From 56fbed2f0fe288cf1214d59a58cd190a8c6e5017 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 17 Feb 2022 15:03:52 +1100
Subject: [PATCH] Add regression test for CVE-2022-0635

---
 .../system/synthfromdnssec/ns1/dnamed.db.in | 3 ++-
 bin/tests/system/synthfromdnssec/tests.sh | 21 +++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in b/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in
index 299adb2e50..61dfcf8d50 100644
--- a/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in
+++ b/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in
@@ -10,7 +10,8 @@
 ; information regarding copyright ownership.
 $TTL 3600
-@ SOA ns1 hostmaster 1 3600 1200 604800 3600
+@ SOA ns1 hostmaster 1 3600 1200 604800 5
 @ NS ns1
 ns1 A 10.53.0.1
 a A 10.53.0.1
+dname DNAME example.
diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh
index 643b6f52a2..d9cf0927ec 100644
--- a/bin/tests/system/synthfromdnssec/tests.sh
+++ b/bin/tests/system/synthfromdnssec/tests.sh
@@ -850,5 +850,26 @@ n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
+echo_i "regression test for CVE-2022-0635 ($n)"
+ret=0
+# add DNAME to cache
+dig_with_opts dname.dnamed. dname @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5-1.test$n >/dev/null || ret=1
+# add A record to cache at name before DNAME owner
+dig_with_opts a.dnamed. a @10.53.0.5 > dig.out.ns5-2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1
+# add NSEC record to cache at name before DNAME owner
+dig_with_opts a.dnamed. aaaa @10.53.0.5 > dig.out.ns5-3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5-3.test$n >/dev/null || ret=1
+# wait for NSEC to timeout
+sleep 6
+# use DNAME for lookup
+dig_with_opts b.dname.dnamed a @10.53.0.5 > dig.out.ns5-4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns5-4.test$n >/dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
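Review bot: The `sleep 6` on the new side only works because the same commit lowers the SOA minimum TTL to 5 in the ns1/dnamed.db.in hunk, yet nothing in tests.sh records that dependency, so a later edit to either file can silently turn the final NXDOMAIN check into a flaky or vacuous step. I would widen the comment to `# wait for NSEC to timeout (negative TTL = SOA minimum of 5s set in ns1/dnamed.db.in; keep in sync)`. The last query name `b.dname.dnamed` is the only one in the block without a terminating dot; `dig_with_opts b.dname.dnamed. a @10.53.0.5 > dig.out.ns5-4.test$n || ret=1` keeps it consistent with the fully qualified names above it. Presumably a server that fails on that final query would yield no `status:` line and trip the grep, so a short comment saying the NXDOMAIN grep doubles as the crash detector would make the regression test's intent clearer to the next maintainer.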