Check DNAME resolution via itself
This commit is contained in:
Mark Andrews
committed by
Michał Kępień
Michał Kępień
parent
715dc196e2
commit
cbdea694e8
@@ -80,6 +80,34 @@ sub reply_handler {
|
||||
$rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME .");
|
||||
push @ans, $rr;
|
||||
$rcode = "NOERROR";
|
||||
# The following three code branches referring to the "example.dname"
|
||||
# zone are necessary for the resolver variant of the CVE-2021-25215
|
||||
# regression test to work. A named instance cannot be used for
|
||||
# serving the DNAME records below as a version of BIND vulnerable to
|
||||
# CVE-2021-25215 would crash while answering the queries asked by
|
||||
# the tested resolver.
|
||||
} elsif ($qname eq "ns3.example.dname") {
|
||||
if ($qtype eq "A") {
|
||||
my $rr = new Net::DNS::RR("$qname $ttl $qclass A 10.53.0.3");
|
||||
push @ans, $rr;
|
||||
}
|
||||
if ($qtype eq "AAAA") {
|
||||
my $rr = new Net::DNS::RR("example.dname. $ttl $qclass SOA . . 0 0 0 0 $ttl");
|
||||
push @auth, $rr;
|
||||
}
|
||||
$rcode = "NOERROR";
|
||||
} elsif ($qname eq "self.example.self.example.dname") {
|
||||
my $rr = new Net::DNS::RR("self.example.dname. $ttl $qclass DNAME dname.");
|
||||
push @ans, $rr;
|
||||
$rr = new Net::DNS::RR("$qname $ttl $qclass CNAME self.example.dname.");
|
||||
push @ans, $rr;
|
||||
$rcode = "NOERROR";
|
||||
} elsif ($qname eq "self.example.dname") {
|
||||
if ($qtype eq "DNAME") {
|
||||
my $rr = new Net::DNS::RR("$qname $ttl $qclass DNAME dname.");
|
||||
push @ans, $rr;
|
||||
}
|
||||
$rcode = "NOERROR";
|
||||
} else {
|
||||
$rcode = "REFUSED";
|
||||
}
|
||||
|
||||
@@ -24,6 +24,10 @@ ns2.example. A 10.53.0.2
|
||||
example.broken. NS ns3.example.broken.
|
||||
ns3.example.broken. A 10.53.0.3
|
||||
|
||||
; for the resolver variant of the CVE-2021-25215 regression test
|
||||
example.dname. NS ns3.example.dname.
|
||||
ns3.example.dname. A 10.53.0.3
|
||||
|
||||
domain0.nil. NS ns2.domain0.nil
|
||||
domain1.nil. NS ns2.domain0.nil
|
||||
domain2.nil. NS ns2.domain0.nil
|
||||
|
||||
@@ -16,3 +16,5 @@ ns2 86400 AAAA fd92:7065:b8e:ffff::2
|
||||
@ 86400 AAAA 1:2:3::4
|
||||
* 86400 A 1.2.3.4
|
||||
* 86400 AAAA 1:2:3::4
|
||||
; CVE-2021-25215 regression test data
|
||||
self 86400 DNAME nil.
|
||||
|
||||
@@ -295,5 +295,23 @@ grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
# Regression test for CVE-2021-25215 (authoritative server).
|
||||
n=`expr $n + 1`
|
||||
echo_i "checking DNAME resolution via itself (authoritative) ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. > dig.out.2.$n 2>&1
|
||||
grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
# Regression test for CVE-2021-25215 (recursive resolver).
|
||||
n=`expr $n + 1`
|
||||
echo_i "checking DNAME resolution via itself (recursive) ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. > dig.out.7.$n 2>&1
|
||||
grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo_i "exit status: $status"
|
||||
[ $status -eq 0 ] || exit 1
|
||||
|
||||
Reference in New Issue
Block a user