git.ipfire.org Git - thirdparty/bind9.git/commit

author	Petr Špaček <pspacek@isc.org>
	Fri, 11 Jul 2025 16:37:57 +0000 (18:37 +0200)
committer	Michał Kępień <michal@isc.org>
	Mon, 22 Dec 2025 10:58:39 +0000 (11:58 +0100)
commit	26eed16d619f9957d0d252ceda06a2b4ea67b6d4
tree	5ad13369d17c8628743ad5803d873e9813ce3913	tree \| snapshot
parent	607974b1bcb08334f2f5ab0efcc069ba69eb3130	commit \| diff

Test that positive answer cannot overwrite sibling NS RRs

Before the fixes for CVE-2025-40778, a positive answer was allowed to
overwrite sibling NS RRs.  The answer had to be a positive AA=1 answer
with a fake NS along with it.  This combination of conditions avoided
the code path with "unrelated <RRTYPE>" detection logic.

If it were some other answer, named from the main branch would detect
the attempt and log:

    DNS format error from 10.53.0.1#16386 resolving trigger/A for <unknown>: unrelated NS victim in trigger authority section

In short, the attacker tries to spoof at least one answer that has the
following form:

    opcode QUERY
    rcode NOERROR
    flags QR AA
    ;QUESTION
    trigger$RANDOM. IN A
    ;ANSWER
    trigger$RANDOM. 3600 IN A 10.53.0.3
    ;AUTHORITY
    victim. 3600 IN NS ns.attacker.
    ;ADDITIONAL
    ns.attacker. 3600 IN A 10.53.0.3

This attack was originally reported as "test case 1c".

Co-authored-by: Michał Kępień <michal@isc.org>

bin/tests/system/bailiwick/ans1/ans.py		diff \| blob \| blame \| history
bin/tests/system/bailiwick/tests_bailiwick.py		diff \| blob \| blame \| history