Commit 85143202 authored by Evan Hunt

Merge branch 'security-dlz-axfr-deny-broken' into security-master

Denying AXFR requests was not effective for writable DLZ zones

See merge request isc-private/bind9!57
parents 5e7f1a8d 821f917d
...@@ -87,7 +87,9 @@ ...@@ -87,7 +87,9 @@
and "nsdname-enable" both now default to yes, and "nsdname-enable" both now default to yes,
regardless of compile-time settings. [GL #824] regardless of compile-time settings. [GL #824]
   
5141. [placeholder] 5141. [security] Zone transfer controls for writable DLZ zones were
not effective as the allowzonexfr method was not being
called for such zones. (CVE-2019-6465) [GL #790]
   
5140. [bug] Don't immediately mark existing keys as inactive and 5140. [bug] Don't immediately mark existing keys as inactive and
deleted when running dnssec-keymgr for the first deleted when running dnssec-keymgr for the first
...@@ -536,10 +536,22 @@ dlz_lookup(const char *zone, const char *name, void *dbdata, ...@@ -536,10 +536,22 @@ dlz_lookup(const char *zone, const char *name, void *dbdata,
*/ */
isc_result_t isc_result_t
dlz_allowzonexfr(void *dbdata, const char *name, const char *client) { dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
UNUSED(client); isc_result_t result;
result = dlz_findzonedb(dbdata, name, NULL, NULL);
if (result != ISC_R_SUCCESS) {
return (result);
}
/* Just say yes for all our zones */ /*
return (dlz_findzonedb(dbdata, name, NULL, NULL)); * Exception for 10.53.0.5 so we can test that allow-transfer
* is effective.
*/
if (strcmp(client, "10.53.0.5") == 0) {
return (ISC_R_NOPERM);
}
return (ISC_R_SUCCESS);
} }
/* /*
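Review bot: `client` is now dereferenced by `strcmp()` on the new side of this hunk, whereas the old code explicitly marked it `UNUSED`; if the DLZ API can ever hand this callback a NULL client string, `strcmp` on it is undefined behaviour, so a guard is cheap: `if (client != NULL && strcmp(client, "10.53.0.5") == 0) {`. The hard-coded 10.53.0.5 exception reads as test-harness plumbing, and the inline comment says as much, but the block comment that ends at the ` */` at the top of the hunk (its start is outside the hunk) presumably still describes the old "say yes for all our zones" contract and should mention the per-client denial. dlz_allowzonexfr itself is complete within the hunk; only its leading comment is not.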
...@@ -108,15 +108,23 @@ test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 ...@@ -108,15 +108,23 @@ test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
status=`expr $status + $ret` status=`expr $status + $ret`
newtest "testing AXFR from DLZ drivers" newtest "testing AXFR from DLZ drivers"
$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.ns1.test$n $DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n
lines=`cat dig.out.ns1.test$n | wc -l` lines=`cat dig.out.example.ns1.test$n | wc -l`
[ ${lines:-0} -eq 4 ] || ret=1 [ ${lines:-0} -eq 4 ] || ret=1
$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.ns1.test$n $DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
lines=`cat dig.out.ns1.test$n | wc -l` lines=`cat dig.out.alternate.ns1.test$n | wc -l`
[ ${lines:-0} -eq 5 ] || ret=1 [ ${lines:-0} -eq 5 ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed" [ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret` status=`expr $status + $ret`
newtest "testing AXFR denied from DLZ drivers"
$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n
grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
newtest "testing unsearched/unregistered DLZ zone is not found" newtest "testing unsearched/unregistered DLZ zone is not found"
$DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n $DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n
grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1 grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1
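Review bot: The new "testing AXFR denied" block only checks that dig printed `; Transfer failed`, which dig could also emit after a transfer that started and then aborted, so it does not by itself prove that no zone data reached 10.53.0.5; adding `grep -v '^;' dig.out.example.ns1.test$n | grep -q . && ret=1` (and the same for dig.out.alternate.ns1.test$n) pins the stronger property that the answer section is empty. The `-b 10.53.0.5` source address relies on that alias being configured by the test harness, which is not visible in this hunk. As a style point, the renamed `cat dig.out.example.ns1.test$n | wc -l` pipelines could be `wc -l < dig.out.example.ns1.test$n`.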
...@@ -157,6 +157,14 @@ ...@@ -157,6 +157,14 @@
[GL #772] [GL #772]
</para> </para>
</listitem> </listitem>
<listitem>
<para>
Zone transfer controls for writable DLZ zones were not
effective as the <command>allowzonexfr</command> method was
not being called for such zones. This flaw is disclosed in
CVE-2019-6465. [GL #790]
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
...@@ -817,12 +817,12 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { ...@@ -817,12 +817,12 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
result = dns_zt_find(client->view->zonetable, question_name, 0, NULL, result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
&zone); &zone);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) {
/* /*
* Normal zone table does not have a match. * The normal zone table does not have a match, or this is
* Try the DLZ database * marked in the zone table as a DLZ zone. Check the DLZ
* databases for a match.
*/ */
// Temporary: only searching the first DLZ database
if (! ISC_LIST_EMPTY(client->view->dlz_searched)) { if (! ISC_LIST_EMPTY(client->view->dlz_searched)) {
result = dns_dlzallowzonexfr(client->view, result = dns_dlzallowzonexfr(client->view,
question_name, question_name,
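Review bot: With the widened condition a zone that dns_zt_find did return (one typed dns_zone_dlz) now enters the DLZ branch with `zone` still attached, whereas before only a failed lookup (or a partial match) reached it; please confirm that the code after the hunk and the function's cleanup path detach a non-NULL `zone` on this route, since ns_xfr_start continues outside the hunk on both sides and the detach is not visible here. The new comment says what the branch does but not why a zone-table entry can be a DLZ zone, which is the heart of the fix; a sentence such as `* A writable DLZ zone is present in the zone table, so dns_zt_find succeeds for it, but its transfer policy is decided by the DLZ driver's allowzonexfr callback, which must still be consulted (CVE-2019-6465).` would tell the next reader why the old check was bypassable. Evaluation order is fine as written: `dns_zone_gettype(zone)` is only reached when the lookup succeeded.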