--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+@ IN SOA malicious. admin.malicious. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 86400 ) ; Negative Cache TTL
+
+@ IN NS ns
+
+ns IN A 10.53.0.4
+
+target IN CNAME subdomain.rebind.
forward only;
forwarders { 10.53.0.2; };
};
+
+zone "malicious." {
+ type master;
+ file "malicious.db";
+};
listen-on-v6 { none; };
forward only;
forwarders { 10.53.0.4; };
+ deny-answer-aliases { "rebind"; };
+ dnssec-validation yes;
};
zone "." {
type hint;
file "root.db";
};
+
+zone "rebind" {
+ type master;
+ file "rebind.db";
+};
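Review bot: The added `dnssec-validation yes;` line in the ns5 options block is not explained by the rebinding test this commit introduces, and no trust anchor is visible in this hunk, so unless one is configured elsewhere in the file validation has nothing to validate against and the option is effectively inert. If it is needed for the forward-only path that applies `deny-answer-aliases` to be exercised, a comment such as `// needed so the forwarded answer takes the validating/filtering path` above it would make that dependency explicit; if it is not needed, dropping it keeps the test config focused on the option under test. The enclosing `options { ... }` block starts before the hunk.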
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+@ IN SOA rebind. admin.rebind. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 86400 ) ; Negative Cache TTL
+
+@ IN NS ns
+
+ns IN A 10.53.0.5
+
+subdomain IN A 10.53.0.1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+n=$((n+1))
+echo_i "checking that rebinding protection works in forward only mode ($n)"
+ret=0
+# 10.53.0.5 will forward target.malicious. query to 10.53.0.4
+# which in turn will return a CNAME for subdomain.rebind.
+# to honor the option deny-answer-aliases { "rebind"; };
+# ns5 should return a SERVFAIL to avoid potential rebinding attacks
+dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1
+grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
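Review bot: The new check on the `grep "status: SERVFAIL" dig.out.$n` line asserts only the response code, not that the alias pointing into `rebind` was actually withheld, so a regression that returned SERVFAIL together with the CNAME or the 10.53.0.1 address would still pass. Adding `grep "subdomain.rebind" dig.out.$n > /dev/null && ret=1` after the status grep pins the behaviour the comment describes (the question section only carries `target.malicious.`, so the alias name can only appear if it leaked). The added `status=$((status+ret))` also differs from the backtick `expr` form on the preceding context line; both work, but the file now mixes the two styles. The test script continues before the hunk.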
./bin/tests/system/forward/ns2/root.db ZONE 2000,2001,2004,2007,2016,2018,2019,2020
./bin/tests/system/forward/ns3/named.conf.in CONF-C 2018,2019,2020
./bin/tests/system/forward/ns3/root.db ZONE 2000,2001,2004,2007,2016,2018,2019,2020
+./bin/tests/system/forward/ns4/malicious.db ZONE 2020
./bin/tests/system/forward/ns4/named.conf.in CONF-C 2018,2019,2020
./bin/tests/system/forward/ns4/root.db ZONE 2000,2001,2004,2007,2016,2018,2019,2020
./bin/tests/system/forward/ns5/named.conf.in CONF-C 2018,2019,2020
+./bin/tests/system/forward/ns5/rebind.db ZONE 2020
./bin/tests/system/forward/ns5/root.db ZONE 2011,2016,2018,2019,2020
./bin/tests/system/forward/ns7/named.conf.in CONF-C 2019,2020
./bin/tests/system/forward/ns7/root.db ZONE 2019,2020