automatic import of bindopeneuler24.03_LTS

author: CoprDistGit <infra@openeuler.org> 2024-08-05 01:38:29 +0000
committer: CoprDistGit <infra@openeuler.org> 2024-08-05 01:38:29 +0000
commit: 60e6ebff61b1c2f87ec78831b610b17fbd130ae3 (patch)
tree: d14033338828a8a03b3562472148a3387b50215b /bind-9.16-CVE-2021-25220-test.patch
parent: ad69e2cec05ad6d646c8b6e1355f0e18af3b7692 (diff)
1 files changed, 1144 insertions, 0 deletions
diff --git a/bind-9.16-CVE-2021-25220-test.patch b/bind-9.16-CVE-2021-25220-test.patch
new file mode 100644
index 0000000..150aa87
--- /dev/null
+++ b/bind-9.16-CVE-2021-25220-test.patch
@@ -0,0 +1,1144 @@
+From bd8fdeb2d1ece6db6dfe9fdc024f3a81440c1c0c Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 18 Jan 2022 00:19:47 +1100
+Subject: [PATCH] Add tests for forwarder cache poisoning scenarios
+
+- Check that an NS in an authority section returned from a forwarder
+  which is above the name in a configured "forward first" or "forward
+  only" zone (i.e., net/NS in a response from a forwarder configured for
+  local.net) is not cached.
+- Test that a DNAME for a parent domain will not be cached when sent
+  in a response from a forwarder configured to answer for a child.
+- Check that glue is rejected if its name falls below that of zone
+  configured locally.
+- Check that an extra out-of-bailiwick data in the answer section is
+  not cached (this was already working correctly, but was not explicitly
+  tested before).
+
+(cherry picked from commit bf3fffff67e1de78e9387a93674d471bf4291604)
+(cherry picked from commit 59d1eb3ff810145c8098a0a4fbf93ef4380ad739)
+---
+ bin/tests/system/forward/ans11/ans.py         | 136 ++++++++++++++++++
+ bin/tests/system/forward/clean.sh             |   2 +
+ bin/tests/system/forward/ns1/diditwork.net.db |  22 +++
+ bin/tests/system/forward/ns1/named.conf.in    |  20 +++
+ bin/tests/system/forward/ns1/net.example.lll  |  15 ++
+ bin/tests/system/forward/ns1/spoofed.net.db   |  22 +++
+ bin/tests/system/forward/ns1/sub.local.net.db |  22 +++
+ bin/tests/system/forward/ns10/fakenet.zone    |  17 +++
+ bin/tests/system/forward/ns10/fakenet2.zone   |  15 ++
+ .../system/forward/ns10/fakesublocalnet.zone  |  15 ++
+ .../system/forward/ns10/fakesublocaltld.zone  |  15 ++
+ bin/tests/system/forward/ns10/named.conf.in   |  53 +++++++
+ bin/tests/system/forward/ns10/net.example.lll |  15 ++
+ bin/tests/system/forward/ns10/spoofednet.zone |  16 +++
+ bin/tests/system/forward/ns2/tld.db           |   6 +
+ bin/tests/system/forward/ns4/named.conf.in    |   5 +
+ bin/tests/system/forward/ns4/sibling.tld.db   |  22 +++
+ bin/tests/system/forward/ns8/named.conf.in    |   5 +
+ bin/tests/system/forward/ns8/sub.local.tld.db |  15 ++
+ bin/tests/system/forward/ns9/local.net.db     |  16 +++
+ bin/tests/system/forward/ns9/local.tld.db     |  15 ++
+ bin/tests/system/forward/ns9/named1.conf.in   |  67 +++++++++
+ bin/tests/system/forward/ns9/named2.conf.in   |  70 +++++++++
+ bin/tests/system/forward/ns9/named3.conf.in   |  50 +++++++
+ bin/tests/system/forward/ns9/named4.conf.in   |  47 ++++++
+ bin/tests/system/forward/ns9/root.db          |  13 ++
+ bin/tests/system/forward/setup.sh             |   2 +
+ bin/tests/system/forward/tests.sh             | 122 ++++++++++++++++
+ bin/tests/system/ifconfig.sh                  |   8 +-
+ 29 files changed, 844 insertions(+), 4 deletions(-)
+ create mode 100644 bin/tests/system/forward/ans11/ans.py
+ create mode 100644 bin/tests/system/forward/ns1/diditwork.net.db
+ create mode 100644 bin/tests/system/forward/ns1/net.example.lll
+ create mode 100644 bin/tests/system/forward/ns1/spoofed.net.db
+ create mode 100644 bin/tests/system/forward/ns1/sub.local.net.db
+ create mode 100644 bin/tests/system/forward/ns10/fakenet.zone
+ create mode 100644 bin/tests/system/forward/ns10/fakenet2.zone
+ create mode 100644 bin/tests/system/forward/ns10/fakesublocalnet.zone
+ create mode 100644 bin/tests/system/forward/ns10/fakesublocaltld.zone
+ create mode 100644 bin/tests/system/forward/ns10/named.conf.in
+ create mode 100644 bin/tests/system/forward/ns10/net.example.lll
+ create mode 100644 bin/tests/system/forward/ns10/spoofednet.zone
+ create mode 100644 bin/tests/system/forward/ns4/sibling.tld.db
+ create mode 100644 bin/tests/system/forward/ns8/sub.local.tld.db
+ create mode 100644 bin/tests/system/forward/ns9/local.net.db
+ create mode 100644 bin/tests/system/forward/ns9/local.tld.db
+ create mode 100644 bin/tests/system/forward/ns9/named1.conf.in
+ create mode 100644 bin/tests/system/forward/ns9/named2.conf.in
+ create mode 100644 bin/tests/system/forward/ns9/named3.conf.in
+ create mode 100644 bin/tests/system/forward/ns9/named4.conf.in
+ create mode 100644 bin/tests/system/forward/ns9/root.db
+
+diff --git a/bin/tests/system/forward/ans11/ans.py b/bin/tests/system/forward/ans11/ans.py
+new file mode 100644
+index 0000000000..1d35b3d3f1
+--- /dev/null
++++ b/bin/tests/system/forward/ans11/ans.py
+@@ -0,0 +1,136 @@
++# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++#
++# SPDX-License-Identifier: MPL-2.0
++#
++# This Source Code Form is subject to the terms of the Mozilla Public
++# License, v. 2.0.  If a copy of the MPL was not distributed with this
++# file, you can obtain one at https://mozilla.org/MPL/2.0/.
++#
++# See the COPYRIGHT file distributed with this work for additional
++# information regarding copyright ownership.
++
++from __future__ import print_function
++import os
++import sys
++import signal
++import socket
++import select
++from datetime import datetime, timedelta
++import time
++import functools
++
++import dns, dns.message, dns.query, dns.flags
++from dns.rdatatype import *
++from dns.rdataclass import *
++from dns.rcode import *
++from dns.name import *
++
++# Log query to file
++def logquery(type, qname):
++    with open("qlog", "a") as f:
++        f.write("%s %s\n", type, qname)
++
++############################################################################
++# Respond to a DNS query.
++############################################################################
++def create_response(msg):
++    m = dns.message.from_wire(msg)
++    qname = m.question[0].name.to_text()
++    rrtype = m.question[0].rdtype
++    typename = dns.rdatatype.to_text(rrtype)
++
++    with open("query.log", "a") as f:
++        f.write("%s %s\n" % (typename, qname))
++        print("%s %s" % (typename, qname), end=" ")
++
++    r = dns.message.make_response(m)
++    r.set_rcode(NOERROR)
++    if rrtype == A:
++        tld=qname.split('.')[-2] + '.'
++        ns="local." + tld
++        r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11"))
++        r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." + tld))
++        r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11"))
++    elif rrtype == NS:
++        r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, "."))
++    elif rrtype == SOA:
++        r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0"))
++    else:
++        r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0"))
++    r.flags |= dns.flags.AA
++    return r
++
++def sigterm(signum, frame):
++    print ("Shutting down now...")
++    os.remove('ans.pid')
++    running = False
++    sys.exit(0)
++
++############################################################################
++# Main
++#
++# Set up responder and control channel, open the pid file, and start
++# the main loop, listening for queries on the query channel or commands
++# on the control channel and acting on them.
++############################################################################
++ip4 = "10.53.0.11"
++ip6 = "fd92:7065:b8e:ffff::11"
++
++try: port=int(os.environ['PORT'])
++except: port=5300
++
++query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
++query4_socket.bind((ip4, port))
++havev6 = True
++try:
++    query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
++    try:
++        query6_socket.bind((ip6, port))
++    except:
++        query6_socket.close()
++        havev6 = False
++except:
++    havev6 = False
++signal.signal(signal.SIGTERM, sigterm)
++
++f = open('ans.pid', 'w')
++pid = os.getpid()
++print (pid, file=f)
++f.close()
++
++running = True
++
++print ("Listening on %s port %d" % (ip4, port))
++if havev6:
++    print ("Listening on %s port %d" % (ip6, port))
++print ("Ctrl-c to quit")
++
++if havev6:
++    input = [query4_socket, query6_socket]
++else:
++    input = [query4_socket]
++
++while running:
++    try:
++        inputready, outputready, exceptready = select.select(input, [], [])
++    except select.error as e:
++        break
++    except socket.error as e:
++        break
++    except KeyboardInterrupt:
++        break
++
++    for s in inputready:
++        if s == query4_socket or s == query6_socket:
++            print ("Query received on %s" %
++                    (ip4 if s == query4_socket else ip6), end=" ")
++            # Handle incoming queries
++            msg = s.recvfrom(65535)
++            rsp = create_response(msg[0])
++            if rsp:
++                print(dns.rcode.to_text(rsp.rcode()))
++                s.sendto(rsp.to_wire(), msg[1])
++            else:
++                print("NO RESPONSE")
++    if not running:
++        break
+diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh
+index bc04eadb2c..b65b092680 100644
+--- a/bin/tests/system/forward/clean.sh
++++ b/bin/tests/system/forward/clean.sh
+@@ -10,10 +10,12 @@
+ #
+ # Clean up after forward tests.
+ #
++rm -f ./ans11/query.log
+ rm -f ./dig.out.*
+ rm -f ./*/named.conf
+ rm -f ./*/named.memstats
+ rm -f ./*/named.run ./*/named.run.prev
++rm -f ./*/named_dump.db
+ rm -f ./ns*/named.lock
+ rm -f ./ns*/managed-keys.bind*
+ rm -f ./ns1/root.db ./ns1/root.db.signed
+diff --git a/bin/tests/system/forward/ns1/diditwork.net.db b/bin/tests/system/forward/ns1/diditwork.net.db
+new file mode 100644
+index 0000000000..fd9a46eb0c
+--- /dev/null
++++ b/bin/tests/system/forward/ns1/diditwork.net.db
+@@ -0,0 +1,22 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0.  If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 300	; 5 minutes
++@			IN SOA	ns root (
++				2000082401 ; serial
++				1800       ; refresh (30 minutes)
++				1800       ; retry (30 minutes)
++				1814400    ; expire (3 weeks)
++				3600       ; minimum (1 hour)
++				)
++			NS	ns
++			TXT	"recursed"
++ns			A	10.53.0.1
+diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in
+index 4aef4e55e5..c5fb2eb172 100644
+--- a/bin/tests/system/forward/ns1/named.conf.in
++++ b/bin/tests/system/forward/ns1/named.conf.in
+@@ -63,3 +63,23 @@ zone "sld.tld" {
+ zone "example6" {
+ 	type forward;
+ };
++
++zone "diditwork.net" {
++	type primary;
++	file "diditwork.net.db";
++};
++
++zone "spoofed.net" {
++	type primary;
++	file "spoofed.net.db";
++};
++
++zone "sub.local.net" {
++	type primary;
++	file "sub.local.net.db";
++};
++
++zone "net.example.lll" {
++	type master;
++	file "net.example.lll";
++};
+diff --git a/bin/tests/system/forward/ns1/net.example.lll b/bin/tests/system/forward/ns1/net.example.lll
+new file mode 100644
+index 0000000000..ba0804fd75
+--- /dev/null
++++ b/bin/tests/system/forward/ns1/net.example.lll
+@@ -0,0 +1,15 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0.  If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++net.example.lll.		SOA	. . 0 0 0 0 0
++net.example.lll.		NS	attackSecureDomain.net.
++didItWork.net.example.lll.	TXT	"if you can see this record the attack worked"
+diff --git a/bin/tests/system/forward/ns1/spoofed.net.db b/bin/tests/system/forward/ns1/spoofed.net.db
+new file mode 100644
+index 0000000000..eedc46f5c0
+--- /dev/null
++++ b/bin/tests/system/forward/ns1/spoofed.net.db
+@@ -0,0 +1,22 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0.  If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 300	; 5 minutes
++@			IN SOA	ns root (
++				2000082401 ; serial
++				1800       ; refresh (30 minutes)
++				1800       ; retry (30 minutes)
++				1814400    ; expire (3 weeks)
++				3600       ; minimum (1 hour)
++				)
++			NS	ns
++ns			A	10.53.0.1
++sub			TXT	"recursed"
+diff --git a/bin/tests/system/forward/ns1/sub.local.net.db b/bin/tests/system/forward/ns1/sub.local.net.db
+new file mode 100644
+index 0000000000..fd9a46eb0c
+--- /dev/null
++++ b/bin/tests/system/forward/ns1/sub.local.net.db
+@@ -0,0 +1,22 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0.  If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 300	; 5 minutes
++@			IN SOA	ns root (
++				2000082401 ; serial
++				1800       ; refresh (30 minutes)
++				1800       ; retry (30 minutes)
++				1814400    ; expire (3 weeks)
++				3600       ; minimum (1 hour)
++				)
++			NS	ns
++			TXT	"recursed"
++ns			A	10.53.0.1
+diff --git a/bin/tests/system/forward/ns10/fakenet.zone b/bin/tests/system/forward/ns10/fakenet.zone
+new file mode 100644
+index 0000000000..b655a32459
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/fakenet.zone
+@@ -0,0 +1,17 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0.  If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++net.			SOA	. . 0 0 0 0 0
++net.			NS	attackSecureDomain.net.
++attackSecureDomain.net.	A	10.53.0.10
++didItWork.net.		TXT	"if you can see this record the attack worked"
++ns.spoofed.net.		A	10.53.0.10
+diff --git a/bin/tests/system/forward/ns10/fakenet2.zone b/bin/tests/system/forward/ns10/fakenet2.zone
+new file mode 100644
+index 0000000000..cd1e6e9944
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/fakenet2.zone
+@@ -0,0 +1,15 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0.  If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++net2.			SOA	. . 0 0 0 0 0
++net2.			NS	attackSecureDomain.net.
++net2.			DNAME	net.example.lll.
+diff --git a/bin/tests/system/forward/ns10/fakesublocalnet.zone b/bin/tests/system/forward/ns10/fakesublocalnet.zone
+new file mode 100644
+index 0000000000..160b5332b2
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/fakesublocalnet.zone
+@@ -0,0 +1,15 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0.  If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++sub.local.net.		SOA	. . 0 0 0 0 0
++sub.local.net.		NS	ns.spoofed.net.
++sub.local.net.		TXT	"if you see this attacker overrode local delegation"
+diff --git a/bin/tests/system/forward/ns10/fakesublocaltld.zone b/bin/tests/system/forward/ns10/fakesublocaltld.zone
+new file mode 100644
+index 0000000000..f78cbc77f6
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/fakesublocaltld.zone
+@@ -0,0 +1,15 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0.  If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++sub.local.tld.		3600	IN	SOA	. . 0 0 0 0 0
++sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
++sub.local.tld.		3600	IN	TXT	bad
++ns.sub.local.tld.	3600	IN	A	10.53.0.8
+diff --git a/bin/tests/system/forward/ns10/named.conf.in b/bin/tests/system/forward/ns10/named.conf.in
+new file mode 100644
+index 0000000000..1f318dd867
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/named.conf.in
+@@ -0,0 +1,53 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * SPDX-License-Identifier: MPL-2.0
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0.  If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++	query-source address 10.53.0.10;
++	notify-source 10.53.0.10;
++	transfer-source 10.53.0.10;
++	port @PORT@;
++	pid-file "named.pid";
++	listen-on { 10.53.0.10; };
++	listen-on-v6 { none; };
++	minimal-responses no;
++};
++
++zone "net." {
++	type master;
++	file "fakenet.zone";
++};
++
++zone "spoofed.net." {
++	type master;
++	file "spoofednet.zone";
++};
++
++zone "sub.local.net." {
++	type master;
++	file "fakesublocalnet.zone";
++};
++
++zone "net2" {
++	type master;
++	file "fakenet2.zone";
++};
++
++zone "net.example.lll" {
++	type master;
++	file "net.example.lll";
++};
++
++zone "sub.local.tld." {
++	type master;
++	file "fakesublocaltld.zone";
++};
+diff --git a/bin/tests/system/forward/ns10/net.example.lll b/bin/tests/system/forward/ns10/net.example.lll
+new file mode 100644
+index 0000000000..ba0804fd75
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/net.example.lll
+@@ -0,0 +1,15 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0.  If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++net.example.lll.		SOA	. . 0 0 0 0 0
++net.example.lll.		NS	attackSecureDomain.net.
++didItWork.net.example.lll.	TXT	"if you can see this record the attack worked"
+diff --git a/bin/tests/system/forward/ns10/spoofednet.zone b/bin/tests/system/forward/ns10/spoofednet.zone
+new file mode 100644
+index 0000000000..fb70a4372b
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/spoofednet.zone
+@@ -0,0 +1,16 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0.  If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++spoofed.net.		SOA	. . 0 0 0 0 0
++spoofed.net.		NS	ns.spoofed.net.
++ns.spoofed.net.		A	10.53.0.10
++spoofed.net.		TXT	"this record is clearly spoofed"
+diff --git a/bin/tests/system/forward/ns2/tld.db b/bin/tests/system/forward/ns2/tld.db
+index 61b6569b07..819210dc05 100644
+--- a/bin/tests/system/forward/ns2/tld.db
++++ b/bin/tests/system/forward/ns2/tld.db
+@@ -10,3 +10,9 @@ $TTL 300	; 5 minutes
+ ns			A	10.53.0.2
+ sld			NS	ns.sld
+ ns.sld			A	10.53.0.1
++local			NS	ns.local
++ns.local		A	10.53.0.9
++sibling			NS	ns.sibling
++ns.sibling		A	10.53.0.4
++sibling			NS	ns.sub.local
++ns.sub.local		A	10.53.0.10
+diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in
+index 855b4bfb82..85349aa97e 100644
+--- a/bin/tests/system/forward/ns4/named.conf.in
++++ b/bin/tests/system/forward/ns4/named.conf.in
+@@ -60,3 +60,8 @@ zone "malicious." {
+ 	type primary;
+ 	file "malicious.db";
+ };
++
++zone "sibling.tld" {
++	type primary;
++	file "sibling.tld.db";
++};
+diff --git a/bin/tests/system/forward/ns4/sibling.tld.db b/bin/tests/system/forward/ns4/sibling.tld.db
+new file mode 100644
+index 0000000000..fe080ae974
+--- /dev/null
++++ b/bin/tests/system/forward/ns4/sibling.tld.db
+@@ -0,0 +1,22 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0.  If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL    86400
++@       IN      SOA     malicious. admin.malicious. (
++                              1         ; Serial
++                         604800         ; Refresh
++                          86400         ; Retry
++                        2419200         ; Expire
++                          86400 )       ; Negative Cache TTL
++
++@           IN    NS      ns
++
++ns          IN    A       10.53.0.4
+diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in
+index 531ff59ece..f752eae885 100644
+--- a/bin/tests/system/forward/ns8/named.conf.in
++++ b/bin/tests/system/forward/ns8/named.conf.in
+@@ -26,3 +26,8 @@ zone "." {
+ 	type hint;
+ 	file "root.db";
+ };
++
++zone "sub.local.tld" {
++	type primary;
++	file "sub.local.tld.db";
++};
+diff --git a/bin/tests/system/forward/ns8/sub.local.tld.db b/bin/tests/system/forward/ns8/sub.local.tld.db
+new file mode 100644
+index 0000000000..f2234c754e
+--- /dev/null
++++ b/bin/tests/system/forward/ns8/sub.local.tld.db
+@@ -0,0 +1,15 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0.  If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++sub.local.tld.		3600	IN	SOA	. . 0 0 0 0 0
++sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
++sub.local.tld.		3600	IN	TXT	good
++ns.sub.local.tld.	3600	IN	A	10.53.0.8
+diff --git a/bin/tests/system/forward/ns9/local.net.db b/bin/tests/system/forward/ns9/local.net.db
+new file mode 100644
+index 0000000000..af0d2a5a67
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/local.net.db
+@@ -0,0 +1,16 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0.  If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++local.net.		3600	IN	SOA	. . 0 0 0 0 0
++local.net.		3600	IN	NS	localhost.
++ns.local.net.		3600	IN	A	10.53.0.9
++txt.local.net.		3600	IN	TXT	"something in the local auth zone"
++sub.local.net.		3600	IN	NS	ns.spoofed.net.  ; attacker will try to override this
+diff --git a/bin/tests/system/forward/ns9/local.tld.db b/bin/tests/system/forward/ns9/local.tld.db
+new file mode 100644
+index 0000000000..876a9139da
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/local.tld.db
+@@ -0,0 +1,15 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0.  If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++local.tld.		3600	IN	SOA	. . 0 0 0 0 0
++local.tld.		3600	IN	NS	localhost.
++sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
++ns.sub.local.tld.	3600	IN	A	10.53.0.8
+diff --git a/bin/tests/system/forward/ns9/named1.conf.in b/bin/tests/system/forward/ns9/named1.conf.in
+new file mode 100644
+index 0000000000..be9a43842f
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/named1.conf.in
+@@ -0,0 +1,67 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * SPDX-License-Identifier: MPL-2.0
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0.  If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++	query-source address 10.53.0.9;
++	notify-source 10.53.0.9;
++	transfer-source 10.53.0.9;
++	port @PORT@;
++	pid-file "named.pid";
++	listen-on { 10.53.0.9; };
++	listen-on-v6 { none; };
++	dnssec-validation no;
++	edns-udp-size 1232;
++};
++
++key rndc_key {
++	secret "1234abcd8765";
++	algorithm hmac-sha256;
++};
++
++controls {
++	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++server 10.53.0.10 {
++	edns no;
++};
++
++server 10.53.0.11 {
++	edns no;
++};
++
++zone "." {
++	type hint;
++	file "root.db";
++};
++
++zone "attacksecuredomain.net." {
++	type forward;
++	forwarders { 10.53.0.10; };
++};
++
++zone "attacksecuredomain.net2." {
++	type forward;
++	forwarders { 10.53.0.10; };
++};
++
++zone "attacksecuredomain.net3." {
++	type forward;
++	forwarders { 10.53.0.11; };
++};
++
++zone "local.net." {
++	type primary;
++	file "local.net.db";
++	forwarders {};
++};
+diff --git a/bin/tests/system/forward/ns9/named2.conf.in b/bin/tests/system/forward/ns9/named2.conf.in
+new file mode 100644
+index 0000000000..2c40b42a0c
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/named2.conf.in
+@@ -0,0 +1,70 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * SPDX-License-Identifier: MPL-2.0
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0.  If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++	query-source address 10.53.0.9;
++	notify-source 10.53.0.9;
++	transfer-source 10.53.0.9;
++	port @PORT@;
++	pid-file "named.pid";
++	listen-on { 10.53.0.9; };
++	listen-on-v6 { none; };
++	dnssec-validation no;
++	edns-udp-size 1232;
++};
++
++key rndc_key {
++	secret "1234abcd8765";
++	algorithm hmac-sha256;
++};
++
++controls {
++	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++server 10.53.0.10 {
++	edns no;
++};
++
++server 10.53.0.11 {
++	edns no;
++};
++
++zone "." {
++	type hint;
++	file "root.db";
++};
++
++zone "attacksecuredomain.net." {
++	type forward;
++	forward only;
++	forwarders { 10.53.0.10; };
++};
++
++zone "attacksecuredomain.net2." {
++	type forward;
++	forward only;
++	forwarders { 10.53.0.10; };
++};
++
++zone "attacksecuredomain.net3." {
++	type forward;
++	forward only;
++	forwarders { 10.53.0.11; };
++};
++
++zone "local.net." {
++	type primary;
++	file "local.net.db";
++	forwarders {};
++};
+diff --git a/bin/tests/system/forward/ns9/named3.conf.in b/bin/tests/system/forward/ns9/named3.conf.in
+new file mode 100644
+index 0000000000..576f57c10b
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/named3.conf.in
+@@ -0,0 +1,50 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * SPDX-License-Identifier: MPL-2.0
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0.  If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++	query-source address 10.53.0.9;
++	notify-source 10.53.0.9;
++	transfer-source 10.53.0.9;
++	port @PORT@;
++	pid-file "named.pid";
++	listen-on { 10.53.0.9; };
++	listen-on-v6 { none; };
++	dnssec-validation no;
++	edns-udp-size 1232;
++	forward only;
++	forwarders { 10.53.0.10; };
++};
++
++key rndc_key {
++	secret "1234abcd8765";
++	algorithm hmac-sha256;
++};
++
++controls {
++	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++server 10.53.0.10 {
++	edns no;
++};
++
++zone "." {
++	type hint;
++	file "root.db";
++};
++
++zone "local.net." {
++	type primary;
++	file "local.net.db";
++	forwarders {};
++};
+diff --git a/bin/tests/system/forward/ns9/named4.conf.in b/bin/tests/system/forward/ns9/named4.conf.in
+new file mode 100644
+index 0000000000..5cd7d84109
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/named4.conf.in
+@@ -0,0 +1,47 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * SPDX-License-Identifier: MPL-2.0
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0.  If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++	query-source address 10.53.0.9;
++	notify-source 10.53.0.9;
++	transfer-source 10.53.0.9;
++	port @PORT@;
++	pid-file "named.pid";
++	listen-on { 10.53.0.9; };
++	listen-on-v6 { none; };
++	dnssec-validation no;
++	edns-udp-size 1232;
++};
++
++key rndc_key {
++	secret "1234abcd8765";
++	algorithm hmac-sha256;
++};
++
++controls {
++	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++server 10.53.0.10 {
++	edns no;
++};
++
++zone "." {
++	type hint;
++	file "root.db";
++};
++
++zone "local.tld." {
++	type primary;
++	file "local.tld.db";
++};
+diff --git a/bin/tests/system/forward/ns9/root.db b/bin/tests/system/forward/ns9/root.db
+new file mode 100644
+index 0000000000..2cbdff5977
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/root.db
+@@ -0,0 +1,13 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0.  If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++.			NS	a.root-servers.nil.
++a.root-servers.nil.	A	10.53.0.1
+diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh
+index 21cf67b782..a56dd3c03f 100644
+--- a/bin/tests/system/forward/setup.sh
++++ b/bin/tests/system/forward/setup.sh
+@@ -19,6 +19,8 @@ copy_setports ns4/named.conf.in ns4/named.conf
+ copy_setports ns5/named.conf.in ns5/named.conf
+ copy_setports ns7/named.conf.in ns7/named.conf
+ copy_setports ns8/named.conf.in ns8/named.conf
++copy_setports ns9/named1.conf.in ns9/named.conf
++copy_setports ns10/named.conf.in ns10/named.conf
+ 
+ (
+     cd ns1
+diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
+index 6096b06ca7..dfbaf887f7 100644
+--- a/bin/tests/system/forward/tests.sh
++++ b/bin/tests/system/forward/tests.sh
+@@ -253,5 +253,127 @@ grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ 
++#
++# Check various spoofed response scenarios. The same tests will be
++# run twice, with "forward first" and "forward only" configurations.
++#
++run_spooftests () {
++    n=$((n+1))
++    echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
++    ret=0
++    # prime
++    dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
++    # check 'net' is not poisoned.
++    dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
++    grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1
++    # check 'sub.local.net' is not poisoned.
++    dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
++    grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1
++    if [ $ret != 0 ]; then echo_i "failed"; fi
++    status=$((status+ret))
++
++    n=$((n+1))
++    echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
++    ret=0
++    # prime
++    dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
++    # check that net2/DNAME is not cached
++    dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
++    grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1
++    grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1
++    if [ $ret != 0 ]; then echo_i "failed"; fi
++    status=$((status+ret))
++
++    n=$((n+1))
++    echo_i "checking spoofed response scenario 3 - extra answer ($n)"
++    ret=0
++    # prime
++    dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1
++    # check extra net3 records are not cached
++    rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
++    for try in 1 2 3 4 5; do
++        lines=$(grep "net3" ns9/named_dump.db | wc -l)
++        if [ ${lines} -eq 0 ]; then
++                sleep 1
++                continue
++        fi
++        [ ${lines} -eq 1 ] || ret=1
++        grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
++        grep -q '^local.net3' ns9/named_dump.db && ret=1
++    done
++    if [ $ret != 0 ]; then echo_i "failed"; fi
++    status=$((status+ret))
++}
++
++echo_i "checking spoofed response scenarios with forward first zones"
++run_spooftests
++
++copy_setports ns9/named2.conf.in ns9/named.conf
++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
++sleep 1
++
++echo_i "rechecking spoofed response scenarios with forward only zones"
++run_spooftests
++
++#
++# This scenario expects the spoofed response to succeed. The tests are
++# similar to the ones above, but not identical.
++#
++echo_i "rechecking spoofed response scenarios with 'forward only' set globally"
++copy_setports ns9/named3.conf.in ns9/named.conf
++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
++sleep 1
++
++n=$((n+1))
++echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
++ret=0
++# prime
++dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
++# check 'net' is poisoned.
++dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
++grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1
++# check 'sub.local.net' is poisoned.
++dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
++grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=$((status+ret))
++
++n=$((n+1))
++echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
++ret=0
++# prime
++dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
++# check that net2/DNAME is cached
++dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
++grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1
++grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=$((status+ret))
++
++#
++# This test doesn't use any forwarder clauses but is here because it
++# is similar to forwarders, as the set of servers that can populate
++# the namespace is defined by the zone content.
++#
++echo_i "rechecking spoofed response scenarios glue below local zone"
++copy_setports ns9/named4.conf.in ns9/named.conf
++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
++sleep 1
++
++n=$((n+1))
++echo_i "checking sibling glue below zone ($n)"
++ret=0
++# prime
++dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1
++# check for glue A record for sub.local.tld is not used
++dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1
++grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1
++grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=$((status+ret))
++
+ echo_i "exit status: $status"
+ [ $status -eq 0 ] || exit 1
+diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh
+index e078f3313b..2a4d955caf 100755
+--- a/bin/tests/system/ifconfig.sh
++++ b/bin/tests/system/ifconfig.sh
+@@ -12,10 +12,10 @@
+ #
+ # Set up interface aliases for bind9 system tests.
+ #
+-# IPv4: 10.53.0.{1..10}				RFC 1918
++# IPv4: 10.53.0.{1..11}				RFC 1918
+ #       10.53.1.{1..2}
+ #       10.53.2.{1..2}
+-# IPv6: fd92:7065:b8e:ffff::{1..10}		ULA
++# IPv6: fd92:7065:b8e:ffff::{1..11}		ULA
+ #       fd92:7065:b8e:99ff::{1..2}
+ #       fd92:7065:b8e:ff::{1..2}
+ #
+@@ -55,7 +55,7 @@ case "$1" in
+ 		  2) ipv6="00" ;;
+ 		  *) ipv6="" ;;
+ 		esac
+-		for ns in 1 2 3 4 5 6 7 8 9 10
++		for ns in 1 2 3 4 5 6 7 8 9 10 11
+ 		do
+ 			[ $i -gt 0 -a $ns -gt 2 ] && break
+ 			int=`expr $i \* 10 + $ns`
+@@ -160,7 +160,7 @@ case "$1" in
+ 		  2) ipv6="00" ;;
+ 		  *) ipv6="" ;;
+ 		esac
+-		for ns in 10 9 8 7 6 5 4 3 2 1
++		for ns in 11 10 9 8 7 6 5 4 3 2 1
+ 		do
+ 			[ $i -gt 0 -a $ns -gt 2 ] && continue
+ 			int=`expr $i \* 10 + $ns - 1`
+-- 
+2.34.1
+
author	CoprDistGit <infra@openeuler.org>	2024-08-05 01:38:29 +0000
committer	CoprDistGit <infra@openeuler.org>	2024-08-05 01:38:29 +0000
commit	60e6ebff61b1c2f87ec78831b610b17fbd130ae3 (patch)
tree	d14033338828a8a03b3562472148a3387b50215b /bind-9.16-CVE-2021-25220-test.patch
parent	ad69e2cec05ad6d646c8b6e1355f0e18af3b7692 (diff)