git.ipfire.org Git - thirdparty/bind9.git/commit
Test that unsolicited NS in positive answer cannot overwrite current NS
author Petr Špaček <pspacek@isc.org>
Wed, 23 Jul 2025 15:25:18 +0000 (17:25 +0200)
committer Michał Kępień (GitLab job 6660033) <michal@isc.org>
Mon, 22 Dec 2025 11:47:26 +0000 (11:47 +0000)
commit ae0afc1d424e56893b24c625b00cb636ff83dd3f
tree c574427cb828b43251f5eeaad071941f339fdbdb
parent 0a00d3c2c928199b3d9c8010e378a8c51900f94c

Before the fixes for CVE-2025-40778, an unsolicited in-bailiwick NS
record was accepted from a (spoofed) answer, enabling a single spoofed A
query/response to redirect traffic for a whole delegation.

In short, the attacker tries to spoof at least one answer that has the
following form:

    rcode NOERROR
    flags QR AA
    ;QUESTION
    trigger$RANDOM.victim. IN TXT
    ;ANSWER
    trigger$RANDOM.victim. 3600 IN TXT "spoofed answer with extra NS"
    ;AUTHORITY
    victim. 3600 IN NS ns.attacker.
    ;ADDITIONAL

This attack was originally reported as "test case 1".

Co-authored-by: Michał Kępień <michal@isc.org>
(cherry picked from commit 658d2e9f8ec8408f227af034bd87cf4ff3189a88)
bin/tests/system/bailiwick/ans2/ans.py
bin/tests/system/bailiwick/tests_bailiwick.py
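
The check the commit message describes, as an added example that is not code from this commit or from BIND: it parses the message layout shown above and reports NS RRsets in the AUTHORITY section of a positive answer that would replace the NS set already cached for that owner. The `trigger123` label, the cached `ns.victim.` name, and the comparison policy are assumptions made for illustration.

```python
# Added example: constructed input, simplified policy; not BIND's resolver code.
SPOOFED = """\
rcode NOERROR
flags QR AA
;QUESTION
trigger123.victim. IN TXT
;ANSWER
trigger123.victim. 3600 IN TXT "spoofed answer with extra NS"
;AUTHORITY
victim. 3600 IN NS ns.attacker.
;ADDITIONAL
"""

def parse_message(text):
    """Parse the textual message layout shown in the commit message."""
    msg = {"rcode": None, "flags": set(), "QUESTION": [], "ANSWER": [],
           "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(";"):            # section marker, e.g. ";ANSWER"
            section = line[1:].strip().upper()
            msg.setdefault(section, [])
        elif section is None:               # header lines before any section
            key, _, value = line.partition(" ")
            if key == "rcode":
                msg["rcode"] = value.strip().upper()
            elif key == "flags":
                msg["flags"] = set(value.upper().split())
        elif section == "QUESTION":         # name class type
            name, _rdclass, rdtype = line.split()
            msg[section].append((name.lower(), rdtype.upper()))
        else:                               # name ttl class type rdata
            name, _ttl, _rdclass, rdtype, rdata = line.split(None, 4)
            msg[section].append((name.lower(), rdtype.upper(), rdata))
    return msg

def ns_overwrites(msg, cached_ns):
    """Map owner -> offered NS targets where a positive answer's AUTHORITY
    section carries an NS RRset that was not asked for and differs from the
    NS set already cached for that owner (cached_ns: owner -> set)."""
    if msg["rcode"] != "NOERROR" or not msg["ANSWER"]:
        return {}                           # only positive answers are in scope
    asked = set(msg["QUESTION"])
    offered = {}
    for name, rdtype, rdata in msg["AUTHORITY"]:
        if rdtype == "NS" and (name, "NS") not in asked:
            offered.setdefault(name, set()).add(rdata.lower())
    return {owner: sorted(targets) for owner, targets in offered.items()
            if owner in cached_ns and targets != cached_ns[owner]}
```

An empty result means the response offers nothing that would change a cached delegation; a non-empty result names the owner and the NS targets a cache should not accept from this answer.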