From 1d9581fc31aa8fa8a6a45d074eff6cd8d94ce864 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 24 2022 08:08:57 +0000 Subject: import bind-9.11.36-7.el8 --- diff --git a/SOURCES/bind-9.11-CVE-2021-25220-test.patch b/SOURCES/bind-9.11-CVE-2021-25220-test.patch new file mode 100644 index 0000000..a13f81a --- /dev/null +++ b/SOURCES/bind-9.11-CVE-2021-25220-test.patch @@ -0,0 +1,1171 @@ +From 800ef75553881527e2406f22887e976bb1ba3bfe Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Tue, 18 Jan 2022 00:19:47 +1100 +Subject: [PATCH] Add tests for forwarder cache poisoning scenarios + +- Check that an NS in an authority section returned from a forwarder + which is above the name in a configured "forward first" or "forward + only" zone (i.e., net/NS in a response from a forwarder configured for + local.net) is not cached. +- Test that a DNAME for a parent domain will not be cached when sent + in a response from a forwarder configured to answer for a child. +- Check that glue is rejected if its name falls below that of zone + configured locally. +- Check that an extra out-of-bailiwick data in the answer section is + not cached (this was already working correctly, but was not explicitly + tested before). + +- v9_11 backport: Revert primary/secondary to master/slave, + backport rndc helper, backport ns8 config. + +(cherry picked from commit bf3fffff67e1de78e9387a93674d471bf4291604) +(cherry picked from commit 29f08170f05c2c96fb67f3b561b46aa0bae356f7) +--- + bin/tests/system/forward/ans11/ans.py | 136 ++++++++++++++++++ + bin/tests/system/forward/clean.sh | 2 + + bin/tests/system/forward/ns1/diditwork.net.db | 20 +++ + bin/tests/system/forward/ns1/named.conf.in | 20 +++ + bin/tests/system/forward/ns1/net.example.lll | 13 ++ + bin/tests/system/forward/ns1/spoofed.net.db | 20 +++ + bin/tests/system/forward/ns1/sub.local.net.db | 20 +++ + bin/tests/system/forward/ns10/fakenet.zone | 15 ++ + bin/tests/system/forward/ns10/fakenet2.zone | 13 ++ + .../system/forward/ns10/fakesublocalnet.zone | 13 ++ + .../system/forward/ns10/fakesublocaltld.zone | 13 ++ + bin/tests/system/forward/ns10/named.conf.in | 51 +++++++ + bin/tests/system/forward/ns10/net.example.lll | 13 ++ + bin/tests/system/forward/ns10/spoofednet.zone | 14 ++ + bin/tests/system/forward/ns4/named.conf.in | 5 + + bin/tests/system/forward/ns4/sibling.tld.db | 20 +++ + bin/tests/system/forward/ns8/named.conf.in | 33 +++++ + bin/tests/system/forward/ns8/root.db | 11 ++ + bin/tests/system/forward/ns8/sub.local.tld.db | 13 ++ + bin/tests/system/forward/ns9/local.net.db | 14 ++ + bin/tests/system/forward/ns9/local.tld.db | 13 ++ + bin/tests/system/forward/ns9/named1.conf.in | 65 +++++++++ + bin/tests/system/forward/ns9/named2.conf.in | 68 +++++++++ + bin/tests/system/forward/ns9/named3.conf.in | 48 +++++++ + bin/tests/system/forward/ns9/named4.conf.in | 45 ++++++ + bin/tests/system/forward/ns9/root.db | 11 ++ + bin/tests/system/forward/prereq.sh | 14 ++ + bin/tests/system/forward/setup.sh | 3 + + bin/tests/system/forward/tests.sh | 126 ++++++++++++++++ + bin/tests/system/ifconfig.sh | 8 +- + 30 files changed, 856 insertions(+), 4 deletions(-) + create mode 100644 bin/tests/system/forward/ans11/ans.py + create mode 100644 bin/tests/system/forward/ns1/diditwork.net.db + create mode 100644 bin/tests/system/forward/ns1/net.example.lll + create mode 100644 bin/tests/system/forward/ns1/spoofed.net.db + create mode 100644 bin/tests/system/forward/ns1/sub.local.net.db + create mode 100644 bin/tests/system/forward/ns10/fakenet.zone + create mode 100644 bin/tests/system/forward/ns10/fakenet2.zone + create mode 100644 bin/tests/system/forward/ns10/fakesublocalnet.zone + create mode 100644 bin/tests/system/forward/ns10/fakesublocaltld.zone + create mode 100644 bin/tests/system/forward/ns10/named.conf.in + create mode 100644 bin/tests/system/forward/ns10/net.example.lll + create mode 100644 bin/tests/system/forward/ns10/spoofednet.zone + create mode 100644 bin/tests/system/forward/ns4/sibling.tld.db + create mode 100644 bin/tests/system/forward/ns8/named.conf.in + create mode 100644 bin/tests/system/forward/ns8/root.db + create mode 100644 bin/tests/system/forward/ns8/sub.local.tld.db + create mode 100644 bin/tests/system/forward/ns9/local.net.db + create mode 100644 bin/tests/system/forward/ns9/local.tld.db + create mode 100644 bin/tests/system/forward/ns9/named1.conf.in + create mode 100644 bin/tests/system/forward/ns9/named2.conf.in + create mode 100644 bin/tests/system/forward/ns9/named3.conf.in + create mode 100644 bin/tests/system/forward/ns9/named4.conf.in + create mode 100644 bin/tests/system/forward/ns9/root.db + +diff --git a/bin/tests/system/forward/ans11/ans.py b/bin/tests/system/forward/ans11/ans.py +new file mode 100644 +index 0000000000..2956cf6eff +--- /dev/null ++++ b/bin/tests/system/forward/ans11/ans.py +@@ -0,0 +1,136 @@ ++############################################################################ ++# Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, you can obtain one at https://mozilla.org/MPL/2.0/. ++# ++# See the COPYRIGHT file distributed with this work for additional ++# information regarding copyright ownership. ++############################################################################ ++ ++from __future__ import print_function ++import os ++import sys ++import signal ++import socket ++import select ++from datetime import datetime, timedelta ++import time ++import functools ++ ++import dns, dns.message, dns.query, dns.flags ++from dns.rdatatype import * ++from dns.rdataclass import * ++from dns.rcode import * ++from dns.name import * ++ ++# Log query to file ++def logquery(type, qname): ++ with open("qlog", "a") as f: ++ f.write("%s %s\n", type, qname) ++ ++############################################################################ ++# Respond to a DNS query. ++############################################################################ ++def create_response(msg): ++ m = dns.message.from_wire(msg) ++ qname = m.question[0].name.to_text() ++ rrtype = m.question[0].rdtype ++ typename = dns.rdatatype.to_text(rrtype) ++ ++ with open("query.log", "a") as f: ++ f.write("%s %s\n" % (typename, qname)) ++ print("%s %s" % (typename, qname), end=" ") ++ ++ r = dns.message.make_response(m) ++ r.set_rcode(NOERROR) ++ if rrtype == A: ++ tld=qname.split('.')[-2] + '.' ++ ns="local." + tld ++ r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11")) ++ r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." + tld)) ++ r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11")) ++ elif rrtype == NS: ++ r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, ".")) ++ elif rrtype == SOA: ++ r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) ++ else: ++ r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) ++ r.flags |= dns.flags.AA ++ return r ++ ++def sigterm(signum, frame): ++ print ("Shutting down now...") ++ os.remove('ans.pid') ++ running = False ++ sys.exit(0) ++ ++############################################################################ ++# Main ++# ++# Set up responder and control channel, open the pid file, and start ++# the main loop, listening for queries on the query channel or commands ++# on the control channel and acting on them. ++############################################################################ ++ip4 = "10.53.0.11" ++ip6 = "fd92:7065:b8e:ffff::11" ++ ++try: port=int(os.environ['PORT']) ++except: port=5300 ++ ++query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) ++query4_socket.bind((ip4, port)) ++havev6 = True ++try: ++ query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) ++ try: ++ query6_socket.bind((ip6, port)) ++ except: ++ query6_socket.close() ++ havev6 = False ++except: ++ havev6 = False ++signal.signal(signal.SIGTERM, sigterm) ++ ++f = open('ans.pid', 'w') ++pid = os.getpid() ++print (pid, file=f) ++f.close() ++ ++running = True ++ ++print ("Listening on %s port %d" % (ip4, port)) ++if havev6: ++ print ("Listening on %s port %d" % (ip6, port)) ++print ("Ctrl-c to quit") ++ ++if havev6: ++ input = [query4_socket, query6_socket] ++else: ++ input = [query4_socket] ++ ++while running: ++ try: ++ inputready, outputready, exceptready = select.select(input, [], []) ++ except select.error as e: ++ break ++ except socket.error as e: ++ break ++ except KeyboardInterrupt: ++ break ++ ++ for s in inputready: ++ if s == query4_socket or s == query6_socket: ++ print ("Query received on %s" % ++ (ip4 if s == query4_socket else ip6), end=" ") ++ # Handle incoming queries ++ msg = s.recvfrom(65535) ++ rsp = create_response(msg[0]) ++ if rsp: ++ print(dns.rcode.to_text(rsp.rcode())) ++ s.sendto(rsp.to_wire(), msg[1]) ++ else: ++ print("NO RESPONSE") ++ if not running: ++ break +diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh +index 26e4e76db6..26a550db49 100644 +--- a/bin/tests/system/forward/clean.sh ++++ b/bin/tests/system/forward/clean.sh +@@ -10,8 +10,10 @@ + # + # Clean up after forward tests. + # ++rm -f ./ans11/query.log + rm -f ./dig.out.* + rm -f ./*/named.conf + rm -f ./*/named.memstats + rm -f ./*/named.run ./*/named.run.prev ++rm -f ./*/named_dump.db + rm -f ./ns*/named.lock +diff --git a/bin/tests/system/forward/ns1/diditwork.net.db b/bin/tests/system/forward/ns1/diditwork.net.db +new file mode 100644 +index 0000000000..be9a7f72bc +--- /dev/null ++++ b/bin/tests/system/forward/ns1/diditwork.net.db +@@ -0,0 +1,20 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ; 5 minutes ++@ IN SOA ns root ( ++ 2000082401 ; serial ++ 1800 ; refresh (30 minutes) ++ 1800 ; retry (30 minutes) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns ++ TXT "recursed" ++ns A 10.53.0.1 +diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in +index 9904f37ef5..1c31d84608 100644 +--- a/bin/tests/system/forward/ns1/named.conf.in ++++ b/bin/tests/system/forward/ns1/named.conf.in +@@ -54,3 +54,23 @@ zone "example5." { + zone "example6" { + type forward; + }; ++ ++zone "diditwork.net" { ++ type master; ++ file "diditwork.net.db"; ++}; ++ ++zone "spoofed.net" { ++ type master; ++ file "spoofed.net.db"; ++}; ++ ++zone "sub.local.net" { ++ type master; ++ file "sub.local.net.db"; ++}; ++ ++zone "net.example.lll" { ++ type master; ++ file "net.example.lll"; ++}; +diff --git a/bin/tests/system/forward/ns1/net.example.lll b/bin/tests/system/forward/ns1/net.example.lll +new file mode 100644 +index 0000000000..d179853fa5 +--- /dev/null ++++ b/bin/tests/system/forward/ns1/net.example.lll +@@ -0,0 +1,13 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++net.example.lll. SOA . . 0 0 0 0 0 ++net.example.lll. NS attackSecureDomain.net. ++didItWork.net.example.lll. TXT "if you can see this record the attack worked" +diff --git a/bin/tests/system/forward/ns1/spoofed.net.db b/bin/tests/system/forward/ns1/spoofed.net.db +new file mode 100644 +index 0000000000..d498d5fa0d +--- /dev/null ++++ b/bin/tests/system/forward/ns1/spoofed.net.db +@@ -0,0 +1,20 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ; 5 minutes ++@ IN SOA ns root ( ++ 2000082401 ; serial ++ 1800 ; refresh (30 minutes) ++ 1800 ; retry (30 minutes) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns ++ns A 10.53.0.1 ++sub TXT "recursed" +diff --git a/bin/tests/system/forward/ns1/sub.local.net.db b/bin/tests/system/forward/ns1/sub.local.net.db +new file mode 100644 +index 0000000000..be9a7f72bc +--- /dev/null ++++ b/bin/tests/system/forward/ns1/sub.local.net.db +@@ -0,0 +1,20 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ; 5 minutes ++@ IN SOA ns root ( ++ 2000082401 ; serial ++ 1800 ; refresh (30 minutes) ++ 1800 ; retry (30 minutes) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns ++ TXT "recursed" ++ns A 10.53.0.1 +diff --git a/bin/tests/system/forward/ns10/fakenet.zone b/bin/tests/system/forward/ns10/fakenet.zone +new file mode 100644 +index 0000000000..14e5c777cb +--- /dev/null ++++ b/bin/tests/system/forward/ns10/fakenet.zone +@@ -0,0 +1,15 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++net. SOA . . 0 0 0 0 0 ++net. NS attackSecureDomain.net. ++attackSecureDomain.net. A 10.53.0.10 ++didItWork.net. TXT "if you can see this record the attack worked" ++ns.spoofed.net. A 10.53.0.10 +diff --git a/bin/tests/system/forward/ns10/fakenet2.zone b/bin/tests/system/forward/ns10/fakenet2.zone +new file mode 100644 +index 0000000000..7ca28a934e +--- /dev/null ++++ b/bin/tests/system/forward/ns10/fakenet2.zone +@@ -0,0 +1,13 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++net2. SOA . . 0 0 0 0 0 ++net2. NS attackSecureDomain.net. ++net2. DNAME net.example.lll. +diff --git a/bin/tests/system/forward/ns10/fakesublocalnet.zone b/bin/tests/system/forward/ns10/fakesublocalnet.zone +new file mode 100644 +index 0000000000..6caa071891 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/fakesublocalnet.zone +@@ -0,0 +1,13 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++sub.local.net. SOA . . 0 0 0 0 0 ++sub.local.net. NS ns.spoofed.net. ++sub.local.net. TXT "if you see this attacker overrode local delegation" +diff --git a/bin/tests/system/forward/ns10/fakesublocaltld.zone b/bin/tests/system/forward/ns10/fakesublocaltld.zone +new file mode 100644 +index 0000000000..6a431de47f +--- /dev/null ++++ b/bin/tests/system/forward/ns10/fakesublocaltld.zone +@@ -0,0 +1,13 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 ++sub.local.tld. 3600 IN NS ns.sub.local.tld. ++sub.local.tld. 3600 IN TXT bad ++ns.sub.local.tld. 3600 IN A 10.53.0.8 +diff --git a/bin/tests/system/forward/ns10/named.conf.in b/bin/tests/system/forward/ns10/named.conf.in +new file mode 100644 +index 0000000000..025c108418 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/named.conf.in +@@ -0,0 +1,51 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.10; ++ notify-source 10.53.0.10; ++ transfer-source 10.53.0.10; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.10; }; ++ listen-on-v6 { none; }; ++ minimal-responses no; ++}; ++ ++zone "net." { ++ type master; ++ file "fakenet.zone"; ++}; ++ ++zone "spoofed.net." { ++ type master; ++ file "spoofednet.zone"; ++}; ++ ++zone "sub.local.net." { ++ type master; ++ file "fakesublocalnet.zone"; ++}; ++ ++zone "net2" { ++ type master; ++ file "fakenet2.zone"; ++}; ++ ++zone "net.example.lll" { ++ type master; ++ file "net.example.lll"; ++}; ++ ++zone "sub.local.tld." { ++ type master; ++ file "fakesublocaltld.zone"; ++}; +diff --git a/bin/tests/system/forward/ns10/net.example.lll b/bin/tests/system/forward/ns10/net.example.lll +new file mode 100644 +index 0000000000..d179853fa5 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/net.example.lll +@@ -0,0 +1,13 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++net.example.lll. SOA . . 0 0 0 0 0 ++net.example.lll. NS attackSecureDomain.net. ++didItWork.net.example.lll. TXT "if you can see this record the attack worked" +diff --git a/bin/tests/system/forward/ns10/spoofednet.zone b/bin/tests/system/forward/ns10/spoofednet.zone +new file mode 100644 +index 0000000000..13921a08cd +--- /dev/null ++++ b/bin/tests/system/forward/ns10/spoofednet.zone +@@ -0,0 +1,14 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++spoofed.net. SOA . . 0 0 0 0 0 ++spoofed.net. NS ns.spoofed.net. ++ns.spoofed.net. A 10.53.0.10 ++spoofed.net. TXT "this record is clearly spoofed" +diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in +index d42a9eb797..6db65e71bc 100644 +--- a/bin/tests/system/forward/ns4/named.conf.in ++++ b/bin/tests/system/forward/ns4/named.conf.in +@@ -60,3 +60,8 @@ zone "malicious." { + type master; + file "malicious.db"; + }; ++ ++zone "sibling.tld" { ++ type master; ++ file "sibling.tld.db"; ++}; +diff --git a/bin/tests/system/forward/ns4/sibling.tld.db b/bin/tests/system/forward/ns4/sibling.tld.db +new file mode 100644 +index 0000000000..58037d093b +--- /dev/null ++++ b/bin/tests/system/forward/ns4/sibling.tld.db +@@ -0,0 +1,20 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++@ IN SOA malicious. admin.malicious. ( ++ 1 ; Serial ++ 604800 ; Refresh ++ 86400 ; Retry ++ 2419200 ; Expire ++ 86400 ) ; Negative Cache TTL ++ ++@ IN NS ns ++ ++ns IN A 10.53.0.4 +diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in +new file mode 100644 +index 0000000000..9260f69ded +--- /dev/null ++++ b/bin/tests/system/forward/ns8/named.conf.in +@@ -0,0 +1,33 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.8; ++ notify-source 10.53.0.8; ++ transfer-source 10.53.0.8; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.8; }; ++ listen-on-v6 { none; }; ++ forwarders { 10.53.0.2; }; // returns referrals ++ forward first; ++ dnssec-validation yes; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; ++ ++zone "sub.local.tld" { ++ type master; ++ file "sub.local.tld.db"; ++}; +diff --git a/bin/tests/system/forward/ns8/root.db b/bin/tests/system/forward/ns8/root.db +new file mode 100644 +index 0000000000..4f30322270 +--- /dev/null ++++ b/bin/tests/system/forward/ns8/root.db +@@ -0,0 +1,11 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++. NS a.root-servers.nil. ++a.root-servers.nil. A 10.53.0.1 +diff --git a/bin/tests/system/forward/ns8/sub.local.tld.db b/bin/tests/system/forward/ns8/sub.local.tld.db +new file mode 100644 +index 0000000000..eb20683ae9 +--- /dev/null ++++ b/bin/tests/system/forward/ns8/sub.local.tld.db +@@ -0,0 +1,13 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 ++sub.local.tld. 3600 IN NS ns.sub.local.tld. ++sub.local.tld. 3600 IN TXT good ++ns.sub.local.tld. 3600 IN A 10.53.0.8 +diff --git a/bin/tests/system/forward/ns9/local.net.db b/bin/tests/system/forward/ns9/local.net.db +new file mode 100644 +index 0000000000..2c971e1e93 +--- /dev/null ++++ b/bin/tests/system/forward/ns9/local.net.db +@@ -0,0 +1,14 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++local.net. 3600 IN SOA . . 0 0 0 0 0 ++local.net. 3600 IN NS localhost. ++ns.local.net. 3600 IN A 10.53.0.9 ++txt.local.net. 3600 IN TXT "something in the local auth zone" ++sub.local.net. 3600 IN NS ns.spoofed.net. ; attacker will try to override this +diff --git a/bin/tests/system/forward/ns9/local.tld.db b/bin/tests/system/forward/ns9/local.tld.db +new file mode 100644 +index 0000000000..59403915fb +--- /dev/null ++++ b/bin/tests/system/forward/ns9/local.tld.db +@@ -0,0 +1,13 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++local.tld. 3600 IN SOA . . 0 0 0 0 0 ++local.tld. 3600 IN NS localhost. ++sub.local.tld. 3600 IN NS ns.sub.local.tld. ++ns.sub.local.tld. 3600 IN A 10.53.0.8 +diff --git a/bin/tests/system/forward/ns9/named1.conf.in b/bin/tests/system/forward/ns9/named1.conf.in +new file mode 100644 +index 0000000000..943e037d09 +--- /dev/null ++++ b/bin/tests/system/forward/ns9/named1.conf.in +@@ -0,0 +1,65 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.9; ++ notify-source 10.53.0.9; ++ transfer-source 10.53.0.9; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.9; }; ++ listen-on-v6 { none; }; ++ dnssec-validation no; ++ edns-udp-size 1232; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++server 10.53.0.10 { ++ edns no; ++}; ++ ++server 10.53.0.11 { ++ edns no; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; ++ ++zone "attacksecuredomain.net." { ++ type forward; ++ forwarders { 10.53.0.10; }; ++}; ++ ++zone "attacksecuredomain.net2." { ++ type forward; ++ forwarders { 10.53.0.10; }; ++}; ++ ++zone "attacksecuredomain.net3." { ++ type forward; ++ forwarders { 10.53.0.11; }; ++}; ++ ++zone "local.net." { ++ type master; ++ file "local.net.db"; ++ forwarders {}; ++}; +diff --git a/bin/tests/system/forward/ns9/named2.conf.in b/bin/tests/system/forward/ns9/named2.conf.in +new file mode 100644 +index 0000000000..5a17d1998a +--- /dev/null ++++ b/bin/tests/system/forward/ns9/named2.conf.in +@@ -0,0 +1,68 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.9; ++ notify-source 10.53.0.9; ++ transfer-source 10.53.0.9; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.9; }; ++ listen-on-v6 { none; }; ++ dnssec-validation no; ++ edns-udp-size 1232; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++server 10.53.0.10 { ++ edns no; ++}; ++ ++server 10.53.0.11 { ++ edns no; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; ++ ++zone "attacksecuredomain.net." { ++ type forward; ++ forward only; ++ forwarders { 10.53.0.10; }; ++}; ++ ++zone "attacksecuredomain.net2." { ++ type forward; ++ forward only; ++ forwarders { 10.53.0.10; }; ++}; ++ ++zone "attacksecuredomain.net3." { ++ type forward; ++ forward only; ++ forwarders { 10.53.0.11; }; ++}; ++ ++zone "local.net." { ++ type master; ++ file "local.net.db"; ++ forwarders {}; ++}; +diff --git a/bin/tests/system/forward/ns9/named3.conf.in b/bin/tests/system/forward/ns9/named3.conf.in +new file mode 100644 +index 0000000000..1e70d1ae51 +--- /dev/null ++++ b/bin/tests/system/forward/ns9/named3.conf.in +@@ -0,0 +1,48 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.9; ++ notify-source 10.53.0.9; ++ transfer-source 10.53.0.9; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.9; }; ++ listen-on-v6 { none; }; ++ dnssec-validation no; ++ edns-udp-size 1232; ++ forward only; ++ forwarders { 10.53.0.10; }; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++server 10.53.0.10 { ++ edns no; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; ++ ++zone "local.net." { ++ type master; ++ file "local.net.db"; ++ forwarders {}; ++}; +diff --git a/bin/tests/system/forward/ns9/named4.conf.in b/bin/tests/system/forward/ns9/named4.conf.in +new file mode 100644 +index 0000000000..6f7b1075b5 +--- /dev/null ++++ b/bin/tests/system/forward/ns9/named4.conf.in +@@ -0,0 +1,45 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.9; ++ notify-source 10.53.0.9; ++ transfer-source 10.53.0.9; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.9; }; ++ listen-on-v6 { none; }; ++ dnssec-validation no; ++ edns-udp-size 1232; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++server 10.53.0.10 { ++ edns no; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; ++ ++zone "local.tld." { ++ type master; ++ file "local.tld.db"; ++}; +diff --git a/bin/tests/system/forward/ns9/root.db b/bin/tests/system/forward/ns9/root.db +new file mode 100644 +index 0000000000..4f30322270 +--- /dev/null ++++ b/bin/tests/system/forward/ns9/root.db +@@ -0,0 +1,11 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++. NS a.root-servers.nil. ++a.root-servers.nil. A 10.53.0.1 +diff --git a/bin/tests/system/forward/prereq.sh b/bin/tests/system/forward/prereq.sh +index d2ca8fc2bf..53fb5817df 100644 +--- a/bin/tests/system/forward/prereq.sh ++++ b/bin/tests/system/forward/prereq.sh +@@ -12,6 +12,20 @@ + SYSTEMTESTTOP=.. + . $SYSTEMTESTTOP/conf.sh + ++if test -n "$PYTHON" ++then ++ if $PYTHON -c "import dns" 2> /dev/null ++ then ++ : ++ else ++ echo_i "This test requires the dnspython module." >&2 ++ exit 1 ++ fi ++else ++ echo_i "This test requires Python and the dnspython module." >&2 ++ exit 1 ++fi ++ + if $PERL -e 'use Net::DNS;' 2>/dev/null + then + : +diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh +index 87452b9a88..18e81d277d 100644 +--- a/bin/tests/system/forward/setup.sh ++++ b/bin/tests/system/forward/setup.sh +@@ -18,3 +18,6 @@ copy_setports ns3/named.conf.in ns3/named.conf + copy_setports ns4/named.conf.in ns4/named.conf + copy_setports ns5/named.conf.in ns5/named.conf + copy_setports ns7/named.conf.in ns7/named.conf ++copy_setports ns8/named.conf.in ns8/named.conf ++copy_setports ns9/named1.conf.in ns9/named.conf ++copy_setports ns10/named.conf.in ns10/named.conf +diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh +index e3549c5bc7..ce9b309a27 100644 +--- a/bin/tests/system/forward/tests.sh ++++ b/bin/tests/system/forward/tests.sh +@@ -19,6 +19,10 @@ sendcmd() ( + "$PERL" ../send.pl 10.53.0.6 "$EXTRAPORT1" + ) + ++rndccmd() { ++ "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" ++} ++ + root=10.53.0.1 + hidden=10.53.0.2 + f1=10.53.0.3 +@@ -223,5 +227,127 @@ if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + ++# ++# Check various spoofed response scenarios. The same tests will be ++# run twice, with "forward first" and "forward only" configurations. ++# ++run_spooftests () { ++ n=$((n+1)) ++ echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" ++ ret=0 ++ # prime ++ dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 ++ # check 'net' is not poisoned. ++ dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 ++ grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1 ++ # check 'sub.local.net' is not poisoned. ++ dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 ++ grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1 ++ if [ $ret != 0 ]; then echo_i "failed"; fi ++ status=$((status+ret)) ++ ++ n=$((n+1)) ++ echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" ++ ret=0 ++ # prime ++ dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 ++ # check that net2/DNAME is not cached ++ dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 ++ grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1 ++ grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1 ++ if [ $ret != 0 ]; then echo_i "failed"; fi ++ status=$((status+ret)) ++ ++ n=$((n+1)) ++ echo_i "checking spoofed response scenario 3 - extra answer ($n)" ++ ret=0 ++ # prime ++ dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1 ++ # check extra net3 records are not cached ++ rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i ++ for try in 1 2 3 4 5; do ++ lines=$(grep "net3" ns9/named_dump.db | wc -l) ++ if [ ${lines} -eq 0 ]; then ++ sleep 1 ++ continue ++ fi ++ [ ${lines} -eq 1 ] || ret=1 ++ grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 ++ grep -q '^local.net3' ns9/named_dump.db && ret=1 ++ done ++ if [ $ret != 0 ]; then echo_i "failed"; fi ++ status=$((status+ret)) ++} ++ ++echo_i "checking spoofed response scenarios with forward first zones" ++run_spooftests ++ ++copy_setports ns9/named2.conf.in ns9/named.conf ++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i ++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i ++sleep 1 ++ ++echo_i "rechecking spoofed response scenarios with forward only zones" ++run_spooftests ++ ++# ++# This scenario expects the spoofed response to succeed. The tests are ++# similar to the ones above, but not identical. ++# ++echo_i "rechecking spoofed response scenarios with 'forward only' set globally" ++copy_setports ns9/named3.conf.in ns9/named.conf ++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i ++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i ++sleep 1 ++ ++n=$((n+1)) ++echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" ++ret=0 ++# prime ++dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 ++# check 'net' is poisoned. ++dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 ++grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1 ++# check 'sub.local.net' is poisoned. ++dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 ++grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=$((status+ret)) ++ ++n=$((n+1)) ++echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" ++ret=0 ++# prime ++dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 ++# check that net2/DNAME is cached ++dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 ++grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1 ++grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=$((status+ret)) ++ ++# ++# This test doesn't use any forwarder clauses but is here because it ++# is similar to forwarders, as the set of servers that can populate ++# the namespace is defined by the zone content. ++# ++echo_i "rechecking spoofed response scenarios glue below local zone" ++copy_setports ns9/named4.conf.in ns9/named.conf ++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i ++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i ++sleep 1 ++ ++n=$((n+1)) ++echo_i "checking sibling glue below zone ($n)" ++ret=0 ++# prime ++dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1 ++# check for glue A record for sub.local.tld is not used ++dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1 ++grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1 ++grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=$((status+ret)) ++ + echo_i "exit status: $status" + [ $status -eq 0 ] || exit 1 +diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh +index d0eb9fa61d..8b9212c3e0 100755 +--- a/bin/tests/system/ifconfig.sh ++++ b/bin/tests/system/ifconfig.sh +@@ -12,10 +12,10 @@ + # + # Set up interface aliases for bind9 system tests. + # +-# IPv4: 10.53.0.{1..10} RFC 1918 ++# IPv4: 10.53.0.{1..11} RFC 1918 + # 10.53.1.{1..2} + # 10.53.2.{1..2} +-# IPv6: fd92:7065:b8e:ffff::{1..10} ULA ++# IPv6: fd92:7065:b8e:ffff::{1..11} ULA + # fd92:7065:b8e:99ff::{1..2} + # fd92:7065:b8e:ff::{1..2} + # +@@ -65,7 +65,7 @@ case "$1" in + 2) ipv6="00" ;; + *) ipv6="" ;; + esac +- for ns in 1 2 3 4 5 6 7 8 9 10 ++ for ns in 1 2 3 4 5 6 7 8 9 10 11 + do + [ $i -gt 0 -a $ns -gt 2 ] && break + int=`expr $i \* 10 + $ns` +@@ -165,7 +165,7 @@ case "$1" in + 2) ipv6="00" ;; + *) ipv6="" ;; + esac +- for ns in 10 9 8 7 6 5 4 3 2 1 ++ for ns in 11 10 9 8 7 6 5 4 3 2 1 + do + [ $i -gt 0 -a $ns -gt 2 ] && continue + int=`expr $i \* 10 + $ns - 1` +-- +2.34.1 + diff --git a/SOURCES/bind-9.11-CVE-2021-25220.patch b/SOURCES/bind-9.11-CVE-2021-25220.patch new file mode 100644 index 0000000..37f3c41 --- /dev/null +++ b/SOURCES/bind-9.11-CVE-2021-25220.patch @@ -0,0 +1,254 @@ +From 1f5cb247ecd20ba57c472138f94856aa83caf042 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Tue, 1 Mar 2022 09:48:05 +1100 +Subject: [PATCH] Add additional name checks when using a forwarder + +When using a forwarder, check that the owner name of response +records are within the bailiwick of the forwarded name space. + +(cherry picked from commit e8df2802ac62016ea68585893eb4310fc3329028) + +Check that the forward declaration is unchanged and not overridden + +If we are using a fowarder, in addition to checking that names to +be cached are subdomains of the forwarded namespace, we must also +check that there are no subsidiary forwarded namespaces which would +take precedence. To be safe, we don't cache any responses if the +forwarding configuration has changed since the query was sent. + +(cherry picked from commit 590f8698fc876d6d72f75cf35359e7546c3af972) + +Check cached names for possible "forward only" clause + +When caching additional and glue data *not* from a forwarder, we must +check that there is no "forward only" clause covering the owner name +that would take precedence. Such names would normally be allowed by +baliwick rules, but a "forward only" zone introduces a new baliwick +scope. + +(cherry picked from commit 4a144fae16e70517be894a971cef1d085ee68ebe) + +Look for zones deeper than the current domain or forward name + +When caching glue, we need to ensure that there is no closer +source of truth for the name. If the owner name for the glue +record would be answered by a locally configured zone, do not +cache. + +(cherry picked from commit 42f8c538d3fb9d075b98d82688aeb71621798754) + +Avoid use of compound literals + +Compound literals are not used in BIND 9.11, in order to ensure backward +compatibility with ancient compilers. Rework the relevant parts of the +BIND 9.11 backport of the CVE-2021-25220 fix so that compound literals +are not used. + +(cherry picked from commit d4b1efbcbd4dfb8c6ef303968992440c5bdeed15) +--- + lib/dns/resolver.c | 130 +++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 125 insertions(+), 5 deletions(-) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index c912f3aea8..2c68973899 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -63,6 +63,7 @@ + #include + #include + #include ++#include + + #ifdef WANT_QUERYTRACE + #define RTRACE(m) isc_log_write(dns_lctx, \ +@@ -312,6 +313,8 @@ struct fetchctx { + bool ns_ttl_ok; + uint32_t ns_ttl; + isc_counter_t * qc; ++ dns_fixedname_t fwdfname; ++ dns_name_t *fwdname; + + /*% + * The number of events we're waiting for. +@@ -3393,6 +3396,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + if (result == ISC_R_SUCCESS) { + fwd = ISC_LIST_HEAD(forwarders->fwdrs); + fctx->fwdpolicy = forwarders->fwdpolicy; ++ dns_name_copy(domain, fctx->fwdname, NULL); + if (fctx->fwdpolicy == dns_fwdpolicy_only && + isstrictsubdomain(domain, &fctx->domain)) { + fcount_decr(fctx); +@@ -4422,6 +4426,9 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, + fctx->restarts = 0; + fctx->querysent = 0; + fctx->referrals = 0; ++ ++ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname); ++ + TIME_NOW(&fctx->start); + fctx->timeouts = 0; + fctx->lamecount = 0; +@@ -4480,8 +4487,10 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, + domain = dns_fixedname_initname(&fixed); + result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname, + domain, &forwarders); +- if (result == ISC_R_SUCCESS) ++ if (result == ISC_R_SUCCESS) { + fctx->fwdpolicy = forwarders->fwdpolicy; ++ dns_name_copy(domain, fctx->fwdname, NULL); ++ } + + if (fctx->fwdpolicy != dns_fwdpolicy_only) { + /* +@@ -6231,6 +6240,112 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, + rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL; + } + ++/* ++ * Returns true if 'name' is external to the namespace for which ++ * the server being queried can answer, either because it's not a ++ * subdomain or because it's below a forward declaration or a ++ * locally served zone. ++ */ ++static inline bool ++name_external(dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) { ++ isc_result_t result; ++ dns_forwarders_t *forwarders = NULL; ++ dns_fixedname_t fixed, zfixed; ++ dns_name_t *fname = dns_fixedname_initname(&fixed); ++ dns_name_t *zfname = dns_fixedname_initname(&zfixed); ++ dns_name_t *apex = NULL; ++ dns_name_t suffix; ++ dns_zone_t *zone = NULL; ++ unsigned int labels; ++ dns_namereln_t rel; ++ /* ++ * The following two variables do not influence code flow; they are ++ * only necessary for calling dns_name_fullcompare(). ++ */ ++ int _orderp = 0; ++ unsigned int _nlabelsp = 0; ++ ++ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain; ++ ++ /* ++ * The name is outside the queried namespace. ++ */ ++ rel = dns_name_fullcompare(name, apex, &_orderp, &_nlabelsp); ++ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) { ++ return (true); ++ } ++ ++ /* ++ * If the record lives in the parent zone, adjust the name so we ++ * look for the correct zone or forward clause. ++ */ ++ labels = dns_name_countlabels(name); ++ if (dns_rdatatype_atparent(type) && labels > 1U) { ++ dns_name_init(&suffix, NULL); ++ dns_name_getlabelsequence(name, 1, labels - 1, &suffix); ++ name = &suffix; ++ } else if (rel == dns_namereln_equal) { ++ /* If 'name' is 'apex', no further checking is needed. */ ++ return (false); ++ } ++ ++ /* ++ * If there is a locally served zone between 'apex' and 'name' ++ * then don't cache. ++ */ ++ LOCK(&fctx->res->view->lock); ++ if (fctx->res->view->zonetable != NULL) { ++ unsigned int options = DNS_ZTFIND_NOEXACT; ++ result = dns_zt_find(fctx->res->view->zonetable, name, options, ++ zfname, &zone); ++ if (zone != NULL) { ++ dns_zone_detach(&zone); ++ } ++ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { ++ if (dns_name_fullcompare(zfname, apex, &_orderp, ++ &_nlabelsp) == ++ dns_namereln_subdomain) ++ { ++ UNLOCK(&fctx->res->view->lock); ++ return (true); ++ } ++ } ++ } ++ UNLOCK(&fctx->res->view->lock); ++ ++ /* ++ * Look for a forward declaration below 'name'. ++ */ ++ result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, fname, ++ &forwarders); ++ ++ if (ISFORWARDER(fctx->addrinfo)) { ++ /* ++ * See if the forwarder declaration is better. ++ */ ++ if (result == ISC_R_SUCCESS) { ++ return (!dns_name_equal(fname, fctx->fwdname)); ++ } ++ ++ /* ++ * If the lookup failed, the configuration must have ++ * changed: play it safe and don't cache. ++ */ ++ return (true); ++ } else if (result == ISC_R_SUCCESS && ++ forwarders->fwdpolicy == dns_fwdpolicy_only && ++ !ISC_LIST_EMPTY(forwarders->fwdrs)) ++ { ++ /* ++ * If 'name' is covered by a 'forward only' clause then we ++ * can't cache this repsonse. ++ */ ++ return (true); ++ } ++ ++ return (false); ++} ++ + static isc_result_t + check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type, + dns_section_t section) +@@ -6259,7 +6374,7 @@ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type, + result = dns_message_findname(rmessage, section, addname, + dns_rdatatype_any, 0, &name, NULL); + if (result == ISC_R_SUCCESS) { +- external = !dns_name_issubdomain(name, &fctx->domain); ++ external = name_external(name, type, fctx); + if (type == dns_rdatatype_a) { + for (rdataset = ISC_LIST_HEAD(name->list); + rdataset != NULL; +@@ -7141,6 +7256,13 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) { + break; + + case dns_namereln_subdomain: ++ /* ++ * Don't accept DNAME from parent namespace. ++ */ ++ if (name_external(name, dns_rdatatype_dname, fctx)) { ++ continue; ++ } ++ + /* + * In-scope DNAME records must have at least + * as many labels as the domain being queried. +@@ -7376,11 +7498,9 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) { + */ + result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); + while (!done && result == ISC_R_SUCCESS) { +- bool external; + name = NULL; + dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); +- external = !dns_name_issubdomain(name, &fctx->domain); +- if (!external) { ++ if (!name_external(name, dns_rdatatype_ns, fctx)) { + /* + * We expect to find NS or SIG NS rdatasets, and + * nothing else. +-- +2.34.1 + diff --git a/SOURCES/bind-9.11-CVE-2022-2795.patch b/SOURCES/bind-9.11-CVE-2022-2795.patch new file mode 100644 index 0000000..2175637 --- /dev/null +++ b/SOURCES/bind-9.11-CVE-2022-2795.patch @@ -0,0 +1,61 @@ +From 05cdbc1006cee6daaa29e5423976d56047d22461 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= +Date: Thu, 8 Sep 2022 11:11:30 +0200 +Subject: [PATCH] Bound the amount of work performed for delegations + +Limit the amount of database lookups that can be triggered in +fctx_getaddresses() (i.e. when determining the name server addresses to +query next) by setting a hard limit on the number of NS RRs processed +for any delegation encountered. Without any limit in place, named can +be forced to perform large amounts of database lookups per each query +received, which severely impacts resolver performance. + +The limit used (20) is an arbitrary value that is considered to be big +enough for any sane DNS delegation. + +(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a) +(cherry picked from commit bf2ea6d8525bfd96a84dad221ba9e004adb710a8) +--- + lib/dns/resolver.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 8ae9a993bb..ac9a9ef5d0 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -180,6 +180,12 @@ + */ + #define NS_FAIL_LIMIT 4 + #define NS_RR_LIMIT 5 ++/* ++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in ++ * any NS RRset encountered, to avoid excessive resource use while processing ++ * large delegations. ++ */ ++#define NS_PROCESSING_LIMIT 20 + + /* Number of hash buckets for zone counters */ + #ifndef RES_DOMAIN_BUCKETS +@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + bool need_alternate = false; + bool all_spilled = true; + unsigned int no_addresses = 0; ++ unsigned int ns_processed = 0; + + FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); + +@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + + dns_rdata_reset(&rdata); + dns_rdata_freestruct(&ns); ++ ++ if (++ns_processed >= NS_PROCESSING_LIMIT) { ++ result = ISC_R_NOMORE; ++ break; ++ } + } + if (result != ISC_R_NOMORE) { + return (result); +-- +2.37.3 + diff --git a/SOURCES/bind-9.11-rh2133889.patch b/SOURCES/bind-9.11-rh2133889.patch deleted file mode 100644 index c61d902..0000000 --- a/SOURCES/bind-9.11-rh2133889.patch +++ /dev/null @@ -1,26 +0,0 @@ -From c8f5b31f0637315c1c45d0287f05fcad2250f40f Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Thu, 13 Oct 2022 15:35:46 +0200 -Subject: [PATCH] Add include to rwlocktype_t to dns/zt.h - -It got broken as part of bug #2101712 fix. Introduced new definition, -which passes during bind build, but breaks bind-dyndb-ldap build. ---- - lib/dns/include/dns/zt.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h -index 9421225..64c24d6 100644 ---- a/lib/dns/include/dns/zt.h -+++ b/lib/dns/include/dns/zt.h -@@ -18,6 +18,7 @@ - #include - - #include -+#include - - #include - --- -2.37.3 - diff --git a/SPECS/bind.spec b/SPECS/bind.spec index 84c42cf..99544ee 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -68,7 +68,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.36 -Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.3 +Release: 7%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -158,11 +158,13 @@ Patch178:bind-9.11-dhcp-time-monotonic.patch Patch183:bind-9.11-rh1980757.patch # modified, https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/3067 Patch184: bind-9.15-resolver-ntasks.patch +Patch185: bind-9.11-CVE-2021-25220.patch +Patch186: bind-9.11-CVE-2021-25220-test.patch Patch188: bind-9.16-CVE-2022-38177.patch Patch189: bind-9.16-CVE-2022-38178.patch # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6695 Patch190: bind-9.11-rh2101712.patch -Patch192: bind-9.11-rh2133889.patch +Patch191: bind-9.11-CVE-2022-2795.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -558,10 +560,12 @@ are used for building ISC DHCP. %patch178 -p1 -b .time-monotonic %patch183 -p1 -b .rh1980757 %patch184 -p1 -b .rh2030239 +%patch185 -p1 -b .CVE-2021-25220 +%patch186 -p1 -b .CVE-2021-25220-test %patch188 -p1 -b .CVE-2022-38177 %patch189 -p1 -b .CVE-2022-38178 %patch190 -p1 -b .rh2101712 -%patch192 -p1 -b .rh2133889 +%patch191 -p1 -b .CVE-2022-2795 mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data @@ -1614,17 +1618,22 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog -* Thu Oct 13 2022 Petr Menšík - 32:9.11.36-3.3 -- Correct regression preventing bind-dyndb-ldap build (#2101712) +* Thu Sep 29 2022 Petr Menšík - 32:9.11.36-7 +- Prevent excessive resource use while processing large delegations. + (CVE-2022-2795) -* Thu Sep 22 2022 Petr Menšík - 32:9.11.36-3.2 +* Thu Sep 22 2022 Petr Menšík - 32:9.11.36-6 - Prevent freeing zone during statistics rendering (#2101712) -* Thu Sep 22 2022 Petr Menšík - 32:9.11.36-3.1 +* Thu Sep 22 2022 Petr Menšík - 32:9.11.36-5 - Fix memory leak in ECDSA verify processing (CVE-2022-38177) - Fix memory leak in EdDSA verify processing (CVE-2022-38178) -* Thu Feb 10 2022 Petr Menšík - 32:9.11.36-3 +* Wed Apr 13 2022 Petr Menšík - 32:9.11.36-4 +- Tighten cache protection against record from forwarders (CVE-2021-25220) +- Include test of forwarders + +* Thu Feb 10 2022 Petr Menšík - 32:9.11.36-2 - Reduce memory used per-view on machine with few processors (#2030239) * Tue Dec 21 2021 Petr Menšík - 32:9.11.36-2