[v9_9] fix insecure delegation across static-stub zones
3689. [bug] Fixed a bug causing an insecure delegation from one
static-stub zone to another to fail with a broken
trust chain. [RT #35081]
(cherry picked from commit 9b895f30f1)
This commit is contained in:
Evan Hunt
@@ -54,8 +54,8 @@ dname2 DNAME dname2-target
|
||||
foo.dname2-target TXT "testing dname"
|
||||
|
||||
; A secure subdomain
|
||||
secure NS ns.secure
|
||||
ns.secure A 10.53.0.3
|
||||
secure NS ns3.secure
|
||||
ns3.secure A 10.53.0.3
|
||||
|
||||
; An insecure subdomain
|
||||
insecure NS ns.insecure
|
||||
|
||||
@@ -13,8 +13,6 @@
|
||||
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
; PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
; $Id: insecure.secure.example.db,v 1.9 2007/06/19 23:47:02 tbox Exp $
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
@@ -23,8 +21,8 @@ $TTL 300 ; 5 minutes
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns
|
||||
ns A 10.53.0.3
|
||||
NS ns2
|
||||
ns2 A 10.53.0.2
|
||||
|
||||
a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
|
||||
@@ -13,8 +13,6 @@
|
||||
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
; PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
; $Id: secure.example.db.in,v 1.16 2010/07/15 01:17:45 jinmei Exp $
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
@@ -23,8 +21,8 @@ $TTL 300 ; 5 minutes
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns
|
||||
ns A 10.53.0.3
|
||||
NS ns3
|
||||
ns3 A 10.53.0.3
|
||||
|
||||
a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
@@ -36,8 +34,8 @@ x CNAME a
|
||||
private NS ns.private
|
||||
ns.private A 10.53.0.2
|
||||
|
||||
insecure NS ns.insecure
|
||||
ns.insecure A 10.53.0.2
|
||||
insecure NS ns2.insecure
|
||||
ns2.insecure A 10.53.0.2
|
||||
|
||||
nosoa NS ns.nosoa
|
||||
ns.nosoa A 10.53.0.7
|
||||
|
||||
83
bin/tests/system/dnssec/ns4/named4.conf
Normal file
83
bin/tests/system/dnssec/ns4/named4.conf
Normal file
@@ -0,0 +1,83 @@
|
||||
/*
|
||||
* Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
// NS4
|
||||
|
||||
controls { /* empty */ };
|
||||
|
||||
options {
|
||||
query-source address 10.53.0.4;
|
||||
notify-source 10.53.0.4;
|
||||
transfer-source 10.53.0.4;
|
||||
port 5300;
|
||||
pid-file "named.pid";
|
||||
listen-on { 10.53.0.4; };
|
||||
listen-on-v6 { none; };
|
||||
};
|
||||
|
||||
key rndc_key {
|
||||
secret "1234abcd8765";
|
||||
algorithm hmac-sha256;
|
||||
};
|
||||
|
||||
controls {
|
||||
inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
|
||||
};
|
||||
|
||||
key auth {
|
||||
secret "1234abcd8765";
|
||||
algorithm hmac-sha256;
|
||||
};
|
||||
|
||||
include "trusted.conf";
|
||||
|
||||
view rec {
|
||||
match-recursive-only yes;
|
||||
recursion yes;
|
||||
acache-enable yes;
|
||||
dnssec-validation yes;
|
||||
dnssec-accept-expired yes;
|
||||
|
||||
zone "." {
|
||||
type hint;
|
||||
file "../../common/root.hint";
|
||||
};
|
||||
|
||||
zone secure.example {
|
||||
type static-stub;
|
||||
server-addresses { 10.53.0.4; };
|
||||
};
|
||||
|
||||
zone insecure.secure.example {
|
||||
type static-stub;
|
||||
server-addresses { 10.53.0.4; };
|
||||
};
|
||||
};
|
||||
|
||||
view auth {
|
||||
recursion no;
|
||||
allow-recursion { none; };
|
||||
|
||||
zone secure.example {
|
||||
type slave;
|
||||
masters { 10.53.0.3; };
|
||||
};
|
||||
|
||||
zone insecure.secure.example {
|
||||
type slave;
|
||||
masters { 10.53.0.2; };
|
||||
};
|
||||
};
|
||||
@@ -2336,5 +2336,21 @@ n=`expr $n + 1`
|
||||
if test "$before" = "$after" ; then echo "I:failed"; ret=1; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
cp ns4/named4.conf ns4/named.conf
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
|
||||
sleep 3
|
||||
|
||||
echo "I:check insecure delegation between static-stub zones ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS ns insecure.secure.example \
|
||||
@10.53.0.4 > dig.out.ns4.1.test$n || ret=1
|
||||
grep "SERVFAIL" dig.out.ns4.1.test$n > /dev/null && ret=1
|
||||
$DIG $DIGOPTS ns secure.example \
|
||||
@10.53.0.4 > dig.out.ns4.2.test$n || ret=1
|
||||
grep "SERVFAIL" dig.out.ns4.2.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:exit status: $status"
|
||||
exit $status
|
||||
|
||||
Reference in New Issue
Block a user