From: Mark Andrews Date: Wed, 29 Jul 2020 23:36:03 +1000 Subject: [2/3] Add a test for update-policy 'subdomain' Origin: https://gitlab.isc.org/isc-projects/bind9/commit/393e8f643c02215fa4e6d4edf67be7d77085da0e Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-8624 The new test checks that 'update-policy subdomain' is properly enforced. --- bin/tests/system/nsupdate/ns1/named.conf.in | 6 ++++++ bin/tests/system/nsupdate/tests.sh | 25 +++++++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in index 1d999ad..87904f4 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in @@ -36,6 +36,11 @@ key altkey { secret "1234abcd8765"; }; +key restricted.example.nil { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + include "ddns.key"; zone "example.nil" { @@ -45,6 +50,7 @@ zone "example.nil" { check-mx ignore; update-policy { grant ddns-key.example.nil subdomain example.nil ANY; + grant restricted.example.nil subdomain restricted.example.nil ANY; }; allow-transfer { any; }; }; diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index c72753b..432240e 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh @@ -635,6 +635,31 @@ then echo_i "failed"; status=1 fi +n=`expr $n + 1` +ret=0 +echo_i "check that 'update-policy subdomain' is properly enforced ($n)" +# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil" +# and thus this UPDATE should succeed. +$NSUPDATE -d < nsupdate.out1-$n 2>&1 || ret=1 +server 10.53.0.1 ${PORT} +key restricted.example.nil 1234abcd8765 +update add restricted.example.nil 0 IN TXT everywhere. +send +END +$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1 +grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1 +# "example.nil" does not match "grant ... subdomain restricted.example.nil" and +# thus this UPDATE should fail. +$NSUPDATE -d < nsupdate.out2-$n 2>&1 && ret=1 +server 10.53.0.1 ${PORT} +key restricted.example.nil 1234abcd8765 +update add example.nil 0 IN TXT everywhere. +send +END +$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1 +grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + n=`expr $n + 1` ret=0 echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"