git.ipfire.org Git - thirdparty/bind9.git/commit

author	Petr Špaček <pspacek@isc.org>
	Wed, 23 Jul 2025 15:25:18 +0000 (17:25 +0200)
committer	Michał Kępień <michal@isc.org>
	Mon, 22 Dec 2025 10:58:39 +0000 (11:58 +0100)
commit	658d2e9f8ec8408f227af034bd87cf4ff3189a88
tree	b6eecae580de92cf6cd4c00a241dab5570ead91a	tree \| snapshot
parent	26eed16d619f9957d0d252ceda06a2b4ea67b6d4	commit \| diff

Test that unsolicited NS in positive answer cannot overwrite current NS

Before the fixes for CVE-2025-40778, an unsolicited in-bailiwick NS
record was accepted from a (spoofed) answer, enabling a single spoofed A
query/response to redirect traffic for a whole delegation.

In short, the attacker tries to spoof at least one answer that has the
following form:

    rcode NOERROR
    flags QR AA
    ;QUESTION
    trigger$RANDOM.victim. IN TXT
    ;ANSWER
    trigger$RANDOM.victim. 3600 IN TXT "spoofed answer with extra NS"
    ;AUTHORITY
    victim. 3600 IN NS ns.attacker.
    ;ADDITIONAL

This attack was originally reported as "test case 1".

Co-authored-by: Michał Kępień <michal@isc.org>

bin/tests/system/bailiwick/ans2/ans.py		diff \| blob \| blame \| history
bin/tests/system/bailiwick/tests_bailiwick.py		diff \| blob \| blame \| history