From: Michał Kępień Date: Thu, 22 Sep 2022 12:03:17 +0000 (+0200) Subject: Add tests for broken glueless referrals X-Git-Tag: v9.19.6~44^2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=18143493744234eee02e5334bfd717d7d62ff1a0;p=thirdparty%2Fbind9.git Add tests for broken glueless referrals If an NS RRset at the parent side of a delegation point only contains in-bailiwick NS records, at least one glue record should be included in every referral response sent for such a delegation point or else clients will need to send follow-up queries in order to determine name server addresses. In certain edge cases (when the total size of a referral response without glue records was just below to the UDP packet size limit), named failed to adhere to that rule by sending non-truncated, glueless referral responses. Add tests attempting to trigger that bug in several different scenarios, covering all possible combinations of the following factors: - type of zone (signed, unsigned), - glue record type (A, AAAA, both).
---
diff --git a/bin/tests/system/glue/clean.sh b/bin/tests/system/glue/clean.sh
index d6ec3455d68..138980e90a8 100644
--- a/bin/tests/system/glue/clean.sh
+++ b/bin/tests/system/glue/clean.sh
@@ -19,5 +19,9 @@ rm -f */named.conf
 rm -f */named.memstats
 rm -f */named.run
 rm -f dig.out
+rm -f ns*/K*
+rm -f ns*/dsset-*
 rm -f ns*/managed-keys.bind*
 rm -f ns*/named.lock
+rm -f ns*/tc-test-signed.db
+rm -f ns*/tc-test-signed.db.signed
diff --git a/bin/tests/system/glue/ns1/named.conf.in b/bin/tests/system/glue/ns1/named.conf.in
index 4d1ef75611c..61195f91364 100644
--- a/bin/tests/system/glue/ns1/named.conf.in
+++ b/bin/tests/system/glue/ns1/named.conf.in
@@ -32,7 +32,18 @@ zone "root-servers.nil" {
 type primary;
 file "root-servers.nil.db";
 };
+
 zone "net" {
 type primary;
 file "net.db";
 };
+
+zone "tc-test-unsigned" {
+ type master;
+ file "tc-test-unsigned.db";
+};
+
+zone "tc-test-signed" {
+ type master;
+ file "tc-test-signed.db.signed";
+};
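Review bot: The two zone blocks added at the end of the named.conf.in hunk use `type master;`, while the `root-servers.nil` and `net` zones right above them in the same file use `type primary;`, so the file now mixes the older and the current spelling of the same option. Writing `type primary;` in both new blocks keeps the configuration consistent with the rest of the file; that single line is the only change needed in each block.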
diff --git a/bin/tests/system/glue/ns1/sign.sh b/bin/tests/system/glue/ns1/sign.sh
new file mode 100644
index 00000000000..64250065e61
--- /dev/null
+++ b/bin/tests/system/glue/ns1/sign.sh
@@ -0,0 +1,27 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../../conf.sh
+
+zone=tc-test-signed
+infile=tc-test-signed.db.in
+zonefile=tc-test-signed.db
+
+# The signing algorithm and key sizes used here are NOT arbitrary - they have
+# been carefully chosen to ensure that the signed referral response checked in
+# the test will be around 512 bytes in size with glue records excluded. Please
+# keep this in mind when updating signing algorithms used in system tests.
+keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+
+$SIGNER -P -o $zone $zonefile > /dev/null
diff --git a/bin/tests/system/glue/ns1/tc-test-signed.db.in b/bin/tests/system/glue/ns1/tc-test-signed.db.in
new file mode 100644
index 00000000000..5c0181dc3aa
--- /dev/null
+++ b/bin/tests/system/glue/ns1/tc-test-signed.db.in
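Review bot: The `-e` in `#!/bin/sh -e` on the first line of sign.sh is silently dropped when the script is started as `$SHELL sign.sh`, which is exactly how setup.sh in this commit runs it, so a failing `$KEYGEN` does not stop the script: `keyname` is left empty, `cat` fails on the non-existent `.key` file but still writes the unsigned input into `tc-test-signed.db`, and the later `$SIGNER` run is left to report a much less direct error. Put the option into the body instead, `#!/bin/sh` as the shebang and `set -e` after the license block, so it applies however the script is invoked. Quoting `"$zone"` and `"$zonefile"` in the `$KEYGEN` and `$SIGNER` calls would also make those lines consistent with the already quoted `"$infile"` and `"$zonefile"` on the `cat` line.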
@@ -0,0 +1,55 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; CAUTION: Contents of this zone were carefully crafted so that the responses
+; to the queries used in the "glue" system test have a very specific size.
+; Editing this zone is not recommended as it may break the relevant checks.
+
+$TTL 300
+@ IN SOA ns hostmaster (
+ 1
+ 3600
+ 1800
+ 1814400
+ 3600
+ )
+ NS a
+a A 10.53.0.1
+
+subdomain-a NS 0123456789.subdomain-a
+ NS 0123456.subdomain-a
+ NS 0123.subdomain-a
+
+0123456789.subdomain-a A 10.53.0.1
+0123456.subdomain-a A 10.53.0.1
+0123.subdomain-a A 10.53.0.1
+
+subdomain-aaaa NS 0123456789.subdomain-aaaa
+ NS 0123456.subdomain-aaaa
+ NS 0123.subdomain-aaaa
+
+0123456789.subdomain-aaaa AAAA fd92:7065:b8e:ffff::1
+0123456.subdomain-aaaa AAAA fd92:7065:b8e:ffff::1
+0123.subdomain-aaaa AAAA fd92:7065:b8e:ffff::1
+
+subdomain-both NS 0123456789.subdomain-both
+ NS 0123456.subdomain-both
+ NS 0123.subdomain-both
+ NS 0.subdomain-both
+
+0123456789.subdomain-both A 10.53.0.1
+ AAAA fd92:7065:b8e:ffff::1
+0123456.subdomain-both A 10.53.0.1
+ AAAA fd92:7065:b8e:ffff::1
+0123.subdomain-both A 10.53.0.1
+ AAAA fd92:7065:b8e:ffff::1
+0.subdomain-both A 10.53.0.1
+ AAAA fd92:7065:b8e:ffff::1
diff --git a/bin/tests/system/glue/ns1/tc-test-unsigned.db b/bin/tests/system/glue/ns1/tc-test-unsigned.db
new file mode 100644
index 00000000000..de326c0acc0
--- /dev/null
+++ b/bin/tests/system/glue/ns1/tc-test-unsigned.db
@@ -0,0 +1,112 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; CAUTION: Contents of this zone were carefully crafted so that the responses
+; to the queries used in the "glue" system test have a very specific size.
+; Editing this zone is not recommended as it may break the relevant checks.
+
+$TTL 300
+@ IN SOA ns hostmaster (
+ 1
+ 3600
+ 1800
+ 1814400
+ 3600
+ )
+ NS a
+a A 10.53.0.1
+
+subdomain-a NS abcdefghijklmnopqrstuvwxyz.subdomain-a
+ NS bcdefghijklmnopqrstuvwxyz.subdomain-a
+ NS cdefghijklmnopqrstuvwxyz.subdomain-a
+ NS defghijklmnopqrstuvwxyz.subdomain-a
+ NS efghijklmnopqrstuvwxyz.subdomain-a
+ NS fghijklmnopqrstuvwxyz.subdomain-a
+ NS ghijklmnopqrstuvwxyz.subdomain-a
+ NS hijklmnopqrstuvwxyz.subdomain-a
+ NS ijklmnopqrstuvwxyz.subdomain-a
+ NS jklmnopqrstuvwxyz.subdomain-a
+ NS klmnopqrstuvwxyz.subdomain-a
+ NS lmnopqrstuvwxyz.subdomain-a
+ NS mnopqrstuvwxyz.subdomain-a
+
+abcdefghijklmnopqrstuvwxyz.subdomain-a A 10.53.0.1
+bcdefghijklmnopqrstuvwxyz.subdomain-a A 10.53.0.1
+cdefghijklmnopqrstuvwxyz.subdomain-a A 10.53.0.1
+defghijklmnopqrstuvwxyz.subdomain-a A 10.53.0.1
+efghijklmnopqrstuvwxyz.subdomain-a A 10.53.0.1
+fghijklmnopqrstuvwxyz.subdomain-a A 10.53.0.1
+ghijklmnopqrstuvwxyz.subdomain-a A 10.53.0.1
+hijklmnopqrstuvwxyz.subdomain-a A 10.53.0.1
+ijklmnopqrstuvwxyz.subdomain-a A 10.53.0.1
+jklmnopqrstuvwxyz.subdomain-a A 10.53.0.1
+klmnopqrstuvwxyz.subdomain-a A 10.53.0.1
+lmnopqrstuvwxyz.subdomain-a A 10.53.0.1
+mnopqrstuvwxyz.subdomain-a A 10.53.0.1
+
+subdomain-aaaa NS abcdefghijklmnopqrstuvwxyz.subdomain-aaaa
+ NS bcdefghijklmnopqrstuvwxyz.subdomain-aaaa
+ NS cdefghijklmnopqrstuvwxyz.subdomain-aaaa
+ NS defghijklmnopqrstuvwxyz.subdomain-aaaa
+ NS efghijklmnopqrstuvwxyz.subdomain-aaaa
+ NS fghijklmnopqrstuvwxyz.subdomain-aaaa
+ NS ghijklmnopqrstuvwxyz.subdomain-aaaa
+ NS hijklmnopqrstuvwxyz.subdomain-aaaa
+ NS ijklmnopqrstuvwxyz.subdomain-aaaa
+ NS jklmnopqrstuvwxyz.subdomain-aaaa
+ NS klmnopqrstuvwxyz.subdomain-aaaa
+ NS lmnopqrstuvwxyz.subdomain-aaaa
+ NS mnopqrstuvwxyz.subdomain-aaaa
+
+abcdefghijklmnopqrstuvwxyz.subdomain-aaaa AAAA fd92:7065:b8e:ffff::1
+bcdefghijklmnopqrstuvwxyz.subdomain-aaaa AAAA fd92:7065:b8e:ffff::1
+cdefghijklmnopqrstuvwxyz.subdomain-aaaa AAAA fd92:7065:b8e:ffff::1
+defghijklmnopqrstuvwxyz.subdomain-aaaa AAAA fd92:7065:b8e:ffff::1
+efghijklmnopqrstuvwxyz.subdomain-aaaa AAAA fd92:7065:b8e:ffff::1
+fghijklmnopqrstuvwxyz.subdomain-aaaa AAAA fd92:7065:b8e:ffff::1
+ghijklmnopqrstuvwxyz.subdomain-aaaa AAAA fd92:7065:b8e:ffff::1
+hijklmnopqrstuvwxyz.subdomain-aaaa AAAA fd92:7065:b8e:ffff::1
+ijklmnopqrstuvwxyz.subdomain-aaaa AAAA fd92:7065:b8e:ffff::1
+jklmnopqrstuvwxyz.subdomain-aaaa AAAA fd92:7065:b8e:ffff::1
+klmnopqrstuvwxyz.subdomain-aaaa AAAA fd92:7065:b8e:ffff::1
+lmnopqrstuvwxyz.subdomain-aaaa AAAA fd92:7065:b8e:ffff::1
+mnopqrstuvwxyz.subdomain-aaaa AAAA fd92:7065:b8e:ffff::1
+
+subdomain-both NS abcdefghijklmnopqrstuvwxyz.subdomain-both
+ NS bcdefghijklmnopqrstuvwxyz.subdomain-both
+ NS cdefghijklmnopqrstuvwxyz.subdomain-both
+ NS defghijklmnopqrstuvwxyz.subdomain-both
+ NS efghijklmnopqrstuvwxyz.subdomain-both
+ NS fghijklmnopqrstuvwxyz.subdomain-both
+ NS ghijklmnopqrstuvwxyz.subdomain-both
+ NS hijklmnopqrstuvwxyz.subdomain-both
+ NS ijklmnopqrstuvwxyz.subdomain-both
+ NS jklmnopqrstuvwxyz.subdomain-both
+ NS klmnopqrstuvwxyz.subdomain-both
+ NS lmnopqrstuvwxyz.subdomain-both
+ NS mnopqrstuvwxyz.subdomain-both
+
+abcdefghijklmnopqrstuvwxyz.subdomain-both A 10.53.0.1
+ AAAA fd92:7065:b8e:ffff::1
+bcdefghijklmnopqrstuvwxyz.subdomain-both A 10.53.0.1
+ AAAA fd92:7065:b8e:ffff::1
+cdefghijklmnopqrstuvwxyz.subdomain-both A 10.53.0.1
+ AAAA fd92:7065:b8e:ffff::1
+defghijklmnopqrstuvwxyz.subdomain-both A 10.53.0.1
+ AAAA fd92:7065:b8e:ffff::1
+efghijklmnopqrstuvwxyz.subdomain-both A 10.53.0.1
+ AAAA fd92:7065:b8e:ffff::1
+fghijklmnopqrstuvwxyz.subdomain-both A 10.53.0.1
+ AAAA fd92:7065:b8e:ffff::1
+ghijklmnopqrstuvwxyz.subdomain-both A 10.53.0.1
+ AAAA fd92:7065:b8e:ffff::1
+hijklmnopqrstuvwxyz.subdomain-both A 10.53.0.1
+ AAAA fd92:7065:b8e:ffff::1
diff --git a/bin/tests/system/glue/setup.sh b/bin/tests/system/glue/setup.sh
index 82240a7c1b9..1cac6e7efcc 100644
--- a/bin/tests/system/glue/setup.sh
+++ b/bin/tests/system/glue/setup.sh
@@ -14,3 +14,5 @@
 . ../conf.sh
 copy_setports ns1/named.conf.in ns1/named.conf
+
+( cd ns1 && $SHELL sign.sh )
diff --git a/bin/tests/system/glue/tests.sh b/bin/tests/system/glue/tests.sh
index e761839a771..4d750b04bed 100644
--- a/bin/tests/system/glue/tests.sh
+++ b/bin/tests/system/glue/tests.sh
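Review bot: In the `subdomain-both` section of tc-test-unsigned.db, 13 NS records are listed but A/AAAA glue pairs follow only for the first eight names (`abcdefghijklmnopqrstuvwxyz` through `hijklmnopqrstuvwxyz`), whereas `subdomain-a` and `subdomain-aaaa` in the same file carry glue for every one of their 13 name servers. This asymmetry is presumably part of the size tuning the CAUTION header refers to, but nothing at that point in the file says so, and a reader comparing the three sections will read it as an omission. A one-line comment above the glue block, such as `; only the first eight name servers below get glue; the remaining five are left glueless on purpose (see CAUTION above)`, would record the intent next to the data.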
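Review bot: The exit status of `( cd ns1 && $SHELL sign.sh )` on the last line of the setup.sh hunk is not checked, so unless the part of setup.sh above the hunk enables `set -e`, a failing sign.sh is not reported here and the problem only surfaces later, when named cannot load `tc-test-signed` and the new truncation checks in tests.sh fail for a reason unrelated to the behaviour under test. Writing `( cd ns1 && $SHELL sign.sh ) || exit 1` makes setup fail at the step that actually went wrong. The rest of setup.sh is outside the hunk, so whether `set -e` is already in effect cannot be confirmed from here.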
@@ -38,5 +38,53 @@ digcomp noglue.good dig.out.$n || ret=1
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
+n=$((n+1))
+echo_i "testing truncation for unsigned referrals close to UDP packet size limit (A glue) ($n)"
+ret=0
+dig_with_opts @10.53.0.1 +ignore +noedns foo.subdomain-a.tc-test-unsigned. > dig.out.$n || ret=1
+grep -q "flags:[^;]* tc" dig.out.$n || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing truncation for unsigned referrals close to UDP packet size limit (AAAA glue) ($n)"
+ret=0
+dig_with_opts @10.53.0.1 +ignore +noedns foo.subdomain-aaaa.tc-test-unsigned. > dig.out.$n || ret=1
+grep -q "flags:[^;]* tc" dig.out.$n || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing truncation for unsigned referrals close to UDP packet size limit (A+AAAA glue) ($n)"
+ret=0
+dig_with_opts @10.53.0.1 +ignore +noedns foo.subdomain-both.tc-test-unsigned. > dig.out.$n || ret=1
+grep -q "flags:[^;]* tc" dig.out.$n || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing truncation for signed referrals close to UDP packet size limit (A glue) ($n)"
+ret=0
+dig_with_opts @10.53.0.1 +ignore +dnssec +bufsize=512 foo.subdomain-a.tc-test-signed. > dig.out.$n || ret=1
+grep -q "flags:[^;]* tc" dig.out.$n || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing truncation for signed referrals close to UDP packet size limit (AAAA glue) ($n)"
+ret=0
+dig_with_opts @10.53.0.1 +ignore +dnssec +bufsize=512 foo.subdomain-aaaa.tc-test-signed. > dig.out.$n || ret=1
+grep -q "flags:[^;]* tc" dig.out.$n || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing truncation for signed referrals close to UDP packet size limit (A+AAAA glue) ($n)"
+ret=0
+dig_with_opts @10.53.0.1 +ignore +dnssec +bufsize=512 foo.subdomain-both.tc-test-signed. > dig.out.$n || ret=1
+grep -q "flags:[^;]* tc" dig.out.$n || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
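Review bot: The six blocks added after the `status=$((status+ret))` context line are the same seven lines repeated, with only the zone name (`unsigned`/`signed`), the glue label and the dig options (`+noedns` versus `+dnssec +bufsize=512`) changing, so any later adjustment to the check, such as an extra dig option or a second assertion on the response, has to be made in six places and a copy that is missed diverges silently. A nested loop over zone type and glue variant produces the identical `echo_i` messages, query names and `dig.out.$n` files while selecting the per-zone options once. The `$opts` expansion below is intentionally unquoted so that `+dnssec +bufsize=512` is split into two dig arguments, which the accompanying shellcheck comment records for the reader.

```sh
for zone in unsigned signed; do
  if [ "$zone" = "signed" ]; then
    opts="+dnssec +bufsize=512"
  else
    opts="+noedns"
  fi
  for glue in a aaaa both; do
    case "$glue" in
      a) label="A glue" ;;
      aaaa) label="AAAA glue" ;;
      both) label="A+AAAA glue" ;;
    esac
    n=$((n+1))
    echo_i "testing truncation for $zone referrals close to UDP packet size limit ($label) ($n)"
    ret=0
    # shellcheck disable=SC2086 -- $opts deliberately word-splits into separate dig options
    dig_with_opts @10.53.0.1 +ignore $opts "foo.subdomain-$glue.tc-test-$zone." > dig.out.$n || ret=1
    grep -q "flags:[^;]* tc" dig.out.$n || ret=1
    if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
    status=$((status+ret))
  done
done
# … unchanged: final "exit status" report …
```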