GitLab

[CVE-2021-25220] Add tests for forwarder cache poisoning scenarios [v9_11]

See merge request !6108

Mark Andrews authored Jan 18, 2022 and Petr Špaček committed Apr 08, 2022

- Check that an NS in an authority section returned from a forwarder
  which is above the name in a configured "forward first" or "forward
  only" zone (i.e., net/NS in a response from a forwarder configured for
  local.net) is not cached.
- Test that a DNAME for a parent domain will not be cached when sent
  in a response from a forwarder configured to answer for a child.
- Check that glue is rejected if its name falls below that of zone
  configured locally.
- Check that an extra out-of-bailiwick data in the answer section is
  not cached (this was already working correctly, but was not explicitly
  tested before).

- v9_11 backport: Revert primary/secondary to master/slave,
  backport rndc helper, backport ns8 config.

(cherry picked from commit bf3fffff)

Save parsed tsan files with .txt extension

See merge request !6022

When the parse tsan files have text extension they can be viewed
directly in the GitLab web UI without downloading them locally.

(cherry picked from commit 80582073)

Merge 9.11.37 release branch

See merge request !5992

Prepare documentation for BIND 9.11.37

See merge request isc-private/bind9!394

[CVE-2021-25220] [v9_11] prevent cache poisoning from forwarder responses

See merge request isc-private/bind9!381

Petr Špaček authored Mar 03, 2022 and Michał Kępień committed Mar 03, 2022

Compound literals are not used in BIND 9.11, in order to ensure backward
compatibility with ancient compilers.  Rework the relevant parts of the
BIND 9.11 backport of the CVE-2021-25220 fix so that compound literals
are not used.

Mark Andrews authored Feb 02, 2022 and Michał Kępień committed Mar 03, 2022

When caching glue, we need to ensure that there is no closer
source of truth for the name. If the owner name for the glue
record would be answered by a locally configured zone, do not
cache.

Mark Andrews authored Mar 01, 2022 and Michał Kępień committed Mar 03, 2022

When caching additional and glue data *not* from a forwarder, we must
check that there is no "forward only" clause covering the owner name
that would take precedence.  Such names would normally be allowed by
baliwick rules, but a "forward only" zone introduces a new baliwick
scope.

Mark Andrews authored Jan 21, 2022 and Michał Kępień committed Mar 03, 2022

If we are using a fowarder, in addition to checking that names to
be cached are subdomains of the forwarded namespace, we must also
check that there are no subsidiary forwarded namespaces which would
take precedence. To be safe, we don't cache any responses if the
forwarding configuration has changed since the query was sent.

Mark Andrews authored Mar 01, 2022 and Michał Kępień committed Mar 03, 2022

When using a forwarder, check that the owner name of response
records are within the bailiwick of the forwarded name space.

[v9_11] Run spatch jobs in parallel

See merge request !5834

Also make the script more verbose to identify which patch is being
processed and check for failures in spatch standard error output.

(cherry picked from commit 48c44fe6)

[v9_11] Update Coverity Scan CI job to 2021.12.1

See merge request !5831

(cherry picked from commit f0edf07f)

[v9_11] Update copyrights to 2022

See merge request !5683

(cherry picked from commit befd654e)

[v9_11] Make bullseye the base image

See merge request !5671

This prevents resolver timeouts for the reference (BIND 9.11) servers
used in respdiff tests run on Debian 11 "bullseye".

--with-randomdev=/dev/urandom is part of the "configure" template.

(cherry picked from commit 4d7e3438)

"buster" jobs are now only going to be run in scheduled pipelines.

"--without-gssapi" ./configure option of "bullseye" before it became the
base image is dropped from "bullseye"-the-base-image because it reduces
gcov coverage by 0.38 % (651 lines) and is used in Debian 9 "stretch".

"--enable-openssl-hash" is on purpose not being tested because it fails
linking when either of --with-ecdsa, --with-gost, --with-eddsa, or
--with-aes is used as well because it can't find f.e. HMAC_CTX_new() as
"-lcrypto" is missing:

    /usr/bin/ld: ../../lib/isc/libisc.a(hmacmd5.o): in function `isc_hmacmd5_init':
    /root/bind9/lib/isc/hmacmd5.c:49: undefined reference to `HMAC_CTX_new'
    /usr/bin/ld: /root/bind9/lib/isc/hmacmd5.c:51: undefined reference to `EVP_md5'
    /usr/bin/ld: /root/bind9/lib/isc/hmacmd5.c:51: undefined reference to `HMAC_Init_ex'

BIND 9.11 is in security-fixes-only-mode and configure.ac code should
not be fixed to include "-lcrypto" in this corner case; better eliminate
a pairwise hint.

(cherry picked from commit 910d595f)

[v9_11] Execute respdiff jobs out-of-order

See merge request !5667

Commit 9aa1c580 dropped dependency of "respdiff" and
"respdiff-third-party" jobs on "tarball-create" job because these jobs
don't need to depend on in (e.g., for its artifacts). This, however,
caused that respdiff jobs weren't started out-of-order and artifacts
from all the "Build" stage jobs plus "unit:gcc:buster:amd64" job were
downloaded to project directory and caused problems with compilation:

Originally, the dependency on "tarball-create" has been added in
45d59c50 to indicate that respdiff "is meant to operate on two different
BIND versions". It seems that the intent didn't work out, and we better
make it obvious that respdiff jobs don't depend on any other job and
should be run out-of-order.

(cherry picked from commit 87578efc)

[v9_11] Add respdiff job with third-party recursors

See merge request !5663

The order of directories with reference and test BIND 9 are now reversed
for respdiff.sh.

The data.mdb file has more than 10 GB and makes artifact download take
an unnecessarily long time.

(cherry picked from commit 2ececf2c)

Suppress OpenSSL 3.0 deprecated declarations warning

See merge request !5550

Alpine Linux image has OpenSSL 3.0.0 from the "edge" repository to test
OpenSSL 3.0.0 support in the BIND 9 "main" branch. However, this breaks
compilation of branches without OpenSSL 3.0.0 support and therefore
OpenSSL deprecated declarations need to be suppressed with
-DOPENSSL_SUPPRESS_DEPRECATED.

[v9_11] Add FreeBSD 12.3

See merge request !5660

(cherry picked from commit a4d8571f)

[v9_11] Add Fedora 35

See merge request !5658

(cherry picked from commit 668be429)

[v9_11] Drop FreeBSD 11

See merge request !5655

Support for FreeBSD 11.4, the last FreeBSD 11.x release, ended on
September 30, 2021.

Link: https://www.freebsd.org/security/unsupported/

Also drop $WITH_READLINE_LIBEDIT from clang:freebsd13:amd64, it should
not have been added in the first place.

(cherry picked from commit 981579f3)

[v9_11] Add Alpine Linux 3.15

See merge request !5652

(cherry picked from commit d43127a3)