Commit 76db58eb authored by Evan Hunt

3100. [security] Certain response policy zone configurations could

			trigger an INSIST when receiving a query of type
			RRSIG. [RT #24280]
parent 76c2a4e3
3100. [security] Certain response policy zone configurations could
trigger an INSIST when receiving a query of type
RRSIG. [RT #24280]
3099. [test] "dlz" system test now runs but gives R:SKIPPED if
not compiled with --with-dlz-filesystem. [RT #24146]
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.c,v 1.361 2011/04/19 22:30:52 each Exp $ */
/* $Id: query.c,v 1.362 2011/04/27 17:46:46 each Exp $ */
/*! \file */
......@@ -4079,9 +4079,15 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
if (dns_rdataset_isassociated(*rdatasetp))
dns_rdataset_disassociate(*rdatasetp);
dns_db_detachnode(*dbp, nodep);
result = dns_db_find(*dbp, qnamef, version, qtype, 0,
client->now, nodep, found,
*rdatasetp, NULL);
if (qtype == dns_rdatatype_rrsig ||
qtype == dns_rdatatype_sig)
result = DNS_R_NXRRSET;
else
result = dns_db_find(*dbp, qnamef, version,
qtype, 0, client->now,
nodep, found, *rdatasetp,
NULL);
}
}
switch (result) {
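Review bot: The new RRSIG/SIG short-circuit in rpz_find has no comment saying why dns_db_find() is skipped for those two types, so the next reader sees an arbitrary special case and may fold it back into the general lookup; suggest placing `/* Looking up RRSIG or SIG as the qtype here can trigger an INSIST (RT #24280); treat the RRset as absent instead. */` above the new `if`. Note that this path runs after `*rdatasetp` has been disassociated and `*nodep` detached on the preceding lines, and it leaves `found` untouched, so the DNS_R_NXRRSET case of the `switch (result)` that begins on the last line of the hunk should be checked for not relying on either; that switch body is outside the hunk. rpz_find itself begins and ends outside the hunk.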
......@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: base.db,v 1.3 2011/01/13 04:59:25 tbox Exp $
; $Id: base.db,v 1.4 2011/04/27 17:46:47 each Exp $
; RPZ test
......@@ -29,3 +29,7 @@ $TTL 120
128.zz.3333.4444.0.7777.8888.rpz-ip CNAME .
128.zz.3333.4444.0.8777.8888.rpz-ip CNAME .
127.zz.3333.4444.0.8777.8888.rpz-ip CNAME .
; for testing rrset replacement
redirect IN A 127.0.0.1
*.redirect IN A 127.0.0.1
......@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.3 2011/01/13 04:59:24 tbox Exp $
# $Id: tests.sh,v 1.4 2011/04/27 17:46:47 each Exp $
# test response policy zones (RPZ)
......@@ -215,6 +215,38 @@ if grep CNAME $DIGNM >/dev/null; then : ; else
fi
end_test
ret=0
echo "I:checking RRSIG queries"
# We don't actually care about the query results; the important
# thing is the server handles RRSIG queries okay
$DIGCMD a3-1.tld2 -trrsig @$s3 > /dev/null 2>&1
$DIGCMD a3-2.tld2 -trrsig @$s3 > /dev/null 2>&1
$DIGCMD a3-5.tld2 -trrsig @$s3 > /dev/null 2>&1
$DIGCMD www.redirect -trrsig @$s3 > /dev/null 2>&1
$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then
echo "I:failed";
(cd ..; $PERL start.pl --noclean --restart rpz ns3)
fi
status=`expr $status + $ret`
ret=0
echo "I:checking SIG queries"
# We don't actually care about the query results; the important
# thing is the server handles SIG queries okay
$DIGCMD a3-1.tld2 -tsig @$s3 > /dev/null 2>&1
$DIGCMD a3-2.tld2 -tsig @$s3 > /dev/null 2>&1
$DIGCMD a3-5.tld2 -tsig @$s3 > /dev/null 2>&1
$DIGCMD www.redirect -tsig @$s3 > /dev/null 2>&1
$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then
echo "I:failed";
(cd ..; $PERL start.pl --noclean --restart rpz ns3)
fi
status=`expr $status + $ret`
if test "$status" -eq 0; then
rm -f dig.out*
fi
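Review bot: The RRSIG block and the SIG block are the same fourteen lines with only the type name changed, and the check each makes — whether `rndc status` still answers after the queries — is identical, so a loop over the two types keeps them in step when a query name is added or the check changes (rewrite below). Separately, the restart `(cd ..; $PERL start.pl --noclean --restart rpz ns3)` is best-effort: its exit status is not examined, so if ns3 does not come back the following tests fail with less obvious messages; consider appending `|| echo "I:restart of ns3 failed"`. The `echo "I:failed";` lines also carry a stray trailing semicolon. The surrounding script continues outside the hunk.
```shell
for qt in RRSIG SIG; do
    ret=0
    echo "I:checking $qt queries"
    # We don't actually care about the query results; the important
    # thing is the server handles $qt queries okay
    for qname in a3-1.tld2 a3-2.tld2 a3-5.tld2 www.redirect; do
        $DIGCMD $qname -t$qt @$s3 > /dev/null 2>&1
    done
    $RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
    if [ $ret != 0 ]; then
        echo "I:failed"
        (cd ..; $PERL start.pl --noclean --restart rpz ns3) || echo "I:restart of ns3 failed"
    fi
    status=`expr $status + $ret`
done
# … unchanged: final status check and dig.out cleanup …
```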
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: start.pl,v 1.19 2011/03/05 23:52:29 tbox Exp $
# $Id: start.pl,v 1.20 2011/04/27 17:46:47 each Exp $
# Framework for starting test servers.
# Based on the type of server specified, check for port availability, remove
......@@ -36,9 +36,10 @@ use Getopt::Long;
# NOTE: options must be specified with '-- "<option list>"',
# for instance: start.pl . ns1 -- "-c n.conf -d 43"
my $usage = "usage: $0 [--noclean] test-directory [server-directory [server-options]]";
my $noclean;
GetOptions('noclean' => \$noclean);
my $usage = "usage: $0 [--noclean] [--restart] test-directory [server-directory [server-options]]";
my $noclean = '';
my $restart = '';
GetOptions('noclean' => \$noclean, 'restart' => \$restart);
my $test = $ARGV[0];
my $server = $ARGV[1];
my $options = $ARGV[2];
......@@ -139,7 +140,11 @@ sub start_server {
if (-e "$testdir/$server/named.noaa");
$command .= "-c named.conf -d 99 -g";
}
$command .= " >named.run 2>&1 &";
if ($restart) {
$command .= " >>named.run 2>&1 &";
} else {
$command .= " >named.run 2>&1 &";
}
$pid_file = "named.pid";
} elsif ($server =~ /^lwresd/) {
$cleanup_files = "{lwresd.run}";
......@@ -152,7 +157,11 @@ sub start_server {
$command .= "-C resolv.conf -d 99 -g ";
$command .= "-i lwresd.pid -P 9210 -p 5300";
}
$command .= " >lwresd.run 2>&1 &";
if ($restart) {
$command .= " >>lwresd.run 2>&1 &";
} else {
$command .= " >lwresd.run 2>&1 &";
}
$pid_file = "lwresd.pid";
} elsif ($server =~ /^ans/) {
$cleanup_files = "{ans.run}";
......@@ -166,7 +175,11 @@ sub start_server {
} else {
$command .= "";
}
$command .= " >ans.run 2>&1 &";
if ($restart) {
$command .= " >>ans.run 2>&1 &";
} else {
$command .= " >ans.run 2>&1 &";
}
$pid_file = "ans.pid";
} else {
print "I:Unknown server type $server\n";
......@@ -206,8 +219,8 @@ sub verify_server {
while (1) {
my $return = system("$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p 5300 version.bind. chaos txt \@10.53.0.$n > dig.out");
last if ($return == 0);
print `grep ";" dig.out`;
if (++$tries >= 30) {
print `grep ";" dig.out > /dev/null`;
print "I:no response from $server\n";
print "R:FAIL\n";
system("$PERL $topdir/stop.pl $testdir");
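Review bot: In verify_server the changed line (the `print` of the backtick-captured `grep ";" dig.out > /dev/null`) now prints an empty string: the backticks capture grep's stdout, which the redirect sends to /dev/null, so the statement has no visible effect and the grep runs for nothing; delete the line, or keep the original `print` if the matched dig.out lines were wanted as a diagnostic on each retry. In start_server the same four-line `if ($restart)` block is repeated for named, lwresd and ans; computing the redirection once, `my $redirect = $restart ? '>>' : '>';`, and writing `$command .= " ${redirect}named.run 2>&1 &";` at each site keeps the three in step. The new `--restart` option changes only whether the run log is appended to rather than truncated; it appears not to suppress cleanup of the `*.run` files by itself (the `$cleanup_files` assignments are visible in the hunks, the cleanup is not), so a comment beside `my $restart = '';` saying it is meant to be combined with `--noclean`, as tests.sh does, would help. Both subs start and end outside the hunks.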