From: Mark Andrews
Date: Mon, 1 Mar 2021 05:38:36 +0000 (+1100)
Subject: Check DNAME resolution via itself
X-Git-Tag: v9.17.14~8^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cbdea694e84e9ce7d112dd64230c8d1e2208b211;p=thirdparty%2Fbind9.git

Check DNAME resolution via itself
---

diff --git a/bin/tests/system/chain/ans3/ans.pl b/bin/tests/system/chain/ans3/ans.pl
index 13ee65edc46..31d22d807b7 100644
--- a/bin/tests/system/chain/ans3/ans.pl
+++ b/bin/tests/system/chain/ans3/ans.pl
@@ -80,6 +80,34 @@ sub reply_handler {
 $rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME .");
 push @ans, $rr;
 $rcode = "NOERROR";
+ # The following three code branches referring to the "example.dname"
+ # zone are necessary for the resolver variant of the CVE-2021-25215
+ # regression test to work. A named instance cannot be used for
+ # serving the DNAME records below as a version of BIND vulnerable to
+ # CVE-2021-25215 would crash while answering the queries asked by
+ # the tested resolver.
+ } elsif ($qname eq "ns3.example.dname") {
+ if ($qtype eq "A") {
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass A 10.53.0.3");
+ push @ans, $rr;
+ }
+ if ($qtype eq "AAAA") {
+ my $rr = new Net::DNS::RR("example.dname. $ttl $qclass SOA . . 0 0 0 0 $ttl");
+ push @auth, $rr;
+ }
+ $rcode = "NOERROR";
+ } elsif ($qname eq "self.example.self.example.dname") {
+ my $rr = new Net::DNS::RR("self.example.dname. $ttl $qclass DNAME dname.");
+ push @ans, $rr;
+ $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME self.example.dname.");
+ push @ans, $rr;
+ $rcode = "NOERROR";
+ } elsif ($qname eq "self.example.dname") {
+ if ($qtype eq "DNAME") {
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass DNAME dname.");
+ push @ans, $rr;
+ }
+ $rcode = "NOERROR";
 } else {
 $rcode = "REFUSED";
 }
diff --git a/bin/tests/system/chain/ns1/root.db b/bin/tests/system/chain/ns1/root.db
index bc70f8c2a0d..c076a77a1e1 100644
--- a/bin/tests/system/chain/ns1/root.db
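Review bot: In the new `ns3.example.dname` branch only an `AAAA` query gets the `example.dname.` SOA in the authority section; every other non-`A` type falls through to an empty NOERROR with neither answer nor SOA, which a resolver cannot cache as NODATA and may retry (only A and AAAA are expected from the tested resolver here, but nothing enforces that). Making the SOA the default for every type other than `A` keeps the stub's negative answers consistent: replace the `}` / `if ($qtype eq "AAAA") {` pair with `} else {` and keep the SOA push as the `else` body. The `self.example.dname` branch has the same gap for types other than `DNAME`. `sub reply_handler` starts and ends outside this hunk.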
+++ b/bin/tests/system/chain/ns1/root.db
@@ -24,6 +24,10 @@ ns2.example. A 10.53.0.2
 example.broken. NS ns3.example.broken.
 ns3.example.broken. A 10.53.0.3
 
+; for the resolver variant of the CVE-2021-25215 regression test
+example.dname. NS ns3.example.dname.
+ns3.example.dname. A 10.53.0.3
+
 domain0.nil. NS ns2.domain0.nil
 domain1.nil. NS ns2.domain0.nil
 domain2.nil. NS ns2.domain0.nil
diff --git a/bin/tests/system/chain/ns2/generic.db b/bin/tests/system/chain/ns2/generic.db
index 8b9d2207dd9..566d22265b1 100644
--- a/bin/tests/system/chain/ns2/generic.db
+++ b/bin/tests/system/chain/ns2/generic.db
@@ -16,3 +16,5 @@ ns2 86400 AAAA fd92:7065:b8e:ffff::2
 @ 86400 AAAA 1:2:3::4
 * 86400 A 1.2.3.4
 * 86400 AAAA 1:2:3::4
+; CVE-2021-25215 regression test data
+self 86400 DNAME nil.
diff --git a/bin/tests/system/chain/tests.sh b/bin/tests/system/chain/tests.sh
index a7b2bf5d9f2..dc7622be6f0 100644
--- a/bin/tests/system/chain/tests.sh
+++ b/bin/tests/system/chain/tests.sh
@@ -295,5 +295,23 @@ grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+# Regression test for CVE-2021-25215 (authoritative server).
+n=`expr $n + 1`
+echo_i "checking DNAME resolution via itself (authoritative) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. > dig.out.2.$n 2>&1
+grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Regression test for CVE-2021-25215 (recursive resolver).
+n=`expr $n + 1`
+echo_i "checking DNAME resolution via itself (recursive) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. > dig.out.7.$n 2>&1
+grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
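Review bot: The added `self 86400 DNAME nil.` record deserves a comment saying why it reproduces CVE-2021-25215: its target `nil.` is an ancestor of its owner, so a name below `self` such as `self.domain0.self.domain0.nil` (the one tests.sh queries) is rewritten back onto `self.domain0.nil`, the DNAME owner itself, inside the same zone, which is the case the fixed code must answer without asserting. Suggested replacement for the added comment line: `; CVE-2021-25215 regression test data: the DNAME target is an ancestor of its owner, so names below self are rewritten back onto self in this zone`. This assumes generic.db is the zone file served for domain0.nil, which the root.db delegation to ns2 suggests but this diff does not show.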
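Review bot: Both new checks accept any NOERROR, so a server that answered `self.domain0.self.domain0.nil` with an empty NOERROR, or without following the DNAME, would still pass; only a named that crashed (no `status:` line in the dig output) is reliably caught. Pinning the expected chain makes the regression test stronger: after the NOERROR grep add `grep 'CNAME.*self\.domain0\.nil\.' dig.out.2.$n > /dev/null 2>&1 || ret=1` for the authoritative case and `grep 'CNAME.*self\.example\.dname\.' dig.out.7.$n > /dev/null 2>&1 || ret=1` for the recursive one. Those CNAME targets are what the DNAME rewrite of the queried names yields from `self DNAME nil.` in generic.db and the `self.example.dname. DNAME dname.` record in ans.pl, and the synthesized CNAME is what ans.pl returns for the recursive case; ns2's answer for the authoritative case is presumed equivalent. `DIGOPTS` is defined outside this hunk, so confirm it does not suppress the answer section.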