nsupdate: reject attempts to add NSEC3PARAM with excessive iterations

Mark Andrews
2021-04-23 10:03:53 +10:00
parent c9f5f8a059
commit 3fe75d9809
2 changed files with 30 additions and 1 deletions


@@ -1190,6 +1190,8 @@ then
echo_i "failed"; status=1
fi
n=`expr $n + 1`
ret=0
echo_i "check that DS to the zone apex is ignored ($n)"
$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 > dig.out.pre.test$n || ret=1
grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
@@ -1209,7 +1211,20 @@ grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
if $FEATURETEST --gssapi ; then
n=`expr $n + 1`
ret=0
echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)"
$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
server 10.53.0.3 ${PORT}
zone example
update add example 0 in NSEC3PARAM 1 0 151 -
END
grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
if ! $FEATURETEST --gssapi ; then
echo_i "SKIPPED: GSSAPI tests"
else
n=`expr $n + 1`
ret=0
echo_i "check krb5-self match ($n)"
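Review bot: The new NSEC3PARAM test pins only the rejected side of the limit (151 iterations) and only nsupdate's own refusal; nothing in this hunk shows that 150 still passes the client check, or that the server at 10.53.0.3 refuses the same record from an update client that does not perform it. The iteration cap bounds hashing cost on the server and on validators, so it is worth pinning the boundary with a companion case that sends `update add example 0 in NSEC3PARAM 1 0 150 -` and asserts the "excessive iterations" text is absent from the output. A server-side rejection test would also help if the second changed file, which is not visible here, does not already cover that path. As a point of style, the grep for the error text writes to the test log unlike the neighbouring checks; `grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n > /dev/null || ret=1` would match them.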