ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Make NTAs work with validating forwarders

Browse Source 
If named is configured to perform DNSSEC validation and also forwards
all queries ("forward only;") to validating resolvers, negative trust
anchors do not work properly because the CD bit is not set in queries
sent to the forwarders.  As a result, instead of retrieving bogus DNSSEC
material and making validation decisions based on its configuration,
named is only receiving SERVFAIL responses to queries for bogus data.
Fix by ensuring the CD bit is always set in queries sent to forwarders
if the query name is covered by an NTA.
This commit is contained in:
Michał Kępień
2019-04-24 11:17:15 +02:00
committed by Evan Hunt
parent 7d1a7c46f5
commit 5e80488270
8 changed files with 112 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
bin/tests/system/dnssec/tests.sh
View File

@@ -2300,9 +2300,31 @@ fi
# cleanup
rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.3 2>/dev/null
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed - NTA lifetime clamping failed"; fi
status=$((status+ret))
echo_i "checking that NTAs work with 'forward only;' to a validating resolver ($n)"
ret=0
# Sanity check behavior without an NTA in place.
dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.1 || ret=1
grep "SERVFAIL" dig.out.ns9.test$n.1 > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns9.test$n.1 > /dev/null || ret=1
grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.1 > /dev/null && ret=1
# Add an NTA, expecting that to cause resolution to succeed.
rndccmd 10.53.0.9 nta badds.example > rndc.out.ns9.test$n.1 2>&1 || ret=1
dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.2 || ret=1
grep "NOERROR" dig.out.ns9.test$n.2 > /dev/null || ret=1
grep "ANSWER: 2" dig.out.ns9.test$n.2 > /dev/null || ret=1
grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.2 > /dev/null && ret=1
# Remove the NTA, expecting that to cause resolution to fail again.
rndccmd 10.53.0.9 nta -remove badds.example > rndc.out.ns9.test$n.2 2>&1 || ret=1
dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.3 || ret=1
grep "SERVFAIL" dig.out.ns9.test$n.3 > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns9.test$n.3 > /dev/null || ret=1
grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.3 > /dev/null && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "completed NTA tests"