Check recovery from spoofed server addresses
Named was failing to recover when spoofed nameserver address from
a signed zone for a peer zone were returned to a previous CD=1
query. Validate non-glue interior server addresses before using them.
(cherry picked from commit 88c31fdd52)
This commit is contained in:
Mark Andrews
@@ -37,6 +37,8 @@ inprogress. NS ns10.inprogress.
|
||||
ns10.inprogress. A 10.53.0.10
|
||||
too-many-iterations. NS ns2.too-many-iterations.
|
||||
ns2.too-many-iterations. A 10.53.0.2
|
||||
peer-ns-spoof NS ns2.peer-ns-spoof.
|
||||
ns2.peer-ns-spoof. A 10.53.0.2
|
||||
dnskey-rrsigs-stripped. NS ns2.dnskey-rrsigs-stripped.
|
||||
ns2.dnskey-rrsigs-stripped. A 10.53.0.2
|
||||
ds-rrsigs-stripped. NS ns2.ds-rrsigs-stripped.
|
||||
|
||||
@@ -30,6 +30,7 @@ cp "../ns2/dsset-example." .
|
||||
cp "../ns2/dsset-in-addr.arpa." .
|
||||
cp "../ns2/dsset-too-many-iterations." .
|
||||
cp "../ns2/dsset-lazy-ksk." .
|
||||
cp "../ns2/dsset-peer-ns-spoof." .
|
||||
cp "../ns2/dsset-dnskey-rrsigs-stripped." .
|
||||
cp "../ns2/dsset-ds-rrsigs-stripped." .
|
||||
|
||||
|
||||
@@ -214,6 +214,16 @@ zone "lazy-ksk" {
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "peer-ns-spoof" {
|
||||
type primary;
|
||||
file "peer-ns-spoof.db.signed";
|
||||
};
|
||||
|
||||
zone "peer.peer-ns-spoof" {
|
||||
type primary;
|
||||
file "peer.peer-ns-spoof.db.signed";
|
||||
};
|
||||
|
||||
zone "dnskey-rrsigs-stripped" {
|
||||
type primary;
|
||||
file "dnskey-rrsigs-stripped.db.signed";
|
||||
|
||||
24
bin/tests/system/dnssec/ns2/peer-ns-spoof.db.in
Normal file
24
bin/tests/system/dnssec/ns2/peer-ns-spoof.db.in
Normal file
@@ -0,0 +1,24 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; SPDX-License-Identifier: MPL-2.0
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns2
|
||||
ns2 A 10.53.0.2
|
||||
peer NS ns2.peer
|
||||
ns2.peer A 10.53.0.2
|
||||
target NS ns3.peer
|
||||
22
bin/tests/system/dnssec/ns2/peer.peer-ns-spoof.db.in
Normal file
22
bin/tests/system/dnssec/ns2/peer.peer-ns-spoof.db.in
Normal file
@@ -0,0 +1,22 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; SPDX-License-Identifier: MPL-2.0
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns2
|
||||
ns2 A 10.53.0.2
|
||||
ns3 A 10.53.0.3
|
||||
@@ -27,6 +27,8 @@ for subdomain in secure unsupported disabled enabled; do
|
||||
cp "../ns3/dsset-$subdomain.trusted." .
|
||||
done
|
||||
|
||||
cp "../ns3/dsset-target.peer-ns-spoof." .
|
||||
|
||||
# Sign the "trusted." and "managed." zones.
|
||||
zone=managed.
|
||||
infile=key.db.in
|
||||
@@ -355,6 +357,37 @@ rm "$rm1.private"
|
||||
rm "$rm2.key"
|
||||
rm "$rm2.private"
|
||||
|
||||
#
|
||||
# A zone with where the address for peer zone server is modified and signatures
|
||||
# stripped.
|
||||
#
|
||||
zone=peer.peer-ns-spoof
|
||||
infile=peer.peer-ns-spoof.db.in
|
||||
zonefile=peer.peer-ns-spoof.db
|
||||
ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
|
||||
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
|
||||
"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \
|
||||
| awk '$1 == "ns3.peer.peer-ns-spoof." && $4 == "RRSIG" && $5 == "A" { next }
|
||||
$1 == "ns3.peer.peer-ns-spoof." && $4 == "A" { $5 = "10.53.0.100" }
|
||||
{ print }' >"$zonefile.stripped"
|
||||
"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \
|
||||
| awk '$4 == "SOA" { $7 = $7 + 1; print; next } { print }' >"$zonefile.next"
|
||||
"$SIGNER" -g -o "$zone" -f "$zonefile.next" "$zonefile.next" >/dev/null 2>&1
|
||||
cp "$zonefile.stripped" "$zonefile.signed"
|
||||
|
||||
#
|
||||
# parent zone for peer.peer-ns-spoof
|
||||
#
|
||||
zone=peer-ns-spoof
|
||||
infile=peer-ns-spoof.db.in
|
||||
zonefile=peer-ns-spoof.db
|
||||
ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
|
||||
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
|
||||
|
||||
#
|
||||
# A zone with the DNSKEY RRSIGS stripped
|
||||
#
|
||||
|
||||
@@ -423,6 +423,11 @@ zone "rsasha1-1024.example" {
|
||||
file "rsasha1-1024.example.db";
|
||||
};
|
||||
|
||||
zone "target.peer-ns-spoof" {
|
||||
type primary;
|
||||
file "target.peer-ns-spoof.db.signed";
|
||||
};
|
||||
|
||||
dnssec-policy "siginterval1" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
|
||||
@@ -701,3 +701,14 @@ zone=rsasha1-1024.example
|
||||
zonefile=rsasha1-1024.example.db
|
||||
awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" \
|
||||
| $DSFROMKEY -f - "$zone" >"dsset-${zone}."
|
||||
|
||||
#
|
||||
#
|
||||
#
|
||||
zone=target.peer-ns-spoof
|
||||
infile=target.peer-ns-spoof.db.in
|
||||
zonefile=target.peer-ns-spoof.db
|
||||
ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
|
||||
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
|
||||
|
||||
20
bin/tests/system/dnssec/ns3/target.peer-ns-spoof.db.in
Normal file
20
bin/tests/system/dnssec/ns3/target.peer-ns-spoof.db.in
Normal file
@@ -0,0 +1,20 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; SPDX-License-Identifier: MPL-2.0
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns3.peer.peer-ns-spoof.
|
||||
@@ -184,6 +184,26 @@ n=$((n + 1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
echo_i "checking recovery from spoofed server addresses ($n)"
|
||||
ret=0
|
||||
# prime cache with spoofed address records
|
||||
dig_with_opts +cd target.peer-ns-spoof @10.53.0.4 a >dig.out.prime.ns4.test$n || ret=1
|
||||
grep "status: SERVFAIL" dig.out.prime.ns4.test$n >/dev/null || ret=1
|
||||
rndccmd 10.53.0.4 dumpdb | sed 's/^/ns4 /' | cat_i
|
||||
mv ns4/named_dump.db ns4/named_dump.db.test$n >/dev/null || ret=1
|
||||
grep "10.53.0.100" ns4/named_dump.db.test$n || ret=1
|
||||
# reload server with properly signed zone
|
||||
cp ns2/peer.peer-ns-spoof.db.next ns2/peer.peer-ns-spoof.db.signed
|
||||
nextpart ns2/named.run >/dev/null
|
||||
rndccmd 10.53.0.2 reload peer.peer-ns-spoof | sed 's/^/ns2 /' | cat_i
|
||||
wait_for_log 5 "zone peer.peer-ns-spoof/IN: loaded serial 2000042408" ns2/named.run || ret=1
|
||||
dig_with_opts +noauth test.target.peer-ns-spoof @10.53.0.4 txt >dig.out.ns4.test$n || ret=1
|
||||
grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
|
||||
grep "flags: qr rd ra ad;" dig.out.ns4.test$n >/dev/null || ret=1
|
||||
n=$((n + 1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
echo_i "checking recovery from stripped DNSKEY RRSIG ($n)"
|
||||
ret=0
|
||||
# prime cache with DNSKEY without RRSIGs
|
||||
|
||||
@@ -62,6 +62,10 @@ pytestmark = pytest.mark.extra_artifacts(
|
||||
"ns2/lazy-ksk.db",
|
||||
"ns2/managed.db",
|
||||
"ns2/nsec3chain-test.db",
|
||||
"ns2/peer-ns-spoof.db",
|
||||
"ns2/peer.peer-ns-spoof.db",
|
||||
"ns2/peer.peer-ns-spoof.db.next",
|
||||
"ns2/peer.peer-ns-spoof.db.stripped",
|
||||
"ns2/settime.out.updatecheck-kskonly.secure.ksk",
|
||||
"ns2/settime.out.updatecheck-kskonly.secure.zsk",
|
||||
"ns2/single-nsec3.db",
|
||||
@@ -128,6 +132,7 @@ pytestmark = pytest.mark.extra_artifacts(
|
||||
"ns3/siginterval.example.db",
|
||||
"ns3/split-dnssec.example.db",
|
||||
"ns3/split-smart.example.db",
|
||||
"ns3/target.peer-ns-spoof.db",
|
||||
"ns3/trusted-future.key",
|
||||
"ns3/ttlpatch.example.db",
|
||||
"ns3/ttlpatch.example.db.patched",
|
||||
@@ -143,6 +148,7 @@ pytestmark = pytest.mark.extra_artifacts(
|
||||
"ns4/managed.conf",
|
||||
"ns4/managed-keys.bind",
|
||||
"ns4/named.secroots",
|
||||
"ns4/named_dump.db",
|
||||
"ns4/named_dump.db.*",
|
||||
"ns5/revoked.conf",
|
||||
"ns5/trusted.conf",
|
||||
|
||||
Reference in New Issue
Block a user