ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Fix MX checks for dynamic updates

Browse Source 
The check_mx() function in lib/ns/update.c incorrectly tests whether the
DNS_RDATA_CHECKMX/DNS_RDATA_CHECKMXFAIL flags are set for each applied
MX record update as these flags are never set in code paths related to
dynamic updates; they can only be set when loading a zone from a master
file (DNS_ZONEOPT_CHECKMX -> DNS_MASTER_CHECKMX -> DNS_RDATA_CHECKMX).
This flaw allows MX records containing IP addresses to be added to a
zone even when "check-mx fail;" is used.

Ensure correct behavior by modifying the relevant tests in check_mx() so
that they use DNS_ZONEOPT_CHECKMX/DNS_ZONEOPT_CHECKMXFAIL instead.
This commit is contained in:
Michał Kępień
2018-02-26 12:30:48 +01:00
parent e1d6c9a663
commit 857a40c87b
3 changed files with 37 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
bin/tests/system/nsupdate/tests.sh
View File

@@ -162,6 +162,38 @@ grep ns5.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1
grep ns6.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
ret=0
echo_i "ensure 'check-mx ignore' allows adding MX records containing an address without a warning"
$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END || ret=1
server 10.53.0.1 ${PORT}
update add mx03.example.nil 600 IN MX 10 10.53.0.1
send
END
grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
grep "mx03.example.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 && ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
ret=0
echo_i "ensure 'check-mx warn' allows adding MX records containing an address with a warning"
$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1
update add mx03.other.nil 600 IN MX 10 10.53.0.1
send
END
grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
grep "mx03.other.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
ret=0
echo_i "ensure 'check-mx fail' prevents adding MX records containing an address with a warning"
$NSUPDATE > nsupdate.out 2>&1 << END && ret=1
server 10.53.0.1 ${PORT}
update add mx03.update.nil 600 IN MX 10 10.53.0.1
send
END
grep REFUSED nsupdate.out > /dev/null 2>&1 || ret=1
grep "mx03.update.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
ret=0
echo_i "check SIG(0) key is accepted"
key=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -T KEY -n ENTITY xxx`