From: Nicki Křížek Date: Fri, 3 Apr 2026 13:22:33 +0000 (+0000) Subject: Add NSEC3 excessive iterations test to dnssec_py X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=5a3d403a0bf083dd9f5cf5cd272fd011aa911efe;p=thirdparty%2Fbind9.git Add NSEC3 excessive iterations test to dnssec_py Rewrite nsec3_delegation/tests_excessive_nsec3_iterations.py as dnssec_py/tests_nsec3_iter_too_many.py using the isctest.zone helpers. The test is a reproducer for CVE-2026-1519 [GL#5708]. It sets up a delegation from nsec3-iter-too-many. (ns2) to an unsigned sub zone (ns3), signing the parent with NSEC3 at 51 iterations. A validating resolver (ns9) must use NSEC3 to prove the sub zone is insecure; the excessive iteration count is logged as a warning. The test verifies that the query still resolves successfully (insecure, not SERVFAIL) despite the high iteration count. Assisted-by: Claude:claude-opus-4-8 (cherry picked from commit fc5116ed9164c28a1c76c2a42f0f99834f47fc58) --- diff --git a/bin/tests/system/dnssec_py/tests_nsec3_iter_too_many.py b/bin/tests/system/dnssec_py/tests_nsec3_iter_too_many.py new file mode 100644 index 00000000000..51d655d700f --- /dev/null +++ b/bin/tests/system/dnssec_py/tests_nsec3_iter_too_many.py @@ -0,0 +1,52 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from re import compile as Re + +from dnssec_py.common import DNSSEC_PY_MARK +from isctest.template import NS2, NS3, zones +from isctest.zone import Zone, configure_root + +import isctest + +pytestmark = DNSSEC_PY_MARK + + +def bootstrap(): + sub = Zone("sub.nsec3-iter-too-many", NS3, signed=False) + sub.configure() + + parent = Zone("nsec3-iter-too-many", NS2, signed=True) + parent.delegations = [sub] + parent.configure(sign_params="-3 A1B2C3D4 -H too-many -H 51") + + root = configure_root([parent]) + + return { + "trust_anchors": root.trust_anchors(), + "zones": zones([root, parent, sub]), + } + + +def test_excessive_nsec3_iterations_delegation(ns9): + # reproducer for CVE-2026-1519 [GL#5708] + zone = "a.sub.nsec3-iter-too-many" + msg = isctest.query.create(zone, "A") + res = isctest.query.tcp(msg, ns9.ip) + + # an insecure response is expected regardless of the NSEC3 iteration limit, + # because the sub.nsec3-iter-too-many. zone is unsigned. the real + # difference is in the CPU usage required for generating such response, but + # that can't be easily and reliably tested in an automated fashion + isctest.check.noerror(res) + + with ns9.watch_log_from_start() as watcher: + watcher.wait_for_line(Re(f"validating {zone}/A:.*too many iterations")) diff --git a/bin/tests/system/nsec3_delegation/ns1/named.conf.j2 b/bin/tests/system/nsec3_delegation/ns1/named.conf.j2 deleted file mode 100644 index 65016d1c672..00000000000 --- a/bin/tests/system/nsec3_delegation/ns1/named.conf.j2 +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - query-source address 10.53.0.1; - notify-source 10.53.0.1; - transfer-source 10.53.0.1; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.1; }; - listen-on-v6 { none; }; - recursion no; - dnssec-validation no; -}; - -controls { - inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -include "../../_common/rndc.key"; - -zone "." { - type primary; - file "root.db"; -}; diff --git a/bin/tests/system/nsec3_delegation/ns1/root.db b/bin/tests/system/nsec3_delegation/ns1/root.db deleted file mode 100644 index c3f80d0d4b8..00000000000 --- a/bin/tests/system/nsec3_delegation/ns1/root.db +++ /dev/null @@ -1,25 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 -. IN SOA . . ( - 2025063000 ; serial - 600 ; refresh - 600 ; retry - 1200 ; expire - 600 ; minimum - ) -. NS a.root-servers.nil. - -a.root-servers.nil A 10.53.0.1 - -iter-too-many. NS ns2.iter-too-many. -ns2.iter-too-many. A 10.53.0.2 diff --git a/bin/tests/system/nsec3_delegation/ns2/iter-too-many.db.j2.manual b/bin/tests/system/nsec3_delegation/ns2/iter-too-many.db.j2.manual deleted file mode 100644 index fa5023d21b9..00000000000 --- a/bin/tests/system/nsec3_delegation/ns2/iter-too-many.db.j2.manual +++ /dev/null @@ -1,31 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -{% raw %} -$TTL 300 -@ IN SOA ns2.iter-too-many. hostmaster.iter-too-many. ( - 2026020300 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) -) - -@ IN NS ns2.iter-too-many. -ns2 IN A 10.53.0.2 - -sub IN NS ns2.sub.iter-too-many. -ns2.sub IN A 10.53.0.2 -{% endraw %} - -{% for dnskey in dnskeys %} -@dnskey@ -{% endfor %} diff --git a/bin/tests/system/nsec3_delegation/ns2/named.conf.j2 b/bin/tests/system/nsec3_delegation/ns2/named.conf.j2 deleted file mode 100644 index 2f4823574f1..00000000000 --- a/bin/tests/system/nsec3_delegation/ns2/named.conf.j2 +++ /dev/null @@ -1,40 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - query-source address 10.53.0.2; - notify-source 10.53.0.2; - transfer-source 10.53.0.2; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.2; }; - listen-on-v6 { none; }; - recursion no; - dnssec-validation no; -}; - -controls { - inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -include "../../_common/rndc.key"; - -zone "iter-too-many" { - type primary; - file "iter-too-many.signed.db"; -}; - -zone "sub.iter-too-many" { - type primary; - file "sub.iter-too-many.db"; -}; diff --git a/bin/tests/system/nsec3_delegation/ns2/sub.iter-too-many.db b/bin/tests/system/nsec3_delegation/ns2/sub.iter-too-many.db deleted file mode 100644 index 09b2bb6fb39..00000000000 --- a/bin/tests/system/nsec3_delegation/ns2/sub.iter-too-many.db +++ /dev/null @@ -1,24 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 -@ IN SOA ns2.sub.iter-too-many. hostmaster.sub.iter-too-many. ( - 2026020300 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) -) - -@ IN NS ns2.sub.iter-too-many. -ns2 IN A 10.53.0.2 - -example IN A 127.0.0.1 diff --git a/bin/tests/system/nsec3_delegation/ns3/named.conf.j2 b/bin/tests/system/nsec3_delegation/ns3/named.conf.j2 deleted file mode 100644 index e36b88c53ea..00000000000 --- a/bin/tests/system/nsec3_delegation/ns3/named.conf.j2 +++ /dev/null @@ -1,37 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - query-source address 10.53.0.3; - notify-source 10.53.0.3; - transfer-source 10.53.0.3; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.3; }; - listen-on-v6 { none; }; - recursion yes; - dnssec-validation yes; -}; - -controls { - inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -include "../../_common/rndc.key"; - -zone "." { - type hint; - file "../../_common/root.hint"; -}; - -include "trusted.conf"; diff --git a/bin/tests/system/nsec3_delegation/ns3/trusted.conf.j2 b/bin/tests/system/nsec3_delegation/ns3/trusted.conf.j2 deleted file mode 120000 index cb0be77b220..00000000000 --- a/bin/tests/system/nsec3_delegation/ns3/trusted.conf.j2 +++ /dev/null @@ -1 +0,0 @@ -../../_common/trusted.conf.j2 \ No newline at end of file diff --git a/bin/tests/system/nsec3_delegation/tests_excessive_nsec3_iterations.py b/bin/tests/system/nsec3_delegation/tests_excessive_nsec3_iterations.py deleted file mode 100644 index 5bd17ed8743..00000000000 --- a/bin/tests/system/nsec3_delegation/tests_excessive_nsec3_iterations.py +++ /dev/null @@ -1,61 +0,0 @@ -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -from isctest.run import EnvCmd - -import isctest - - -def bootstrap(): - templates = isctest.template.TemplateEngine(".") - keygen = EnvCmd("KEYGEN", "-a ECDSA256") - signer = EnvCmd("SIGNER") - - isctest.log.info("setup iter-too-many.") - zonename = "iter-too-many." - ksk_name = keygen(f"-f KSK {zonename}", cwd="ns2").out.strip() - zsk_name = keygen(f"{zonename}", cwd="ns2").out.strip() - ksk = isctest.kasp.Key(ksk_name, keydir="ns2") - zsk = isctest.kasp.Key(zsk_name, keydir="ns2") - dnskeys = [ksk.dnskey, zsk.dnskey] - - tdata = { - "dnskeys": dnskeys, - } - templates.render(f"ns2/{zonename}db", tdata, template=f"ns2/{zonename}db.j2.manual") - signer( - f"-P -o {zonename} -f {zonename}signed.db -3 A1B2C3D4 -H too-many -H 51 -S {zonename}db", - cwd="ns2", - ) - - return { - "trust_anchors": [ - ksk.into_ta("static-key"), - ], - } - - -def test_excessive_nsec3_iterations_delegation(ns3): - # reproducer for CVE-2026-1519 [GL#5708] - zone = "example.sub.iter-too-many" - msg = isctest.query.create(zone, "A") - res = isctest.query.tcp(msg, ns3.ip) - - # an insecure response is expected regardless of the NSEC3 iteration limit, - # because the sub.iter-too-many. zone is unsigned. the real difference is - # in the CPU usage required for generating such response, but that can't be - # easily and reliably tested in an automated fashion - isctest.check.noerror(res) - - with ns3.watch_log_from_start() as watcher: - watcher.wait_for_line( - f"validating {zone}/A: validator_callback_ds: too many iterations" - )