git.ipfire.org Git - thirdparty/bind9.git/commit
Test that spoofed DNAME is not accepted via spoofable transport
author Petr Špaček <pspacek@isc.org>
Mon, 28 Jul 2025 09:33:14 +0000 (11:33 +0200)
committer Michał Kępień <michal@isc.org>
Mon, 22 Dec 2025 10:58:39 +0000 (11:58 +0100)
commit e223ee709765e6eff2bb6ae980ec5eec83d64390
tree dd29b0dfd2ff9a47564d35fae135464a39a8a843
parent b5dc46fe6e0e8f05767377ae171c043ed72552d6

A single spoofed DNAME answer can impact many names, and because of the
nature of DNAME, the attacker can use randomized query names to get an
unlimited number of tries to spoof the answer.  To limit impact, we
should not be accepting DNAME over an insecure transport, like UDP without
cookies etc.

In short, the attacker tries to spoof at least one answer that has the
following form:

    opcode QUERY
    rcode NOERROR
    flags QR AA
    ;QUESTION
    trigger$RANDOM.test. IN A
    ;ANSWER
    trigger$RANDOM.test. 3600 IN CNAME trigger$RANDOM.attacker.net.
    test. 3600 IN DNAME attacker.net.
    ;AUTHORITY
    ;ADDITIONAL

This has been discovered internally.

Co-authored-by: Michał Kępień <michal@isc.org>
bin/tests/system/bailiwick/ans2/ans.py
bin/tests/system/bailiwick/tests_bailiwick.py
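The following is an added illustration of the policy the commit message describes, written for this page; it is not BIND's code and not taken from the test files listed above. It models a resolver-side decision: a DNAME (and any CNAME synthesized from it) is only trusted when the answer arrived over a transport an off-path attacker cannot guess, and a DNAME answer received over plain UDP is discarded and re-asked over TCP. The `RR` and `Transport` types, the `evaluate_answer` function and the sample answer (the page's answer with a constructed `trigger7b3f` label in place of `$RANDOM`) are all assumptions made for this example. The RFC 6672 synthesis check is included to show why it alone is not a defence: the quoted spoofed answer is internally consistent, so only the transport check stops it.

```python
"""Defender-side model of 'do not accept DNAME over spoofable transport'.

Pure standard library.  RR/Transport are constructed for this example and
are not BIND's data structures; the acceptance policy is an assumption
derived from the commit message, not BIND's actual implementation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str


@dataclass(frozen=True)
class Transport:
    proto: str                      # "udp" or "tcp"
    cookie_validated: bool = False  # server cookie (RFC 7873) round-tripped
    tsig_verified: bool = False     # response carried a verified TSIG


def canonical(name: str) -> str:
    """Lower-case, single trailing dot."""
    return name.lower().rstrip(".") + "."


def is_spoofable(t: Transport) -> bool:
    """UDP with neither a validated cookie nor TSIG is guessable off-path."""
    if t.proto == "tcp":
        return False
    return not (t.cookie_validated or t.tsig_verified)


def synthesize_cname(qname: str, dname: RR) -> Optional[str]:
    """RFC 6672 section 2.2: replace the DNAME owner suffix of qname with the
    DNAME target.  Returns None when qname is not strictly below the owner."""
    q, owner = canonical(qname), canonical(dname.owner)
    if q == owner or not q.endswith("." + owner):
        return None
    prefix = q[: -len(owner)]          # keeps its trailing dot
    return prefix + canonical(dname.rdata)


def evaluate_answer(qname: str, answer: List[RR],
                    transport: Transport) -> Tuple[str, str]:
    """Return (verdict, reason).

    accept    - no DNAME, or DNAME over non-spoofable transport and consistent
    retry_tcp - DNAME seen over spoofable transport: discard, re-ask over TCP
    reject    - DNAME present but does not cover qname / CNAME does not match
    """
    dnames = [rr for rr in answer if rr.rtype == "DNAME"]
    if not dnames:
        return "accept", "no DNAME in answer"
    if is_spoofable(transport):
        return "retry_tcp", "DNAME over %s without cookie/TSIG" % transport.proto
    cnames = {canonical(rr.owner): canonical(rr.rdata)
              for rr in answer if rr.rtype == "CNAME"}
    for dn in dnames:
        expected = synthesize_cname(qname, dn)
        if expected is None:
            return "reject", "DNAME owner %s does not cover %s" % (dn.owner, qname)
        got = cnames.get(canonical(qname))      # a CNAME may be absent (RFC 6672)
        if got is not None and got != expected:
            return "reject", "CNAME %s != synthesized %s" % (got, expected)
    return "accept", "DNAME over non-spoofable transport, synthesis consistent"


# Constructed sample: the shape quoted in the commit message, with a
# constructed label in place of $RANDOM.
SPOOFED_ANSWER = [
    RR("trigger7b3f.test.", "CNAME", "trigger7b3f.attacker.net."),
    RR("test.", "DNAME", "attacker.net."),
]

if __name__ == "__main__":
    for t in (Transport("udp"), Transport("udp", cookie_validated=True),
              Transport("tcp")):
        print(t, evaluate_answer("trigger7b3f.test.", SPOOFED_ANSWER, t))
```

Run as a script it prints `retry_tcp` for plain UDP and `accept` for cookie-validated UDP and TCP, which is the intended asymmetry: the randomized-label trick gives an off-path attacker unlimited attempts only on the spoofable path, and that path is exactly where the DNAME is refused.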