From: W.C.A. Wijngaards Date: Mon, 1 Aug 2022 11:26:22 +0000 (+0200) Subject: - Tests for ghost domain fixes. X-Git-Tag: release-1.16.2^0 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cbed768b8ff9bfcf11089a5f1699b7e5707f1ea5;p=thirdparty%2Funbound.git - Tests for ghost domain fixes. --- diff --git a/doc/Changelog b/doc/Changelog index 0dc8418fc..13f0f1174 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,5 +1,6 @@ 1 August 2022: Wouter - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699. + - Tests for ghost domain fixes. 19 July 2022: George - Update documentation for 'outbound-msg-retry:'. diff --git a/testdata/iter_ghost_sub.rpl b/testdata/iter_ghost_sub.rpl new file mode 100644 index 000000000..ccd6b2984 --- /dev/null +++ b/testdata/iter_ghost_sub.rpl @@ -0,0 +1,309 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test ghost subdomain of another subdomain. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. 86400 IN NS +SECTION ANSWER +. 86400 IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. 86400 IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. 86400 IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +RANGE_END + +; a.gtld-servers.net. +; this is the one where example.com is delegated. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. 86400 IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +; this is the one where example.com is no longer delegated. +RANGE_BEGIN 100 200 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. 86400 IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +ns.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.com. IN AAAA +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +s.example.com. IN A +SECTION ANSWER +s.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +s.example.com. IN NS s.example.com. +SECTION ADDITIONAL +s.example.com IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +s.s.example.com. IN A +SECTION ANSWER +s.s.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +s.s.example.com. IN NS s.s.example.com. +SECTION ADDITIONAL +s.s.example.com IN A 1.2.3.4 +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; get the delegation in cache +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com IN A 1.2.3.4 +ENTRY_END + +; time passes +STEP 25 TIME_PASSES ELAPSE 1800 + +; get another delegation in cache +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +s.example.com. IN A +ENTRY_END + +STEP 40 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +s.example.com. IN A +SECTION ANSWER +s.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +s.example.com. IN NS s.example.com. +ENTRY_END + +; time passes, 1800 + 1000 = 2800 of 3600 TTL on NS of s.example.com. and +; example.com. +STEP 45 TIME_PASSES ELAPSE 1000 + +; get another delegation in cache +STEP 50 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +s.s.example.com. IN A +ENTRY_END + +STEP 60 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +s.s.example.com. IN A +SECTION ANSWER +s.s.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +s.s.example.com. IN NS s.s.example.com. +ENTRY_END + + +; time passes, 1800 + 2000 = 3800 of 3600 TTL on NS of s.example.com. and +; example.com. +STEP 75 TIME_PASSES ELAPSE 1000 + +; domain no longer delegated +; is the domain still up? + +STEP 100 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.s.example.com. IN A +ENTRY_END + +STEP 110 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +www.s.example.com. IN A +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +STEP 120 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.s.s.example.com. IN A +ENTRY_END + +STEP 130 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +www.s.s.example.com. IN A +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +STEP 140 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +STEP 150 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +www.example.com. IN A +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +SCENARIO_END diff --git a/testdata/iter_ghost_timewindow.rpl b/testdata/iter_ghost_timewindow.rpl new file mode 100644 index 000000000..566be82a9 --- /dev/null +++ b/testdata/iter_ghost_timewindow.rpl @@ -0,0 +1,391 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test ghost subdomain with extension reply in timewindow. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +. 86400 IN NS +SECTION ANSWER +. 86400 IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. 86400 IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. 86400 IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +RANGE_END + +; a.gtld-servers.net. +; this is the one where example.com is delegated. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. 86400 IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example2.com. IN NS +SECTION AUTHORITY +example2.com. 3610 IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com. 3610 IN A 1.2.3.5 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +; this is the one where example.com is no longer delegated. +RANGE_BEGIN 100 300 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. 86400 IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +example2.com. IN NS +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +ns.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN AAAA +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; ns.example2.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.5 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +example2.com. IN NS +SECTION ANSWER +example2.com. 3610 IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com. 3610 IN A 1.2.3.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example2.com. IN A +SECTION ANSWER +ns.example2.com. 3610 IN A 1.2.3.5 +SECTION AUTHORITY +example2.com. 3610 IN NS ns.example2.com. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example2.com. IN AAAA +SECTION AUTHORITY +example2.com. 3610 IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com. 3610 IN A 1.2.3.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.example2.com. IN A +SECTION ANSWER +www.example2.com. 3610 IN A 10.20.30.40 +SECTION AUTHORITY +example2.com. 3610 IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com 3610 IN A 1.2.3.5 +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; get the delegation in cache +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com IN A 1.2.3.4 +ENTRY_END + +; get example2 in cache too to check other response type +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example2.com. IN A +ENTRY_END + +STEP 40 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example2.com. IN A +SECTION ANSWER +www.example2.com. IN A 10.20.30.40 +SECTION AUTHORITY +example2.com. IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com IN A 1.2.3.5 +ENTRY_END + +; time passes +STEP 95 TIME_PASSES ELAPSE 3595 + +STEP 100 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +ns.example.com. IN A +ENTRY_END + +; ns.example.com RANGE does not answer, only until step 100, +; so we provide an answer, but first, let time pass beyond the TTL. +; it is going to time 3605, just passed the 3600 expire TTL, but the +; query started at 3595 before the TTL expired. +STEP 110 TIME_PASSES ELAPSE 10 + +; provide the answer to the query sent. +STEP 120 CHECK_OUT_QUERY +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com IN A 1.2.3.4 +ENTRY_END + +STEP 130 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; check if the domain is still live. +STEP 140 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www2.example.com. IN A +ENTRY_END + +STEP 150 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +www2.example.com. IN A +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +; example2 is valid with TTL of 3610, it is time 3605 +STEP 160 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +ns.example2.com. IN A +ENTRY_END + +; move to time 3615 +STEP 170 TIME_PASSES ELAPSE 10 + +STEP 180 CHECK_OUT_QUERY +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example2.com. IN A +SECTION ANSWER +ns.example2.com. IN A 1.2.3.5 +SECTION AUTHORITY +example2.com. IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com. IN A 1.2.3.5 +ENTRY_END + +STEP 190 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +ns.example2.com. IN A +SECTION ANSWER +ns.example2.com IN A 1.2.3.5 +SECTION AUTHORITY +example2.com. IN NS ns.example2.com. +SECTION ADDITIONAL +ENTRY_END + +; check if the domain is still live. +STEP 200 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www2.example2.com. IN A +ENTRY_END + +STEP 210 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +www2.example2.com. IN A +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +SCENARIO_END