Add tests for broken glueless referrals
authorMichał Kępień <michal@isc.org>
Thu, 22 Sep 2022 12:03:17 +0000 (14:03 +0200)
committerMichał Kępień <michal@isc.org>
Thu, 22 Sep 2022 12:03:17 +0000 (14:03 +0200)
If an NS RRset at the parent side of a delegation point only contains
in-bailiwick NS records, at least one glue record should be included in
every referral response sent for such a delegation point or else clients
will need to send follow-up queries in order to determine name server
addresses.  In certain edge cases (when the total size of a referral
response without glue records was just below the UDP packet size
limit), named failed to adhere to that rule by sending non-truncated,
glueless referral responses.

Add tests attempting to trigger that bug in several different scenarios,
covering all possible combinations of the following factors:

  - type of zone (signed, unsigned),
  - glue record type (A, AAAA, both).

bin/tests/system/glue/clean.sh
bin/tests/system/glue/ns1/named.conf.in
bin/tests/system/glue/ns1/sign.sh [new file with mode: 0644]
bin/tests/system/glue/ns1/tc-test-signed.db.in [new file with mode: 0644]
bin/tests/system/glue/ns1/tc-test-unsigned.db [new file with mode: 0644]
bin/tests/system/glue/setup.sh
bin/tests/system/glue/tests.sh

index d6ec3455d68b3303a77c0408f11485f3036051d1..138980e90a866309489540cc1b9cf69061b7868c 100644 (file)
@@ -19,5 +19,9 @@ rm -f */named.conf
 rm -f */named.memstats
 rm -f */named.run
 rm -f dig.out
+rm -f ns*/K*
+rm -f ns*/dsset-*
 rm -f ns*/managed-keys.bind*
 rm -f ns*/named.lock
+rm -f ns*/tc-test-signed.db
+rm -f ns*/tc-test-signed.db.signed
index 4d1ef75611c99f1f46addeb50e2eceedf0d6e630..61195f9136478a23e778e977cfedeb6221df62d6 100644 (file)
@@ -32,7 +32,18 @@ zone "root-servers.nil" {
        type primary;
        file "root-servers.nil.db";
 };
+
 zone "net" {
        type primary;
        file "net.db";
 };
+
+zone "tc-test-unsigned" {
+       type master;
+       file "tc-test-unsigned.db";
+};
+
+zone "tc-test-signed" {
+       type master;
+       file "tc-test-signed.db.signed";
+};
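Review bot: The two new zone statements use `type master;` while the existing zones in the same file (the context lines above, `root-servers.nil` and `net`) use `type primary;`, so the file now mixes the current keyword with its deprecated synonym. For consistency with the rest of the file, and to avoid churn when the old spelling is eventually rejected, change both new blocks to `type primary;`. This is purely a wording change in the configuration and does not affect what the test exercises.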
diff --git a/bin/tests/system/glue/ns1/sign.sh b/bin/tests/system/glue/ns1/sign.sh
new file mode 100644 (file)
index 0000000..6425006
--- /dev/null
@@ -0,0 +1,27 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../../conf.sh
+
+zone=tc-test-signed
+infile=tc-test-signed.db.in
+zonefile=tc-test-signed.db
+
+# The signing algorithm and key sizes used here are NOT arbitrary - they have
+# been carefully chosen to ensure that the signed referral response checked in
+# the test will be around 512 bytes in size with glue records excluded.  Please
+# keep this in mind when updating signing algorithms used in system tests.
+keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+
+$SIGNER -P -o $zone $zonefile > /dev/null
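Review bot: The `-e` in the `#!/bin/sh -e` shebang is not in effect when the script is started as `$SHELL sign.sh`, which is exactly how the setup.sh hunk later in this commit invokes it, so a failing `$KEYGEN` or `cat` does not stop the script and `$SIGNER` runs on a half-built zone file whose failure is the only thing the subshell reports. Add an explicit `set -e` right after the shebang (before `. ../../conf.sh`) so the abort-on-error behaviour holds regardless of how the script is run. It would also be worth quoting the expansions on the last line, `$SIGNER -P -o "$zone" "$zonefile" > /dev/null`, to match the quoting already used on the `cat` line; the values are constants today, so this is a style point rather than a bug.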
diff --git a/bin/tests/system/glue/ns1/tc-test-signed.db.in b/bin/tests/system/glue/ns1/tc-test-signed.db.in
new file mode 100644 (file)
index 0000000..5c0181d
--- /dev/null
@@ -0,0 +1,55 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; CAUTION: Contents of this zone were carefully crafted so that the responses
+; to the queries used in the "glue" system test have a very specific size.
+; Editing this zone is not recommended as it may break the relevant checks.
+
+$TTL 300
+@                              IN SOA  ns hostmaster (
+                                       1
+                                       3600
+                                       1800
+                                       1814400
+                                       3600
+                                       )
+                               NS      a
+a                              A       10.53.0.1
+
+subdomain-a                    NS      0123456789.subdomain-a
+                               NS      0123456.subdomain-a
+                               NS      0123.subdomain-a
+
+0123456789.subdomain-a         A       10.53.0.1
+0123456.subdomain-a            A       10.53.0.1
+0123.subdomain-a               A       10.53.0.1
+
+subdomain-aaaa                 NS      0123456789.subdomain-aaaa
+                               NS      0123456.subdomain-aaaa
+                               NS      0123.subdomain-aaaa
+
+0123456789.subdomain-aaaa      AAAA    fd92:7065:b8e:ffff::1
+0123456.subdomain-aaaa         AAAA    fd92:7065:b8e:ffff::1
+0123.subdomain-aaaa            AAAA    fd92:7065:b8e:ffff::1
+
+subdomain-both                 NS      0123456789.subdomain-both
+                               NS      0123456.subdomain-both
+                               NS      0123.subdomain-both
+                               NS      0.subdomain-both
+
+0123456789.subdomain-both      A       10.53.0.1
+                               AAAA    fd92:7065:b8e:ffff::1
+0123456.subdomain-both         A       10.53.0.1
+                               AAAA    fd92:7065:b8e:ffff::1
+0123.subdomain-both            A       10.53.0.1
+                               AAAA    fd92:7065:b8e:ffff::1
+0.subdomain-both               A       10.53.0.1
+                               AAAA    fd92:7065:b8e:ffff::1
diff --git a/bin/tests/system/glue/ns1/tc-test-unsigned.db b/bin/tests/system/glue/ns1/tc-test-unsigned.db
new file mode 100644 (file)
index 0000000..de326c0
--- /dev/null
@@ -0,0 +1,112 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; CAUTION: Contents of this zone were carefully crafted so that the responses
+; to the queries used in the "glue" system test have a very specific size.
+; Editing this zone is not recommended as it may break the relevant checks.
+
+$TTL 300
+@                      IN SOA  ns hostmaster (
+                               1
+                               3600
+                               1800
+                               1814400
+                               3600
+                               )
+                       NS      a
+a                      A       10.53.0.1
+
+subdomain-a            NS      abcdefghijklmnopqrstuvwxyz.subdomain-a
+                       NS      bcdefghijklmnopqrstuvwxyz.subdomain-a
+                       NS      cdefghijklmnopqrstuvwxyz.subdomain-a
+                       NS      defghijklmnopqrstuvwxyz.subdomain-a
+                       NS      efghijklmnopqrstuvwxyz.subdomain-a
+                       NS      fghijklmnopqrstuvwxyz.subdomain-a
+                       NS      ghijklmnopqrstuvwxyz.subdomain-a
+                       NS      hijklmnopqrstuvwxyz.subdomain-a
+                       NS      ijklmnopqrstuvwxyz.subdomain-a
+                       NS      jklmnopqrstuvwxyz.subdomain-a
+                       NS      klmnopqrstuvwxyz.subdomain-a
+                       NS      lmnopqrstuvwxyz.subdomain-a
+                       NS      mnopqrstuvwxyz.subdomain-a
+
+abcdefghijklmnopqrstuvwxyz.subdomain-a         A       10.53.0.1
+bcdefghijklmnopqrstuvwxyz.subdomain-a          A       10.53.0.1
+cdefghijklmnopqrstuvwxyz.subdomain-a           A       10.53.0.1
+defghijklmnopqrstuvwxyz.subdomain-a            A       10.53.0.1
+efghijklmnopqrstuvwxyz.subdomain-a             A       10.53.0.1
+fghijklmnopqrstuvwxyz.subdomain-a              A       10.53.0.1
+ghijklmnopqrstuvwxyz.subdomain-a               A       10.53.0.1
+hijklmnopqrstuvwxyz.subdomain-a                        A       10.53.0.1
+ijklmnopqrstuvwxyz.subdomain-a                 A       10.53.0.1
+jklmnopqrstuvwxyz.subdomain-a                  A       10.53.0.1
+klmnopqrstuvwxyz.subdomain-a                   A       10.53.0.1
+lmnopqrstuvwxyz.subdomain-a                    A       10.53.0.1
+mnopqrstuvwxyz.subdomain-a                     A       10.53.0.1
+
+subdomain-aaaa         NS      abcdefghijklmnopqrstuvwxyz.subdomain-aaaa
+                       NS      bcdefghijklmnopqrstuvwxyz.subdomain-aaaa
+                       NS      cdefghijklmnopqrstuvwxyz.subdomain-aaaa
+                       NS      defghijklmnopqrstuvwxyz.subdomain-aaaa
+                       NS      efghijklmnopqrstuvwxyz.subdomain-aaaa
+                       NS      fghijklmnopqrstuvwxyz.subdomain-aaaa
+                       NS      ghijklmnopqrstuvwxyz.subdomain-aaaa
+                       NS      hijklmnopqrstuvwxyz.subdomain-aaaa
+                       NS      ijklmnopqrstuvwxyz.subdomain-aaaa
+                       NS      jklmnopqrstuvwxyz.subdomain-aaaa
+                       NS      klmnopqrstuvwxyz.subdomain-aaaa
+                       NS      lmnopqrstuvwxyz.subdomain-aaaa
+                       NS      mnopqrstuvwxyz.subdomain-aaaa
+
+abcdefghijklmnopqrstuvwxyz.subdomain-aaaa      AAAA    fd92:7065:b8e:ffff::1
+bcdefghijklmnopqrstuvwxyz.subdomain-aaaa       AAAA    fd92:7065:b8e:ffff::1
+cdefghijklmnopqrstuvwxyz.subdomain-aaaa                AAAA    fd92:7065:b8e:ffff::1
+defghijklmnopqrstuvwxyz.subdomain-aaaa         AAAA    fd92:7065:b8e:ffff::1
+efghijklmnopqrstuvwxyz.subdomain-aaaa          AAAA    fd92:7065:b8e:ffff::1
+fghijklmnopqrstuvwxyz.subdomain-aaaa           AAAA    fd92:7065:b8e:ffff::1
+ghijklmnopqrstuvwxyz.subdomain-aaaa            AAAA    fd92:7065:b8e:ffff::1
+hijklmnopqrstuvwxyz.subdomain-aaaa             AAAA    fd92:7065:b8e:ffff::1
+ijklmnopqrstuvwxyz.subdomain-aaaa              AAAA    fd92:7065:b8e:ffff::1
+jklmnopqrstuvwxyz.subdomain-aaaa               AAAA    fd92:7065:b8e:ffff::1
+klmnopqrstuvwxyz.subdomain-aaaa                        AAAA    fd92:7065:b8e:ffff::1
+lmnopqrstuvwxyz.subdomain-aaaa                 AAAA    fd92:7065:b8e:ffff::1
+mnopqrstuvwxyz.subdomain-aaaa                  AAAA    fd92:7065:b8e:ffff::1
+
+subdomain-both         NS      abcdefghijklmnopqrstuvwxyz.subdomain-both
+                       NS      bcdefghijklmnopqrstuvwxyz.subdomain-both
+                       NS      cdefghijklmnopqrstuvwxyz.subdomain-both
+                       NS      defghijklmnopqrstuvwxyz.subdomain-both
+                       NS      efghijklmnopqrstuvwxyz.subdomain-both
+                       NS      fghijklmnopqrstuvwxyz.subdomain-both
+                       NS      ghijklmnopqrstuvwxyz.subdomain-both
+                       NS      hijklmnopqrstuvwxyz.subdomain-both
+                       NS      ijklmnopqrstuvwxyz.subdomain-both
+                       NS      jklmnopqrstuvwxyz.subdomain-both
+                       NS      klmnopqrstuvwxyz.subdomain-both
+                       NS      lmnopqrstuvwxyz.subdomain-both
+                       NS      mnopqrstuvwxyz.subdomain-both
+
+abcdefghijklmnopqrstuvwxyz.subdomain-both      A       10.53.0.1
+                                               AAAA    fd92:7065:b8e:ffff::1
+bcdefghijklmnopqrstuvwxyz.subdomain-both       A       10.53.0.1
+                                               AAAA    fd92:7065:b8e:ffff::1
+cdefghijklmnopqrstuvwxyz.subdomain-both                A       10.53.0.1
+                                               AAAA    fd92:7065:b8e:ffff::1
+defghijklmnopqrstuvwxyz.subdomain-both         A       10.53.0.1
+                                               AAAA    fd92:7065:b8e:ffff::1
+efghijklmnopqrstuvwxyz.subdomain-both          A       10.53.0.1
+                                               AAAA    fd92:7065:b8e:ffff::1
+fghijklmnopqrstuvwxyz.subdomain-both           A       10.53.0.1
+                                               AAAA    fd92:7065:b8e:ffff::1
+ghijklmnopqrstuvwxyz.subdomain-both            A       10.53.0.1
+                                               AAAA    fd92:7065:b8e:ffff::1
+hijklmnopqrstuvwxyz.subdomain-both             A       10.53.0.1
+                                               AAAA    fd92:7065:b8e:ffff::1
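Review bot: In `subdomain-both`, only eight of the thirteen in-bailiwick NS targets (abcdefghijklmnopqrstuvwxyz through hijklmnopqrstuvwxyz) have A/AAAA records, whereas every NS target in `subdomain-a` and `subdomain-aaaa` here, and in all three delegations of the signed variant, has glue. This looks deliberate given the size-tuning CAUTION at the top, but it is the kind of gap a maintainer might "fix" later, and named typically logs a warning about in-zone NS names without address records, which could be mistaken for a test-environment problem. If it is intentional, a line such as `; NOTE: the last five NS targets of subdomain-both deliberately have no address records (response-size tuning)` next to the `subdomain-both` delegation would prevent that; if it is not, the remaining glue should be added and the response size re-checked.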
index 82240a7c1b9ee7a923cd09b9f2a29f7b0d8c377c..1cac6e7efcc69c617af79cb1a97e85b2ed5df22c 100644 (file)
@@ -14,3 +14,5 @@
 . ../conf.sh
 
 copy_setports ns1/named.conf.in ns1/named.conf
+
+( cd ns1 && $SHELL sign.sh )
index e761839a7717211c3b7a353e7e1638247b7b57a3..4d750b04bedc2a7eac7bf6961f9f31376f74cd5c 100644 (file)
@@ -38,5 +38,53 @@ digcomp noglue.good dig.out.$n || ret=1
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
+n=$((n+1))
+echo_i "testing truncation for unsigned referrals close to UDP packet size limit (A glue) ($n)"
+ret=0
+dig_with_opts @10.53.0.1 +ignore +noedns foo.subdomain-a.tc-test-unsigned. > dig.out.$n || ret=1
+grep -q "flags:[^;]* tc" dig.out.$n || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing truncation for unsigned referrals close to UDP packet size limit (AAAA glue) ($n)"
+ret=0
+dig_with_opts @10.53.0.1 +ignore +noedns foo.subdomain-aaaa.tc-test-unsigned. > dig.out.$n || ret=1
+grep -q "flags:[^;]* tc" dig.out.$n || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing truncation for unsigned referrals close to UDP packet size limit (A+AAAA glue) ($n)"
+ret=0
+dig_with_opts @10.53.0.1 +ignore +noedns foo.subdomain-both.tc-test-unsigned. > dig.out.$n || ret=1
+grep -q "flags:[^;]* tc" dig.out.$n || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing truncation for signed referrals close to UDP packet size limit (A glue) ($n)"
+ret=0
+dig_with_opts @10.53.0.1 +ignore +dnssec +bufsize=512 foo.subdomain-a.tc-test-signed. > dig.out.$n || ret=1
+grep -q "flags:[^;]* tc" dig.out.$n || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing truncation for signed referrals close to UDP packet size limit (AAAA glue) ($n)"
+ret=0
+dig_with_opts @10.53.0.1 +ignore +dnssec +bufsize=512 foo.subdomain-aaaa.tc-test-signed. > dig.out.$n || ret=1
+grep -q "flags:[^;]* tc" dig.out.$n || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing truncation for signed referrals close to UDP packet size limit (A+AAAA glue) ($n)"
+ret=0
+dig_with_opts @10.53.0.1 +ignore +dnssec +bufsize=512 foo.subdomain-both.tc-test-signed. > dig.out.$n || ret=1
+grep -q "flags:[^;]* tc" dig.out.$n || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1