3126. [security] Using DNAME record to generate replacements caused

RPZ to exit with an assertion failure. [RT #23766]
This commit is contained in:
Mark Andrews
2011-06-09 03:10:17 +00:00
parent 3b2040fb15
commit 475b1ed9cc
5 changed files with 30 additions and 10 deletions

View File

@@ -1,3 +1,6 @@
3126. [security] Using DNAME record to generate replacements caused
RPZ to exit with a assertion failure. [RT #23766]
3125. [security] Using wildcard CNAME records as a replacement with
RPZ caused named to exit with a assertion failure.
[RT #24715]
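Review bot: both new CHANGES entries read "a assertion failure"; it should be "an assertion failure", and entry 3126 reads better as "Using a DNAME record to generate replacements". CHANGES is what ends up in release notes, so worth fixing before the wording propagates.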

View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.c,v 1.366 2011/06/09 00:42:51 marka Exp $ */
/* $Id: query.c,v 1.367 2011/06/09 03:10:17 marka Exp $ */
/*! \file */
@@ -4105,8 +4105,13 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
}
break;
case DNS_R_DNAME:
policy = DNS_RPZ_POLICY_RECORD;
break;
/*
* DNAME policy RRs have very few if any uses that are not
* better served with simple wildcards. Making the work would
* require complications to get the number of labels matched
* in the name or the found name itself to the main DNS_R_DNAME
* case in query_find(). So fall through to treat them as NODATA.
*/
case DNS_R_NXRRSET:
policy = DNS_RPZ_POLICY_NODATA;
break;
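Review bot: the DNS_R_DNAME case now silently downgrades a DNAME policy RR to NODATA, and nothing in this hunk records that the rule was not honoured; an operator who writes a DNAME rule gets a NODATA answer with no indication why. Consider a (rate-limited) log message here, or rejecting DNAME in a policy zone at load/update time, in addition to the fall-through. Two smaller points in the comment block: "Making the work would" should be "Making them work would", and since the case now intentionally falls into DNS_R_NXRRSET, a conventional /* FALLTHROUGH */ marker after the comment keeps static analyzers from flagging it.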

View File

@@ -12,13 +12,19 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: test1,v 1.4 2011/01/13 19:30:41 each Exp $
; $Id: test1,v 1.5 2011/06/09 03:10:17 marka Exp $
server 10.53.0.3 5300
; NXDOMAIN
update add a0-1.tld2.bl. 300 CNAME .
update add a3-1.tld2.bl. 300 CNAME *.
; NODATA
update add a1-1.tld2.bl. 300 CNAME *.
; and no assert-botch
update add a1-2.tld2.bl. 300 DNAME example.com.
update add *.sub1.tld2.bl. 300 A 12.12.12.12
send
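Review bot: the update adding a DNAME at a1-2.tld2.bl shows that named accepts a DNAME into the policy zone via dynamic update, so the "any type except DNAME" restriction is enforced only at rewrite time, not at load or update time; if the query.c path gains a log message for ignored DNAME rules, this test should also check for it rather than only for "no assert-botch". The new wildcard A rule at *.sub1.tld2.bl sits under the "; NODATA" comment although it is checked by a12 a4-1.sub1.tld2 in tests.sh; a separate "; wildcard A" comment line would keep the file's grouping readable.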

View File

@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.5 2011/06/09 00:42:51 marka Exp $
# $Id: tests.sh,v 1.6 2011/06/09 03:10:17 marka Exp $
# test response policy zones (RPZ)
@@ -152,7 +152,9 @@ status=0
start_test "RPZ QNAME rewrites" test1
nxdomain a0-1.tld2
nodata a3-1.tld2
nodata a1-1.tld2
nodata a1-2.tld2
nodata sub.a1-2.tld2
a12 a4-1.sub1.tld2
end_test
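Review bot: the two new checks query the DNAME owner itself (a1-2.tld2) and a one-label subdomain (sub.a1-2.tld2). The removed code in query.c is justified by the difficulty of carrying the number of labels matched into query_find(), so a multi-label name such as x.y.a1-2.tld2 would exercise exactly that concern and is cheap to add alongside these two.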
@@ -266,6 +268,7 @@ if [ $ret != 0 ]; then
fi
status=`expr $status + $ret`
if test "$status" -eq 0; then
rm -f dig.out*
fi
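Review bot: the new cleanup uses `test "$status" -eq 0` while the check just above uses `[ $ret != 0 ]`; pick one form (and quote `$ret` in the existing test) for consistency. Removing dig.out* only when every check passed is the right call, since those files are the only evidence left when a check fails.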

View File

@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.493 2011/05/23 20:11:14 each Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.494 2011/06/09 03:10:17 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@@ -9317,8 +9317,8 @@ deny-answer-aliases { "example.net"; };
<para>
The rules encoded in a response policy zone (RPZ) are applied
only to responses to queries that ask for recursion (RD=1).
RPZs are normal DNS zones containing largely valid RRsets
that can be queried normal if allowed.
RPZs are normal DNS zones containing RRsets
that can be queried normally if allowed.
It is usually best to restrict those queries with something like
<command>allow-query {none; };</command> or
<command>allow-query { 127.0.0.1; };</command>.
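Review bot: the reworded sentence is clearer, but the two allow-query examples are spaced inconsistently: `allow-query {none; };` versus `allow-query { 127.0.0.1; };`. Writing the first as `allow-query { none; };` matches the second and the usual named.conf style.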
@@ -9330,6 +9330,8 @@ deny-answer-aliases { "example.net"; };
records resolved in the process of generating the response.
The owner name of a QNAME rule is the query name relativized
to the RPZ.
The records in a rewrite rule are usually A, AAAA, or special
CNAMEs, but can be any type except DNAME.
</para>
<para>
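Review bot: "can be any type except DNAME" states what is disallowed but not what happens when a DNAME is present; the query.c change in this commit treats such a rule as NODATA rather than rejecting it, and the zone still loads (the test adds one by dynamic update). Saying so here, e.g. "a DNAME in a rule is not used for rewriting and the rule behaves as NODATA", tells operators what to expect instead of leaving them to discover the silent downgrade.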
@@ -9429,6 +9431,7 @@ nodata.domain.com CNAME *.
bad.domain.com A 10.0.0.1
AAAA 2001:2::1
ok.domain.com CNAME ok.domain.com.
*.badzone.domain.com CNAME garden.example.com.
; IP rules rewriting all answers for 127/8 except 127.0.0.1
8.0.0.0.127.ip CNAME .
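Review bot: the other rule groups in this listing carry a comment line (e.g. "; IP rules rewriting all answers for 127/8 except 127.0.0.1"); a comment above the new *.badzone.domain.com line noting that it is a wildcard QNAME rule redirecting to a walled-garden name would keep the example self-explaining, particularly since wildcard CNAME rules are the subject of the companion fix 3125.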