-rw-r--r-- | debian/patches/0025-Add-a-test-for-update-policy-subdomain.patch | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/debian/patches/0025-Add-a-test-for-update-policy-subdomain.patch b/debian/patches/0025-Add-a-test-for-update-policy-subdomain.patch
new file mode 100644
index 0000000..adcc70d
--- /dev/null
+++ b/debian/patches/0025-Add-a-test-for-update-policy-subdomain.patch
@@ -0,0 +1,73 @@
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 29 Jul 2020 23:36:03 +1000
+Subject: [2/3] Add a test for update-policy 'subdomain'
+
+Origin: https://gitlab.isc.org/isc-projects/bind9/commit/393e8f643c02215fa4e6d4edf67be7d77085da0e
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-8624
+
+The new test checks that 'update-policy subdomain' is properly enforced.
+---
+ bin/tests/system/nsupdate/ns1/named.conf.in | 6 ++++++
+ bin/tests/system/nsupdate/tests.sh | 25 +++++++++++++++++++++++++
+ 2 files changed, 31 insertions(+)
+
+diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
+index 1d999ad..87904f4 100644
+--- a/bin/tests/system/nsupdate/ns1/named.conf.in
++++ b/bin/tests/system/nsupdate/ns1/named.conf.in
+@@ -36,6 +36,11 @@ key altkey {
+ secret "1234abcd8765";
+ };
+
++key restricted.example.nil {
++ algorithm hmac-md5;
++ secret "1234abcd8765";
++};
++
+ include "ddns.key";
+
+ zone "example.nil" {
+@@ -45,6 +50,7 @@ zone "example.nil" {
+ check-mx ignore;
+ update-policy {
+ grant ddns-key.example.nil subdomain example.nil ANY;
++ grant restricted.example.nil subdomain restricted.example.nil ANY;
+ };
+ allow-transfer { any; };
+ };
+diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
+index c72753b..432240e 100755
+--- a/bin/tests/system/nsupdate/tests.sh
++++ b/bin/tests/system/nsupdate/tests.sh
+@@ -635,6 +635,31 @@ then
+ echo_i "failed"; status=1
+ fi
+
++n=`expr $n + 1`
++ret=0
++echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
++# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil"
++# and thus this UPDATE should succeed.
++$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
++server 10.53.0.1 ${PORT}
++key restricted.example.nil 1234abcd8765
++update add restricted.example.nil 0 IN TXT everywhere.
++send
++END
++$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1
++grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1
++# "example.nil" does not match "grant ... subdomain restricted.example.nil" and
++# thus this UPDATE should fail.
++$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
++server 10.53.0.1 ${PORT}
++key restricted.example.nil 1234abcd8765
++update add example.nil 0 IN TXT everywhere.
++send
++END
++$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1
++grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1
++[ $ret = 0 ] || { echo_i "failed"; status=1; }
++
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)" |
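Review bot: The negative case in the tests.sh hunk treats any non-zero exit from `$NSUPDATE` as proof that the policy was enforced, so a rejection for an unrelated reason (for example a TSIG failure rather than a policy REFUSED) would also make the test pass, and the following dig check only confirms the record is absent, not why the update was rejected. Since the `-d` output is already captured in `nsupdate.out2-$n`, the check could be tightened to the expected response code, e.g. `grep "status: REFUSED" nsupdate.out2-$n > /dev/null || ret=1` — assuming the debug dump includes the reply header, which the captured file would confirm. The negative case also probes only the zone apex `example.nil`; a sibling name outside the granted subtree, such as `other.example.nil`, would cover the other side of the 'subdomain' boundary that the CVE-2020-8624 fix restricts. The named.conf.in hunks are consistent with the existing `altkey` fixture and raise nothing further.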