXp3dA0OwK+4iDGKr+cUpk ++AtGTheiE+8zEVh2KYFLt921mW/QZiB1+xtnkknp3c7u07Ugk8jAEXzCkwMnN5ZCx ++LrJ72fC+cLIAbRm6/vMMP8iz83wyttao4qNMeoOBBfE9rEiP+lrugpv282V3ZHYa ++IUZWTeugJbckUHTbD3RZQExmQcRVG3m/TzonBfoZ8HoRj/n3d7V2T911cHUhi8Xn ++RQIi2m63VofOIep86LgartlKneMWnL0oOPq4RKyFAoHAZUzpDkD4nUJZAx025Yrf ++ZfoYNEcy7vq6XmWsuX5vZoiBs4DcezNOMvH9NzdTJxMdXbV61cIHxcK/7j7hZABv ++NZ2Z6sdqgaRbLGIQZaPaEJjfwxygyKDwnY1vY6UjZNVWSMFn3hJiYUVZZKakuiao ++ow/Q9KzZ/2ot7tG5zTCh/ktekfUOKBiNg2wPPc8wGPeMblMzZflXxrzpFyOHdRev ++dcZZJbSX/hO1yrhEPgculNd5xBHsdCegiF4JlwvEW9bhAoHAZQQiy5bx03j8bhkr ++q6bVQFPAUmG5iL16lxLg7TYVPnyH1bk0DDaQIKk6CeN+dmxML2IZgY/FvWK0GKOj ++bIH2J43nTRuFNvwtEvBQI9KbpfvlvRSSriOXaoATJvoObdAoylEM4BrVTk2mgapw ++HA/h8Thk+NPU6S8ctPouC7ogJIf/7Va7erC35j0//0kEqgOSsW9wnXdUItMo1LI3 ++nsiQD7Hwcp5/utErKcWTM+MNfdA0dUQesT9ILhfyCGvn2TOdAoHBAKldZkDyRcu9 ++r9uDF1bhUEnpV2k4hgvTuCvQ3rzyx3WrVT8ChEmePC8Ke5A54ffu/YdbpDLbdf2c ++j4n5CQhHbMIZs3P2hB3WqDCImApCfMbXaltfBbaT0j7uLJPMp+2+f/wWYpc3R+bn ++HVnaRI2PoXXmG9OjQSQdVZ5gNpkEuemAo3dJOSS6BMqQaSxUynGy7o/a/d4izBjd ++B58Fwq3sZI/Xv90Se9+b6ICST3YJ3p0vn8RKzmlCQjLg/xynpCByiw== ++-----END RSA PRIVATE KEY----- +diff --git a/bin/tests/system/nsupdate/CA/serial b/bin/tests/system/nsupdate/CA/serial +new file mode 100644 +index 0000000..0a263a5 +--- /dev/null ++++ b/bin/tests/system/nsupdate/CA/serial +@@ -0,0 +1 @@ ++70B9F4EB2FA1959C +diff --git a/bin/tests/system/nsupdate/dhparam3072.pem b/bin/tests/system/nsupdate/dhparam3072.pem +new file mode 100644 +index 0000000..9c2e0aa +--- /dev/null ++++ b/bin/tests/system/nsupdate/dhparam3072.pem +@@ -0,0 +1,11 @@ ++-----BEGIN DH PARAMETERS----- ++MIIBiAKCAYEA5D/Oioe+G+EMf/9RVxmcV4rZAtqZpVTFHcX0ZulvdiQGCQmopm6K ++3+0uoU2J6WVMjhna5nHD2NO9miRDI/jIxX9g9k6PedSB4o3fSTtkAnGtUbB8S+Ab 
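Review bot: CA/private/CA.key, like CA/private/CA-other.key in the preceding hunk, is an unencrypted RSA private key for a test CA, so once this lands the key is public and the matching CA.pem must never be trusted outside the system test. The two-line CA/README is not visible here; if it does not already say so, it should state that this PKI is throw-away test material, e.g. `These keys are published test fixtures; never add CA.pem or CA-other.pem to a real trust store.` It is also worth confirming that no package file list installs bin/tests/system/nsupdate/CA, and that secret scanners are given an explicit allowlist entry for these paths rather than a blanket exclusion.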
++EHtWfd7FTES8P1n16HN7BfPXVbP8zTcK+jO63KdQoxueYoETcrw0Myi9Lm8ri8os ++O4oQ+XAH7GzZ60bcYV9jge0XIRUGVnYZDjWMlnwMvZyjLivxKXTC9HPNA6FF1/0H ++0LPhsfjdoLNsVHFzfQz7QELMfHbTd0C8y0UMDQw9FqUp0esHZ5gsTlqnDHp2ZHoR ++JDfNl4yVO5Gv4HiFJ0NSdggefhESU3FRAOhMmUkctOCxk5hyPqGMsvofOajY2MBp ++eCffrKuAU6/dGUeq8inwrZlAMIZ20WyskHmbHnc4DXo2Uo6xSZo3xyEq1ofXXwTZ ++vPw4e12so3RJAT2a8UsHf7DG1tH+9ke7HCAJQWxUizRFRsMi1Nl/7ikS4f3zgIbX ++GKz9+uk5eS6jAgEC ++-----END DH PARAMETERS----- +diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in +index 2c1899f..aaf1d9c 100644 +--- a/bin/tests/system/nsupdate/ns1/named.conf.in ++++ b/bin/tests/system/nsupdate/ns1/named.conf.in +@@ -11,14 +11,48 @@ + * information regarding copyright ownership. + */ + ++tls tls-forward-secrecy { ++ protocols { TLSv1.2; }; ++ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; ++ prefer-server-ciphers yes; ++ key-file "../CA/certs/srv01.crt01.example.nil.key"; ++ cert-file "../CA/certs/srv01.crt01.example.nil.pem"; ++ dhparam-file "../dhparam3072.pem"; ++}; ++ ++tls tls-forward-secrecy-mutual-tls { ++ protocols { TLSv1.2; }; ++ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; ++ prefer-server-ciphers yes; ++ key-file "../CA/certs/srv01.crt01.example.nil.key"; ++ cert-file "../CA/certs/srv01.crt01.example.nil.pem"; ++ dhparam-file "../dhparam3072.pem"; ++ ca-file "../CA/CA.pem"; ++}; ++ ++tls tls-expired { ++ protocols { TLSv1.2; }; ++ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; ++ prefer-server-ciphers yes; ++ key-file "../CA/certs/srv01.crt02-expired.example.nil.key"; ++ cert-file "../CA/certs/srv01.crt02-expired.example.nil.pem"; ++ dhparam-file "../dhparam3072.pem"; ++}; ++ ++ + options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; ++ tls-port @TLSPORT@; + pid-file "named.pid"; + 
session-keyfile "session.key"; + listen-on { 10.53.0.1; 127.0.0.1; }; ++ listen-on tls ephemeral { 10.53.0.1; }; ++ listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.1; }; ++ listen-on port @EXTRAPORT2@ tls tls-forward-secrecy-mutual-tls { 10.53.0.1; }; ++ listen-on port @EXTRAPORT3@ tls tls-expired { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; +diff --git a/bin/tests/system/nsupdate/ns10/named.conf.in b/bin/tests/system/nsupdate/ns10/named.conf.in +index 25ba141..51a0b4f 100644 +--- a/bin/tests/system/nsupdate/ns10/named.conf.in ++++ b/bin/tests/system/nsupdate/ns10/named.conf.in +@@ -16,9 +16,11 @@ options { + notify-source 10.53.0.10; + transfer-source 10.53.0.10; + port @PORT@; ++ tls-port @TLSPORT@; + pid-file "named.pid"; + session-keyfile "session.key"; + listen-on { 10.53.0.10; }; ++ listen-on tls ephemeral { 10.53.0.10; }; + listen-on-v6 { none; }; + recursion no; + notify yes; +diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh +index 916f45b..735b659 100755 +--- a/bin/tests/system/nsupdate/tests.sh ++++ b/bin/tests/system/nsupdate/tests.sh +@@ -1145,7 +1145,182 @@ fi + + n=$((n + 1)) + ret=0 ++echo_i "check DoT (opportunistic-tls) ($n)" ++$NSUPDATE -D -S -O -k ns1/ddns.key <nsupdate.out.test$n 2>&1 || ret=1 ++server 10.53.0.1 ${TLSPORT} ++update add dot-non-auth-client-o.example.nil. 600 A 10.10.10.3 ++send ++END ++sleep 2 ++$DIG $DIGOPTS +short @10.53.0.1 dot-non-auth-client-o.example.nil >dig.out.test$n 2>&1 || ret=1 ++grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1 ++if [ $ret -ne 0 ]; then ++ echo_i "failed" ++ status=1 ++fi ++ ++n=$((n + 1)) ++ret=0 ++echo_i "check DoT (strict-tls) with an implicit hostname (by IP address) ($n)" ++$NSUPDATE -D -S -A CA/CA.pem -k ns1/ddns.key <nsupdate.out.test$n 2>&1 || ret=1 ++server 10.53.0.1 ${EXTRAPORT1} ++update add dot-non-auth-client.example.nil. 
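Review bot: The `tls-expired` block has no `ca-file`, unlike `tls-forward-secrecy-mutual-tls`, so as far as this hunk shows the listener on @EXTRAPORT3@ does not verify client certificates. The tests.sh case titled "mutual-tls ... expired server certificate" targets that port, so it only exercises rejection of the expired server certificate and the `-K`/`-E` arguments are incidental. Either add `ca-file "../CA/CA.pem";` to `tls-expired` or drop "mutual-tls" from that test title. A one-line comment above each `tls` block naming the scenario it backs would also help, since the three blocks differ only in certificate and `ca-file`. The `options` block continues outside the hunk.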
600 A 10.10.10.3 ++send ++END ++sleep 2 ++$DIG $DIGOPTS +short @10.53.0.1 dot-non-auth-client.example.nil >dig.out.test$n 2>&1 || ret=1 ++grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1 ++if [ $ret -ne 0 ]; then ++ echo_i "failed" ++ status=1 ++fi ++ ++n=$((n + 1)) ++ret=0 ++echo_i "check DoT (strict-tls) with an implicit hostname (by IP address) ($n)" ++$NSUPDATE -D -S -A CA/CA.pem -k ns1/ddns.key <nsupdate.out.test$n 2>&1 || ret=1 ++server 10.53.0.1 ${EXTRAPORT1} ++update add dot-fs.example.nil. 600 A 10.10.10.3 ++send ++END ++sleep 2 ++$DIG $DIGOPTS +short @10.53.0.1 dot-fs.example.nil >dig.out.test$n 2>&1 || ret=1 ++grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1 ++if [ $ret -ne 0 ]; then ++ echo_i "failed" ++ status=1 ++fi ++ ++n=$((n + 1)) ++ret=0 ++echo_i "check DoT (strict-tls) with a correct hostname ($n)" ++$NSUPDATE -D -S -A CA/CA.pem -H srv01.crt01.example.nil -k ns1/ddns.key <nsupdate.out.test$n 2>&1 || ret=1 ++server 10.53.0.1 ${EXTRAPORT1} ++update add dot-fs-h.example.nil. 600 A 10.10.10.3 ++send ++END ++sleep 2 ++$DIG $DIGOPTS +short @10.53.0.1 dot-fs-h.example.nil >dig.out.test$n 2>&1 || ret=1 ++grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1 ++if [ $ret -ne 0 ]; then ++ echo_i "failed" ++ status=1 ++fi ++ ++n=$((n + 1)) ++ret=0 ++echo_i "check DoT (strict-tls) with an incorrect hostname (failure expected) ($n)" ++$NSUPDATE -D -S -A CA/CA.pem -H srv01.crt01.example.bad -k ns1/ddns.key <nsupdate.out.test$n 2>&1 && ret=1 ++server 10.53.0.1 ${EXTRAPORT1} ++update add dot-fs-h-bad.example.nil. 
600 A 10.10.10.3 ++send ++END ++sleep 2 ++$DIG $DIGOPTS +short @10.53.0.1 dot-fs-h-bad.example.nil >dig.out.test$n 2>&1 || ret=1 ++grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1 ++if [ $ret -ne 0 ]; then ++ echo_i "failed" ++ status=1 ++fi ++ ++n=$((n + 1)) ++ret=0 ++echo_i "check DoT (strict-tls) with a wrong authority (failure expected) ($n)" ++$NSUPDATE -D -S -A CA/CA-other.pem -k ns1/ddns.key <nsupdate.out.test$n 2>&1 && ret=1 ++server 10.53.0.1 ${EXTRAPORT1} ++update add dot-fs-auth-bad.example.nil. 600 A 10.10.10.3 ++send ++END ++sleep 2 ++$DIG $DIGOPTS +short @10.53.0.1 dot-fs-auth-bad.example.nil >dig.out.test$n 2>&1 || ret=1 ++grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1 ++if [ $ret -ne 0 ]; then ++ echo_i "failed" ++ status=1 ++fi ++ ++n=$((n + 1)) ++ret=0 ++echo_i "check DoT (mutual-tls) with a valid client certificate ($n)" ++$NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/srv01.client01.example.nil.pem -k ns1/ddns.key <nsupdate.out.test$n 2>&1 || ret=1 ++server 10.53.0.1 ${EXTRAPORT2} ++update add dot-fsmt.example.nil. 600 A 10.10.10.3 ++send ++END ++sleep 2 ++$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt.example.nil >dig.out.test$n 2>&1 || ret=1 ++grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1 ++if [ $ret -ne 0 ]; then ++ echo_i "failed" ++ status=1 ++fi ++ ++n=$((n + 1)) ++ret=0 ++echo_i "check DoT (mutual-tls) with a valid client certificate but with an incorrect hostname (failure expected) ($n)" ++$NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/srv01.client01.example.nil.pem -H srv01.crt01.example.bad -k ns1/ddns.key <nsupdate.out.test$n 2>&1 && ret=1 ++server 10.53.0.1 ${EXTRAPORT2} ++update add dot-fsmt-h-bad.example.nil. 
600 A 10.10.10.3 ++send ++END ++sleep 2 ++$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-h-bad.example.nil >dig.out.test$n 2>&1 || ret=1 ++grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1 ++if [ $ret -ne 0 ]; then ++ echo_i "failed" ++ status=1 ++fi + ++n=$((n + 1)) ++ret=0 ++echo_i "check DoT (mutual-tls) with a valid client certificate but with a wrong authority (failure expected) ($n)" ++$NSUPDATE -D -S -A CA/CA-other.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/client01.crt01.example.nil.pem -k ns1/ddns.key <nsupdate.out.test$n 2>&1 && ret=1 ++server 10.53.0.1 ${EXTRAPORT2} ++update add dot-fsmt-auth-bad.example.nil. 600 A 10.10.10.3 ++send ++END ++sleep 2 ++$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-auth-bad.example.nil >dig.out.test$n 2>&1 || ret=1 ++grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1 ++if [ $ret -ne 0 ]; then ++ echo_i "failed" ++ status=1 ++fi ++ ++n=$((n + 1)) ++ret=0 ++echo_i "check DoT (mutual-tls) with an expired client certificate (failure expected) ($n)" ++$NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client02-expired.example.nil.key -E CA/certs/srv01.client02-expired.example.nil.pem -k ns1/ddns.key <nsupdate.out.test$n 2>&1 && ret=1 ++server 10.53.0.1 ${EXTRAPORT2} ++update add dot-fsmt-exp-bad.example.nil. 600 A 10.10.10.3 ++send ++END ++sleep 2 ++$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-exp-bad.example.nil >dig.out.test$n 2>&1 || ret=1 ++grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1 ++if [ $ret -ne 0 ]; then ++ echo_i "failed" ++ status=1 ++fi ++ ++n=$((n + 1)) ++ret=0 ++echo_i "check DoT (mutual-tls) with a valid client certificate and an expired server certificate (failure expected) ($n)" ++$NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/srv01.client01.example.nil.pem -k ns1/ddns.key <nsupdate.out.test$n 2>&1 && ret=1 ++server 10.53.0.1 ${EXTRAPORT3} ++update add dot-fsmt-exp-bad.example.nil. 
600 A 10.10.10.3 ++send ++END ++sleep 2 ++$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-exp-bad.example.nil >dig.out.test$n 2>&1 || ret=1 ++grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1 ++if [ $ret -ne 0 ]; then ++ echo_i "failed" ++ status=1 ++fi ++ ++n=$((n + 1)) ++ret=0 + echo_i "check TSIG key algorithms (nsupdate -k) ($n)" + if $FEATURETEST --md5; then + ALGS="md5 sha1 sha224 sha256 sha384 sha512" +@@ -1409,6 +1584,7 @@ send + END + t2=$($PERL -e 'print time()') + grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 ++grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1 + grep "not implemented" nsupdate.out.test$n >/dev/null 2>&1 && ret=1 + elapsed=$((t2 - t1)) + # Check that default timeout value is respected, there should be 4 tries with 3 seconds each. +@@ -2710,6 +2886,23 @@ EOF + status=1 + } + ++ n=$((n + 1)) ++ ret=0 ++ echo_i "check ms-selfsub match using DoT (opportunistic-tls) ($n)" ++ KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" ++ export KRB5CCNAME ++ $NSUPDATE -d -S -O << EOF > nsupdate.out.test$n 2>&1 || ret=1 ++ gsstsig ++ realm EXAMPLE.COM ++ server 10.53.0.10 ${TLSPORT} ++ zone example.com ++ update add dot.machine.example.com 3600 IN A 10.53.0.10 ++ send ++EOF ++ $DIG $DIGOPTS +tcp @10.53.0.10 dot.machine.example.com A > dig.out.ns10.test$n ++ grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 ++ grep "dot.machine.example.com..*A.*10.53.0.10" dig.out.ns10.test$n > /dev/null || ret=1 ++ [ $ret = 0 ] || { echo_i "failed"; status=1; } + fi + + echo_i "exit status: $status" +-- +2.47.0 + diff --git a/bind.spec b/bind.spec index c5bad16..18c01d6 100644 --- a/bind.spec +++ b/bind.spec 
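Review bot: The "mutual-tls ... wrong authority (failure expected)" case passes `-E CA/certs/client01.crt01.example.nil.pem`, a file the diffstat does not list; the client certificate added by this patch is `CA/certs/srv01.client01.example.nil.pem`. If the file is indeed absent, nsupdate fails before any CA validation and the `&& ret=1` check is satisfied for the wrong reason, so the test would still pass if wrong-authority rejection regressed. The argument should read `-E CA/certs/srv01.client01.example.nil.pem`. More generally, every "failure expected" case in this hunk asserts only a non-zero exit and an absent record; checking nsupdate.out.test$n for the expected TLS verification error would stop unrelated failures from counting as a pass.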
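Review bot: The added `grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1` duplicates the context line directly below it, which differs only in the spacing after `>`. This looks like a cherry-pick or rebase artefact; the added line can be dropped without changing what the test checks. The enclosing test case starts before the hunk.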
@@ -125,6 +125,8 @@ Patch26: bind-9.18-unittest-netmgr-unstable.patch Patch28: bind-9.20-nsupdate-tls.patch # Man change for patch28 nsupdate Patch29: bind-9.20-nsupdate-tls-doc.patch +# Test suport for patch28 nsupdate +Patch30: bind-9.20-nsupdate-tls-test.patch %{?systemd_ordering} # https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers @@ -900,6 +902,7 @@ fi; %changelog * Sun Feb 02 2025 Petr Menšík - 32:9.18.33-2 - Add nsupdate TLS support (RHEL-77354) +- Include a test for nsupdate changes * Sun Feb 02 2025 Petr Menšík - 32:9.18.33-1 - Update to 9.16.33 (rhbz#2342784)
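Review bot: The new comment above `Patch30` misspells "support"; it should read `# Test support for patch28 nsupdate`. Because the referenced patch adds CA private keys and certificates under bin/tests/system/nsupdate/CA, the comment could also say that these are test-only fixtures, so that a later packager does not mistake them for shipped key material.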