d2f388
From bd8fdeb2d1ece6db6dfe9fdc024f3a81440c1c0c Mon Sep 17 00:00:00 2001
d2f388
From: Mark Andrews <marka@isc.org>
d2f388
Date: Tue, 18 Jan 2022 00:19:47 +1100
d2f388
Subject: [PATCH] Add tests for forwarder cache poisoning scenarios
d2f388
d2f388
- Check that an NS in an authority section returned from a forwarder
d2f388
  which is above the name in a configured "forward first" or "forward
d2f388
  only" zone (i.e., net/NS in a response from a forwarder configured for
d2f388
  local.net) is not cached.
d2f388
- Test that a DNAME for a parent domain will not be cached when sent
d2f388
  in a response from a forwarder configured to answer for a child.
d2f388
- Check that glue is rejected if its name falls below that of zone
d2f388
  configured locally.
d2f388
- Check that extra out-of-bailiwick data in the answer section is
d2f388
  not cached (this was already working correctly, but was not explicitly
d2f388
  tested before).
d2f388
d2f388
(cherry picked from commit bf3fffff67e1de78e9387a93674d471bf4291604)
d2f388
(cherry picked from commit 59d1eb3ff810145c8098a0a4fbf93ef4380ad739)
d2f388
---
d2f388
 bin/tests/system/forward/ans11/ans.py         | 136 ++++++++++++++++++
d2f388
 bin/tests/system/forward/clean.sh             |   2 +
d2f388
 bin/tests/system/forward/ns1/diditwork.net.db |  22 +++
d2f388
 bin/tests/system/forward/ns1/named.conf.in    |  20 +++
d2f388
 bin/tests/system/forward/ns1/net.example.lll  |  15 ++
d2f388
 bin/tests/system/forward/ns1/spoofed.net.db   |  22 +++
d2f388
 bin/tests/system/forward/ns1/sub.local.net.db |  22 +++
d2f388
 bin/tests/system/forward/ns10/fakenet.zone    |  17 +++
d2f388
 bin/tests/system/forward/ns10/fakenet2.zone   |  15 ++
d2f388
 .../system/forward/ns10/fakesublocalnet.zone  |  15 ++
d2f388
 .../system/forward/ns10/fakesublocaltld.zone  |  15 ++
d2f388
 bin/tests/system/forward/ns10/named.conf.in   |  53 +++++++
d2f388
 bin/tests/system/forward/ns10/net.example.lll |  15 ++
d2f388
 bin/tests/system/forward/ns10/spoofednet.zone |  16 +++
d2f388
 bin/tests/system/forward/ns2/tld.db           |   6 +
d2f388
 bin/tests/system/forward/ns4/named.conf.in    |   5 +
d2f388
 bin/tests/system/forward/ns4/sibling.tld.db   |  22 +++
d2f388
 bin/tests/system/forward/ns8/named.conf.in    |   5 +
d2f388
 bin/tests/system/forward/ns8/sub.local.tld.db |  15 ++
d2f388
 bin/tests/system/forward/ns9/local.net.db     |  16 +++
d2f388
 bin/tests/system/forward/ns9/local.tld.db     |  15 ++
d2f388
 bin/tests/system/forward/ns9/named1.conf.in   |  67 +++++++++
d2f388
 bin/tests/system/forward/ns9/named2.conf.in   |  70 +++++++++
d2f388
 bin/tests/system/forward/ns9/named3.conf.in   |  50 +++++++
d2f388
 bin/tests/system/forward/ns9/named4.conf.in   |  47 ++++++
d2f388
 bin/tests/system/forward/ns9/root.db          |  13 ++
d2f388
 bin/tests/system/forward/setup.sh             |   2 +
d2f388
 bin/tests/system/forward/tests.sh             | 122 ++++++++++++++++
d2f388
 bin/tests/system/ifconfig.sh                  |   8 +-
d2f388
 29 files changed, 844 insertions(+), 4 deletions(-)
d2f388
 create mode 100644 bin/tests/system/forward/ans11/ans.py
d2f388
 create mode 100644 bin/tests/system/forward/ns1/diditwork.net.db
d2f388
 create mode 100644 bin/tests/system/forward/ns1/net.example.lll
d2f388
 create mode 100644 bin/tests/system/forward/ns1/spoofed.net.db
d2f388
 create mode 100644 bin/tests/system/forward/ns1/sub.local.net.db
d2f388
 create mode 100644 bin/tests/system/forward/ns10/fakenet.zone
d2f388
 create mode 100644 bin/tests/system/forward/ns10/fakenet2.zone
d2f388
 create mode 100644 bin/tests/system/forward/ns10/fakesublocalnet.zone
d2f388
 create mode 100644 bin/tests/system/forward/ns10/fakesublocaltld.zone
d2f388
 create mode 100644 bin/tests/system/forward/ns10/named.conf.in
d2f388
 create mode 100644 bin/tests/system/forward/ns10/net.example.lll
d2f388
 create mode 100644 bin/tests/system/forward/ns10/spoofednet.zone
d2f388
 create mode 100644 bin/tests/system/forward/ns4/sibling.tld.db
d2f388
 create mode 100644 bin/tests/system/forward/ns8/sub.local.tld.db
d2f388
 create mode 100644 bin/tests/system/forward/ns9/local.net.db
d2f388
 create mode 100644 bin/tests/system/forward/ns9/local.tld.db
d2f388
 create mode 100644 bin/tests/system/forward/ns9/named1.conf.in
d2f388
 create mode 100644 bin/tests/system/forward/ns9/named2.conf.in
d2f388
 create mode 100644 bin/tests/system/forward/ns9/named3.conf.in
d2f388
 create mode 100644 bin/tests/system/forward/ns9/named4.conf.in
d2f388
 create mode 100644 bin/tests/system/forward/ns9/root.db
d2f388
d2f388
diff --git a/bin/tests/system/forward/ans11/ans.py b/bin/tests/system/forward/ans11/ans.py
d2f388
new file mode 100644
d2f388
index 0000000000..1d35b3d3f1
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ans11/ans.py
d2f388
@@ -0,0 +1,136 @@
d2f388
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+#
d2f388
+# SPDX-License-Identifier: MPL-2.0
d2f388
+#
d2f388
+# This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+#
d2f388
+# See the COPYRIGHT file distributed with this work for additional
d2f388
+# information regarding copyright ownership.
d2f388
+
d2f388
+from __future__ import print_function
d2f388
+import os
d2f388
+import sys
d2f388
+import signal
d2f388
+import socket
d2f388
+import select
d2f388
+from datetime import datetime, timedelta
d2f388
+import time
d2f388
+import functools
d2f388
+
d2f388
+import dns, dns.message, dns.query, dns.flags
d2f388
+from dns.rdatatype import *
d2f388
+from dns.rdataclass import *
d2f388
+from dns.rcode import *
d2f388
+from dns.name import *
d2f388
+
d2f388
+# Log query to file
d2f388
+def logquery(type, qname):
d2f388
+    with open("qlog", "a") as f:
d2f388
+        f.write("%s %s\n", type, qname)
d2f388
+
d2f388
+############################################################################
d2f388
+# Respond to a DNS query.
d2f388
+############################################################################
d2f388
+def create_response(msg):
d2f388
+    m = dns.message.from_wire(msg)
d2f388
+    qname = m.question[0].name.to_text()
d2f388
+    rrtype = m.question[0].rdtype
d2f388
+    typename = dns.rdatatype.to_text(rrtype)
d2f388
+
d2f388
+    with open("query.log", "a") as f:
d2f388
+        f.write("%s %s\n" % (typename, qname))
d2f388
+        print("%s %s" % (typename, qname), end=" ")
d2f388
+
d2f388
+    r = dns.message.make_response(m)
d2f388
+    r.set_rcode(NOERROR)
d2f388
+    if rrtype == A:
d2f388
+        tld=qname.split('.')[-2] + '.'
d2f388
+        ns="local." + tld
d2f388
+        r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11"))
d2f388
+        r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." + tld))
d2f388
+        r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11"))
d2f388
+    elif rrtype == NS:
d2f388
+        r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, "."))
d2f388
+    elif rrtype == SOA:
d2f388
+        r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0"))
d2f388
+    else:
d2f388
+        r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0"))
d2f388
+    r.flags |= dns.flags.AA
d2f388
+    return r
d2f388
+
d2f388
+def sigterm(signum, frame):
d2f388
+    print ("Shutting down now...")
d2f388
+    os.remove('ans.pid')
d2f388
+    running = False
d2f388
+    sys.exit(0)
d2f388
+
d2f388
+############################################################################
d2f388
+# Main
d2f388
+#
d2f388
+# Set up responder and control channel, open the pid file, and start
d2f388
+# the main loop, listening for queries on the query channel or commands
d2f388
+# on the control channel and acting on them.
d2f388
+############################################################################
d2f388
+ip4 = "10.53.0.11"
d2f388
+ip6 = "fd92:7065:b8e:ffff::11"
d2f388
+
d2f388
+try: port=int(os.environ['PORT'])
d2f388
+except: port=5300
d2f388
+
d2f388
+query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
d2f388
+query4_socket.bind((ip4, port))
d2f388
+havev6 = True
d2f388
+try:
d2f388
+    query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
d2f388
+    try:
d2f388
+        query6_socket.bind((ip6, port))
d2f388
+    except:
d2f388
+        query6_socket.close()
d2f388
+        havev6 = False
d2f388
+except:
d2f388
+    havev6 = False
d2f388
+signal.signal(signal.SIGTERM, sigterm)
d2f388
+
d2f388
+f = open('ans.pid', 'w')
d2f388
+pid = os.getpid()
d2f388
+print (pid, file=f)
d2f388
+f.close()
d2f388
+
d2f388
+running = True
d2f388
+
d2f388
+print ("Listening on %s port %d" % (ip4, port))
d2f388
+if havev6:
d2f388
+    print ("Listening on %s port %d" % (ip6, port))
d2f388
+print ("Ctrl-c to quit")
d2f388
+
d2f388
+if havev6:
d2f388
+    input = [query4_socket, query6_socket]
d2f388
+else:
d2f388
+    input = [query4_socket]
d2f388
+
d2f388
+while running:
d2f388
+    try:
d2f388
+        inputready, outputready, exceptready = select.select(input, [], [])
d2f388
+    except select.error as e:
d2f388
+        break
d2f388
+    except socket.error as e:
d2f388
+        break
d2f388
+    except KeyboardInterrupt:
d2f388
+        break
d2f388
+
d2f388
+    for s in inputready:
d2f388
+        if s == query4_socket or s == query6_socket:
d2f388
+            print ("Query received on %s" %
d2f388
+                    (ip4 if s == query4_socket else ip6), end=" ")
d2f388
+            # Handle incoming queries
d2f388
+            msg = s.recvfrom(65535)
d2f388
+            rsp = create_response(msg[0])
d2f388
+            if rsp:
d2f388
+                print(dns.rcode.to_text(rsp.rcode()))
d2f388
+                s.sendto(rsp.to_wire(), msg[1])
d2f388
+            else:
d2f388
+                print("NO RESPONSE")
d2f388
+    if not running:
d2f388
+        break
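Review bot: `logquery` near the top of the file would raise `TypeError` if it were ever called, because `f.write("%s %s\n", type, qname)` passes three arguments to a one-argument method; it should be `f.write("%s %s\n" % (type, qname))`, or the helper should be dropped since `create_response` writes `query.log` itself and nothing in the file calls it. The three bare `except:` clauses around the `PORT` lookup and the IPv6 socket/bind also swallow `SystemExit` and `KeyboardInterrupt`; `except (KeyError, ValueError):` for the port and `except OSError:` for the socket are the failures actually expected there. In the main loop `create_response(msg[0])` runs with no error handling, so one malformed datagram that makes `dns.message.from_wire` raise kills the responder mid-run and the forwarder under test simply times out; wrapping that call in `try:`/`except dns.exception.DNSException:` that logs and continues keeps an unrelated crash from masquerading as a test result.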
d2f388
diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh
d2f388
index bc04eadb2c..b65b092680 100644
d2f388
--- a/bin/tests/system/forward/clean.sh
d2f388
+++ b/bin/tests/system/forward/clean.sh
d2f388
@@ -10,10 +10,12 @@
d2f388
 #
d2f388
 # Clean up after forward tests.
d2f388
 #
d2f388
+rm -f ./ans11/query.log
d2f388
 rm -f ./dig.out.*
d2f388
 rm -f ./*/named.conf
d2f388
 rm -f ./*/named.memstats
d2f388
 rm -f ./*/named.run ./*/named.run.prev
d2f388
+rm -f ./*/named_dump.db
d2f388
 rm -f ./ns*/named.lock
d2f388
 rm -f ./ns*/managed-keys.bind*
d2f388
 rm -f ./ns1/root.db ./ns1/root.db.signed
d2f388
diff --git a/bin/tests/system/forward/ns1/diditwork.net.db b/bin/tests/system/forward/ns1/diditwork.net.db
d2f388
new file mode 100644
d2f388
index 0000000000..fd9a46eb0c
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns1/diditwork.net.db
d2f388
@@ -0,0 +1,22 @@
d2f388
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+;
d2f388
+; SPDX-License-Identifier: MPL-2.0
d2f388
+;
d2f388
+; This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+;
d2f388
+; See the COPYRIGHT file distributed with this work for additional
d2f388
+; information regarding copyright ownership.
d2f388
+
d2f388
+$TTL 300	; 5 minutes
d2f388
+@			IN SOA	ns root (
d2f388
+				2000082401 ; serial
d2f388
+				1800       ; refresh (30 minutes)
d2f388
+				1800       ; retry (30 minutes)
d2f388
+				1814400    ; expire (3 weeks)
d2f388
+				3600       ; minimum (1 hour)
d2f388
+				)
d2f388
+			NS	ns
d2f388
+			TXT	"recursed"
d2f388
+ns			A	10.53.0.1
d2f388
diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in
d2f388
index 4aef4e55e5..c5fb2eb172 100644
d2f388
--- a/bin/tests/system/forward/ns1/named.conf.in
d2f388
+++ b/bin/tests/system/forward/ns1/named.conf.in
d2f388
@@ -63,3 +63,23 @@ zone "sld.tld" {
d2f388
 zone "example6" {
d2f388
 	type forward;
d2f388
 };
d2f388
+
d2f388
+zone "diditwork.net" {
d2f388
+	type primary;
d2f388
+	file "diditwork.net.db";
d2f388
+};
d2f388
+
d2f388
+zone "spoofed.net" {
d2f388
+	type primary;
d2f388
+	file "spoofed.net.db";
d2f388
+};
d2f388
+
d2f388
+zone "sub.local.net" {
d2f388
+	type primary;
d2f388
+	file "sub.local.net.db";
d2f388
+};
d2f388
+
d2f388
+zone "net.example.lll" {
d2f388
+	type master;
d2f388
+	file "net.example.lll";
d2f388
+};
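Review bot: The new `net.example.lll` zone is declared with `type master;` while the three zones added directly above it (`diditwork.net`, `spoofed.net`, `sub.local.net`) use `type primary;`; for consistency within the hunk change it to `type primary;`. The `zone "example6"` context shows this hunk is at the end of the file, so nothing else depends on the spelling.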
d2f388
diff --git a/bin/tests/system/forward/ns1/net.example.lll b/bin/tests/system/forward/ns1/net.example.lll
d2f388
new file mode 100644
d2f388
index 0000000000..ba0804fd75
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns1/net.example.lll
d2f388
@@ -0,0 +1,15 @@
d2f388
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+;
d2f388
+; SPDX-License-Identifier: MPL-2.0
d2f388
+;
d2f388
+; This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+;
d2f388
+; See the COPYRIGHT file distributed with this work for additional
d2f388
+; information regarding copyright ownership.
d2f388
+
d2f388
+$TTL 86400
d2f388
+net.example.lll.		SOA	. . 0 0 0 0 0
d2f388
+net.example.lll.		NS	attackSecureDomain.net.
d2f388
+didItWork.net.example.lll.	TXT	"if you can see this record the attack worked"
d2f388
diff --git a/bin/tests/system/forward/ns1/spoofed.net.db b/bin/tests/system/forward/ns1/spoofed.net.db
d2f388
new file mode 100644
d2f388
index 0000000000..eedc46f5c0
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns1/spoofed.net.db
d2f388
@@ -0,0 +1,22 @@
d2f388
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+;
d2f388
+; SPDX-License-Identifier: MPL-2.0
d2f388
+;
d2f388
+; This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+;
d2f388
+; See the COPYRIGHT file distributed with this work for additional
d2f388
+; information regarding copyright ownership.
d2f388
+
d2f388
+$TTL 300	; 5 minutes
d2f388
+@			IN SOA	ns root (
d2f388
+				2000082401 ; serial
d2f388
+				1800       ; refresh (30 minutes)
d2f388
+				1800       ; retry (30 minutes)
d2f388
+				1814400    ; expire (3 weeks)
d2f388
+				3600       ; minimum (1 hour)
d2f388
+				)
d2f388
+			NS	ns
d2f388
+ns			A	10.53.0.1
d2f388
+sub			TXT	"recursed"
d2f388
diff --git a/bin/tests/system/forward/ns1/sub.local.net.db b/bin/tests/system/forward/ns1/sub.local.net.db
d2f388
new file mode 100644
d2f388
index 0000000000..fd9a46eb0c
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns1/sub.local.net.db
d2f388
@@ -0,0 +1,22 @@
d2f388
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+;
d2f388
+; SPDX-License-Identifier: MPL-2.0
d2f388
+;
d2f388
+; This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+;
d2f388
+; See the COPYRIGHT file distributed with this work for additional
d2f388
+; information regarding copyright ownership.
d2f388
+
d2f388
+$TTL 300	; 5 minutes
d2f388
+@			IN SOA	ns root (
d2f388
+				2000082401 ; serial
d2f388
+				1800       ; refresh (30 minutes)
d2f388
+				1800       ; retry (30 minutes)
d2f388
+				1814400    ; expire (3 weeks)
d2f388
+				3600       ; minimum (1 hour)
d2f388
+				)
d2f388
+			NS	ns
d2f388
+			TXT	"recursed"
d2f388
+ns			A	10.53.0.1
d2f388
diff --git a/bin/tests/system/forward/ns10/fakenet.zone b/bin/tests/system/forward/ns10/fakenet.zone
d2f388
new file mode 100644
d2f388
index 0000000000..b655a32459
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns10/fakenet.zone
d2f388
@@ -0,0 +1,17 @@
d2f388
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+;
d2f388
+; SPDX-License-Identifier: MPL-2.0
d2f388
+;
d2f388
+; This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+;
d2f388
+; See the COPYRIGHT file distributed with this work for additional
d2f388
+; information regarding copyright ownership.
d2f388
+
d2f388
+$TTL 86400
d2f388
+net.			SOA	. . 0 0 0 0 0
d2f388
+net.			NS	attackSecureDomain.net.
d2f388
+attackSecureDomain.net.	A	10.53.0.10
d2f388
+didItWork.net.		TXT	"if you can see this record the attack worked"
d2f388
+ns.spoofed.net.		A	10.53.0.10
d2f388
diff --git a/bin/tests/system/forward/ns10/fakenet2.zone b/bin/tests/system/forward/ns10/fakenet2.zone
d2f388
new file mode 100644
d2f388
index 0000000000..cd1e6e9944
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns10/fakenet2.zone
d2f388
@@ -0,0 +1,15 @@
d2f388
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+;
d2f388
+; SPDX-License-Identifier: MPL-2.0
d2f388
+;
d2f388
+; This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+;
d2f388
+; See the COPYRIGHT file distributed with this work for additional
d2f388
+; information regarding copyright ownership.
d2f388
+
d2f388
+$TTL 86400
d2f388
+net2.			SOA	. . 0 0 0 0 0
d2f388
+net2.			NS	attackSecureDomain.net.
d2f388
+net2.			DNAME	net.example.lll.
d2f388
diff --git a/bin/tests/system/forward/ns10/fakesublocalnet.zone b/bin/tests/system/forward/ns10/fakesublocalnet.zone
d2f388
new file mode 100644
d2f388
index 0000000000..160b5332b2
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns10/fakesublocalnet.zone
d2f388
@@ -0,0 +1,15 @@
d2f388
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+;
d2f388
+; SPDX-License-Identifier: MPL-2.0
d2f388
+;
d2f388
+; This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+;
d2f388
+; See the COPYRIGHT file distributed with this work for additional
d2f388
+; information regarding copyright ownership.
d2f388
+
d2f388
+$TTL 86400
d2f388
+sub.local.net.		SOA	. . 0 0 0 0 0
d2f388
+sub.local.net.		NS	ns.spoofed.net.
d2f388
+sub.local.net.		TXT	"if you see this attacker overrode local delegation"
d2f388
diff --git a/bin/tests/system/forward/ns10/fakesublocaltld.zone b/bin/tests/system/forward/ns10/fakesublocaltld.zone
d2f388
new file mode 100644
d2f388
index 0000000000..f78cbc77f6
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns10/fakesublocaltld.zone
d2f388
@@ -0,0 +1,15 @@
d2f388
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+;
d2f388
+; SPDX-License-Identifier: MPL-2.0
d2f388
+;
d2f388
+; This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+;
d2f388
+; See the COPYRIGHT file distributed with this work for additional
d2f388
+; information regarding copyright ownership.
d2f388
+
d2f388
+sub.local.tld.		3600	IN	SOA	. . 0 0 0 0 0
d2f388
+sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
d2f388
+sub.local.tld.		3600	IN	TXT	bad
d2f388
+ns.sub.local.tld.	3600	IN	A	10.53.0.8
d2f388
diff --git a/bin/tests/system/forward/ns10/named.conf.in b/bin/tests/system/forward/ns10/named.conf.in
d2f388
new file mode 100644
d2f388
index 0000000000..1f318dd867
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns10/named.conf.in
d2f388
@@ -0,0 +1,53 @@
d2f388
+/*
d2f388
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+ *
d2f388
+ * SPDX-License-Identifier: MPL-2.0
d2f388
+ *
d2f388
+ * This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+ *
d2f388
+ * See the COPYRIGHT file distributed with this work for additional
d2f388
+ * information regarding copyright ownership.
d2f388
+ */
d2f388
+
d2f388
+options {
d2f388
+	query-source address 10.53.0.10;
d2f388
+	notify-source 10.53.0.10;
d2f388
+	transfer-source 10.53.0.10;
d2f388
+	port @PORT@;
d2f388
+	pid-file "named.pid";
d2f388
+	listen-on { 10.53.0.10; };
d2f388
+	listen-on-v6 { none; };
d2f388
+	minimal-responses no;
d2f388
+};
d2f388
+
d2f388
+zone "net." {
d2f388
+	type master;
d2f388
+	file "fakenet.zone";
d2f388
+};
d2f388
+
d2f388
+zone "spoofed.net." {
d2f388
+	type master;
d2f388
+	file "spoofednet.zone";
d2f388
+};
d2f388
+
d2f388
+zone "sub.local.net." {
d2f388
+	type master;
d2f388
+	file "fakesublocalnet.zone";
d2f388
+};
d2f388
+
d2f388
+zone "net2" {
d2f388
+	type master;
d2f388
+	file "fakenet2.zone";
d2f388
+};
d2f388
+
d2f388
+zone "net.example.lll" {
d2f388
+	type master;
d2f388
+	file "net.example.lll";
d2f388
+};
d2f388
+
d2f388
+zone "sub.local.tld." {
d2f388
+	type master;
d2f388
+	file "fakesublocaltld.zone";
d2f388
+};
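Review bot: All six zones here use `type master;`, whereas the zones this commit adds to ns1, ns4 and ns8 use `type primary;`; switching them keeps the new test tree on one spelling. Since ns10 plays the attacker and is presumably only meant to hand out authoritative answers for the fake zones, adding `recursion no;` to `options` would document that role and rule out the server attempting recursion (it has no root hints configured) should a query for a name outside these zones ever reach it. `minimal-responses no;` is doing real work for the attack scenario — it is presumably what gets the spoofed NS and glue into the authority and additional sections — so a one-line comment such as `// keep NS/glue in responses: the poisoning attempts depend on it` would help the next reader.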
d2f388
diff --git a/bin/tests/system/forward/ns10/net.example.lll b/bin/tests/system/forward/ns10/net.example.lll
d2f388
new file mode 100644
d2f388
index 0000000000..ba0804fd75
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns10/net.example.lll
d2f388
@@ -0,0 +1,15 @@
d2f388
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+;
d2f388
+; SPDX-License-Identifier: MPL-2.0
d2f388
+;
d2f388
+; This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+;
d2f388
+; See the COPYRIGHT file distributed with this work for additional
d2f388
+; information regarding copyright ownership.
d2f388
+
d2f388
+$TTL 86400
d2f388
+net.example.lll.		SOA	. . 0 0 0 0 0
d2f388
+net.example.lll.		NS	attackSecureDomain.net.
d2f388
+didItWork.net.example.lll.	TXT	"if you can see this record the attack worked"
d2f388
diff --git a/bin/tests/system/forward/ns10/spoofednet.zone b/bin/tests/system/forward/ns10/spoofednet.zone
d2f388
new file mode 100644
d2f388
index 0000000000..fb70a4372b
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns10/spoofednet.zone
d2f388
@@ -0,0 +1,16 @@
d2f388
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+;
d2f388
+; SPDX-License-Identifier: MPL-2.0
d2f388
+;
d2f388
+; This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+;
d2f388
+; See the COPYRIGHT file distributed with this work for additional
d2f388
+; information regarding copyright ownership.
d2f388
+
d2f388
+$TTL 86400
d2f388
+spoofed.net.		SOA	. . 0 0 0 0 0
d2f388
+spoofed.net.		NS	ns.spoofed.net.
d2f388
+ns.spoofed.net.		A	10.53.0.10
d2f388
+spoofed.net.		TXT	"this record is clearly spoofed"
d2f388
diff --git a/bin/tests/system/forward/ns2/tld.db b/bin/tests/system/forward/ns2/tld.db
d2f388
index 61b6569b07..819210dc05 100644
d2f388
--- a/bin/tests/system/forward/ns2/tld.db
d2f388
+++ b/bin/tests/system/forward/ns2/tld.db
d2f388
@@ -10,3 +10,9 @@ $TTL 300	; 5 minutes
d2f388
 ns			A	10.53.0.2
d2f388
 sld			NS	ns.sld
d2f388
 ns.sld			A	10.53.0.1
d2f388
+local			NS	ns.local
d2f388
+ns.local		A	10.53.0.9
d2f388
+sibling			NS	ns.sibling
d2f388
+ns.sibling		A	10.53.0.4
d2f388
+sibling			NS	ns.sub.local
d2f388
+ns.sub.local		A	10.53.0.10
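Review bot: The second `sibling NS ns.sub.local` record together with the `ns.sub.local A 10.53.0.10` glue appears to be the vector for the "glue below a locally configured zone" check in the commit message, but nothing in the zone file says so; a reader comparing it with ns9's `local.tld` zone, which maps `ns.sub.local.tld` to 10.53.0.8, will read the 10.53.0.10 address as a typo. Suggest a trailing comment on the glue line, e.g. `; deliberately wrong: ns9 is authoritative for local.tld and must not accept this glue`, and the same marker on the extra `sibling` NS record.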
d2f388
diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in
d2f388
index 855b4bfb82..85349aa97e 100644
d2f388
--- a/bin/tests/system/forward/ns4/named.conf.in
d2f388
+++ b/bin/tests/system/forward/ns4/named.conf.in
d2f388
@@ -60,3 +60,8 @@ zone "malicious." {
d2f388
 	type primary;
d2f388
 	file "malicious.db";
d2f388
 };
d2f388
+
d2f388
+zone "sibling.tld" {
d2f388
+	type primary;
d2f388
+	file "sibling.tld.db";
d2f388
+};
d2f388
diff --git a/bin/tests/system/forward/ns4/sibling.tld.db b/bin/tests/system/forward/ns4/sibling.tld.db
d2f388
new file mode 100644
d2f388
index 0000000000..fe080ae974
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns4/sibling.tld.db
d2f388
@@ -0,0 +1,22 @@
d2f388
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+;
d2f388
+; SPDX-License-Identifier: MPL-2.0
d2f388
+;
d2f388
+; This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+;
d2f388
+; See the COPYRIGHT file distributed with this work for additional
d2f388
+; information regarding copyright ownership.
d2f388
+
d2f388
+$TTL    86400
d2f388
+@       IN      SOA     malicious. admin.malicious. (
d2f388
+                              1         ; Serial
d2f388
+                         604800         ; Refresh
d2f388
+                          86400         ; Retry
d2f388
+                        2419200         ; Expire
d2f388
+                          86400 )       ; Negative Cache TTL
d2f388
+
d2f388
+@           IN    NS      ns
d2f388
+
d2f388
+ns          IN    A       10.53.0.4
d2f388
diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in
d2f388
index 531ff59ece..f752eae885 100644
d2f388
--- a/bin/tests/system/forward/ns8/named.conf.in
d2f388
+++ b/bin/tests/system/forward/ns8/named.conf.in
d2f388
@@ -26,3 +26,8 @@ zone "." {
d2f388
 	type hint;
d2f388
 	file "root.db";
d2f388
 };
d2f388
+
d2f388
+zone "sub.local.tld" {
d2f388
+	type primary;
d2f388
+	file "sub.local.tld.db";
d2f388
+};
d2f388
diff --git a/bin/tests/system/forward/ns8/sub.local.tld.db b/bin/tests/system/forward/ns8/sub.local.tld.db
d2f388
new file mode 100644
d2f388
index 0000000000..f2234c754e
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns8/sub.local.tld.db
d2f388
@@ -0,0 +1,15 @@
d2f388
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+;
d2f388
+; SPDX-License-Identifier: MPL-2.0
d2f388
+;
d2f388
+; This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+;
d2f388
+; See the COPYRIGHT file distributed with this work for additional
d2f388
+; information regarding copyright ownership.
d2f388
+
d2f388
+sub.local.tld.		3600	IN	SOA	. . 0 0 0 0 0
d2f388
+sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
d2f388
+sub.local.tld.		3600	IN	TXT	good
d2f388
+ns.sub.local.tld.	3600	IN	A	10.53.0.8
d2f388
diff --git a/bin/tests/system/forward/ns9/local.net.db b/bin/tests/system/forward/ns9/local.net.db
d2f388
new file mode 100644
d2f388
index 0000000000..af0d2a5a67
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns9/local.net.db
d2f388
@@ -0,0 +1,16 @@
d2f388
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+;
d2f388
+; SPDX-License-Identifier: MPL-2.0
d2f388
+;
d2f388
+; This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+;
d2f388
+; See the COPYRIGHT file distributed with this work for additional
d2f388
+; information regarding copyright ownership.
d2f388
+
d2f388
+local.net.		3600	IN	SOA	. . 0 0 0 0 0
d2f388
+local.net.		3600	IN	NS	localhost.
d2f388
+ns.local.net.		3600	IN	A	10.53.0.9
d2f388
+txt.local.net.		3600	IN	TXT	"something in the local auth zone"
d2f388
+sub.local.net.		3600	IN	NS	ns.spoofed.net.  ; attacker will try to override this
d2f388
diff --git a/bin/tests/system/forward/ns9/local.tld.db b/bin/tests/system/forward/ns9/local.tld.db
d2f388
new file mode 100644
d2f388
index 0000000000..876a9139da
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns9/local.tld.db
d2f388
@@ -0,0 +1,15 @@
d2f388
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+;
d2f388
+; SPDX-License-Identifier: MPL-2.0
d2f388
+;
d2f388
+; This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+;
d2f388
+; See the COPYRIGHT file distributed with this work for additional
d2f388
+; information regarding copyright ownership.
d2f388
+
d2f388
+local.tld.		3600	IN	SOA	. . 0 0 0 0 0
d2f388
+local.tld.		3600	IN	NS	localhost.
d2f388
+sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
d2f388
+ns.sub.local.tld.	3600	IN	A	10.53.0.8
d2f388
diff --git a/bin/tests/system/forward/ns9/named1.conf.in b/bin/tests/system/forward/ns9/named1.conf.in
d2f388
new file mode 100644
d2f388
index 0000000000..be9a43842f
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns9/named1.conf.in
d2f388
@@ -0,0 +1,67 @@
d2f388
+/*
d2f388
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+ *
d2f388
+ * SPDX-License-Identifier: MPL-2.0
d2f388
+ *
d2f388
+ * This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+ *
d2f388
+ * See the COPYRIGHT file distributed with this work for additional
d2f388
+ * information regarding copyright ownership.
d2f388
+ */
d2f388
+
d2f388
+options {
d2f388
+	query-source address 10.53.0.9;
d2f388
+	notify-source 10.53.0.9;
d2f388
+	transfer-source 10.53.0.9;
d2f388
+	port @PORT@;
d2f388
+	pid-file "named.pid";
d2f388
+	listen-on { 10.53.0.9; };
d2f388
+	listen-on-v6 { none; };
d2f388
+	dnssec-validation no;
d2f388
+	edns-udp-size 1232;
d2f388
+};
d2f388
+
d2f388
+key rndc_key {
d2f388
+	secret "1234abcd8765";
d2f388
+	algorithm hmac-sha256;
d2f388
+};
d2f388
+
d2f388
+controls {
d2f388
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
d2f388
+};
d2f388
+
d2f388
+server 10.53.0.10 {
d2f388
+	edns no;
d2f388
+};
d2f388
+
d2f388
+server 10.53.0.11 {
d2f388
+	edns no;
d2f388
+};
d2f388
+
d2f388
+zone "." {
d2f388
+	type hint;
d2f388
+	file "root.db";
d2f388
+};
d2f388
+
d2f388
+zone "attacksecuredomain.net." {
d2f388
+	type forward;
d2f388
+	forwarders { 10.53.0.10; };
d2f388
+};
d2f388
+
d2f388
+zone "attacksecuredomain.net2." {
d2f388
+	type forward;
d2f388
+	forwarders { 10.53.0.10; };
d2f388
+};
d2f388
+
d2f388
+zone "attacksecuredomain.net3." {
d2f388
+	type forward;
d2f388
+	forwarders { 10.53.0.11; };
d2f388
+};
d2f388
+
d2f388
+zone "local.net." {
d2f388
+	type primary;
d2f388
+	file "local.net.db";
d2f388
+	forwarders {};
d2f388
+};
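Review bot: named1.conf.in and named2.conf.in differ only in the `forward only;` lines inside the three `attacksecuredomain.*` forward zones, but neither file states which scenario it covers, so whoever switches between them has to diff them; a header comment after the licence such as `// Scenario 1: "forward first" (the default) against the attacking forwarder on 10.53.0.10`, with the matching `// Scenario 2: "forward only"` in named2, would make that self-explanatory. `dnssec-validation no;` also deserves a comment saying the poisoning checks are meant to hold on bailiwick rules alone, without validation, since as written it reads like an oversight in a security test. The `forwarders {};` on the primary `local.net.` zone appears redundant (there are no global `forwarders` in `options`); either drop it or comment that it is there to guarantee the zone never forwards even if global forwarders are added later.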
d2f388
diff --git a/bin/tests/system/forward/ns9/named2.conf.in b/bin/tests/system/forward/ns9/named2.conf.in
d2f388
new file mode 100644
d2f388
index 0000000000..2c40b42a0c
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns9/named2.conf.in
d2f388
@@ -0,0 +1,70 @@
d2f388
+/*
d2f388
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+ *
d2f388
+ * SPDX-License-Identifier: MPL-2.0
d2f388
+ *
d2f388
+ * This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+ *
d2f388
+ * See the COPYRIGHT file distributed with this work for additional
d2f388
+ * information regarding copyright ownership.
d2f388
+ */
d2f388
+
d2f388
+options {
d2f388
+	query-source address 10.53.0.9;
d2f388
+	notify-source 10.53.0.9;
d2f388
+	transfer-source 10.53.0.9;
d2f388
+	port @PORT@;
d2f388
+	pid-file "named.pid";
d2f388
+	listen-on { 10.53.0.9; };
d2f388
+	listen-on-v6 { none; };
d2f388
+	dnssec-validation no;
d2f388
+	edns-udp-size 1232;
d2f388
+};
d2f388
+
d2f388
+key rndc_key {
d2f388
+	secret "1234abcd8765";
d2f388
+	algorithm hmac-sha256;
d2f388
+};
d2f388
+
d2f388
+controls {
d2f388
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
d2f388
+};
d2f388
+
d2f388
+server 10.53.0.10 {
d2f388
+	edns no;
d2f388
+};
d2f388
+
d2f388
+server 10.53.0.11 {
d2f388
+	edns no;
d2f388
+};
d2f388
+
d2f388
+zone "." {
d2f388
+	type hint;
d2f388
+	file "root.db";
d2f388
+};
d2f388
+
d2f388
+zone "attacksecuredomain.net." {
d2f388
+	type forward;
d2f388
+	forward only;
d2f388
+	forwarders { 10.53.0.10; };
d2f388
+};
d2f388
+
d2f388
+zone "attacksecuredomain.net2." {
d2f388
+	type forward;
d2f388
+	forward only;
d2f388
+	forwarders { 10.53.0.10; };
d2f388
+};
d2f388
+
d2f388
+zone "attacksecuredomain.net3." {
d2f388
+	type forward;
d2f388
+	forward only;
d2f388
+	forwarders { 10.53.0.11; };
d2f388
+};
d2f388
+
d2f388
+zone "local.net." {
d2f388
+	type primary;
d2f388
+	file "local.net.db";
d2f388
+	forwarders {};
d2f388
+};
d2f388
diff --git a/bin/tests/system/forward/ns9/named3.conf.in b/bin/tests/system/forward/ns9/named3.conf.in
d2f388
new file mode 100644
d2f388
index 0000000000..576f57c10b
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns9/named3.conf.in
d2f388
@@ -0,0 +1,50 @@
d2f388
+/*
d2f388
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+ *
d2f388
+ * SPDX-License-Identifier: MPL-2.0
d2f388
+ *
d2f388
+ * This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+ *
d2f388
+ * See the COPYRIGHT file distributed with this work for additional
d2f388
+ * information regarding copyright ownership.
d2f388
+ */
d2f388
+
d2f388
+options {
d2f388
+	query-source address 10.53.0.9;
d2f388
+	notify-source 10.53.0.9;
d2f388
+	transfer-source 10.53.0.9;
d2f388
+	port @PORT@;
d2f388
+	pid-file "named.pid";
d2f388
+	listen-on { 10.53.0.9; };
d2f388
+	listen-on-v6 { none; };
d2f388
+	dnssec-validation no;
d2f388
+	edns-udp-size 1232;
d2f388
+	forward only;
d2f388
+	forwarders { 10.53.0.10; };
d2f388
+};
d2f388
+
d2f388
+key rndc_key {
d2f388
+	secret "1234abcd8765";
d2f388
+	algorithm hmac-sha256;
d2f388
+};
d2f388
+
d2f388
+controls {
d2f388
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
d2f388
+};
d2f388
+
d2f388
+server 10.53.0.10 {
d2f388
+	edns no;
d2f388
+};
d2f388
+
d2f388
+zone "." {
d2f388
+	type hint;
d2f388
+	file "root.db";
d2f388
+};
d2f388
+
d2f388
+zone "local.net." {
d2f388
+	type primary;
d2f388
+	file "local.net.db";
d2f388
+	forwarders {};
d2f388
+};
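Review bot: The global `forward only; forwarders { 10.53.0.10; };` in options, together with the `forwarders {};` override on local.net, is exactly what makes tests.sh expect the spoofed `net` and `net2` data to be accepted for this configuration, but nothing in the file says so, and a reader diffing it against named2.conf.in could take the "attack worked" expectation as a regression. A comment above options such as `// Global 'forward only': the forwarder is trusted for the whole namespace, so out-of-bailiwick records it returns are expected to be cached (see tests.sh).` would record that this is the intended contrast, not a bug. The zone block would benefit from `// empty forwarders: serve local.net authoritatively rather than forwarding it`, and the same remark applies to the identical `forwarders {};` in named1/named2.conf.in.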
d2f388
diff --git a/bin/tests/system/forward/ns9/named4.conf.in b/bin/tests/system/forward/ns9/named4.conf.in
d2f388
new file mode 100644
d2f388
index 0000000000..5cd7d84109
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns9/named4.conf.in
d2f388
@@ -0,0 +1,47 @@
d2f388
+/*
d2f388
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+ *
d2f388
+ * SPDX-License-Identifier: MPL-2.0
d2f388
+ *
d2f388
+ * This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+ *
d2f388
+ * See the COPYRIGHT file distributed with this work for additional
d2f388
+ * information regarding copyright ownership.
d2f388
+ */
d2f388
+
d2f388
+options {
d2f388
+	query-source address 10.53.0.9;
d2f388
+	notify-source 10.53.0.9;
d2f388
+	transfer-source 10.53.0.9;
d2f388
+	port @PORT@;
d2f388
+	pid-file "named.pid";
d2f388
+	listen-on { 10.53.0.9; };
d2f388
+	listen-on-v6 { none; };
d2f388
+	dnssec-validation no;
d2f388
+	edns-udp-size 1232;
d2f388
+};
d2f388
+
d2f388
+key rndc_key {
d2f388
+	secret "1234abcd8765";
d2f388
+	algorithm hmac-sha256;
d2f388
+};
d2f388
+
d2f388
+controls {
d2f388
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
d2f388
+};
d2f388
+
d2f388
+server 10.53.0.10 {
d2f388
+	edns no;
d2f388
+};
d2f388
+
d2f388
+zone "." {
d2f388
+	type hint;
d2f388
+	file "root.db";
d2f388
+};
d2f388
+
d2f388
+zone "local.tld." {
d2f388
+	type primary;
d2f388
+	file "local.tld.db";
d2f388
+};
d2f388
diff --git a/bin/tests/system/forward/ns9/root.db b/bin/tests/system/forward/ns9/root.db
d2f388
new file mode 100644
d2f388
index 0000000000..2cbdff5977
d2f388
--- /dev/null
d2f388
+++ b/bin/tests/system/forward/ns9/root.db
d2f388
@@ -0,0 +1,13 @@
d2f388
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d2f388
+;
d2f388
+; SPDX-License-Identifier: MPL-2.0
d2f388
+;
d2f388
+; This Source Code Form is subject to the terms of the Mozilla Public
d2f388
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
d2f388
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
d2f388
+;
d2f388
+; See the COPYRIGHT file distributed with this work for additional
d2f388
+; information regarding copyright ownership.
d2f388
+
d2f388
+.			NS	a.root-servers.nil.
d2f388
+a.root-servers.nil.	A	10.53.0.1
d2f388
diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh
d2f388
index 21cf67b782..a56dd3c03f 100644
d2f388
--- a/bin/tests/system/forward/setup.sh
d2f388
+++ b/bin/tests/system/forward/setup.sh
d2f388
@@ -19,6 +19,8 @@ copy_setports ns4/named.conf.in ns4/named.conf
d2f388
 copy_setports ns5/named.conf.in ns5/named.conf
d2f388
 copy_setports ns7/named.conf.in ns7/named.conf
d2f388
 copy_setports ns8/named.conf.in ns8/named.conf
d2f388
+copy_setports ns9/named1.conf.in ns9/named.conf
d2f388
+copy_setports ns10/named.conf.in ns10/named.conf
d2f388
 
d2f388
 (
d2f388
     cd ns1
d2f388
diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
d2f388
index 6096b06ca7..dfbaf887f7 100644
d2f388
--- a/bin/tests/system/forward/tests.sh
d2f388
+++ b/bin/tests/system/forward/tests.sh
d2f388
@@ -253,5 +253,127 @@ grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1
d2f388
 if [ $ret != 0 ]; then echo_i "failed"; fi
d2f388
 status=$((status+ret))
d2f388
 
d2f388
+#
d2f388
+# Check various spoofed response scenarios. The same tests will be
d2f388
+# run twice, with "forward first" and "forward only" configurations.
d2f388
+#
d2f388
+run_spooftests () {
d2f388
+    n=$((n+1))
d2f388
+    echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
d2f388
+    ret=0
d2f388
+    # prime
d2f388
+    dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
d2f388
+    # check 'net' is not poisoned.
d2f388
+    dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
d2f388
+    grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1
d2f388
+    # check 'sub.local.net' is not poisoned.
d2f388
+    dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
d2f388
+    grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1
d2f388
+    if [ $ret != 0 ]; then echo_i "failed"; fi
d2f388
+    status=$((status+ret))
d2f388
+
d2f388
+    n=$((n+1))
d2f388
+    echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
d2f388
+    ret=0
d2f388
+    # prime
d2f388
+    dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
d2f388
+    # check that net2/DNAME is not cached
d2f388
+    dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
d2f388
+    grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1
d2f388
+    grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1
d2f388
+    if [ $ret != 0 ]; then echo_i "failed"; fi
d2f388
+    status=$((status+ret))
d2f388
+
d2f388
+    n=$((n+1))
d2f388
+    echo_i "checking spoofed response scenario 3 - extra answer ($n)"
d2f388
+    ret=0
d2f388
+    # prime
d2f388
+    dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1
d2f388
+    # check extra net3 records are not cached
d2f388
+    rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
d2f388
+    for try in 1 2 3 4 5; do
d2f388
+        lines=$(grep "net3" ns9/named_dump.db | wc -l)
d2f388
+        if [ ${lines} -eq 0 ]; then
d2f388
+                sleep 1
d2f388
+                continue
d2f388
+        fi
d2f388
+        [ ${lines} -eq 1 ] || ret=1
d2f388
+        grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
d2f388
+        grep -q '^local.net3' ns9/named_dump.db && ret=1
d2f388
+    done
d2f388
+    if [ $ret != 0 ]; then echo_i "failed"; fi
d2f388
+    status=$((status+ret))
d2f388
+}
d2f388
+
d2f388
+echo_i "checking spoofed response scenarios with forward first zones"
d2f388
+run_spooftests
d2f388
+
d2f388
+copy_setports ns9/named2.conf.in ns9/named.conf
d2f388
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
d2f388
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
d2f388
+sleep 1
d2f388
+
d2f388
+echo_i "rechecking spoofed response scenarios with forward only zones"
d2f388
+run_spooftests
d2f388
+
d2f388
+#
d2f388
+# This scenario expects the spoofed response to succeed. The tests are
d2f388
+# similar to the ones above, but not identical.
d2f388
+#
d2f388
+echo_i "rechecking spoofed response scenarios with 'forward only' set globally"
d2f388
+copy_setports ns9/named3.conf.in ns9/named.conf
d2f388
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
d2f388
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
d2f388
+sleep 1
d2f388
+
d2f388
+n=$((n+1))
d2f388
+echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
d2f388
+ret=0
d2f388
+# prime
d2f388
+dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
d2f388
+# check 'net' is poisoned.
d2f388
+dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
d2f388
+grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1
d2f388
+# check 'sub.local.net' is poisoned.
d2f388
+dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
d2f388
+grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1
d2f388
+if [ $ret != 0 ]; then echo_i "failed"; fi
d2f388
+status=$((status+ret))
d2f388
+
d2f388
+n=$((n+1))
d2f388
+echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
d2f388
+ret=0
d2f388
+# prime
d2f388
+dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
d2f388
+# check that net2/DNAME is cached
d2f388
+dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
d2f388
+grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1
d2f388
+grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1
d2f388
+if [ $ret != 0 ]; then echo_i "failed"; fi
d2f388
+status=$((status+ret))
d2f388
+
d2f388
+#
d2f388
+# This test doesn't use any forwarder clauses but is here because it
d2f388
+# is similar to forwarders, as the set of servers that can populate
d2f388
+# the namespace is defined by the zone content.
d2f388
+#
d2f388
+echo_i "rechecking spoofed response scenarios glue below local zone"
d2f388
+copy_setports ns9/named4.conf.in ns9/named.conf
d2f388
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
d2f388
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
d2f388
+sleep 1
d2f388
+
d2f388
+n=$((n+1))
d2f388
+echo_i "checking sibling glue below zone ($n)"
d2f388
+ret=0
d2f388
+# prime
d2f388
+dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1
d2f388
+# check for glue A record for sub.local.tld is not used
d2f388
+dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1
d2f388
+grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1
d2f388
+grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1
d2f388
+if [ $ret != 0 ]; then echo_i "failed"; fi
d2f388
+status=$((status+ret))
d2f388
+
d2f388
 echo_i "exit status: $status"
d2f388
 [ $status -eq 0 ] || exit 1
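Review bot: The retry loop in scenario 3 (`for try in 1 2 3 4 5`) never re-runs `rndccmd dumpdb`, so when `ns9/named_dump.db` has not been written yet the `sleep 1; continue` path just re-reads the same file, and if no `net3` line ever appears the loop exits without touching `ret`, so the check passes vacuously. Moving the dump inside the loop, breaking once the dump has data, and evaluating the assertions once after the loop makes that failure explicit and also avoids re-asserting five times on a found dump. The `sed 's/^/ns3 /'` prefixes on the reconfig/flush lines label output that comes from 10.53.0.9, so they should read `ns9 `. The `^didItWork\.net\.` grep in the global forward-only scenario differs in case from the earlier `^diditwork\.net\.`; dig prints the owner name as received on the wire, so this presumably matches what ans.py emits, but it is worth confirming since a case mismatch would make the "attack worked" check fail rather than the poisoning check.
```shell
    # check extra net3 records are not cached; re-dump until the cache
    # dump contains something, then assert exactly once.
    for try in 1 2 3 4 5; do
        rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
        lines=$(grep "net3" ns9/named_dump.db | wc -l)
        [ ${lines} -eq 0 ] || break
        sleep 1
    done
    [ ${lines} -eq 1 ] || ret=1
    grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
    grep -q '^local.net3' ns9/named_dump.db && ret=1
    # … unchanged: failure report and status accumulation …
```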
d2f388
diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh
d2f388
index e078f3313b..2a4d955caf 100755
d2f388
--- a/bin/tests/system/ifconfig.sh
d2f388
+++ b/bin/tests/system/ifconfig.sh
d2f388
@@ -12,10 +12,10 @@
d2f388
 #
d2f388
 # Set up interface aliases for bind9 system tests.
d2f388
 #
d2f388
-# IPv4: 10.53.0.{1..10}				RFC 1918
d2f388
+# IPv4: 10.53.0.{1..11}				RFC 1918
d2f388
 #       10.53.1.{1..2}
d2f388
 #       10.53.2.{1..2}
d2f388
-# IPv6: fd92:7065:b8e:ffff::{1..10}		ULA
d2f388
+# IPv6: fd92:7065:b8e:ffff::{1..11}		ULA
d2f388
 #       fd92:7065:b8e:99ff::{1..2}
d2f388
 #       fd92:7065:b8e:ff::{1..2}
d2f388
 #
d2f388
@@ -55,7 +55,7 @@ case "$1" in
d2f388
 		  2) ipv6="00" ;;
d2f388
 		  *) ipv6="" ;;
d2f388
 		esac
d2f388
-		for ns in 1 2 3 4 5 6 7 8 9 10
d2f388
+		for ns in 1 2 3 4 5 6 7 8 9 10 11
d2f388
 		do
d2f388
 			[ $i -gt 0 -a $ns -gt 2 ] && break
d2f388
 			int=`expr $i \* 10 + $ns`
d2f388
@@ -160,7 +160,7 @@ case "$1" in
d2f388
 		  2) ipv6="00" ;;
d2f388
 		  *) ipv6="" ;;
d2f388
 		esac
d2f388
-		for ns in 10 9 8 7 6 5 4 3 2 1
d2f388
+		for ns in 11 10 9 8 7 6 5 4 3 2 1
d2f388
 		do
d2f388
 			[ $i -gt 0 -a $ns -gt 2 ] && continue
d2f388
 			int=`expr $i \* 10 + $ns - 1`
d2f388
-- 
d2f388
2.34.1
d2f388