Commit d26f9024 authored by Mark Andrews's avatar Mark Andrews
Browse files

4880. [bug] Named wasn't returning the target of a cross zone

                        CNAME between to served zones when recursion was
                        desired and available (RD=1, RA=1). Don't return
                        the CNAME target otherwise to prevent accidental
                        cache poisoning. [RT #47078]
parent 3ae586b8
4880. [bug] Named wasn't returning the target of a cross zone
CNAME between to served zones when recursion was
desired and available (RD=1, RA=1). Don't return
the CNAME target otherwise to prevent accidental
cache poisoning. [RT #47078]
4879. [bug] dns_rdata_caa:value_len is was small. [RT #47086]
 
4878. [bug] List 'ply' as a requirement for the 'isc' python
......@@ -32,8 +38,8 @@
the ATF tool. [RT #46967]
 
4869. [bug] Address some cases where NULL with zero length could
be passed to memmove which is undefined behaviour and
can lead to bad optimisation. [RT #46888]
be passed to memmove which is undefined behavior and
can lead to bad optimization. [RT #46888]
 
4868. [func] dnssec-keygen can no longer generate HMAC keys.
Use tsig-keygen instead. [RT #46404]
......@@ -109,7 +115,7 @@
as synonyms for "master" and "slave" in named.conf.
[RT #46713]
 
4847. [bug] dnssec-dnskey-kskonly was not being honoured for
4847. [bug] dnssec-dnskey-kskonly was not being honored for
CDS and CDNSKEY. [RT #46755]
 
4846. [test] Adjust timing values in runtime system test. Address
......
rm -f */named.memstats
rm -f */named.run
rm -f dig.out.test*
rm -f ns2/example.com.bk
rm -f ns2/example.net.bk
; Copyright (C) 2018 Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
$TTL 300 ; 5 minutes
@ IN SOA ns root (
2018010100 ; serial
1800 ; refresh (30 minutes)
1800 ; retry (30 minutes)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.1
www CNAME server.example.net.
inzone CNAME a.example.com.
a A 10.53.0.1
; Copyright (C) 2018 Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
$TTL 300 ; 5 minutes
@ IN SOA ns root (
2018010100 ; serial
1800 ; refresh (30 minutes)
1800 ; retry (30 minutes)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.1
server A 10.53.0.100
/*
* Copyright (C) 2018 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
controls { /* empty */ };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
notify yes;
};
zone example.net {
type master;
file "example.net.db";
};
zone example.com {
type master;
file "example.com.db";
};
/*
* Copyright (C) 2018 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion yes;
notify no;
};
zone example.net {
type slave;
masters { 10.53.0.1; };
file "example.net.bk";
};
zone example.com {
type slave;
masters { 10.53.0.1; };
file "example.com.bk";
};
#!/bin/sh
#
# Copyright (C) 2018 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
DIGOPTS="+tcp"
status=0
n=0
n=`expr $n + 1`
echo "I:wait for zones to finish transfering to ns2 ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
ret=0
for zone in example.com example.net
do
$DIG $DIGOPTS -p 5300 @10.53.0.2 soa $zone > dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
done
[ $ret -eq 0 ] && break
sleep 1
done
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
#
# If recursion is unrequested or unavailable, then cross-zone CNAME records
# should not be followed. If both requested and available, they should be.
#
n=`expr $n + 1`
echo "I:check that cross-zone CNAME record does not return target data (rd=0/ra=0) ($n)"
ret=0
$DIG $DIGOPTS +norec -p 5300 @10.53.0.1 www.example.com > dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:check that cross-zone CNAME record does not return target data (rd=1/ra=0) ($n)"
ret=0
$DIG $DIGOPTS +rec -p 5300 @10.53.0.1 www.example.com > dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:check that cross-zone CNAME record does not return target data (rd=0/ra=1) ($n)"
ret=0
$DIG $DIGOPTS +norec -p 5300 @10.53.0.2 www.example.com > dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:check that cross-zone CNAME records returns target data (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS -p 5300 @10.53.0.2 www.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null || ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
#
# In-zone CNAME records should always be followed regardless of RD and RA.
#
n=`expr $n + 1`
echo "I:check that in-zone CNAME records returns target data (rd=0/ra=0) ($n)"
ret=0
$DIG $DIGOPTS +norec -p 5300 @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:check that in-zone CNAME records returns target data (rd=1/ra=0) ($n)"
ret=0
$DIG $DIGOPTS +rec -p 5300 @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:check that in-zone CNAME records returns target data (rd=0/ra=1) ($n)"
ret=0
$DIG $DIGOPTS +norec -p 5300 @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:check that in-zone CNAME records returns target data (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS -p 5300 @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1
......@@ -72,7 +72,7 @@ KRB5_CONFIG=/dev/null
# The "stress" test is not run by default since it creates enough
# load on the machine to make it unusable to other users.
# v6synth
SUBDIRS="acl additional addzone allow_query autosign builtin
SUBDIRS="acl additional addzone allow_query auth autosign builtin
cacheclean case catz cds chain
checkconf @CHECKDS@ checknames checkzone cookie @COVERAGE@
database digdelv dlv dlz dlzexternal
......
......@@ -1012,9 +1012,11 @@ query_validatezonedb(ns_client_t *client, const dns_name_t *name,
* This limits our searching to the zone where the first name
* (the query target) was looked for. This prevents following
* CNAMES or DNAMES into other zones and prevents returning
* additional data from other zones.
* additional data from other zones. This does not apply if we're
* answering a query where recursion is requested and allowed.
*/
if (client->query.rpz_st == NULL &&
!(WANTRECURSION(client) && RECURSIONOK(client)) &&
client->query.authdbset && db != client->query.authdb)
{
return (DNS_R_REFUSED);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment