diff --git a/SOURCES/bind-9.11-CVE-2021-25220-test.patch b/SOURCES/bind-9.11-CVE-2021-25220-test.patch new file mode 100644 index 0000000..bc6836f --- /dev/null +++ b/SOURCES/bind-9.11-CVE-2021-25220-test.patch @@ -0,0 +1,1192 @@ +From 557de3210e8d3d5da8c85dfc94042620049f4292 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Tue, 18 Jan 2022 00:19:47 +1100 +Subject: [PATCH] Add tests for forwarder cache poisoning scenarios + +- Check that an NS in an authority section returned from a forwarder + which is above the name in a configured "forward first" or "forward + only" zone (i.e., net/NS in a response from a forwarder configured for + local.net) is not cached. +- Test that a DNAME for a parent domain will not be cached when sent + in a response from a forwarder configured to answer for a child. +- Check that glue is rejected if its name falls below that of zone + configured locally. +- Check that an extra out-of-bailiwick data in the answer section is + not cached (this was already working correctly, but was not explicitly + tested before). + +- v9_11 backport: Revert primary/secondary to master/slave, + backport rndc helper, backport ns8 config. + +(cherry picked from commit bf3fffff67e1de78e9387a93674d471bf4291604) +(cherry picked from commit 29f08170f05c2c96fb67f3b561b46aa0bae356f7) +--- + bin/tests/system/forward/ans11/ans.py | 136 ++++++++++++++++++ + bin/tests/system/forward/clean.sh | 2 + + bin/tests/system/forward/ns1/diditwork.net.db | 20 +++ + bin/tests/system/forward/ns1/named.conf.in | 20 +++ + bin/tests/system/forward/ns1/net.example.lll | 13 ++ + bin/tests/system/forward/ns1/spoofed.net.db | 20 +++ + bin/tests/system/forward/ns1/sub.local.net.db | 20 +++ + bin/tests/system/forward/ns10/fakenet.zone | 15 ++ + bin/tests/system/forward/ns10/fakenet2.zone | 13 ++ + .../system/forward/ns10/fakesublocalnet.zone | 13 ++ + .../system/forward/ns10/fakesublocaltld.zone | 13 ++ + bin/tests/system/forward/ns10/named.conf.in | 51 +++++++ + bin/tests/system/forward/ns10/net.example.lll | 13 ++ + bin/tests/system/forward/ns10/spoofednet.zone | 14 ++ + bin/tests/system/forward/ns4/named.conf.in | 5 + + bin/tests/system/forward/ns4/sibling.tld.db | 20 +++ + bin/tests/system/forward/ns8/named.conf.in | 33 +++++ + bin/tests/system/forward/ns8/root.db | 11 ++ + bin/tests/system/forward/ns8/sub.local.tld.db | 13 ++ + bin/tests/system/forward/ns9/local.net.db | 14 ++ + bin/tests/system/forward/ns9/local.tld.db | 13 ++ + bin/tests/system/forward/ns9/named1.conf.in | 65 +++++++++ + bin/tests/system/forward/ns9/named2.conf.in | 68 +++++++++ + bin/tests/system/forward/ns9/named3.conf.in | 48 +++++++ + bin/tests/system/forward/ns9/named4.conf.in | 45 ++++++ + bin/tests/system/forward/ns9/root.db | 11 ++ + bin/tests/system/forward/prereq.sh | 35 +++++ + bin/tests/system/forward/setup.sh | 3 + + bin/tests/system/forward/tests.sh | 130 +++++++++++++++++ + bin/tests/system/ifconfig.sh | 8 +- + 30 files changed, 881 insertions(+), 4 deletions(-) + create mode 100644 bin/tests/system/forward/ans11/ans.py + create mode 100644 bin/tests/system/forward/ns1/diditwork.net.db + create mode 100644 bin/tests/system/forward/ns1/net.example.lll + create mode 100644 bin/tests/system/forward/ns1/spoofed.net.db + create mode 100644 bin/tests/system/forward/ns1/sub.local.net.db + create mode 100644 bin/tests/system/forward/ns10/fakenet.zone + create mode 100644 bin/tests/system/forward/ns10/fakenet2.zone + create mode 100644 bin/tests/system/forward/ns10/fakesublocalnet.zone + create mode 100644 bin/tests/system/forward/ns10/fakesublocaltld.zone + create mode 100644 bin/tests/system/forward/ns10/named.conf.in + create mode 100644 bin/tests/system/forward/ns10/net.example.lll + create mode 100644 bin/tests/system/forward/ns10/spoofednet.zone + create mode 100644 bin/tests/system/forward/ns4/sibling.tld.db + create mode 100644 bin/tests/system/forward/ns8/named.conf.in + create mode 100644 bin/tests/system/forward/ns8/root.db + create mode 100644 bin/tests/system/forward/ns8/sub.local.tld.db + create mode 100644 bin/tests/system/forward/ns9/local.net.db + create mode 100644 bin/tests/system/forward/ns9/local.tld.db + create mode 100644 bin/tests/system/forward/ns9/named1.conf.in + create mode 100644 bin/tests/system/forward/ns9/named2.conf.in + create mode 100644 bin/tests/system/forward/ns9/named3.conf.in + create mode 100644 bin/tests/system/forward/ns9/named4.conf.in + create mode 100644 bin/tests/system/forward/ns9/root.db + create mode 100644 bin/tests/system/forward/prereq.sh + +diff --git a/bin/tests/system/forward/ans11/ans.py b/bin/tests/system/forward/ans11/ans.py +new file mode 100644 +index 0000000..2956cf6 +--- /dev/null ++++ b/bin/tests/system/forward/ans11/ans.py +@@ -0,0 +1,136 @@ ++############################################################################ ++# Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, you can obtain one at https://mozilla.org/MPL/2.0/. ++# ++# See the COPYRIGHT file distributed with this work for additional ++# information regarding copyright ownership. ++############################################################################ ++ ++from __future__ import print_function ++import os ++import sys ++import signal ++import socket ++import select ++from datetime import datetime, timedelta ++import time ++import functools ++ ++import dns, dns.message, dns.query, dns.flags ++from dns.rdatatype import * ++from dns.rdataclass import * ++from dns.rcode import * ++from dns.name import * ++ ++# Log query to file ++def logquery(type, qname): ++ with open("qlog", "a") as f: ++ f.write("%s %s\n", type, qname) ++ ++############################################################################ ++# Respond to a DNS query. ++############################################################################ ++def create_response(msg): ++ m = dns.message.from_wire(msg) ++ qname = m.question[0].name.to_text() ++ rrtype = m.question[0].rdtype ++ typename = dns.rdatatype.to_text(rrtype) ++ ++ with open("query.log", "a") as f: ++ f.write("%s %s\n" % (typename, qname)) ++ print("%s %s" % (typename, qname), end=" ") ++ ++ r = dns.message.make_response(m) ++ r.set_rcode(NOERROR) ++ if rrtype == A: ++ tld=qname.split('.')[-2] + '.' ++ ns="local." + tld ++ r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11")) ++ r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." + tld)) ++ r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11")) ++ elif rrtype == NS: ++ r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, ".")) ++ elif rrtype == SOA: ++ r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) ++ else: ++ r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) ++ r.flags |= dns.flags.AA ++ return r ++ ++def sigterm(signum, frame): ++ print ("Shutting down now...") ++ os.remove('ans.pid') ++ running = False ++ sys.exit(0) ++ ++############################################################################ ++# Main ++# ++# Set up responder and control channel, open the pid file, and start ++# the main loop, listening for queries on the query channel or commands ++# on the control channel and acting on them. ++############################################################################ ++ip4 = "10.53.0.11" ++ip6 = "fd92:7065:b8e:ffff::11" ++ ++try: port=int(os.environ['PORT']) ++except: port=5300 ++ ++query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) ++query4_socket.bind((ip4, port)) ++havev6 = True ++try: ++ query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) ++ try: ++ query6_socket.bind((ip6, port)) ++ except: ++ query6_socket.close() ++ havev6 = False ++except: ++ havev6 = False ++signal.signal(signal.SIGTERM, sigterm) ++ ++f = open('ans.pid', 'w') ++pid = os.getpid() ++print (pid, file=f) ++f.close() ++ ++running = True ++ ++print ("Listening on %s port %d" % (ip4, port)) ++if havev6: ++ print ("Listening on %s port %d" % (ip6, port)) ++print ("Ctrl-c to quit") ++ ++if havev6: ++ input = [query4_socket, query6_socket] ++else: ++ input = [query4_socket] ++ ++while running: ++ try: ++ inputready, outputready, exceptready = select.select(input, [], []) ++ except select.error as e: ++ break ++ except socket.error as e: ++ break ++ except KeyboardInterrupt: ++ break ++ ++ for s in inputready: ++ if s == query4_socket or s == query6_socket: ++ print ("Query received on %s" % ++ (ip4 if s == query4_socket else ip6), end=" ") ++ # Handle incoming queries ++ msg = s.recvfrom(65535) ++ rsp = create_response(msg[0]) ++ if rsp: ++ print(dns.rcode.to_text(rsp.rcode())) ++ s.sendto(rsp.to_wire(), msg[1]) ++ else: ++ print("NO RESPONSE") ++ if not running: ++ break +diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh +index 3052d27..4ab2a03 100644 +--- a/bin/tests/system/forward/clean.sh ++++ b/bin/tests/system/forward/clean.sh +@@ -10,8 +10,10 @@ + # + # Clean up after forward tests. + # ++rm -f ./ans11/query.log + rm -f dig.out.* + rm -f */named.conf + rm -f */named.memstats + rm -f */named.run ++rm -f ./*/named_dump.db + rm -f ns*/named.lock +diff --git a/bin/tests/system/forward/ns1/diditwork.net.db b/bin/tests/system/forward/ns1/diditwork.net.db +new file mode 100644 +index 0000000..be9a7f7 +--- /dev/null ++++ b/bin/tests/system/forward/ns1/diditwork.net.db +@@ -0,0 +1,20 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ; 5 minutes ++@ IN SOA ns root ( ++ 2000082401 ; serial ++ 1800 ; refresh (30 minutes) ++ 1800 ; retry (30 minutes) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns ++ TXT "recursed" ++ns A 10.53.0.1 +diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in +index 7ce81dd..442b928 100644 +--- a/bin/tests/system/forward/ns1/named.conf.in ++++ b/bin/tests/system/forward/ns1/named.conf.in +@@ -54,3 +54,23 @@ zone "example5." { + zone "example6" { + type forward; + }; ++ ++zone "diditwork.net" { ++ type master; ++ file "diditwork.net.db"; ++}; ++ ++zone "spoofed.net" { ++ type master; ++ file "spoofed.net.db"; ++}; ++ ++zone "sub.local.net" { ++ type master; ++ file "sub.local.net.db"; ++}; ++ ++zone "net.example.lll" { ++ type master; ++ file "net.example.lll"; ++}; +diff --git a/bin/tests/system/forward/ns1/net.example.lll b/bin/tests/system/forward/ns1/net.example.lll +new file mode 100644 +index 0000000..d179853 +--- /dev/null ++++ b/bin/tests/system/forward/ns1/net.example.lll +@@ -0,0 +1,13 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++net.example.lll. SOA . . 0 0 0 0 0 ++net.example.lll. NS attackSecureDomain.net. ++didItWork.net.example.lll. TXT "if you can see this record the attack worked" +diff --git a/bin/tests/system/forward/ns1/spoofed.net.db b/bin/tests/system/forward/ns1/spoofed.net.db +new file mode 100644 +index 0000000..d498d5f +--- /dev/null ++++ b/bin/tests/system/forward/ns1/spoofed.net.db +@@ -0,0 +1,20 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ; 5 minutes ++@ IN SOA ns root ( ++ 2000082401 ; serial ++ 1800 ; refresh (30 minutes) ++ 1800 ; retry (30 minutes) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns ++ns A 10.53.0.1 ++sub TXT "recursed" +diff --git a/bin/tests/system/forward/ns1/sub.local.net.db b/bin/tests/system/forward/ns1/sub.local.net.db +new file mode 100644 +index 0000000..be9a7f7 +--- /dev/null ++++ b/bin/tests/system/forward/ns1/sub.local.net.db +@@ -0,0 +1,20 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ; 5 minutes ++@ IN SOA ns root ( ++ 2000082401 ; serial ++ 1800 ; refresh (30 minutes) ++ 1800 ; retry (30 minutes) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns ++ TXT "recursed" ++ns A 10.53.0.1 +diff --git a/bin/tests/system/forward/ns10/fakenet.zone b/bin/tests/system/forward/ns10/fakenet.zone +new file mode 100644 +index 0000000..14e5c77 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/fakenet.zone +@@ -0,0 +1,15 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++net. SOA . . 0 0 0 0 0 ++net. NS attackSecureDomain.net. ++attackSecureDomain.net. A 10.53.0.10 ++didItWork.net. TXT "if you can see this record the attack worked" ++ns.spoofed.net. A 10.53.0.10 +diff --git a/bin/tests/system/forward/ns10/fakenet2.zone b/bin/tests/system/forward/ns10/fakenet2.zone +new file mode 100644 +index 0000000..7ca28a9 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/fakenet2.zone +@@ -0,0 +1,13 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++net2. SOA . . 0 0 0 0 0 ++net2. NS attackSecureDomain.net. ++net2. DNAME net.example.lll. +diff --git a/bin/tests/system/forward/ns10/fakesublocalnet.zone b/bin/tests/system/forward/ns10/fakesublocalnet.zone +new file mode 100644 +index 0000000..6caa071 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/fakesublocalnet.zone +@@ -0,0 +1,13 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++sub.local.net. SOA . . 0 0 0 0 0 ++sub.local.net. NS ns.spoofed.net. ++sub.local.net. TXT "if you see this attacker overrode local delegation" +diff --git a/bin/tests/system/forward/ns10/fakesublocaltld.zone b/bin/tests/system/forward/ns10/fakesublocaltld.zone +new file mode 100644 +index 0000000..6a431de +--- /dev/null ++++ b/bin/tests/system/forward/ns10/fakesublocaltld.zone +@@ -0,0 +1,13 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 ++sub.local.tld. 3600 IN NS ns.sub.local.tld. ++sub.local.tld. 3600 IN TXT bad ++ns.sub.local.tld. 3600 IN A 10.53.0.8 +diff --git a/bin/tests/system/forward/ns10/named.conf.in b/bin/tests/system/forward/ns10/named.conf.in +new file mode 100644 +index 0000000..025c108 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/named.conf.in +@@ -0,0 +1,51 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.10; ++ notify-source 10.53.0.10; ++ transfer-source 10.53.0.10; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.10; }; ++ listen-on-v6 { none; }; ++ minimal-responses no; ++}; ++ ++zone "net." { ++ type master; ++ file "fakenet.zone"; ++}; ++ ++zone "spoofed.net." { ++ type master; ++ file "spoofednet.zone"; ++}; ++ ++zone "sub.local.net." { ++ type master; ++ file "fakesublocalnet.zone"; ++}; ++ ++zone "net2" { ++ type master; ++ file "fakenet2.zone"; ++}; ++ ++zone "net.example.lll" { ++ type master; ++ file "net.example.lll"; ++}; ++ ++zone "sub.local.tld." { ++ type master; ++ file "fakesublocaltld.zone"; ++}; +diff --git a/bin/tests/system/forward/ns10/net.example.lll b/bin/tests/system/forward/ns10/net.example.lll +new file mode 100644 +index 0000000..d179853 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/net.example.lll +@@ -0,0 +1,13 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++net.example.lll. SOA . . 0 0 0 0 0 ++net.example.lll. NS attackSecureDomain.net. ++didItWork.net.example.lll. TXT "if you can see this record the attack worked" +diff --git a/bin/tests/system/forward/ns10/spoofednet.zone b/bin/tests/system/forward/ns10/spoofednet.zone +new file mode 100644 +index 0000000..13921a0 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/spoofednet.zone +@@ -0,0 +1,14 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++spoofed.net. SOA . . 0 0 0 0 0 ++spoofed.net. NS ns.spoofed.net. ++ns.spoofed.net. A 10.53.0.10 ++spoofed.net. TXT "this record is clearly spoofed" +diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in +index fee76b4..5fda95c 100644 +--- a/bin/tests/system/forward/ns4/named.conf.in ++++ b/bin/tests/system/forward/ns4/named.conf.in +@@ -60,3 +60,8 @@ zone "malicious." { + type master; + file "malicious.db"; + }; ++ ++zone "sibling.tld" { ++ type master; ++ file "sibling.tld.db"; ++}; +diff --git a/bin/tests/system/forward/ns4/sibling.tld.db b/bin/tests/system/forward/ns4/sibling.tld.db +new file mode 100644 +index 0000000..58037d0 +--- /dev/null ++++ b/bin/tests/system/forward/ns4/sibling.tld.db +@@ -0,0 +1,20 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++@ IN SOA malicious. admin.malicious. ( ++ 1 ; Serial ++ 604800 ; Refresh ++ 86400 ; Retry ++ 2419200 ; Expire ++ 86400 ) ; Negative Cache TTL ++ ++@ IN NS ns ++ ++ns IN A 10.53.0.4 +diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in +new file mode 100644 +index 0000000..9260f69 +--- /dev/null ++++ b/bin/tests/system/forward/ns8/named.conf.in +@@ -0,0 +1,33 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.8; ++ notify-source 10.53.0.8; ++ transfer-source 10.53.0.8; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.8; }; ++ listen-on-v6 { none; }; ++ forwarders { 10.53.0.2; }; // returns referrals ++ forward first; ++ dnssec-validation yes; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; ++ ++zone "sub.local.tld" { ++ type master; ++ file "sub.local.tld.db"; ++}; +diff --git a/bin/tests/system/forward/ns8/root.db b/bin/tests/system/forward/ns8/root.db +new file mode 100644 +index 0000000..4f30322 +--- /dev/null ++++ b/bin/tests/system/forward/ns8/root.db +@@ -0,0 +1,11 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++. NS a.root-servers.nil. ++a.root-servers.nil. A 10.53.0.1 +diff --git a/bin/tests/system/forward/ns8/sub.local.tld.db b/bin/tests/system/forward/ns8/sub.local.tld.db +new file mode 100644 +index 0000000..eb20683 +--- /dev/null ++++ b/bin/tests/system/forward/ns8/sub.local.tld.db +@@ -0,0 +1,13 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 ++sub.local.tld. 3600 IN NS ns.sub.local.tld. ++sub.local.tld. 3600 IN TXT good ++ns.sub.local.tld. 3600 IN A 10.53.0.8 +diff --git a/bin/tests/system/forward/ns9/local.net.db b/bin/tests/system/forward/ns9/local.net.db +new file mode 100644 +index 0000000..2c971e1 +--- /dev/null ++++ b/bin/tests/system/forward/ns9/local.net.db +@@ -0,0 +1,14 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++local.net. 3600 IN SOA . . 0 0 0 0 0 ++local.net. 3600 IN NS localhost. ++ns.local.net. 3600 IN A 10.53.0.9 ++txt.local.net. 3600 IN TXT "something in the local auth zone" ++sub.local.net. 3600 IN NS ns.spoofed.net. ; attacker will try to override this +diff --git a/bin/tests/system/forward/ns9/local.tld.db b/bin/tests/system/forward/ns9/local.tld.db +new file mode 100644 +index 0000000..5940391 +--- /dev/null ++++ b/bin/tests/system/forward/ns9/local.tld.db +@@ -0,0 +1,13 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++local.tld. 3600 IN SOA . . 0 0 0 0 0 ++local.tld. 3600 IN NS localhost. ++sub.local.tld. 3600 IN NS ns.sub.local.tld. ++ns.sub.local.tld. 3600 IN A 10.53.0.8 +diff --git a/bin/tests/system/forward/ns9/named1.conf.in b/bin/tests/system/forward/ns9/named1.conf.in +new file mode 100644 +index 0000000..943e037 +--- /dev/null ++++ b/bin/tests/system/forward/ns9/named1.conf.in +@@ -0,0 +1,65 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.9; ++ notify-source 10.53.0.9; ++ transfer-source 10.53.0.9; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.9; }; ++ listen-on-v6 { none; }; ++ dnssec-validation no; ++ edns-udp-size 1232; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++server 10.53.0.10 { ++ edns no; ++}; ++ ++server 10.53.0.11 { ++ edns no; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; ++ ++zone "attacksecuredomain.net." { ++ type forward; ++ forwarders { 10.53.0.10; }; ++}; ++ ++zone "attacksecuredomain.net2." { ++ type forward; ++ forwarders { 10.53.0.10; }; ++}; ++ ++zone "attacksecuredomain.net3." { ++ type forward; ++ forwarders { 10.53.0.11; }; ++}; ++ ++zone "local.net." { ++ type master; ++ file "local.net.db"; ++ forwarders {}; ++}; +diff --git a/bin/tests/system/forward/ns9/named2.conf.in b/bin/tests/system/forward/ns9/named2.conf.in +new file mode 100644 +index 0000000..5a17d19 +--- /dev/null ++++ b/bin/tests/system/forward/ns9/named2.conf.in +@@ -0,0 +1,68 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.9; ++ notify-source 10.53.0.9; ++ transfer-source 10.53.0.9; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.9; }; ++ listen-on-v6 { none; }; ++ dnssec-validation no; ++ edns-udp-size 1232; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++server 10.53.0.10 { ++ edns no; ++}; ++ ++server 10.53.0.11 { ++ edns no; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; ++ ++zone "attacksecuredomain.net." { ++ type forward; ++ forward only; ++ forwarders { 10.53.0.10; }; ++}; ++ ++zone "attacksecuredomain.net2." { ++ type forward; ++ forward only; ++ forwarders { 10.53.0.10; }; ++}; ++ ++zone "attacksecuredomain.net3." { ++ type forward; ++ forward only; ++ forwarders { 10.53.0.11; }; ++}; ++ ++zone "local.net." { ++ type master; ++ file "local.net.db"; ++ forwarders {}; ++}; +diff --git a/bin/tests/system/forward/ns9/named3.conf.in b/bin/tests/system/forward/ns9/named3.conf.in +new file mode 100644 +index 0000000..1e70d1a +--- /dev/null ++++ b/bin/tests/system/forward/ns9/named3.conf.in +@@ -0,0 +1,48 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.9; ++ notify-source 10.53.0.9; ++ transfer-source 10.53.0.9; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.9; }; ++ listen-on-v6 { none; }; ++ dnssec-validation no; ++ edns-udp-size 1232; ++ forward only; ++ forwarders { 10.53.0.10; }; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++server 10.53.0.10 { ++ edns no; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; ++ ++zone "local.net." { ++ type master; ++ file "local.net.db"; ++ forwarders {}; ++}; +diff --git a/bin/tests/system/forward/ns9/named4.conf.in b/bin/tests/system/forward/ns9/named4.conf.in +new file mode 100644 +index 0000000..6f7b107 +--- /dev/null ++++ b/bin/tests/system/forward/ns9/named4.conf.in +@@ -0,0 +1,45 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.9; ++ notify-source 10.53.0.9; ++ transfer-source 10.53.0.9; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.9; }; ++ listen-on-v6 { none; }; ++ dnssec-validation no; ++ edns-udp-size 1232; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++server 10.53.0.10 { ++ edns no; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; ++ ++zone "local.tld." { ++ type master; ++ file "local.tld.db"; ++}; +diff --git a/bin/tests/system/forward/ns9/root.db b/bin/tests/system/forward/ns9/root.db +new file mode 100644 +index 0000000..4f30322 +--- /dev/null ++++ b/bin/tests/system/forward/ns9/root.db +@@ -0,0 +1,11 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++. NS a.root-servers.nil. ++a.root-servers.nil. A 10.53.0.1 +diff --git a/bin/tests/system/forward/prereq.sh b/bin/tests/system/forward/prereq.sh +new file mode 100644 +index 0000000..53fb581 +--- /dev/null ++++ b/bin/tests/system/forward/prereq.sh +@@ -0,0 +1,35 @@ ++#!/bin/sh ++# ++# Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, you can obtain one at https://mozilla.org/MPL/2.0/. ++# ++# See the COPYRIGHT file distributed with this work for additional ++# information regarding copyright ownership. ++ ++SYSTEMTESTTOP=.. ++. $SYSTEMTESTTOP/conf.sh ++ ++if test -n "$PYTHON" ++then ++ if $PYTHON -c "import dns" 2> /dev/null ++ then ++ : ++ else ++ echo_i "This test requires the dnspython module." >&2 ++ exit 1 ++ fi ++else ++ echo_i "This test requires Python and the dnspython module." >&2 ++ exit 1 ++fi ++ ++if $PERL -e 'use Net::DNS;' 2>/dev/null ++then ++ : ++else ++ echo_i "This test requires the Net::DNS library." >&2 ++ exit 1 ++fi +diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh +index d64579e..b89cb30 100644 +--- a/bin/tests/system/forward/setup.sh ++++ b/bin/tests/system/forward/setup.sh +@@ -19,3 +19,6 @@ copy_setports ns3/named.conf.in ns3/named.conf + copy_setports ns4/named.conf.in ns4/named.conf + copy_setports ns5/named.conf.in ns5/named.conf + copy_setports ns7/named.conf.in ns7/named.conf ++copy_setports ns8/named.conf.in ns8/named.conf ++copy_setports ns9/named1.conf.in ns9/named.conf ++copy_setports ns10/named.conf.in ns10/named.conf +diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh +index 1da4136..f0907f2 100644 +--- a/bin/tests/system/forward/tests.sh ++++ b/bin/tests/system/forward/tests.sh +@@ -12,6 +12,14 @@ SYSTEMTESTTOP=.. + + DIGOPTS="-p ${PORT}" + ++dig_with_opts() ( ++ "$DIG" -p "$PORT" "$@" ++) ++ ++rndccmd() { ++ "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" ++} ++ + root=10.53.0.1 + hidden=10.53.0.2 + f1=10.53.0.3 +@@ -156,5 +164,127 @@ if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + ++# ++# Check various spoofed response scenarios. The same tests will be ++# run twice, with "forward first" and "forward only" configurations. ++# ++run_spooftests () { ++ n=$((n+1)) ++ echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" ++ ret=0 ++ # prime ++ dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 ++ # check 'net' is not poisoned. ++ dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 ++ grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1 ++ # check 'sub.local.net' is not poisoned. ++ dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 ++ grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1 ++ if [ $ret != 0 ]; then echo_i "failed"; fi ++ status=$((status+ret)) ++ ++ n=$((n+1)) ++ echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" ++ ret=0 ++ # prime ++ dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 ++ # check that net2/DNAME is not cached ++ dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 ++ grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1 ++ grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1 ++ if [ $ret != 0 ]; then echo_i "failed"; fi ++ status=$((status+ret)) ++ ++ n=$((n+1)) ++ echo_i "checking spoofed response scenario 3 - extra answer ($n)" ++ ret=0 ++ # prime ++ dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1 ++ # check extra net3 records are not cached ++ rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i ++ for try in 1 2 3 4 5; do ++ lines=$(grep "net3" ns9/named_dump.db | wc -l) ++ if [ ${lines} -eq 0 ]; then ++ sleep 1 ++ continue ++ fi ++ [ ${lines} -eq 1 ] || ret=1 ++ grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 ++ grep -q '^local.net3' ns9/named_dump.db && ret=1 ++ done ++ if [ $ret != 0 ]; then echo_i "failed"; fi ++ status=$((status+ret)) ++} ++ ++echo_i "checking spoofed response scenarios with forward first zones" ++run_spooftests ++ ++copy_setports ns9/named2.conf.in ns9/named.conf ++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i ++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i ++sleep 1 ++ ++echo_i "rechecking spoofed response scenarios with forward only zones" ++run_spooftests ++ ++# ++# This scenario expects the spoofed response to succeed. The tests are ++# similar to the ones above, but not identical. ++# ++echo_i "rechecking spoofed response scenarios with 'forward only' set globally" ++copy_setports ns9/named3.conf.in ns9/named.conf ++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i ++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i ++sleep 1 ++ ++n=$((n+1)) ++echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" ++ret=0 ++# prime ++dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 ++# check 'net' is poisoned. ++dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 ++grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1 ++# check 'sub.local.net' is poisoned. ++dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 ++grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=$((status+ret)) ++ ++n=$((n+1)) ++echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" ++ret=0 ++# prime ++dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 ++# check that net2/DNAME is cached ++dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 ++grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1 ++grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=$((status+ret)) ++ ++# ++# This test doesn't use any forwarder clauses but is here because it ++# is similar to forwarders, as the set of servers that can populate ++# the namespace is defined by the zone content. ++# ++echo_i "rechecking spoofed response scenarios glue below local zone" ++copy_setports ns9/named4.conf.in ns9/named.conf ++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i ++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i ++sleep 1 ++ ++n=$((n+1)) ++echo_i "checking sibling glue below zone ($n)" ++ret=0 ++# prime ++dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1 ++# check for glue A record for sub.local.tld is not used ++dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1 ++grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1 ++grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=$((status+ret)) ++ + echo_i "exit status: $status" + [ $status -eq 0 ] || exit 1 +diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh +index ed45417..03a24fc 100755 +--- a/bin/tests/system/ifconfig.sh ++++ b/bin/tests/system/ifconfig.sh +@@ -12,10 +12,10 @@ + # + # Set up interface aliases for bind9 system tests. + # +-# IPv4: 10.53.0.{1..8} RFC 1918 ++# IPv4: 10.53.0.{1..11} RFC 1918 + # 10.53.1.{0..2} + # 10.53.2.{0..2} +-# IPv6: fd92:7065:b8e:ffff::{1..8} ULA ++# IPv6: fd92:7065:b8e:ffff::{1..11} ULA + # fd92:7065:b8e:99ff::{1..2} + # fd92:7065:b8e:ff::{1..2} + # +@@ -73,7 +73,7 @@ case "$1" in + 2) ipv6="00" ;; + *) ipv6="" ;; + esac +- for ns in 1 2 3 4 5 6 7 8 ++ for ns in 1 2 3 4 5 6 7 8 9 10 11 + do + [ $i -gt 0 -a $ns -gt 2 ] && break + int=`expr $i \* 10 + $ns - 1` +@@ -179,7 +179,7 @@ case "$1" in + 2) ipv6="00" ;; + *) ipv6="" ;; + esac +- for ns in 8 7 6 5 4 3 2 1 ++ for ns in 11 10 9 8 7 6 5 4 3 2 1 + do + [ $i -gt 0 -a $ns -gt 2 ] && continue + int=`expr $i \* 10 + $ns - 1` +-- +2.38.1 + diff --git a/SOURCES/bind-9.11-CVE-2021-25220.patch b/SOURCES/bind-9.11-CVE-2021-25220.patch new file mode 100644 index 0000000..3cf13c4 --- /dev/null +++ b/SOURCES/bind-9.11-CVE-2021-25220.patch @@ -0,0 +1,254 @@ +From 3c22fb00593e78ff27210b2cb708128940077a49 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Tue, 1 Mar 2022 09:48:05 +1100 +Subject: [PATCH] Add additional name checks when using a forwarder + +When using a forwarder, check that the owner name of response +records are within the bailiwick of the forwarded name space. + +(cherry picked from commit e8df2802ac62016ea68585893eb4310fc3329028) + +Check that the forward declaration is unchanged and not overridden + +If we are using a fowarder, in addition to checking that names to +be cached are subdomains of the forwarded namespace, we must also +check that there are no subsidiary forwarded namespaces which would +take precedence. To be safe, we don't cache any responses if the +forwarding configuration has changed since the query was sent. + +(cherry picked from commit 590f8698fc876d6d72f75cf35359e7546c3af972) + +Check cached names for possible "forward only" clause + +When caching additional and glue data *not* from a forwarder, we must +check that there is no "forward only" clause covering the owner name +that would take precedence. Such names would normally be allowed by +baliwick rules, but a "forward only" zone introduces a new baliwick +scope. + +(cherry picked from commit 4a144fae16e70517be894a971cef1d085ee68ebe) + +Look for zones deeper than the current domain or forward name + +When caching glue, we need to ensure that there is no closer +source of truth for the name. If the owner name for the glue +record would be answered by a locally configured zone, do not +cache. + +(cherry picked from commit 42f8c538d3fb9d075b98d82688aeb71621798754) + +Avoid use of compound literals + +Compound literals are not used in BIND 9.11, in order to ensure backward +compatibility with ancient compilers. Rework the relevant parts of the +BIND 9.11 backport of the CVE-2021-25220 fix so that compound literals +are not used. + +(cherry picked from commit d4b1efbcbd4dfb8c6ef303968992440c5bdeed15) +--- + lib/dns/resolver.c | 130 +++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 125 insertions(+), 5 deletions(-) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 7231e25..a55b5fd 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -66,6 +66,7 @@ + #include + #include + #include ++#include + + #ifdef WANT_QUERYTRACE + #define RTRACE(m) isc_log_write(dns_lctx, \ +@@ -318,6 +319,8 @@ struct fetchctx { + isc_boolean_t ns_ttl_ok; + isc_uint32_t ns_ttl; + isc_counter_t * qc; ++ dns_fixedname_t fwdfname; ++ dns_name_t *fwdname; + + /*% + * The number of events we're waiting for. +@@ -3331,6 +3334,7 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) { + if (result == ISC_R_SUCCESS) { + fwd = ISC_LIST_HEAD(forwarders->fwdrs); + fctx->fwdpolicy = forwarders->fwdpolicy; ++ dns_name_copy(domain, fctx->fwdname, NULL); + if (fctx->fwdpolicy == dns_fwdpolicy_only && + isstrictsubdomain(domain, &fctx->domain)) { + fcount_decr(fctx); +@@ -4363,6 +4367,9 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, + fctx->restarts = 0; + fctx->querysent = 0; + fctx->referrals = 0; ++ ++ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname); ++ + TIME_NOW(&fctx->start); + fctx->timeouts = 0; + fctx->lamecount = 0; +@@ -4415,8 +4422,10 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, + domain = dns_fixedname_initname(&fixed); + result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname, + domain, &forwarders); +- if (result == ISC_R_SUCCESS) ++ if (result == ISC_R_SUCCESS) { + fctx->fwdpolicy = forwarders->fwdpolicy; ++ dns_name_copy(domain, fctx->fwdname, NULL); ++ } + + if (fctx->fwdpolicy != dns_fwdpolicy_only) { + /* +@@ -6165,6 +6174,112 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, + rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL; + } + ++/* ++ * Returns true if 'name' is external to the namespace for which ++ * the server being queried can answer, either because it's not a ++ * subdomain or because it's below a forward declaration or a ++ * locally served zone. ++ */ ++static inline isc_boolean_t ++name_external(dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) { ++ isc_result_t result; ++ dns_forwarders_t *forwarders = NULL; ++ dns_fixedname_t fixed, zfixed; ++ dns_name_t *fname = dns_fixedname_initname(&fixed); ++ dns_name_t *zfname = dns_fixedname_initname(&zfixed); ++ dns_name_t *apex = NULL; ++ dns_name_t suffix; ++ dns_zone_t *zone = NULL; ++ unsigned int labels; ++ dns_namereln_t rel; ++ /* ++ * The following two variables do not influence code flow; they are ++ * only necessary for calling dns_name_fullcompare(). ++ */ ++ int _orderp = 0; ++ unsigned int _nlabelsp = 0; ++ ++ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain; ++ ++ /* ++ * The name is outside the queried namespace. ++ */ ++ rel = dns_name_fullcompare(name, apex, &_orderp, &_nlabelsp); ++ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) { ++ return (ISC_TRUE); ++ } ++ ++ /* ++ * If the record lives in the parent zone, adjust the name so we ++ * look for the correct zone or forward clause. ++ */ ++ labels = dns_name_countlabels(name); ++ if (dns_rdatatype_atparent(type) && labels > 1U) { ++ dns_name_init(&suffix, NULL); ++ dns_name_getlabelsequence(name, 1, labels - 1, &suffix); ++ name = &suffix; ++ } else if (rel == dns_namereln_equal) { ++ /* If 'name' is 'apex', no further checking is needed. */ ++ return (ISC_FALSE); ++ } ++ ++ /* ++ * If there is a locally served zone between 'apex' and 'name' ++ * then don't cache. ++ */ ++ LOCK(&fctx->res->view->lock); ++ if (fctx->res->view->zonetable != NULL) { ++ unsigned int options = DNS_ZTFIND_NOEXACT; ++ result = dns_zt_find(fctx->res->view->zonetable, name, options, ++ zfname, &zone); ++ if (zone != NULL) { ++ dns_zone_detach(&zone); ++ } ++ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { ++ if (dns_name_fullcompare(zfname, apex, &_orderp, ++ &_nlabelsp) == ++ dns_namereln_subdomain) ++ { ++ UNLOCK(&fctx->res->view->lock); ++ return (ISC_TRUE); ++ } ++ } ++ } ++ UNLOCK(&fctx->res->view->lock); ++ ++ /* ++ * Look for a forward declaration below 'name'. ++ */ ++ result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, fname, ++ &forwarders); ++ ++ if (ISFORWARDER(fctx->addrinfo)) { ++ /* ++ * See if the forwarder declaration is better. ++ */ ++ if (result == ISC_R_SUCCESS) { ++ return (!dns_name_equal(fname, fctx->fwdname)); ++ } ++ ++ /* ++ * If the lookup failed, the configuration must have ++ * changed: play it safe and don't cache. ++ */ ++ return (ISC_TRUE); ++ } else if (result == ISC_R_SUCCESS && ++ forwarders->fwdpolicy == dns_fwdpolicy_only && ++ !ISC_LIST_EMPTY(forwarders->fwdrs)) ++ { ++ /* ++ * If 'name' is covered by a 'forward only' clause then we ++ * can't cache this repsonse. ++ */ ++ return (ISC_TRUE); ++ } ++ ++ return (ISC_FALSE); ++} ++ + static isc_result_t + check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type, + dns_section_t section) +@@ -6191,7 +6306,7 @@ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type, + result = dns_message_findname(fctx->rmessage, section, addname, + dns_rdatatype_any, 0, &name, NULL); + if (result == ISC_R_SUCCESS) { +- external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); ++ external = ISC_TF(name_external(name, type, fctx)); + if (type == dns_rdatatype_a) { + for (rdataset = ISC_LIST_HEAD(name->list); + rdataset != NULL; +@@ -7041,6 +7156,13 @@ answer_response(fetchctx_t *fctx) { + break; + + case dns_namereln_subdomain: ++ /* ++ * Don't accept DNAME from parent namespace. ++ */ ++ if (name_external(name, dns_rdatatype_dname, fctx)) { ++ continue; ++ } ++ + /* + * In-scope DNAME records must have at least + * as many labels as the domain being queried. +@@ -7269,11 +7391,9 @@ answer_response(fetchctx_t *fctx) { + */ + result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); + while (!done && result == ISC_R_SUCCESS) { +- isc_boolean_t external; + name = NULL; + dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); +- external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); +- if (!external) { ++ if (!name_external(name, dns_rdatatype_ns, fctx)) { + /* + * We expect to find NS or SIG NS rdatasets, and + * nothing else. +-- +2.38.1 + diff --git a/SOURCES/bind-9.11-CVE-2022-2795.patch b/SOURCES/bind-9.11-CVE-2022-2795.patch new file mode 100644 index 0000000..2ff9042 --- /dev/null +++ b/SOURCES/bind-9.11-CVE-2022-2795.patch @@ -0,0 +1,61 @@ +From 6fd12f9a7886ab534ed89849b828270c6ce48a5e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= +Date: Thu, 8 Sep 2022 11:11:30 +0200 +Subject: [PATCH] Bound the amount of work performed for delegations + +Limit the amount of database lookups that can be triggered in +fctx_getaddresses() (i.e. when determining the name server addresses to +query next) by setting a hard limit on the number of NS RRs processed +for any delegation encountered. Without any limit in place, named can +be forced to perform large amounts of database lookups per each query +received, which severely impacts resolver performance. + +The limit used (20) is an arbitrary value that is considered to be big +enough for any sane DNS delegation. + +(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a) +(cherry picked from commit bf2ea6d8525bfd96a84dad221ba9e004adb710a8) +--- + lib/dns/resolver.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 36f6b6c..7231e25 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -182,6 +182,12 @@ + */ + #define NS_FAIL_LIMIT 4 + #define NS_RR_LIMIT 5 ++/* ++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in ++ * any NS RRset encountered, to avoid excessive resource use while processing ++ * large delegations. ++ */ ++#define NS_PROCESSING_LIMIT 20 + + /* Number of hash buckets for zone counters */ + #ifndef RES_DOMAIN_BUCKETS +@@ -3250,6 +3256,7 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) { + isc_boolean_t need_alternate = ISC_FALSE; + isc_boolean_t all_spilled = ISC_TRUE; + unsigned int no_addresses = 0; ++ unsigned int ns_processed = 0; + + FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); + +@@ -3433,6 +3440,11 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) { + + dns_rdata_reset(&rdata); + dns_rdata_freestruct(&ns); ++ ++ if (++ns_processed >= NS_PROCESSING_LIMIT) { ++ result = ISC_R_NOMORE; ++ break; ++ } + } + if (result != ISC_R_NOMORE) + return (result); +-- +2.38.1 + diff --git a/SPECS/bind.spec b/SPECS/bind.spec index a2f19a5..7105344 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -64,7 +64,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.4 -Release: 26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.10 +Release: 26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.13 Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -185,6 +185,9 @@ Patch197: bind-9.11-rh2011220.patch Patch198: bind-9.11-rh1935152.patch Patch200: bind-9.16-CVE-2022-38177.patch Patch201: bind-9.16-CVE-2022-38178.patch +Patch202: bind-9.11-CVE-2022-2795.patch +Patch203: bind-9.11-CVE-2021-25220-test.patch +Patch204: bind-9.11-CVE-2021-25220.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -562,6 +565,9 @@ are used for building ISC DHCP. %patch198 -p1 -b .rh1935152 %patch200 -p1 -b .CVE-2022-38177 %patch201 -p1 -b .CVE-2022-38178 +%patch202 -p1 -b .CVE-2022-2795 +%patch203 -p1 -b .CVE-2021-25220-test +%patch204 -p1 -b .CVE-2021-25220 # Override upstream builtin keys cp -fp %{SOURCE29} bind.keys @@ -1543,6 +1549,16 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Wed Dec 14 2022 Petr Menšík - 32:9.11.4-26.P2.13 +- Tighten cache protection against record from forwarders (CVE-2021-25220) + +* Wed Dec 14 2022 Petr Menšík - 32:9.11.4-26.P2.12 +- Include test of forwarders (CVE-2021-25220) + +* Thu Sep 29 2022 Petr Menšík - 32:9.11.4-26.P2.11 +- Prevent excessive resource use while processing large delegations. + (CVE-2022-2795) + * Thu Sep 22 2022 Petr Menšík - 32:9.11.4-26.P2.10 - Fix memory leak in ECDSA verify processing (CVE-2022-38177) - Fix memory leak in EdDSA verify processing (CVE-2022-38178)