diff options
Diffstat (limited to 'debian/patches/0025-Add-a-test-for-update-policy-subdomain.patch')
-rw-r--r-- | debian/patches/0025-Add-a-test-for-update-policy-subdomain.patch | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/debian/patches/0025-Add-a-test-for-update-policy-subdomain.patch b/debian/patches/0025-Add-a-test-for-update-policy-subdomain.patch new file mode 100644 index 0000000..adcc70d --- /dev/null +++ b/debian/patches/0025-Add-a-test-for-update-policy-subdomain.patch @@ -0,0 +1,73 @@ +From: Mark Andrews <marka@isc.org> +Date: Wed, 29 Jul 2020 23:36:03 +1000 +Subject: [2/3] Add a test for update-policy 'subdomain' + +Origin: https://gitlab.isc.org/isc-projects/bind9/commit/393e8f643c02215fa4e6d4edf67be7d77085da0e +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-8624 + +The new test checks that 'update-policy subdomain' is properly enforced. +--- + bin/tests/system/nsupdate/ns1/named.conf.in | 6 ++++++ + bin/tests/system/nsupdate/tests.sh | 25 +++++++++++++++++++++++++ + 2 files changed, 31 insertions(+) + +diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in +index 1d999ad..87904f4 100644 +--- a/bin/tests/system/nsupdate/ns1/named.conf.in ++++ b/bin/tests/system/nsupdate/ns1/named.conf.in +@@ -36,6 +36,11 @@ key altkey { + secret "1234abcd8765"; + }; + ++key restricted.example.nil { ++ algorithm hmac-md5; ++ secret "1234abcd8765"; ++}; ++ + include "ddns.key"; + + zone "example.nil" { +@@ -45,6 +50,7 @@ zone "example.nil" { + check-mx ignore; + update-policy { + grant ddns-key.example.nil subdomain example.nil ANY; ++ grant restricted.example.nil subdomain restricted.example.nil ANY; + }; + allow-transfer { any; }; + }; +diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh +index c72753b..432240e 100755 +--- a/bin/tests/system/nsupdate/tests.sh ++++ b/bin/tests/system/nsupdate/tests.sh +@@ -635,6 +635,31 @@ then + echo_i "failed"; status=1 + fi + ++n=`expr $n + 1` ++ret=0 ++echo_i "check that 'update-policy subdomain' is properly enforced ($n)" ++# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil" ++# and thus this UPDATE should succeed. ++$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1 ++server 10.53.0.1 ${PORT} ++key restricted.example.nil 1234abcd8765 ++update add restricted.example.nil 0 IN TXT everywhere. ++send ++END ++$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1 ++grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1 ++# "example.nil" does not match "grant ... subdomain restricted.example.nil" and ++# thus this UPDATE should fail. ++$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1 ++server 10.53.0.1 ${PORT} ++key restricted.example.nil 1234abcd8765 ++update add example.nil 0 IN TXT everywhere. ++send ++END ++$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1 ++grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1 ++[ $ret = 0 ] || { echo_i "failed"; status=1; } ++ + n=`expr $n + 1` + ret=0 + echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)" |