ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Verify mirror zone AXFRs

Browse Source 
Update axfr_commit() so that all incoming versions of a mirror zone
transferred using AXFR are verified before being used.  If zone
verification fails, discard the received version of the zone, wait until
the next refresh and retry.
This commit is contained in:
Michał Kępień
2018-06-28 13:38:39 +02:00
parent eaf1c0f6eb
commit d86f1d00ad
10 changed files with 184 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
bin/tests/system/mirror/ns3/named.conf.in
View File

@@ -9,6 +9,15 @@
* information regarding copyright ownership.
*/
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
@@ -24,3 +33,26 @@ zone "." {
type hint;
file "../../common/root.hint";
};
zone "verify-axfr" {
type slave;
masters { 10.53.0.2; };
mirror yes;
file "verify-axfr.db.mirror";
};
zone "verify-unsigned" {
type slave;
masters { 10.53.0.2; };
mirror yes;
file "verify-unsigned.db.mirror";
};
zone "verify-untrusted" {
type slave;
masters { 10.53.0.2; };
mirror yes;
file "verify-untrusted.db.mirror";
};
include "../ns2/trusted-mirror.conf";