--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from re import compile as Re
+
+from dnssec_py.common import DNSSEC_PY_MARK
+from isctest.template import NS2, NS3, zones
+from isctest.zone import Zone, configure_root
+
+import isctest
+
+pytestmark = DNSSEC_PY_MARK
+
+
+def bootstrap():
+ sub = Zone("sub.nsec3-iter-too-many", NS3, signed=False)
+ sub.configure()
+
+ parent = Zone("nsec3-iter-too-many", NS2, signed=True)
+ parent.delegations = [sub]
+ parent.configure(sign_params="-3 A1B2C3D4 -H too-many -H 51")
+
+ root = configure_root([parent])
+
+ return {
+ "trust_anchors": root.trust_anchors(),
+ "zones": zones([root, parent, sub]),
+ }
+
+
+def test_excessive_nsec3_iterations_delegation(ns9):
+ # reproducer for CVE-2026-1519 [GL#5708]
+ zone = "a.sub.nsec3-iter-too-many"
+ msg = isctest.query.create(zone, "A")
+ res = isctest.query.tcp(msg, ns9.ip)
+
+ # an insecure response is expected regardless of the NSEC3 iteration limit,
+ # because the sub.nsec3-iter-too-many. zone is unsigned. the real
+ # difference is in the CPU usage required for generating such response, but
+ # that can't be easily and reliably tested in an automated fashion
+ isctest.check.noerror(res)
+
+ with ns9.watch_log_from_start() as watcher:
+ watcher.wait_for_line(Re(f"validating {zone}/A:.*too many iterations"))
+++ /dev/null
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- dnssec-validation no;
-};
-
-controls {
- inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-include "../../_common/rndc.key";
-
-zone "." {
- type primary;
- file "root.db";
-};
+++ /dev/null
-$TTL 300
-. IN SOA . . (
- 2025063000 ; serial
- 600 ; refresh
- 600 ; retry
- 1200 ; expire
- 600 ; minimum
- )
-. NS a.root-servers.nil.
-
-a.root-servers.nil A 10.53.0.1
-
-iter-too-many. NS ns2.iter-too-many.
-ns2.iter-too-many. A 10.53.0.2
+++ /dev/null
-{% raw %}
-$TTL 300
-@ IN SOA ns2.iter-too-many. hostmaster.iter-too-many. (
- 2026020300 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
-)
-
-@ IN NS ns2.iter-too-many.
-ns2 IN A 10.53.0.2
-
-sub IN NS ns2.sub.iter-too-many.
-ns2.sub IN A 10.53.0.2
-{% endraw %}
-
-{% for dnskey in dnskeys %}
-@dnskey@
-{% endfor %}
+++ /dev/null
-options {
- query-source address 10.53.0.2;
- notify-source 10.53.0.2;
- transfer-source 10.53.0.2;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.2; };
- listen-on-v6 { none; };
- recursion no;
- dnssec-validation no;
-};
-
-controls {
- inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-include "../../_common/rndc.key";
-
-zone "iter-too-many" {
- type primary;
- file "iter-too-many.signed.db";
-};
-
-zone "sub.iter-too-many" {
- type primary;
- file "sub.iter-too-many.db";
-};
+++ /dev/null
-$TTL 300
-@ IN SOA ns2.sub.iter-too-many. hostmaster.sub.iter-too-many. (
- 2026020300 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
-)
-
-@ IN NS ns2.sub.iter-too-many.
-ns2 IN A 10.53.0.2
-
-example IN A 127.0.0.1
+++ /dev/null
-options {
- query-source address 10.53.0.3;
- notify-source 10.53.0.3;
- transfer-source 10.53.0.3;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.3; };
- listen-on-v6 { none; };
- recursion yes;
- dnssec-validation yes;
-};
-
-controls {
- inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-include "../../_common/rndc.key";
-
-zone "." {
- type hint;
- file "../../_common/root.hint";
-};
-
-include "trusted.conf";
+++ /dev/null
-../../_common/trusted.conf.j2
\ No newline at end of file
+++ /dev/null
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-from isctest.run import EnvCmd
-
-import isctest
-
-
-def bootstrap():
- templates = isctest.template.TemplateEngine(".")
- keygen = EnvCmd("KEYGEN", "-a ECDSA256")
- signer = EnvCmd("SIGNER")
-
- isctest.log.info("setup iter-too-many.")
- zonename = "iter-too-many."
- ksk_name = keygen(f"-f KSK {zonename}", cwd="ns2").out.strip()
- zsk_name = keygen(f"{zonename}", cwd="ns2").out.strip()
- ksk = isctest.kasp.Key(ksk_name, keydir="ns2")
- zsk = isctest.kasp.Key(zsk_name, keydir="ns2")
- dnskeys = [ksk.dnskey, zsk.dnskey]
-
- tdata = {
- "dnskeys": dnskeys,
- }
- templates.render(f"ns2/{zonename}db", tdata, template=f"ns2/{zonename}db.j2.manual")
- signer(
- f"-P -o {zonename} -f {zonename}signed.db -3 A1B2C3D4 -H too-many -H 51 -S {zonename}db",
- cwd="ns2",
- )
-
- return {
- "trust_anchors": [
- ksk.into_ta("static-key"),
- ],
- }
-
-
-def test_excessive_nsec3_iterations_delegation(ns3):
- # reproducer for CVE-2026-1519 [GL#5708]
- zone = "example.sub.iter-too-many"
- msg = isctest.query.create(zone, "A")
- res = isctest.query.tcp(msg, ns3.ip)
-
- # an insecure response is expected regardless of the NSEC3 iteration limit,
- # because the sub.iter-too-many. zone is unsigned. the real difference is
- # in the CPU usage required for generating such response, but that can't be
- # easily and reliably tested in an automated fashion
- isctest.check.noerror(res)
-
- with ns3.watch_log_from_start() as watcher:
- watcher.wait_for_line(
- f"validating {zone}/A: validator_callback_ds: too many iterations"
- )
projects / thirdparty / bind9.git / commitdiff
