diff --git a/SOURCES/bind-9.11-CVE-2021-25220-test.patch b/SOURCES/bind-9.11-CVE-2021-25220-test.patch deleted file mode 100644 index a13f81a..0000000 --- a/SOURCES/bind-9.11-CVE-2021-25220-test.patch +++ /dev/null @@ -1,1171 +0,0 @@ -From 800ef75553881527e2406f22887e976bb1ba3bfe Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Tue, 18 Jan 2022 00:19:47 +1100 -Subject: [PATCH] Add tests for forwarder cache poisoning scenarios - -- Check that an NS in an authority section returned from a forwarder - which is above the name in a configured "forward first" or "forward - only" zone (i.e., net/NS in a response from a forwarder configured for - local.net) is not cached. -- Test that a DNAME for a parent domain will not be cached when sent - in a response from a forwarder configured to answer for a child. -- Check that glue is rejected if its name falls below that of zone - configured locally. -- Check that an extra out-of-bailiwick data in the answer section is - not cached (this was already working correctly, but was not explicitly - tested before). - -- v9_11 backport: Revert primary/secondary to master/slave, - backport rndc helper, backport ns8 config. - -(cherry picked from commit bf3fffff67e1de78e9387a93674d471bf4291604) -(cherry picked from commit 29f08170f05c2c96fb67f3b561b46aa0bae356f7) ---- - bin/tests/system/forward/ans11/ans.py | 136 ++++++++++++++++++ - bin/tests/system/forward/clean.sh | 2 + - bin/tests/system/forward/ns1/diditwork.net.db | 20 +++ - bin/tests/system/forward/ns1/named.conf.in | 20 +++ - bin/tests/system/forward/ns1/net.example.lll | 13 ++ - bin/tests/system/forward/ns1/spoofed.net.db | 20 +++ - bin/tests/system/forward/ns1/sub.local.net.db | 20 +++ - bin/tests/system/forward/ns10/fakenet.zone | 15 ++ - bin/tests/system/forward/ns10/fakenet2.zone | 13 ++ - .../system/forward/ns10/fakesublocalnet.zone | 13 ++ - .../system/forward/ns10/fakesublocaltld.zone | 13 ++ - bin/tests/system/forward/ns10/named.conf.in | 51 +++++++ - bin/tests/system/forward/ns10/net.example.lll | 13 ++ - bin/tests/system/forward/ns10/spoofednet.zone | 14 ++ - bin/tests/system/forward/ns4/named.conf.in | 5 + - bin/tests/system/forward/ns4/sibling.tld.db | 20 +++ - bin/tests/system/forward/ns8/named.conf.in | 33 +++++ - bin/tests/system/forward/ns8/root.db | 11 ++ - bin/tests/system/forward/ns8/sub.local.tld.db | 13 ++ - bin/tests/system/forward/ns9/local.net.db | 14 ++ - bin/tests/system/forward/ns9/local.tld.db | 13 ++ - bin/tests/system/forward/ns9/named1.conf.in | 65 +++++++++ - bin/tests/system/forward/ns9/named2.conf.in | 68 +++++++++ - bin/tests/system/forward/ns9/named3.conf.in | 48 +++++++ - bin/tests/system/forward/ns9/named4.conf.in | 45 ++++++ - bin/tests/system/forward/ns9/root.db | 11 ++ - bin/tests/system/forward/prereq.sh | 14 ++ - bin/tests/system/forward/setup.sh | 3 + - bin/tests/system/forward/tests.sh | 126 ++++++++++++++++ - bin/tests/system/ifconfig.sh | 8 +- - 30 files changed, 856 insertions(+), 4 deletions(-) - create mode 100644 bin/tests/system/forward/ans11/ans.py - create mode 100644 bin/tests/system/forward/ns1/diditwork.net.db - create mode 100644 bin/tests/system/forward/ns1/net.example.lll - create mode 100644 bin/tests/system/forward/ns1/spoofed.net.db - create mode 100644 bin/tests/system/forward/ns1/sub.local.net.db - create mode 100644 bin/tests/system/forward/ns10/fakenet.zone - create mode 100644 bin/tests/system/forward/ns10/fakenet2.zone - create mode 100644 bin/tests/system/forward/ns10/fakesublocalnet.zone - create mode 100644 bin/tests/system/forward/ns10/fakesublocaltld.zone - create mode 100644 bin/tests/system/forward/ns10/named.conf.in - create mode 100644 bin/tests/system/forward/ns10/net.example.lll - create mode 100644 bin/tests/system/forward/ns10/spoofednet.zone - create mode 100644 bin/tests/system/forward/ns4/sibling.tld.db - create mode 100644 bin/tests/system/forward/ns8/named.conf.in - create mode 100644 bin/tests/system/forward/ns8/root.db - create mode 100644 bin/tests/system/forward/ns8/sub.local.tld.db - create mode 100644 bin/tests/system/forward/ns9/local.net.db - create mode 100644 bin/tests/system/forward/ns9/local.tld.db - create mode 100644 bin/tests/system/forward/ns9/named1.conf.in - create mode 100644 bin/tests/system/forward/ns9/named2.conf.in - create mode 100644 bin/tests/system/forward/ns9/named3.conf.in - create mode 100644 bin/tests/system/forward/ns9/named4.conf.in - create mode 100644 bin/tests/system/forward/ns9/root.db - -diff --git a/bin/tests/system/forward/ans11/ans.py b/bin/tests/system/forward/ans11/ans.py -new file mode 100644 -index 0000000000..2956cf6eff ---- /dev/null -+++ b/bin/tests/system/forward/ans11/ans.py -@@ -0,0 +1,136 @@ -+############################################################################ -+# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+# -+# This Source Code Form is subject to the terms of the Mozilla Public -+# License, v. 2.0. If a copy of the MPL was not distributed with this -+# file, you can obtain one at https://mozilla.org/MPL/2.0/. -+# -+# See the COPYRIGHT file distributed with this work for additional -+# information regarding copyright ownership. -+############################################################################ -+ -+from __future__ import print_function -+import os -+import sys -+import signal -+import socket -+import select -+from datetime import datetime, timedelta -+import time -+import functools -+ -+import dns, dns.message, dns.query, dns.flags -+from dns.rdatatype import * -+from dns.rdataclass import * -+from dns.rcode import * -+from dns.name import * -+ -+# Log query to file -+def logquery(type, qname): -+ with open("qlog", "a") as f: -+ f.write("%s %s\n", type, qname) -+ -+############################################################################ -+# Respond to a DNS query. -+############################################################################ -+def create_response(msg): -+ m = dns.message.from_wire(msg) -+ qname = m.question[0].name.to_text() -+ rrtype = m.question[0].rdtype -+ typename = dns.rdatatype.to_text(rrtype) -+ -+ with open("query.log", "a") as f: -+ f.write("%s %s\n" % (typename, qname)) -+ print("%s %s" % (typename, qname), end=" ") -+ -+ r = dns.message.make_response(m) -+ r.set_rcode(NOERROR) -+ if rrtype == A: -+ tld=qname.split('.')[-2] + '.' -+ ns="local." + tld -+ r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11")) -+ r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." + tld)) -+ r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11")) -+ elif rrtype == NS: -+ r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, ".")) -+ elif rrtype == SOA: -+ r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) -+ else: -+ r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) -+ r.flags |= dns.flags.AA -+ return r -+ -+def sigterm(signum, frame): -+ print ("Shutting down now...") -+ os.remove('ans.pid') -+ running = False -+ sys.exit(0) -+ -+############################################################################ -+# Main -+# -+# Set up responder and control channel, open the pid file, and start -+# the main loop, listening for queries on the query channel or commands -+# on the control channel and acting on them. -+############################################################################ -+ip4 = "10.53.0.11" -+ip6 = "fd92:7065:b8e:ffff::11" -+ -+try: port=int(os.environ['PORT']) -+except: port=5300 -+ -+query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) -+query4_socket.bind((ip4, port)) -+havev6 = True -+try: -+ query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) -+ try: -+ query6_socket.bind((ip6, port)) -+ except: -+ query6_socket.close() -+ havev6 = False -+except: -+ havev6 = False -+signal.signal(signal.SIGTERM, sigterm) -+ -+f = open('ans.pid', 'w') -+pid = os.getpid() -+print (pid, file=f) -+f.close() -+ -+running = True -+ -+print ("Listening on %s port %d" % (ip4, port)) -+if havev6: -+ print ("Listening on %s port %d" % (ip6, port)) -+print ("Ctrl-c to quit") -+ -+if havev6: -+ input = [query4_socket, query6_socket] -+else: -+ input = [query4_socket] -+ -+while running: -+ try: -+ inputready, outputready, exceptready = select.select(input, [], []) -+ except select.error as e: -+ break -+ except socket.error as e: -+ break -+ except KeyboardInterrupt: -+ break -+ -+ for s in inputready: -+ if s == query4_socket or s == query6_socket: -+ print ("Query received on %s" % -+ (ip4 if s == query4_socket else ip6), end=" ") -+ # Handle incoming queries -+ msg = s.recvfrom(65535) -+ rsp = create_response(msg[0]) -+ if rsp: -+ print(dns.rcode.to_text(rsp.rcode())) -+ s.sendto(rsp.to_wire(), msg[1]) -+ else: -+ print("NO RESPONSE") -+ if not running: -+ break -diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh -index 26e4e76db6..26a550db49 100644 ---- a/bin/tests/system/forward/clean.sh -+++ b/bin/tests/system/forward/clean.sh -@@ -10,8 +10,10 @@ - # - # Clean up after forward tests. - # -+rm -f ./ans11/query.log - rm -f ./dig.out.* - rm -f ./*/named.conf - rm -f ./*/named.memstats - rm -f ./*/named.run ./*/named.run.prev -+rm -f ./*/named_dump.db - rm -f ./ns*/named.lock -diff --git a/bin/tests/system/forward/ns1/diditwork.net.db b/bin/tests/system/forward/ns1/diditwork.net.db -new file mode 100644 -index 0000000000..be9a7f72bc ---- /dev/null -+++ b/bin/tests/system/forward/ns1/diditwork.net.db -@@ -0,0 +1,20 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 300 ; 5 minutes -+@ IN SOA ns root ( -+ 2000082401 ; serial -+ 1800 ; refresh (30 minutes) -+ 1800 ; retry (30 minutes) -+ 1814400 ; expire (3 weeks) -+ 3600 ; minimum (1 hour) -+ ) -+ NS ns -+ TXT "recursed" -+ns A 10.53.0.1 -diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in -index 9904f37ef5..1c31d84608 100644 ---- a/bin/tests/system/forward/ns1/named.conf.in -+++ b/bin/tests/system/forward/ns1/named.conf.in -@@ -54,3 +54,23 @@ zone "example5." { - zone "example6" { - type forward; - }; -+ -+zone "diditwork.net" { -+ type master; -+ file "diditwork.net.db"; -+}; -+ -+zone "spoofed.net" { -+ type master; -+ file "spoofed.net.db"; -+}; -+ -+zone "sub.local.net" { -+ type master; -+ file "sub.local.net.db"; -+}; -+ -+zone "net.example.lll" { -+ type master; -+ file "net.example.lll"; -+}; -diff --git a/bin/tests/system/forward/ns1/net.example.lll b/bin/tests/system/forward/ns1/net.example.lll -new file mode 100644 -index 0000000000..d179853fa5 ---- /dev/null -+++ b/bin/tests/system/forward/ns1/net.example.lll -@@ -0,0 +1,13 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+net.example.lll. SOA . . 0 0 0 0 0 -+net.example.lll. NS attackSecureDomain.net. -+didItWork.net.example.lll. TXT "if you can see this record the attack worked" -diff --git a/bin/tests/system/forward/ns1/spoofed.net.db b/bin/tests/system/forward/ns1/spoofed.net.db -new file mode 100644 -index 0000000000..d498d5fa0d ---- /dev/null -+++ b/bin/tests/system/forward/ns1/spoofed.net.db -@@ -0,0 +1,20 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 300 ; 5 minutes -+@ IN SOA ns root ( -+ 2000082401 ; serial -+ 1800 ; refresh (30 minutes) -+ 1800 ; retry (30 minutes) -+ 1814400 ; expire (3 weeks) -+ 3600 ; minimum (1 hour) -+ ) -+ NS ns -+ns A 10.53.0.1 -+sub TXT "recursed" -diff --git a/bin/tests/system/forward/ns1/sub.local.net.db b/bin/tests/system/forward/ns1/sub.local.net.db -new file mode 100644 -index 0000000000..be9a7f72bc ---- /dev/null -+++ b/bin/tests/system/forward/ns1/sub.local.net.db -@@ -0,0 +1,20 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 300 ; 5 minutes -+@ IN SOA ns root ( -+ 2000082401 ; serial -+ 1800 ; refresh (30 minutes) -+ 1800 ; retry (30 minutes) -+ 1814400 ; expire (3 weeks) -+ 3600 ; minimum (1 hour) -+ ) -+ NS ns -+ TXT "recursed" -+ns A 10.53.0.1 -diff --git a/bin/tests/system/forward/ns10/fakenet.zone b/bin/tests/system/forward/ns10/fakenet.zone -new file mode 100644 -index 0000000000..14e5c777cb ---- /dev/null -+++ b/bin/tests/system/forward/ns10/fakenet.zone -@@ -0,0 +1,15 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+net. SOA . . 0 0 0 0 0 -+net. NS attackSecureDomain.net. -+attackSecureDomain.net. A 10.53.0.10 -+didItWork.net. TXT "if you can see this record the attack worked" -+ns.spoofed.net. A 10.53.0.10 -diff --git a/bin/tests/system/forward/ns10/fakenet2.zone b/bin/tests/system/forward/ns10/fakenet2.zone -new file mode 100644 -index 0000000000..7ca28a934e ---- /dev/null -+++ b/bin/tests/system/forward/ns10/fakenet2.zone -@@ -0,0 +1,13 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+net2. SOA . . 0 0 0 0 0 -+net2. NS attackSecureDomain.net. -+net2. DNAME net.example.lll. -diff --git a/bin/tests/system/forward/ns10/fakesublocalnet.zone b/bin/tests/system/forward/ns10/fakesublocalnet.zone -new file mode 100644 -index 0000000000..6caa071891 ---- /dev/null -+++ b/bin/tests/system/forward/ns10/fakesublocalnet.zone -@@ -0,0 +1,13 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+sub.local.net. SOA . . 0 0 0 0 0 -+sub.local.net. NS ns.spoofed.net. -+sub.local.net. TXT "if you see this attacker overrode local delegation" -diff --git a/bin/tests/system/forward/ns10/fakesublocaltld.zone b/bin/tests/system/forward/ns10/fakesublocaltld.zone -new file mode 100644 -index 0000000000..6a431de47f ---- /dev/null -+++ b/bin/tests/system/forward/ns10/fakesublocaltld.zone -@@ -0,0 +1,13 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 -+sub.local.tld. 3600 IN NS ns.sub.local.tld. -+sub.local.tld. 3600 IN TXT bad -+ns.sub.local.tld. 3600 IN A 10.53.0.8 -diff --git a/bin/tests/system/forward/ns10/named.conf.in b/bin/tests/system/forward/ns10/named.conf.in -new file mode 100644 -index 0000000000..025c108418 ---- /dev/null -+++ b/bin/tests/system/forward/ns10/named.conf.in -@@ -0,0 +1,51 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, you can obtain one at https://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+options { -+ query-source address 10.53.0.10; -+ notify-source 10.53.0.10; -+ transfer-source 10.53.0.10; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.10; }; -+ listen-on-v6 { none; }; -+ minimal-responses no; -+}; -+ -+zone "net." { -+ type master; -+ file "fakenet.zone"; -+}; -+ -+zone "spoofed.net." { -+ type master; -+ file "spoofednet.zone"; -+}; -+ -+zone "sub.local.net." { -+ type master; -+ file "fakesublocalnet.zone"; -+}; -+ -+zone "net2" { -+ type master; -+ file "fakenet2.zone"; -+}; -+ -+zone "net.example.lll" { -+ type master; -+ file "net.example.lll"; -+}; -+ -+zone "sub.local.tld." { -+ type master; -+ file "fakesublocaltld.zone"; -+}; -diff --git a/bin/tests/system/forward/ns10/net.example.lll b/bin/tests/system/forward/ns10/net.example.lll -new file mode 100644 -index 0000000000..d179853fa5 ---- /dev/null -+++ b/bin/tests/system/forward/ns10/net.example.lll -@@ -0,0 +1,13 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+net.example.lll. SOA . . 0 0 0 0 0 -+net.example.lll. NS attackSecureDomain.net. -+didItWork.net.example.lll. TXT "if you can see this record the attack worked" -diff --git a/bin/tests/system/forward/ns10/spoofednet.zone b/bin/tests/system/forward/ns10/spoofednet.zone -new file mode 100644 -index 0000000000..13921a08cd ---- /dev/null -+++ b/bin/tests/system/forward/ns10/spoofednet.zone -@@ -0,0 +1,14 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+spoofed.net. SOA . . 0 0 0 0 0 -+spoofed.net. NS ns.spoofed.net. -+ns.spoofed.net. A 10.53.0.10 -+spoofed.net. TXT "this record is clearly spoofed" -diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in -index d42a9eb797..6db65e71bc 100644 ---- a/bin/tests/system/forward/ns4/named.conf.in -+++ b/bin/tests/system/forward/ns4/named.conf.in -@@ -60,3 +60,8 @@ zone "malicious." { - type master; - file "malicious.db"; - }; -+ -+zone "sibling.tld" { -+ type master; -+ file "sibling.tld.db"; -+}; -diff --git a/bin/tests/system/forward/ns4/sibling.tld.db b/bin/tests/system/forward/ns4/sibling.tld.db -new file mode 100644 -index 0000000000..58037d093b ---- /dev/null -+++ b/bin/tests/system/forward/ns4/sibling.tld.db -@@ -0,0 +1,20 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+@ IN SOA malicious. admin.malicious. ( -+ 1 ; Serial -+ 604800 ; Refresh -+ 86400 ; Retry -+ 2419200 ; Expire -+ 86400 ) ; Negative Cache TTL -+ -+@ IN NS ns -+ -+ns IN A 10.53.0.4 -diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in -new file mode 100644 -index 0000000000..9260f69ded ---- /dev/null -+++ b/bin/tests/system/forward/ns8/named.conf.in -@@ -0,0 +1,33 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, you can obtain one at https://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+options { -+ query-source address 10.53.0.8; -+ notify-source 10.53.0.8; -+ transfer-source 10.53.0.8; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.8; }; -+ listen-on-v6 { none; }; -+ forwarders { 10.53.0.2; }; // returns referrals -+ forward first; -+ dnssec-validation yes; -+}; -+ -+zone "." { -+ type hint; -+ file "root.db"; -+}; -+ -+zone "sub.local.tld" { -+ type master; -+ file "sub.local.tld.db"; -+}; -diff --git a/bin/tests/system/forward/ns8/root.db b/bin/tests/system/forward/ns8/root.db -new file mode 100644 -index 0000000000..4f30322270 ---- /dev/null -+++ b/bin/tests/system/forward/ns8/root.db -@@ -0,0 +1,11 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+. NS a.root-servers.nil. -+a.root-servers.nil. A 10.53.0.1 -diff --git a/bin/tests/system/forward/ns8/sub.local.tld.db b/bin/tests/system/forward/ns8/sub.local.tld.db -new file mode 100644 -index 0000000000..eb20683ae9 ---- /dev/null -+++ b/bin/tests/system/forward/ns8/sub.local.tld.db -@@ -0,0 +1,13 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 -+sub.local.tld. 3600 IN NS ns.sub.local.tld. -+sub.local.tld. 3600 IN TXT good -+ns.sub.local.tld. 3600 IN A 10.53.0.8 -diff --git a/bin/tests/system/forward/ns9/local.net.db b/bin/tests/system/forward/ns9/local.net.db -new file mode 100644 -index 0000000000..2c971e1e93 ---- /dev/null -+++ b/bin/tests/system/forward/ns9/local.net.db -@@ -0,0 +1,14 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+local.net. 3600 IN SOA . . 0 0 0 0 0 -+local.net. 3600 IN NS localhost. -+ns.local.net. 3600 IN A 10.53.0.9 -+txt.local.net. 3600 IN TXT "something in the local auth zone" -+sub.local.net. 3600 IN NS ns.spoofed.net. ; attacker will try to override this -diff --git a/bin/tests/system/forward/ns9/local.tld.db b/bin/tests/system/forward/ns9/local.tld.db -new file mode 100644 -index 0000000000..59403915fb ---- /dev/null -+++ b/bin/tests/system/forward/ns9/local.tld.db -@@ -0,0 +1,13 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+local.tld. 3600 IN SOA . . 0 0 0 0 0 -+local.tld. 3600 IN NS localhost. -+sub.local.tld. 3600 IN NS ns.sub.local.tld. -+ns.sub.local.tld. 3600 IN A 10.53.0.8 -diff --git a/bin/tests/system/forward/ns9/named1.conf.in b/bin/tests/system/forward/ns9/named1.conf.in -new file mode 100644 -index 0000000000..943e037d09 ---- /dev/null -+++ b/bin/tests/system/forward/ns9/named1.conf.in -@@ -0,0 +1,65 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, you can obtain one at https://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+options { -+ query-source address 10.53.0.9; -+ notify-source 10.53.0.9; -+ transfer-source 10.53.0.9; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.9; }; -+ listen-on-v6 { none; }; -+ dnssec-validation no; -+ edns-udp-size 1232; -+}; -+ -+key rndc_key { -+ secret "1234abcd8765"; -+ algorithm hmac-sha256; -+}; -+ -+controls { -+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -+}; -+ -+server 10.53.0.10 { -+ edns no; -+}; -+ -+server 10.53.0.11 { -+ edns no; -+}; -+ -+zone "." { -+ type hint; -+ file "root.db"; -+}; -+ -+zone "attacksecuredomain.net." { -+ type forward; -+ forwarders { 10.53.0.10; }; -+}; -+ -+zone "attacksecuredomain.net2." { -+ type forward; -+ forwarders { 10.53.0.10; }; -+}; -+ -+zone "attacksecuredomain.net3." { -+ type forward; -+ forwarders { 10.53.0.11; }; -+}; -+ -+zone "local.net." { -+ type master; -+ file "local.net.db"; -+ forwarders {}; -+}; -diff --git a/bin/tests/system/forward/ns9/named2.conf.in b/bin/tests/system/forward/ns9/named2.conf.in -new file mode 100644 -index 0000000000..5a17d1998a ---- /dev/null -+++ b/bin/tests/system/forward/ns9/named2.conf.in -@@ -0,0 +1,68 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, you can obtain one at https://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+options { -+ query-source address 10.53.0.9; -+ notify-source 10.53.0.9; -+ transfer-source 10.53.0.9; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.9; }; -+ listen-on-v6 { none; }; -+ dnssec-validation no; -+ edns-udp-size 1232; -+}; -+ -+key rndc_key { -+ secret "1234abcd8765"; -+ algorithm hmac-sha256; -+}; -+ -+controls { -+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -+}; -+ -+server 10.53.0.10 { -+ edns no; -+}; -+ -+server 10.53.0.11 { -+ edns no; -+}; -+ -+zone "." { -+ type hint; -+ file "root.db"; -+}; -+ -+zone "attacksecuredomain.net." { -+ type forward; -+ forward only; -+ forwarders { 10.53.0.10; }; -+}; -+ -+zone "attacksecuredomain.net2." { -+ type forward; -+ forward only; -+ forwarders { 10.53.0.10; }; -+}; -+ -+zone "attacksecuredomain.net3." { -+ type forward; -+ forward only; -+ forwarders { 10.53.0.11; }; -+}; -+ -+zone "local.net." { -+ type master; -+ file "local.net.db"; -+ forwarders {}; -+}; -diff --git a/bin/tests/system/forward/ns9/named3.conf.in b/bin/tests/system/forward/ns9/named3.conf.in -new file mode 100644 -index 0000000000..1e70d1ae51 ---- /dev/null -+++ b/bin/tests/system/forward/ns9/named3.conf.in -@@ -0,0 +1,48 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, you can obtain one at https://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+options { -+ query-source address 10.53.0.9; -+ notify-source 10.53.0.9; -+ transfer-source 10.53.0.9; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.9; }; -+ listen-on-v6 { none; }; -+ dnssec-validation no; -+ edns-udp-size 1232; -+ forward only; -+ forwarders { 10.53.0.10; }; -+}; -+ -+key rndc_key { -+ secret "1234abcd8765"; -+ algorithm hmac-sha256; -+}; -+ -+controls { -+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -+}; -+ -+server 10.53.0.10 { -+ edns no; -+}; -+ -+zone "." { -+ type hint; -+ file "root.db"; -+}; -+ -+zone "local.net." { -+ type master; -+ file "local.net.db"; -+ forwarders {}; -+}; -diff --git a/bin/tests/system/forward/ns9/named4.conf.in b/bin/tests/system/forward/ns9/named4.conf.in -new file mode 100644 -index 0000000000..6f7b1075b5 ---- /dev/null -+++ b/bin/tests/system/forward/ns9/named4.conf.in -@@ -0,0 +1,45 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, you can obtain one at https://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+options { -+ query-source address 10.53.0.9; -+ notify-source 10.53.0.9; -+ transfer-source 10.53.0.9; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.9; }; -+ listen-on-v6 { none; }; -+ dnssec-validation no; -+ edns-udp-size 1232; -+}; -+ -+key rndc_key { -+ secret "1234abcd8765"; -+ algorithm hmac-sha256; -+}; -+ -+controls { -+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -+}; -+ -+server 10.53.0.10 { -+ edns no; -+}; -+ -+zone "." { -+ type hint; -+ file "root.db"; -+}; -+ -+zone "local.tld." { -+ type master; -+ file "local.tld.db"; -+}; -diff --git a/bin/tests/system/forward/ns9/root.db b/bin/tests/system/forward/ns9/root.db -new file mode 100644 -index 0000000000..4f30322270 ---- /dev/null -+++ b/bin/tests/system/forward/ns9/root.db -@@ -0,0 +1,11 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+. NS a.root-servers.nil. -+a.root-servers.nil. A 10.53.0.1 -diff --git a/bin/tests/system/forward/prereq.sh b/bin/tests/system/forward/prereq.sh -index d2ca8fc2bf..53fb5817df 100644 ---- a/bin/tests/system/forward/prereq.sh -+++ b/bin/tests/system/forward/prereq.sh -@@ -12,6 +12,20 @@ - SYSTEMTESTTOP=.. - . $SYSTEMTESTTOP/conf.sh - -+if test -n "$PYTHON" -+then -+ if $PYTHON -c "import dns" 2> /dev/null -+ then -+ : -+ else -+ echo_i "This test requires the dnspython module." >&2 -+ exit 1 -+ fi -+else -+ echo_i "This test requires Python and the dnspython module." >&2 -+ exit 1 -+fi -+ - if $PERL -e 'use Net::DNS;' 2>/dev/null - then - : -diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh -index 87452b9a88..18e81d277d 100644 ---- a/bin/tests/system/forward/setup.sh -+++ b/bin/tests/system/forward/setup.sh -@@ -18,3 +18,6 @@ copy_setports ns3/named.conf.in ns3/named.conf - copy_setports ns4/named.conf.in ns4/named.conf - copy_setports ns5/named.conf.in ns5/named.conf - copy_setports ns7/named.conf.in ns7/named.conf -+copy_setports ns8/named.conf.in ns8/named.conf -+copy_setports ns9/named1.conf.in ns9/named.conf -+copy_setports ns10/named.conf.in ns10/named.conf -diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh -index e3549c5bc7..ce9b309a27 100644 ---- a/bin/tests/system/forward/tests.sh -+++ b/bin/tests/system/forward/tests.sh -@@ -19,6 +19,10 @@ sendcmd() ( - "$PERL" ../send.pl 10.53.0.6 "$EXTRAPORT1" - ) - -+rndccmd() { -+ "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" -+} -+ - root=10.53.0.1 - hidden=10.53.0.2 - f1=10.53.0.3 -@@ -223,5 +227,127 @@ if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - -+# -+# Check various spoofed response scenarios. The same tests will be -+# run twice, with "forward first" and "forward only" configurations. -+# -+run_spooftests () { -+ n=$((n+1)) -+ echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" -+ ret=0 -+ # prime -+ dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 -+ # check 'net' is not poisoned. -+ dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 -+ grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1 -+ # check 'sub.local.net' is not poisoned. -+ dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 -+ grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1 -+ if [ $ret != 0 ]; then echo_i "failed"; fi -+ status=$((status+ret)) -+ -+ n=$((n+1)) -+ echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" -+ ret=0 -+ # prime -+ dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 -+ # check that net2/DNAME is not cached -+ dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 -+ grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1 -+ grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1 -+ if [ $ret != 0 ]; then echo_i "failed"; fi -+ status=$((status+ret)) -+ -+ n=$((n+1)) -+ echo_i "checking spoofed response scenario 3 - extra answer ($n)" -+ ret=0 -+ # prime -+ dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1 -+ # check extra net3 records are not cached -+ rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i -+ for try in 1 2 3 4 5; do -+ lines=$(grep "net3" ns9/named_dump.db | wc -l) -+ if [ ${lines} -eq 0 ]; then -+ sleep 1 -+ continue -+ fi -+ [ ${lines} -eq 1 ] || ret=1 -+ grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 -+ grep -q '^local.net3' ns9/named_dump.db && ret=1 -+ done -+ if [ $ret != 0 ]; then echo_i "failed"; fi -+ status=$((status+ret)) -+} -+ -+echo_i "checking spoofed response scenarios with forward first zones" -+run_spooftests -+ -+copy_setports ns9/named2.conf.in ns9/named.conf -+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i -+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i -+sleep 1 -+ -+echo_i "rechecking spoofed response scenarios with forward only zones" -+run_spooftests -+ -+# -+# This scenario expects the spoofed response to succeed. The tests are -+# similar to the ones above, but not identical. -+# -+echo_i "rechecking spoofed response scenarios with 'forward only' set globally" -+copy_setports ns9/named3.conf.in ns9/named.conf -+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i -+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i -+sleep 1 -+ -+n=$((n+1)) -+echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" -+ret=0 -+# prime -+dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 -+# check 'net' is poisoned. -+dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 -+grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1 -+# check 'sub.local.net' is poisoned. -+dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 -+grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1 -+if [ $ret != 0 ]; then echo_i "failed"; fi -+status=$((status+ret)) -+ -+n=$((n+1)) -+echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" -+ret=0 -+# prime -+dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 -+# check that net2/DNAME is cached -+dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 -+grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1 -+grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1 -+if [ $ret != 0 ]; then echo_i "failed"; fi -+status=$((status+ret)) -+ -+# -+# This test doesn't use any forwarder clauses but is here because it -+# is similar to forwarders, as the set of servers that can populate -+# the namespace is defined by the zone content. -+# -+echo_i "rechecking spoofed response scenarios glue below local zone" -+copy_setports ns9/named4.conf.in ns9/named.conf -+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i -+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i -+sleep 1 -+ -+n=$((n+1)) -+echo_i "checking sibling glue below zone ($n)" -+ret=0 -+# prime -+dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1 -+# check for glue A record for sub.local.tld is not used -+dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1 -+grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1 -+grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1 -+if [ $ret != 0 ]; then echo_i "failed"; fi -+status=$((status+ret)) -+ - echo_i "exit status: $status" - [ $status -eq 0 ] || exit 1 -diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh -index d0eb9fa61d..8b9212c3e0 100755 ---- a/bin/tests/system/ifconfig.sh -+++ b/bin/tests/system/ifconfig.sh -@@ -12,10 +12,10 @@ - # - # Set up interface aliases for bind9 system tests. - # --# IPv4: 10.53.0.{1..10} RFC 1918 -+# IPv4: 10.53.0.{1..11} RFC 1918 - # 10.53.1.{1..2} - # 10.53.2.{1..2} --# IPv6: fd92:7065:b8e:ffff::{1..10} ULA -+# IPv6: fd92:7065:b8e:ffff::{1..11} ULA - # fd92:7065:b8e:99ff::{1..2} - # fd92:7065:b8e:ff::{1..2} - # -@@ -65,7 +65,7 @@ case "$1" in - 2) ipv6="00" ;; - *) ipv6="" ;; - esac -- for ns in 1 2 3 4 5 6 7 8 9 10 -+ for ns in 1 2 3 4 5 6 7 8 9 10 11 - do - [ $i -gt 0 -a $ns -gt 2 ] && break - int=`expr $i \* 10 + $ns` -@@ -165,7 +165,7 @@ case "$1" in - 2) ipv6="00" ;; - *) ipv6="" ;; - esac -- for ns in 10 9 8 7 6 5 4 3 2 1 -+ for ns in 11 10 9 8 7 6 5 4 3 2 1 - do - [ $i -gt 0 -a $ns -gt 2 ] && continue - int=`expr $i \* 10 + $ns - 1` --- -2.34.1 - diff --git a/SOURCES/bind-9.11-CVE-2021-25220.patch b/SOURCES/bind-9.11-CVE-2021-25220.patch deleted file mode 100644 index 37f3c41..0000000 --- a/SOURCES/bind-9.11-CVE-2021-25220.patch +++ /dev/null @@ -1,254 +0,0 @@ -From 1f5cb247ecd20ba57c472138f94856aa83caf042 Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Tue, 1 Mar 2022 09:48:05 +1100 -Subject: [PATCH] Add additional name checks when using a forwarder - -When using a forwarder, check that the owner name of response -records are within the bailiwick of the forwarded name space. - -(cherry picked from commit e8df2802ac62016ea68585893eb4310fc3329028) - -Check that the forward declaration is unchanged and not overridden - -If we are using a fowarder, in addition to checking that names to -be cached are subdomains of the forwarded namespace, we must also -check that there are no subsidiary forwarded namespaces which would -take precedence. To be safe, we don't cache any responses if the -forwarding configuration has changed since the query was sent. - -(cherry picked from commit 590f8698fc876d6d72f75cf35359e7546c3af972) - -Check cached names for possible "forward only" clause - -When caching additional and glue data *not* from a forwarder, we must -check that there is no "forward only" clause covering the owner name -that would take precedence. Such names would normally be allowed by -baliwick rules, but a "forward only" zone introduces a new baliwick -scope. - -(cherry picked from commit 4a144fae16e70517be894a971cef1d085ee68ebe) - -Look for zones deeper than the current domain or forward name - -When caching glue, we need to ensure that there is no closer -source of truth for the name. If the owner name for the glue -record would be answered by a locally configured zone, do not -cache. - -(cherry picked from commit 42f8c538d3fb9d075b98d82688aeb71621798754) - -Avoid use of compound literals - -Compound literals are not used in BIND 9.11, in order to ensure backward -compatibility with ancient compilers. Rework the relevant parts of the -BIND 9.11 backport of the CVE-2021-25220 fix so that compound literals -are not used. - -(cherry picked from commit d4b1efbcbd4dfb8c6ef303968992440c5bdeed15) ---- - lib/dns/resolver.c | 130 +++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 125 insertions(+), 5 deletions(-) - -diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index c912f3aea8..2c68973899 100644 ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -63,6 +63,7 @@ - #include - #include - #include -+#include - - #ifdef WANT_QUERYTRACE - #define RTRACE(m) isc_log_write(dns_lctx, \ -@@ -312,6 +313,8 @@ struct fetchctx { - bool ns_ttl_ok; - uint32_t ns_ttl; - isc_counter_t * qc; -+ dns_fixedname_t fwdfname; -+ dns_name_t *fwdname; - - /*% - * The number of events we're waiting for. -@@ -3393,6 +3396,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { - if (result == ISC_R_SUCCESS) { - fwd = ISC_LIST_HEAD(forwarders->fwdrs); - fctx->fwdpolicy = forwarders->fwdpolicy; -+ dns_name_copy(domain, fctx->fwdname, NULL); - if (fctx->fwdpolicy == dns_fwdpolicy_only && - isstrictsubdomain(domain, &fctx->domain)) { - fcount_decr(fctx); -@@ -4422,6 +4426,9 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, - fctx->restarts = 0; - fctx->querysent = 0; - fctx->referrals = 0; -+ -+ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname); -+ - TIME_NOW(&fctx->start); - fctx->timeouts = 0; - fctx->lamecount = 0; -@@ -4480,8 +4487,10 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, - domain = dns_fixedname_initname(&fixed); - result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname, - domain, &forwarders); -- if (result == ISC_R_SUCCESS) -+ if (result == ISC_R_SUCCESS) { - fctx->fwdpolicy = forwarders->fwdpolicy; -+ dns_name_copy(domain, fctx->fwdname, NULL); -+ } - - if (fctx->fwdpolicy != dns_fwdpolicy_only) { - /* -@@ -6231,6 +6240,112 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, - rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL; - } - -+/* -+ * Returns true if 'name' is external to the namespace for which -+ * the server being queried can answer, either because it's not a -+ * subdomain or because it's below a forward declaration or a -+ * locally served zone. -+ */ -+static inline bool -+name_external(dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) { -+ isc_result_t result; -+ dns_forwarders_t *forwarders = NULL; -+ dns_fixedname_t fixed, zfixed; -+ dns_name_t *fname = dns_fixedname_initname(&fixed); -+ dns_name_t *zfname = dns_fixedname_initname(&zfixed); -+ dns_name_t *apex = NULL; -+ dns_name_t suffix; -+ dns_zone_t *zone = NULL; -+ unsigned int labels; -+ dns_namereln_t rel; -+ /* -+ * The following two variables do not influence code flow; they are -+ * only necessary for calling dns_name_fullcompare(). -+ */ -+ int _orderp = 0; -+ unsigned int _nlabelsp = 0; -+ -+ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain; -+ -+ /* -+ * The name is outside the queried namespace. -+ */ -+ rel = dns_name_fullcompare(name, apex, &_orderp, &_nlabelsp); -+ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) { -+ return (true); -+ } -+ -+ /* -+ * If the record lives in the parent zone, adjust the name so we -+ * look for the correct zone or forward clause. -+ */ -+ labels = dns_name_countlabels(name); -+ if (dns_rdatatype_atparent(type) && labels > 1U) { -+ dns_name_init(&suffix, NULL); -+ dns_name_getlabelsequence(name, 1, labels - 1, &suffix); -+ name = &suffix; -+ } else if (rel == dns_namereln_equal) { -+ /* If 'name' is 'apex', no further checking is needed. */ -+ return (false); -+ } -+ -+ /* -+ * If there is a locally served zone between 'apex' and 'name' -+ * then don't cache. -+ */ -+ LOCK(&fctx->res->view->lock); -+ if (fctx->res->view->zonetable != NULL) { -+ unsigned int options = DNS_ZTFIND_NOEXACT; -+ result = dns_zt_find(fctx->res->view->zonetable, name, options, -+ zfname, &zone); -+ if (zone != NULL) { -+ dns_zone_detach(&zone); -+ } -+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { -+ if (dns_name_fullcompare(zfname, apex, &_orderp, -+ &_nlabelsp) == -+ dns_namereln_subdomain) -+ { -+ UNLOCK(&fctx->res->view->lock); -+ return (true); -+ } -+ } -+ } -+ UNLOCK(&fctx->res->view->lock); -+ -+ /* -+ * Look for a forward declaration below 'name'. -+ */ -+ result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, fname, -+ &forwarders); -+ -+ if (ISFORWARDER(fctx->addrinfo)) { -+ /* -+ * See if the forwarder declaration is better. -+ */ -+ if (result == ISC_R_SUCCESS) { -+ return (!dns_name_equal(fname, fctx->fwdname)); -+ } -+ -+ /* -+ * If the lookup failed, the configuration must have -+ * changed: play it safe and don't cache. -+ */ -+ return (true); -+ } else if (result == ISC_R_SUCCESS && -+ forwarders->fwdpolicy == dns_fwdpolicy_only && -+ !ISC_LIST_EMPTY(forwarders->fwdrs)) -+ { -+ /* -+ * If 'name' is covered by a 'forward only' clause then we -+ * can't cache this repsonse. -+ */ -+ return (true); -+ } -+ -+ return (false); -+} -+ - static isc_result_t - check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type, - dns_section_t section) -@@ -6259,7 +6374,7 @@ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type, - result = dns_message_findname(rmessage, section, addname, - dns_rdatatype_any, 0, &name, NULL); - if (result == ISC_R_SUCCESS) { -- external = !dns_name_issubdomain(name, &fctx->domain); -+ external = name_external(name, type, fctx); - if (type == dns_rdatatype_a) { - for (rdataset = ISC_LIST_HEAD(name->list); - rdataset != NULL; -@@ -7141,6 +7256,13 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) { - break; - - case dns_namereln_subdomain: -+ /* -+ * Don't accept DNAME from parent namespace. -+ */ -+ if (name_external(name, dns_rdatatype_dname, fctx)) { -+ continue; -+ } -+ - /* - * In-scope DNAME records must have at least - * as many labels as the domain being queried. -@@ -7376,11 +7498,9 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) { - */ - result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); - while (!done && result == ISC_R_SUCCESS) { -- bool external; - name = NULL; - dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); -- external = !dns_name_issubdomain(name, &fctx->domain); -- if (!external) { -+ if (!name_external(name, dns_rdatatype_ns, fctx)) { - /* - * We expect to find NS or SIG NS rdatasets, and - * nothing else. --- -2.34.1 - diff --git a/SOURCES/bind-9.11-rh2101712.patch b/SOURCES/bind-9.11-rh2101712.patch new file mode 100644 index 0000000..e519e97 --- /dev/null +++ b/SOURCES/bind-9.11-rh2101712.patch @@ -0,0 +1,232 @@ +From fff2960981a3294ac641968a17558c8d7eecf74d Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Wed, 24 Aug 2022 12:21:50 +1000 +Subject: [PATCH] Have dns_zt_apply lock the zone table + +There where a number of places where the zone table should have +been locked, but wasn't, when dns_zt_apply was called. + +Added a isc_rwlocktype_t type parameter to dns_zt_apply and adjusted +all calls to using it. Removed locks in callers. + +Modified upstream commit for v9_11 +--- + bin/named/server.c | 11 ++++++----- + bin/named/statschannel.c | 8 ++++---- + lib/dns/include/dns/zt.h | 4 ++-- + lib/dns/tests/zt_test.c | 3 ++- + lib/dns/view.c | 3 ++- + lib/dns/zt.c | 34 +++++++++++++++++++--------------- + 6 files changed, 35 insertions(+), 28 deletions(-) + +diff --git a/bin/named/server.c b/bin/named/server.c +index 9826588e6d..0b4b309461 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -8723,8 +8723,8 @@ load_configuration(const char *filename, ns_server_t *server, + strcmp(view->name, "_bind") != 0) + { + dns_view_setviewrevert(view); +- (void)dns_zt_apply(view->zonetable, false, +- removed, view); ++ (void)dns_zt_apply(view->zonetable, isc_rwlocktype_read, ++ false, removed, view); + } + dns_view_detach(&view); + } +@@ -10090,8 +10090,8 @@ add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) { + ISC_LIST_INIT(vle->zonelist); + ISC_LIST_APPEND(dctx->viewlist, vle, link); + if (dctx->dumpzones) +- result = dns_zt_apply(view->zonetable, true, +- add_zone_tolist, dctx); ++ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read, ++ true, add_zone_tolist, dctx); + return (result); + } + +@@ -11367,7 +11367,8 @@ ns_server_sync(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) { + for (view = ISC_LIST_HEAD(server->viewlist); + view != NULL; + view = ISC_LIST_NEXT(view, link)) { +- result = dns_zt_apply(view->zonetable, false, ++ result = dns_zt_apply(view->zonetable, ++ isc_rwlocktype_none, false, + synczone, &cleanup); + if (result != ISC_R_SUCCESS && + tresult == ISC_R_SUCCESS) +diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c +index 12ab048469..9828df0f4e 100644 +--- a/bin/named/statschannel.c ++++ b/bin/named/statschannel.c +@@ -1833,8 +1833,8 @@ generatexml(ns_server_t *server, uint32_t flags, + if ((flags & STATS_XML_ZONES) != 0) { + TRY0(xmlTextWriterStartElement(writer, + ISC_XMLCHAR "zones")); +- result = dns_zt_apply(view->zonetable, true, +- zone_xmlrender, writer); ++ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read, ++ true, zone_xmlrender, writer); + if (result != ISC_R_SUCCESS) + goto error; + TRY0(xmlTextWriterEndElement(writer)); /* /zones */ +@@ -2489,8 +2489,8 @@ generatejson(ns_server_t *server, size_t *msglen, + CHECKMEM(za); + + if ((flags & STATS_JSON_ZONES) != 0) { +- result = dns_zt_apply(view->zonetable, true, +- zone_jsonrender, za); ++ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read, ++ true, zone_jsonrender, za); + if (result != ISC_R_SUCCESS) { + goto error; + } +diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h +index e658e5bb67..94212250da 100644 +--- a/lib/dns/include/dns/zt.h ++++ b/lib/dns/include/dns/zt.h +@@ -177,11 +177,11 @@ dns_zt_freezezones(dns_zt_t *zt, bool freeze); + */ + + isc_result_t +-dns_zt_apply(dns_zt_t *zt, bool stop, ++dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, + isc_result_t (*action)(dns_zone_t *, void *), void *uap); + + isc_result_t +-dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub, ++dns_zt_apply2(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub, + isc_result_t (*action)(dns_zone_t *, void *), void *uap); + /*%< + * Apply a given 'action' to all zone zones in the table. +diff --git a/lib/dns/tests/zt_test.c b/lib/dns/tests/zt_test.c +index 3f1e812d60..ee75303a50 100644 +--- a/lib/dns/tests/zt_test.c ++++ b/lib/dns/tests/zt_test.c +@@ -145,7 +145,8 @@ apply(void **state) { + assert_non_null(view->zonetable); + + assert_int_equal(nzones, 0); +- result = dns_zt_apply(view->zonetable, false, count_zone, &nzones); ++ result = dns_zt_apply2(view->zonetable, isc_rwlocktype_read, false, NULL, ++ count_zone, &nzones); + assert_int_equal(result, ISC_R_SUCCESS); + assert_int_equal(nzones, 1); + +diff --git a/lib/dns/view.c b/lib/dns/view.c +index f01b4dea0f..bd1ced2863 100644 +--- a/lib/dns/view.c ++++ b/lib/dns/view.c +@@ -676,7 +676,8 @@ dns_view_dialup(dns_view_t *view) { + REQUIRE(DNS_VIEW_VALID(view)); + REQUIRE(view->zonetable != NULL); + +- (void)dns_zt_apply(view->zonetable, false, dialup, NULL); ++ (void)dns_zt_apply2(view->zonetable, isc_rwlocktype_read, false, NULL, ++ dialup, NULL); + } + + void +diff --git a/lib/dns/zt.c b/lib/dns/zt.c +index 3f12e247e0..af65740325 100644 +--- a/lib/dns/zt.c ++++ b/lib/dns/zt.c +@@ -202,7 +202,8 @@ flush(dns_zone_t *zone, void *uap) { + static void + zt_destroy(dns_zt_t *zt) { + if (zt->flush) { +- (void)dns_zt_apply(zt, false, flush, NULL); ++ (void)dns_zt_apply(zt, isc_rwlocktype_none, ++ false, flush, NULL); + } + isc_refcount_destroy(&zt->references); + dns_rbt_destroy(&zt->table); +@@ -249,9 +250,7 @@ dns_zt_load(dns_zt_t *zt, bool stop) { + + REQUIRE(VALID_ZT(zt)); + +- RWLOCK(&zt->rwlock, isc_rwlocktype_read); +- result = dns_zt_apply(zt, stop, load, NULL); +- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read); ++ result = dns_zt_apply2(zt, isc_rwlocktype_read, stop, NULL, load, NULL); + return (result); + } + +@@ -293,7 +292,7 @@ dns_zt_asyncload2(dns_zt_t *zt, dns_zt_allloaded_t alldone, void *arg, + * Prevent loads_pending going to zero while kicking off the loads. + */ + zt->loads_pending++; +- result = dns_zt_apply2(zt, false, NULL, asyncload, ¶ms); ++ result = dns_zt_apply2(zt, isc_rwlocktype_none, false, NULL, asyncload, ¶ms); + pending = --zt->loads_pending; + if (pending != 0) { + zt->loaddone = alldone; +@@ -342,9 +341,7 @@ dns_zt_loadnew(dns_zt_t *zt, bool stop) { + + REQUIRE(VALID_ZT(zt)); + +- RWLOCK(&zt->rwlock, isc_rwlocktype_read); +- result = dns_zt_apply(zt, stop, loadnew, NULL); +- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read); ++ result = dns_zt_apply(zt, isc_rwlocktype_read, stop, loadnew, NULL); + return (result); + } + +@@ -366,9 +363,7 @@ dns_zt_freezezones(dns_zt_t *zt, bool freeze) { + + REQUIRE(VALID_ZT(zt)); + +- RWLOCK(&zt->rwlock, isc_rwlocktype_read); +- result = dns_zt_apply2(zt, false, &tresult, freezezones, &freeze); +- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read); ++ result = dns_zt_apply2(zt, isc_rwlocktype_read, false, &tresult, freezezones, &freeze); + if (tresult == ISC_R_NOTFOUND) + tresult = ISC_R_SUCCESS; + return ((result == ISC_R_SUCCESS) ? tresult : result); +@@ -490,14 +485,14 @@ dns_zt_setviewrevert(dns_zt_t *zt) { + } + + isc_result_t +-dns_zt_apply(dns_zt_t *zt, bool stop, ++dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, + isc_result_t (*action)(dns_zone_t *, void *), void *uap) + { +- return (dns_zt_apply2(zt, stop, NULL, action, uap)); ++ return (dns_zt_apply2(zt, lock, stop, NULL, action, uap)); + } + + isc_result_t +-dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub, ++dns_zt_apply2(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub, + isc_result_t (*action)(dns_zone_t *, void *), void *uap) + { + dns_rbtnode_t *node; +@@ -508,6 +503,10 @@ dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub, + REQUIRE(VALID_ZT(zt)); + REQUIRE(action != NULL); + ++ if (lock != isc_rwlocktype_none) { ++ RWLOCK(&zt->rwlock, lock); ++ } ++ + dns_rbtnodechain_init(&chain, zt->mctx); + result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL); + if (result == ISC_R_NOTFOUND) { +@@ -538,8 +537,13 @@ dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub, + + cleanup: + dns_rbtnodechain_invalidate(&chain); +- if (sub != NULL) ++ if (sub != NULL) { + *sub = tresult; ++ } ++ ++ if (lock != isc_rwlocktype_none) { ++ RWUNLOCK(&zt->rwlock, lock); ++ } + + return (result); + } +-- +2.37.2 + diff --git a/SOURCES/bind-9.11-rh2133889.patch b/SOURCES/bind-9.11-rh2133889.patch new file mode 100644 index 0000000..c61d902 --- /dev/null +++ b/SOURCES/bind-9.11-rh2133889.patch @@ -0,0 +1,26 @@ +From c8f5b31f0637315c1c45d0287f05fcad2250f40f Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Thu, 13 Oct 2022 15:35:46 +0200 +Subject: [PATCH] Add include to rwlocktype_t to dns/zt.h + +It got broken as part of bug #2101712 fix. Introduced new definition, +which passes during bind build, but breaks bind-dyndb-ldap build. +--- + lib/dns/include/dns/zt.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h +index 9421225..64c24d6 100644 +--- a/lib/dns/include/dns/zt.h ++++ b/lib/dns/include/dns/zt.h +@@ -18,6 +18,7 @@ + #include + + #include ++#include + + #include + +-- +2.37.3 + diff --git a/SPECS/bind.spec b/SPECS/bind.spec index 300114c..84c42cf 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -68,7 +68,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.36 -Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.3 Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -158,10 +158,11 @@ Patch178:bind-9.11-dhcp-time-monotonic.patch Patch183:bind-9.11-rh1980757.patch # modified, https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/3067 Patch184: bind-9.15-resolver-ntasks.patch -Patch185: bind-9.11-CVE-2021-25220.patch -Patch186: bind-9.11-CVE-2021-25220-test.patch Patch188: bind-9.16-CVE-2022-38177.patch Patch189: bind-9.16-CVE-2022-38178.patch +# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6695 +Patch190: bind-9.11-rh2101712.patch +Patch192: bind-9.11-rh2133889.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -557,10 +558,10 @@ are used for building ISC DHCP. %patch178 -p1 -b .time-monotonic %patch183 -p1 -b .rh1980757 %patch184 -p1 -b .rh2030239 -%patch185 -p1 -b .CVE-2021-25220 -%patch186 -p1 -b .CVE-2021-25220-test %patch188 -p1 -b .CVE-2022-38177 %patch189 -p1 -b .CVE-2022-38178 +%patch190 -p1 -b .rh2101712 +%patch192 -p1 -b .rh2133889 mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data @@ -1613,15 +1614,17 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog -* Thu Sep 22 2022 Petr Menšík - 32:9.11.36-5 +* Thu Oct 13 2022 Petr Menšík - 32:9.11.36-3.3 +- Correct regression preventing bind-dyndb-ldap build (#2101712) + +* Thu Sep 22 2022 Petr Menšík - 32:9.11.36-3.2 +- Prevent freeing zone during statistics rendering (#2101712) + +* Thu Sep 22 2022 Petr Menšík - 32:9.11.36-3.1 - Fix memory leak in ECDSA verify processing (CVE-2022-38177) - Fix memory leak in EdDSA verify processing (CVE-2022-38178) -* Wed Apr 13 2022 Petr Menšík - 32:9.11.36-4 -- Tighten cache protection against record from forwarders (CVE-2021-25220) -- Include test of forwarders - -* Thu Feb 10 2022 Petr Menšík - 32:9.11.36-2 +* Thu Feb 10 2022 Petr Menšík - 32:9.11.36-3 - Reduce memory used per-view on machine with few processors (#2030239) * Tue Dec 21 2021 Petr Menšík - 32:9.11.36-2