blob: adcc70d666d9cdfc94b4f3c67e1b26e59638cdba (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
|
From: Mark Andrews <marka@isc.org>
Date: Wed, 29 Jul 2020 23:36:03 +1000
Subject: [2/3] Add a test for update-policy 'subdomain'
Origin: https://gitlab.isc.org/isc-projects/bind9/commit/393e8f643c02215fa4e6d4edf67be7d77085da0e
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-8624
The new test checks that 'update-policy subdomain' is properly enforced.
---
bin/tests/system/nsupdate/ns1/named.conf.in | 6 ++++++
bin/tests/system/nsupdate/tests.sh | 25 +++++++++++++++++++++++++
2 files changed, 31 insertions(+)
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
index 1d999ad..87904f4 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -36,6 +36,11 @@ key altkey {
secret "1234abcd8765";
};
+key restricted.example.nil {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
include "ddns.key";
zone "example.nil" {
@@ -45,6 +50,7 @@ zone "example.nil" {
check-mx ignore;
update-policy {
grant ddns-key.example.nil subdomain example.nil ANY;
+ grant restricted.example.nil subdomain restricted.example.nil ANY;
};
allow-transfer { any; };
};
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index c72753b..432240e 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -635,6 +635,31 @@ then
echo_i "failed"; status=1
fi
+n=`expr $n + 1`
+ret=0
+echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
+# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil"
+# and thus this UPDATE should succeed.
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+key restricted.example.nil 1234abcd8765
+update add restricted.example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1
+grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1
+# "example.nil" does not match "grant ... subdomain restricted.example.nil" and
+# thus this UPDATE should fail.
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
+server 10.53.0.1 ${PORT}
+key restricted.example.nil 1234abcd8765
+update add example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
n=`expr $n + 1`
ret=0
echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
|
