--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ test
+; This basic file is copied to several zone files before being used.
+; Its contents are also changed with nsupdate
+
+
+$TTL 300
+@ SOA evil-cname. hostmaster.ns.evil-cname. ( 1 3600 1200 604800 60 )
+ NS ns.tld3.
+
+evil.tld2 CNAME a12.tld2.
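Review bot: The header comment at lines 14-15 ("copied to several zone files before being used" / "contents are also changed with nsupdate") looks carried over from the base RPZ fixture and does not describe this file: in the setup hunk it is copied exactly once (`cp ns3/evil-cname.db.in ns3/evil-cname.db`) and the matching zone in named.conf is declared `type primary` with only a `file` clause, with no nsupdate step visible in the diff. A reader debugging the test will look for dynamic updates that do not exist. Replace the two lines with a description of what the fixture is for, e.g. `; RPZ zone used to check that a policy-cname override on evil.tld2 reports EDE 15 (Blocked)`, or drop them. The same copied header appears in wild-cname.db.in (the next new-file hunk) and should be corrected there too.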
zone "bl.tld2";
zone "manual-update-rpz" ede forged;
zone "mixed-case-rpz";
+ zone "evil-cname" policy cname a12.tld2. ede blocked;
+ zone "wild-cname" ede blocked;
}
add-soa yes
min-ns-dots 0
server-addresses { 10.53.0.10; };
};
+zone "evil-cname" {
+ type primary;
+ file "evil-cname.db";
+};
+
+zone "wild-cname" {
+ type primary;
+ file "wild-cname.db";
+};
+
# A faulty dlz configuration to check if named with response policy zones
# survives a certain class of failed configuration attempts (see GL #3880).
# "dlz" is used because the dlz processing code is located in an ideal place in
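Review bot: The response-policy entry `zone "evil-cname" policy cname a12.tld2. ede blocked;` rewrites every hit in that zone to a CNAME to a12.tld2, which is also the target the zone file itself carries (`evil.tld2 CNAME a12.tld2.`), so as far as the answer data goes the override is indistinguishable from the zone record; if the intent is only to exercise the `ede` setting on a cname-policy zone that is fine, but it is not obvious. A one-line comment above the entry would save the next reader the question, e.g. `# "evil-cname": policy-cname override with EDE; target deliberately matches the zone's own CNAME`, or the override could use a distinct target so the test can tell the two apart. Note that the `response-policy` block starts before this hunk, so I cannot see whether other entries already set `policy`.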
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ test
+; This basic file is copied to several zone files before being used.
+; Its contents are also changed with nsupdate
+
+
+$TTL 300
+@ SOA wild-cname. hostmaster.ns.wild-cname. ( 1 3600 1200 604800 60 )
+ NS ns.tld3.
+
+*.evil.tld2 CNAME *.wc.tld4.
a3-9.sub9.tld2 A 59.59.59.59
a3-10.tld2 A 60.60.60.60
+
+*.wc A 61.61.61.61
cp ns3/manual-update-rpz.db.in ns3/manual-update-rpz.db
cp ns8/manual-update-rpz.db.in ns8/manual-update-rpz.db
+cp ns3/evil-cname.db.in ns3/evil-cname.db
+cp ns3/wild-cname.db.in ns3/wild-cname.db
+
cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db
# a zone that expires quickly and then can't be refreshed
$DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t || setret "failed"
grep -F "EDE: 4 (Forged Answer)" dig.out.$t >/dev/null || setret "failed"
+t=$((t + 1))
+echo_i "checking the configured extended DNS error code, CNAME override (EDE) (${t})"
+$DIG -p ${PORT} @$ns3 evil.tld2 >dig.out.$t || setret "failed"
+grep -F "EDE: 15 (Blocked)" dig.out.$t >/dev/null || setret "failed"
+
+t=$((t + 1))
+echo_i "checking the configured extended DNS error code, wildcard CNAME override (EDE) (${t})"
+$DIG -p ${PORT} @$ns3 foo.evil.tld2 >dig.out.$t || setret "failed"
+grep -F "EDE: 15 (Blocked)" dig.out.$t >/dev/null || setret "failed"
+
# reload a RPZ zone that is now deliberately broken.
t=$((t + 1))
echo_i "checking rpz failed update will keep previous rpz rules (${t})"
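Review bot: Both new checks (evil.tld2 and foo.evil.tld2) only grep for `EDE: 15 (Blocked)` and never verify that the CNAME override actually produced the rewritten answer, so a response that carried the EDE but left the data untouched, or that failed the wildcard expansion, would still pass. For the first check add `grep -F "a12.tld2." dig.out.$t >/dev/null || setret "failed"` after the EDE grep; for the wildcard case the target `*.wc.tld4.` should expand to foo.wc.tld4, which the new `*.wc A 61.61.61.61` record serves, so `grep -F "61.61.61.61" dig.out.$t >/dev/null || setret "failed"` would pin the full rewrite (assuming the resolver follows the CNAME; if it does not, grep for `foo.wc.tld4.` instead). The earlier forged-answer check at the top of the hunk has the same shape, so this may be an existing pattern rather than a new omission.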
"ns3/bl-wildcname.db",
"ns3/bl.db",
"ns3/bl.tld2.db",
+ "ns3/evil-cname.db",
"ns3/fast-expire.db",
"ns3/manual-update-rpz.db",
"ns3/mixed-case-rpz.db",
"ns3/named.conf.tmp",
"ns3/named.stats",
+ "ns3/wild-cname.db",
"ns5/bl.db",
"ns5/empty.db",
"ns5/empty.db.jnl",