Commit 5b1c236c authored by JINMEI Tatuya's avatar JINMEI Tatuya
Browse files

[1938] reject 'notauth' notifies immediately from b10-auth.

parent db06972d
......@@ -769,8 +769,21 @@ AuthSrvImpl::processNotify(const IOMessage& io_message, Message& message,
// on, but we don't check these conditions. This behavior is compatible
// with BIND 9.
// TODO check with the conf-mgr whether current server is the auth of the
// zone
// See if we have the specified zone in our data sources; if not return
// NOTAUTH, following BIND 9 (this is not specified in RFC 1996).
bool is_auth = false;
{
auth::DataSrcClientsMgr::Holder datasrc_holder(datasrc_clients_mgr_);
const shared_ptr<datasrc::ClientList> dsrc_clients =
datasrc_holder.findClientList(question->getClass());
is_auth = dsrc_clients &&
dsrc_clients->find(question->getName(), true, false).exact_match_;
}
if (!is_auth) {
makeErrorMessage(renderer_, message, buffer, Rcode::NOTAUTH(),
stats_attrs, tsig_context);
return (true);
}
// In the code that follows, we simply ignore the notify if any internal
// error happens rather than returning (e.g.) SERVFAIL. RFC 1996 is
......
......@@ -947,6 +947,53 @@ TEST_F(AuthSrvTest, notifyWithSessionMessageError) {
&dnsserv);
EXPECT_FALSE(dnsserv.hasAnswer());
}
TEST_F(AuthSrvTest, notifyNotAuth) {
// If the server doesn't have authority of the specified zone in NOTIFY,
// it will return NOTAUTH
updateInMemory(server, "example.", CONFIG_INMEMORY_EXAMPLE, false);
UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(),
default_qid, Name("example.com"),
RRClass::IN(), RRType::SOA());
request_message.setHeaderFlag(Message::HEADERFLAG_AA);
createRequestPacket(request_message, IPPROTO_UDP);
server.processMessage(*io_message, *parse_message, *response_obuffer,
&dnsserv);
EXPECT_TRUE(dnsserv.hasAnswer());
headerCheck(*parse_message, default_qid, Rcode::NOTAUTH(),
Opcode::NOTIFY().getCode(), QR_FLAG /* no AA */, 1, 0, 0, 0);
}
TEST_F(AuthSrvTest, notifyNotAuthSubDomain) {
// Similar to the previous case, but checking partial match doesn't confuse
// the processing.
updateInMemory(server, "example.", CONFIG_INMEMORY_EXAMPLE, false);
UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(),
default_qid, Name("child.example"),
RRClass::IN(), RRType::SOA());
createRequestPacket(request_message, IPPROTO_UDP);
server.processMessage(*io_message, *parse_message, *response_obuffer,
&dnsserv);
headerCheck(*parse_message, default_qid, Rcode::NOTAUTH(),
Opcode::NOTIFY().getCode(), QR_FLAG, 1, 0, 0, 0);
}
TEST_F(AuthSrvTest, notifyNotAuthNoClass) {
// Likewise, and there's not even a data source in the specified class.
updateInMemory(server, "example.", CONFIG_INMEMORY_EXAMPLE, false);
UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(),
default_qid, Name("example"),
RRClass::CH(), RRType::SOA());
createRequestPacket(request_message, IPPROTO_UDP);
server.processMessage(*io_message, *parse_message, *response_obuffer,
&dnsserv);
headerCheck(*parse_message, default_qid, Rcode::NOTAUTH(),
Opcode::NOTIFY().getCode(), QR_FLAG, 1, 0, 0, 0);
}
// Try giving the server a TSIG signed request and see it can anwer signed as
// well
#ifdef USE_STATIC_LINK
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment