From 26344a74eafc60cdecce7c4d5c888cf0746a4fab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 4 Jul 2024 12:09:21 +0200 Subject: [PATCH] Update to 9.16.50 Use more recent isc-keyblock.asc as PGP key store. Remove upstream patches that are already contained in rebased version. Resolves: RHEL-6454 --- .gitignore | 2 + bind-9.11-feature-test-named.patch | 16 +- bind-9.11-fips-tests.patch | 765 +++------ bind-9.11-tests-variants.patch | 65 - bind-9.16-CVE-2021-25220-test.patch | 1144 -------------- bind-9.16-CVE-2021-25220.patch | 251 --- bind-9.16-CVE-2022-0396.patch | 81 - bind-9.16-CVE-2022-2795.patch | 60 - bind-9.16-CVE-2022-3080.patch | 116 -- bind-9.16-CVE-2022-3094-1.patch | 240 --- bind-9.16-CVE-2022-3094-2.patch | 266 ---- bind-9.16-CVE-2022-3094-3.patch | 470 ------ bind-9.16-CVE-2022-3094-test.patch | 272 ---- bind-9.16-CVE-2022-3736.patch | 53 - bind-9.16-CVE-2022-38177.patch | 27 - bind-9.16-CVE-2022-38178.patch | 32 - bind-9.16-CVE-2022-3924.patch | 128 -- bind-9.16-CVE-2023-2911-1.patch | 37 - bind-9.16-CVE-2023-2911-2.patch | 72 - bind-9.16-CVE-2023-2911-3.patch | 60 - bind-9.16-CVE-2023-3341.patch | 168 -- bind-9.16-CVE-2023-4408-test1.patch | 88 -- bind-9.16-CVE-2023-4408-test2.patch | 75 - bind-9.16-CVE-2023-4408.patch | 1735 --------------------- bind-9.16-CVE-2023-50387.patch | 478 ------ bind-9.16-CVE-2023-5517.patch | 111 -- bind-9.16-CVE-2023-5679.patch | 37 - bind-9.16-CVE-2023-6516-test.patch | 52 - bind-9.16-CVE-2023-6516.patch | 283 ---- bind-9.16-isc-mempool-attach.patch | 40 - bind-9.16-isc_hp-CVE-2023-50387.patch | 66 - bind-9.16-isc_hp-additional.patch | 34 - bind-9.16-rh2101712.patch | 216 --- bind-9.16-rh2133889.patch | 31 - bind-9.16-update-b.root-servers.net.patch | 53 - bind.spec | 64 +- codesign2021.txt | 534 ------- isc-keyblock.asc | 175 +++ sources | 4 +- 39 files changed, 446 insertions(+), 7955 deletions(-) delete mode 100644 bind-9.11-tests-variants.patch delete mode 100644 bind-9.16-CVE-2021-25220-test.patch delete mode 100644 bind-9.16-CVE-2021-25220.patch delete mode 100644 bind-9.16-CVE-2022-0396.patch delete mode 100644 bind-9.16-CVE-2022-2795.patch delete mode 100644 bind-9.16-CVE-2022-3080.patch delete mode 100644 bind-9.16-CVE-2022-3094-1.patch delete mode 100644 bind-9.16-CVE-2022-3094-2.patch delete mode 100644 bind-9.16-CVE-2022-3094-3.patch delete mode 100644 bind-9.16-CVE-2022-3094-test.patch delete mode 100644 bind-9.16-CVE-2022-3736.patch delete mode 100644 bind-9.16-CVE-2022-38177.patch delete mode 100644 bind-9.16-CVE-2022-38178.patch delete mode 100644 bind-9.16-CVE-2022-3924.patch delete mode 100644 bind-9.16-CVE-2023-2911-1.patch delete mode 100644 bind-9.16-CVE-2023-2911-2.patch delete mode 100644 bind-9.16-CVE-2023-2911-3.patch delete mode 100644 bind-9.16-CVE-2023-3341.patch delete mode 100644 bind-9.16-CVE-2023-4408-test1.patch delete mode 100644 bind-9.16-CVE-2023-4408-test2.patch delete mode 100644 bind-9.16-CVE-2023-4408.patch delete mode 100644 bind-9.16-CVE-2023-50387.patch delete mode 100644 bind-9.16-CVE-2023-5517.patch delete mode 100644 bind-9.16-CVE-2023-5679.patch delete mode 100644 bind-9.16-CVE-2023-6516-test.patch delete mode 100644 bind-9.16-CVE-2023-6516.patch delete mode 100644 bind-9.16-isc-mempool-attach.patch delete mode 100644 bind-9.16-isc_hp-CVE-2023-50387.patch delete mode 100644 bind-9.16-isc_hp-additional.patch delete mode 100644 bind-9.16-rh2101712.patch delete mode 100644 bind-9.16-rh2133889.patch delete mode 100644 bind-9.16-update-b.root-servers.net.patch delete mode 100644 codesign2021.txt create mode 100644 isc-keyblock.asc diff --git a/.gitignore b/.gitignore index 1dcf5ec..00b088e 100644 --- a/.gitignore +++ b/.gitignore @@ -154,3 +154,5 @@ bind-9.7.2b1.tar.gz /bind-9.16.20.tar.xz.asc /bind-9.16.23.tar.xz /bind-9.16.23.tar.xz.asc +/bind-9.16.50.tar.xz +/bind-9.16.50.tar.xz.asc diff --git a/bind-9.11-feature-test-named.patch b/bind-9.11-feature-test-named.patch index 3072063..bf15156 100644 --- a/bind-9.11-feature-test-named.patch +++ b/bind-9.11-feature-test-named.patch @@ -57,14 +57,14 @@ index 9a61622143..f69c5be334 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -38,7 +38,7 @@ DELV=$TOP/bin/delv/delv - DIG=$TOP/bin/dig/dig - DNSTAPREAD=$TOP/bin/tools/dnstap-read - DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey --FEATURETEST=$TOP/bin/tests/system/feature-test -+FEATURETEST=$TOP/bin/named/feature-test - FSTRM_CAPTURE=@FSTRM_CAPTURE@ - HOST=$TOP/bin/dig/host - IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey + export DIG=$TOP/bin/dig/dig + export DNSTAPREAD=$TOP/bin/tools/dnstap-read + export DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey +-export FEATURETEST=$TOP/bin/tests/system/feature-test ++export FEATURETEST=$TOP/bin/named/feature-test + export FSTRM_CAPTURE=@FSTRM_CAPTURE@ + export HOST=$TOP/bin/dig/host + export IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey -- 2.45.2 diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch index 51927a4..b59fe04 100644 --- a/bind-9.11-fips-tests.patch +++ b/bind-9.11-fips-tests.patch @@ -1,4 +1,4 @@ -From 3f04cf343dbeb8819197702ce1be737e26e0638a Mon Sep 17 00:00:00 2001 +From 56ad05f50e59a7c5befc939e5f38c0ef7fcfeedb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Aug 2018 23:46:45 +0200 Subject: [PATCH] FIPS tests changes @@ -58,47 +58,37 @@ Date: Wed Mar 7 10:44:23 2018 +0100 Use hmac-sha256 instead of default hmac-md5 for allow-query --- - bin/tests/system/acl/ns2/named1.conf.in | 4 +- - bin/tests/system/acl/ns2/named2.conf.in | 4 +- - bin/tests/system/acl/ns2/named3.conf.in | 6 +- - bin/tests/system/acl/ns2/named4.conf.in | 4 +- - bin/tests/system/acl/ns2/named5.conf.in | 4 +- - bin/tests/system/acl/tests.sh | 32 ++++----- + bin/tests/system/acl/ns2/named1.conf.in | 4 +-- + bin/tests/system/acl/ns2/named2.conf.in | 4 +-- + bin/tests/system/acl/ns2/named3.conf.in | 6 ++-- + bin/tests/system/acl/ns2/named4.conf.in | 4 +-- + bin/tests/system/acl/ns2/named5.conf.in | 4 +-- + bin/tests/system/acl/tests.sh | 30 +++++++++---------- .../system/allow-query/ns2/named10.conf.in | 2 +- - .../system/allow-query/ns2/named11.conf.in | 4 +- + .../system/allow-query/ns2/named11.conf.in | 4 +-- .../system/allow-query/ns2/named12.conf.in | 2 +- .../system/allow-query/ns2/named30.conf.in | 2 +- - .../system/allow-query/ns2/named31.conf.in | 4 +- + .../system/allow-query/ns2/named31.conf.in | 4 +-- .../system/allow-query/ns2/named32.conf.in | 2 +- - .../system/allow-query/ns2/named40.conf.in | 4 +- - bin/tests/system/allow-query/tests.sh | 18 ++--- - bin/tests/system/catz/ns1/named.conf.in | 2 +- - bin/tests/system/catz/ns2/named.conf.in | 2 +- + .../system/allow-query/ns2/named40.conf.in | 4 +-- + bin/tests/system/allow-query/tests.sh | 18 +++++------ bin/tests/system/checkconf/bad-tsig.conf | 2 +- bin/tests/system/checkconf/good.conf | 2 +- - bin/tests/system/feature-test.c | 14 ++++ - bin/tests/system/notify/ns5/named.conf.in | 6 +- - bin/tests/system/notify/tests.sh | 6 +- + bin/tests/system/feature-test.c | 13 ++++++++ + bin/tests/system/notify/ns5/named.conf.in | 6 ++-- + bin/tests/system/notify/tests.sh | 6 ++-- bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- - bin/tests/system/nsupdate/setup.sh | 6 +- - bin/tests/system/nsupdate/tests.sh | 15 +++-- - bin/tests/system/rndc/setup.sh | 2 +- - bin/tests/system/rndc/tests.sh | 23 ++++--- - bin/tests/system/tsig/ns1/named.conf.in | 10 +-- - bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++ - bin/tests/system/tsig/setup.sh | 5 ++ - bin/tests/system/tsig/tests.sh | 65 ++++++++++++------- + bin/tests/system/nsupdate/tests.sh | 4 +-- bin/tests/system/upforwd/ns1/named.conf.in | 2 +- bin/tests/system/upforwd/tests.sh | 2 +- - 33 files changed, 162 insertions(+), 108 deletions(-) - create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in + 24 files changed, 72 insertions(+), 59 deletions(-) diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in -index 60f22e1..249f672 100644 +index 745048a..93cb411 100644 --- a/bin/tests/system/acl/ns2/named1.conf.in +++ b/bin/tests/system/acl/ns2/named1.conf.in -@@ -33,12 +33,12 @@ options { +@@ -35,12 +35,12 @@ options { }; key one { @@ -114,10 +104,10 @@ index 60f22e1..249f672 100644 }; diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in -index ada97bc..f82d858 100644 +index 21aa991..78e71cc 100644 --- a/bin/tests/system/acl/ns2/named2.conf.in +++ b/bin/tests/system/acl/ns2/named2.conf.in -@@ -33,12 +33,12 @@ options { +@@ -35,12 +35,12 @@ options { }; key one { @@ -133,10 +123,10 @@ index ada97bc..f82d858 100644 }; diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in -index 97684e4..de6a2e9 100644 +index 3208c92..bed6325 100644 --- a/bin/tests/system/acl/ns2/named3.conf.in +++ b/bin/tests/system/acl/ns2/named3.conf.in -@@ -33,17 +33,17 @@ options { +@@ -35,17 +35,17 @@ options { }; key one { @@ -158,28 +148,9 @@ index 97684e4..de6a2e9 100644 }; diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in -index 462b3fa..994b35c 100644 +index 14e82ed..a22cafe 100644 --- a/bin/tests/system/acl/ns2/named4.conf.in +++ b/bin/tests/system/acl/ns2/named4.conf.in -@@ -33,12 +33,12 @@ options { - }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in -index 728da58..8f00d09 100644 ---- a/bin/tests/system/acl/ns2/named5.conf.in -+++ b/bin/tests/system/acl/ns2/named5.conf.in @@ -35,12 +35,12 @@ options { }; @@ -195,137 +166,169 @@ index 728da58..8f00d09 100644 secret "1234abcd8765"; }; +diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in +index f43f33c..f4a865a 100644 +--- a/bin/tests/system/acl/ns2/named5.conf.in ++++ b/bin/tests/system/acl/ns2/named5.conf.in +@@ -37,12 +37,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh -index be59d64..13d5bdc 100644 +index bdac1d2..020a7a1 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh -@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing" +@@ -24,7 +24,7 @@ echo_i "testing basic ACL processing" # key "one" should fail - t=`expr $t + 1` + t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y $DEFAULT_HMAC:one:1234abcd8765 >dig.out.${t} + grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +@@ -33,7 +33,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 || { # any other key should be fine - t=`expr $t + 1` + t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - copy_setports ns2/named2.conf.in ns2/named.conf -@@ -39,18 +39,18 @@ sleep 5 +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y $DEFAULT_HMAC:two:1234abcd8765 >dig.out.${t} + grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +@@ -46,7 +46,7 @@ sleep 5 # prefix 10/8 should fail - t=`expr $t + 1` + t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y $DEFAULT_HMAC:one:1234abcd8765 >dig.out.${t} + grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +@@ -55,7 +55,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 || { # any other address should work, as long as it sends key "one" - t=`expr $t + 1` + t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } +- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 >dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y $DEFAULT_HMAC:two:1234abcd8765 >dig.out.${t} + grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +@@ -63,7 +63,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 || { - t=`expr $t + 1` + t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - echo_i "testing nested ACL processing" -@@ -62,31 +62,31 @@ sleep 5 +- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 >dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y $DEFAULT_HMAC:one:1234abcd8765 >dig.out.${t} + grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +@@ -78,7 +78,7 @@ sleep 5 # should succeed - t=`expr $t + 1` + t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - +- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 >dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y $DEFAULT_HMAC:two:1234abcd8765 >dig.out.${t} + grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +@@ -87,7 +87,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 && { # should succeed - t=`expr $t + 1` + t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - +- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 >dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y $DEFAULT_HMAC:one:1234abcd8765 >dig.out.${t} + grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +@@ -96,7 +96,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 && { # should succeed - t=`expr $t + 1` + t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y $DEFAULT_HMAC:two:1234abcd8765 >dig.out.${t} + grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +@@ -105,7 +105,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 && { # should succeed - t=`expr $t + 1` + t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y $DEFAULT_HMAC:two:1234abcd8765 >dig.out.${t} + grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +@@ -114,7 +114,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 && { # but only one or the other should fail - t=`expr $t + 1` + t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - t=`expr $t + 1` -@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1 - # and other values? right out - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two -@@ -108,31 +108,31 @@ sleep 5 +- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 >dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y $DEFAULT_HMAC:one:1234abcd8765 >dig.out.${t} + grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +@@ -145,7 +145,7 @@ sleep 5 # should succeed - t=`expr $t + 1` + t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - +- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 >dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y $DEFAULT_HMAC:two:1234abcd8765 >dig.out.${t} + grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +@@ -154,7 +154,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 && { # should succeed - t=`expr $t + 1` + t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y $DEFAULT_HMAC:one:1234abcd8765 >dig.out.${t} + grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +@@ -163,7 +163,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 && { # should fail - t=`expr $t + 1` + t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - +- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 >dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y $DEFAULT_HMAC:one:1234abcd8765 >dig.out.${t} + grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +@@ -172,7 +172,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 || { # should fail - t=`expr $t + 1` + t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y $DEFAULT_HMAC:two:1234abcd8765 >dig.out.${t} + grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +@@ -181,7 +181,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 || { # should fail - t=`expr $t + 1` + t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - echo_i "testing allow-query-on ACL processing" +- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 >dig.out.${t} ++ @10.53.0.2 -b 10.53.0.3 axfr -y $DEFAULT_HMAC:one:1234abcd8765 >dig.out.${t} + grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in -index 7d43e36..f7b25f9 100644 +index b91d19a..7d777c2 100644 --- a/bin/tests/system/allow-query/ns2/named10.conf.in +++ b/bin/tests/system/allow-query/ns2/named10.conf.in -@@ -10,7 +10,7 @@ +@@ -12,7 +12,7 @@ */ key one { @@ -335,10 +338,10 @@ index 7d43e36..f7b25f9 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in -index 2952518..121557e 100644 +index 308c4ca..00f6f40 100644 --- a/bin/tests/system/allow-query/ns2/named11.conf.in +++ b/bin/tests/system/allow-query/ns2/named11.conf.in -@@ -10,12 +10,12 @@ +@@ -12,12 +12,12 @@ */ key one { @@ -354,10 +357,10 @@ index 2952518..121557e 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in -index 0c01071..ceabbb5 100644 +index 6b0fe55..491e514 100644 --- a/bin/tests/system/allow-query/ns2/named12.conf.in +++ b/bin/tests/system/allow-query/ns2/named12.conf.in -@@ -10,7 +10,7 @@ +@@ -12,7 +12,7 @@ */ key one { @@ -367,10 +370,10 @@ index 0c01071..ceabbb5 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in -index 4c17292..9cd9d1f 100644 +index aefc474..7c06596 100644 --- a/bin/tests/system/allow-query/ns2/named30.conf.in +++ b/bin/tests/system/allow-query/ns2/named30.conf.in -@@ -10,7 +10,7 @@ +@@ -12,7 +12,7 @@ */ key one { @@ -380,10 +383,10 @@ index 4c17292..9cd9d1f 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in -index a2690a4..f488730 100644 +index 27eccc2..eecb990 100644 --- a/bin/tests/system/allow-query/ns2/named31.conf.in +++ b/bin/tests/system/allow-query/ns2/named31.conf.in -@@ -10,12 +10,12 @@ +@@ -12,12 +12,12 @@ */ key one { @@ -399,10 +402,10 @@ index a2690a4..f488730 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in -index a0708c8..51fa457 100644 +index adbb203..744d122 100644 --- a/bin/tests/system/allow-query/ns2/named32.conf.in +++ b/bin/tests/system/allow-query/ns2/named32.conf.in -@@ -10,7 +10,7 @@ +@@ -12,7 +12,7 @@ */ key one { @@ -412,10 +415,10 @@ index a0708c8..51fa457 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in -index 687768e..d24d6d2 100644 +index 364f94b..9518f82 100644 --- a/bin/tests/system/allow-query/ns2/named40.conf.in +++ b/bin/tests/system/allow-query/ns2/named40.conf.in -@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; }; +@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; }; acl badaccept { 10.53.0.1; }; key one { @@ -431,117 +434,95 @@ index 687768e..d24d6d2 100644 }; diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh -index fe40635..543c663 100644 +index 1cb7da3..96f6545 100644 --- a/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh -@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2 +@@ -183,7 +183,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key allowed - query allowed" ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2 +@@ -196,7 +196,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key not allowed - query refused" ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2 +@@ -209,7 +209,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key disallowed - query refused" ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2 +@@ -342,7 +342,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key allowed - query allowed" ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2 +@@ -355,7 +355,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key not allowed - query refused" ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2 +@@ -368,7 +368,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key disallowed - query refused" ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -500,7 +500,7 @@ status=`expr $status + $ret` - n=`expr $n + 1` +@@ -501,7 +501,7 @@ status=$(expr $status + $ret) + n=$(expr $n + 1) echo_i "test $n: zone key allowed - query allowed" ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a >dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:one:1234abcd8765 a.keyallow.example a >dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 + grep '^a.keyallow.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -510,7 +510,7 @@ status=`expr $status + $ret` - n=`expr $n + 1` +@@ -511,7 +511,7 @@ status=$(expr $status + $ret) + n=$(expr $n + 1) echo_i "test $n: zone key not allowed - query refused" ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a >dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:two:1234efgh8765 a.keyallow.example a >dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 + grep '^a.keyallow.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -520,7 +520,7 @@ status=`expr $status + $ret` - n=`expr $n + 1` +@@ -521,7 +521,7 @@ status=$(expr $status + $ret) + n=$(expr $n + 1) echo_i "test $n: zone key disallowed - query refused" ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a >dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:one:1234abcd8765 a.keydisallow.example a >dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 + grep '^a.keydisallow.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in -index 1218669..e62715e 100644 ---- a/bin/tests/system/catz/ns1/named.conf.in -+++ b/bin/tests/system/catz/ns1/named.conf.in -@@ -61,5 +61,5 @@ zone "catalog4.example" { - - key tsig_key. { - secret "LSAnCU+Z"; -- algorithm hmac-md5; -+ algorithm hmac-sha256; - }; -diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in -index 30333e6..4005152 100644 ---- a/bin/tests/system/catz/ns2/named.conf.in -+++ b/bin/tests/system/catz/ns2/named.conf.in -@@ -70,5 +70,5 @@ zone "catalog4.example" { - - key tsig_key. { - secret "LSAnCU+Z"; -- algorithm hmac-md5; -+ algorithm hmac-sha256; - }; diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf -index 21be03e..e57c308 100644 +index 4af25b0..9f202d5 100644 --- a/bin/tests/system/checkconf/bad-tsig.conf +++ b/bin/tests/system/checkconf/bad-tsig.conf -@@ -11,7 +11,7 @@ +@@ -13,7 +13,7 @@ /* Bad secret */ key "badtsig" { @@ -551,10 +532,10 @@ index 21be03e..e57c308 100644 }; diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf -index e09b9e8..2e824b3 100644 +index 0ecdb68..90b8ab3 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf -@@ -210,6 +210,6 @@ dyndb "name" "library.so" { +@@ -284,6 +284,6 @@ dyndb "name" "library.so" { system; }; key "mykey" { @@ -563,18 +544,10 @@ index e09b9e8..2e824b3 100644 secret "qwertyuiopasdfgh"; }; diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c -index 877504f..577660a 100644 +index e502ee9..cdbc92f 100644 --- a/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c -@@ -14,6 +14,7 @@ - #include - #include - -+#include - #include - #include - #include -@@ -186,6 +187,19 @@ main(int argc, char **argv) { +@@ -211,6 +211,19 @@ main(int argc, char **argv) { #endif /* ifdef DLZ_FILESYSTEM */ } @@ -595,10 +568,10 @@ index 877504f..577660a 100644 #ifdef HAVE_LIBIDN2 return (0); diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in -index 1ee8df4..2b75d9a 100644 +index 5cab276..d4a7bf3 100644 --- a/bin/tests/system/notify/ns5/named.conf.in +++ b/bin/tests/system/notify/ns5/named.conf.in -@@ -10,17 +10,17 @@ +@@ -12,17 +12,17 @@ */ key "a" { @@ -620,34 +593,33 @@ index 1ee8df4..2b75d9a 100644 }; diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh -index 3d7e0b7..ec4d9a7 100644 +index fcc51d5..0ab99db 100644 --- a/bin/tests/system/notify/tests.sh +++ b/bin/tests/system/notify/tests.sh -@@ -212,16 +212,16 @@ ret=0 - $NSUPDATE << EOF +@@ -210,15 +210,15 @@ ret=0 + $NSUPDATE < dig.out.b.ns5.test$n || ret=1 -- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ -+ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \ - txt > dig.out.c.ns5.test$n || ret=1 - grep "test string" dig.out.b.ns5.test$n > /dev/null && - grep "test string" dig.out.c.ns5.test$n > /dev/null && + for i in 1 2 3 4 5 6 7 8 9; do +- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ ++ $DIG $DIGOPTS added.x21. -y ${DEFAULT_HMAC}:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ + txt >dig.out.b.ns5.test$n || ret=1 +- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ ++ $DIG $DIGOPTS added.x21. -y ${DEFAULT_HMAC}:c:cccccccccccccccccccc @10.53.0.5 \ + txt >dig.out.c.ns5.test$n || ret=1 + grep "test string" dig.out.b.ns5.test$n >/dev/null \ + && grep "test string" dig.out.c.ns5.test$n >/dev/null \ diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in -index b51e700..436c97d 100644 +index a5cc36d..7bb8923 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in -@@ -37,7 +37,7 @@ controls { +@@ -40,7 +40,7 @@ controls { }; key altkey { @@ -657,10 +629,10 @@ index b51e700..436c97d 100644 }; diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in -index da6b3b4..c547e47 100644 +index f1a1735..da2b3d1 100644 --- a/bin/tests/system/nsupdate/ns2/named.conf.in +++ b/bin/tests/system/nsupdate/ns2/named.conf.in -@@ -32,7 +32,7 @@ controls { +@@ -34,7 +34,7 @@ controls { }; key altkey { @@ -669,270 +641,33 @@ index da6b3b4..c547e47 100644 secret "1234abcd8765"; }; -diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh -index c055da3..4e1242b 100644 ---- a/bin/tests/system/nsupdate/setup.sh -+++ b/bin/tests/system/nsupdate/setup.sh -@@ -56,7 +56,11 @@ EOF - - $DDNSCONFGEN -q -z example.nil > ns1/ddns.key - --$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key -+if $FEATURETEST --md5; then -+ $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key -+else -+ echo -n > ns1/md5.key -+fi - $DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key - $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key - $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh -index b35d797..41c128e 100755 +index def99c4..00d2987 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh -@@ -797,7 +797,14 @@ fi - n=`expr $n + 1` - ret=0 - echo_i "check TSIG key algorithms (nsupdate -k) ($n)" --for alg in md5 sha1 sha224 sha256 sha384 sha512; do -+if $FEATURETEST --md5 -+then -+ ALGS="md5 sha1 sha224 sha256 sha384 sha512" -+else -+ ALGS="sha1 sha224 sha256 sha384 sha512" -+ echo_i "skipping disabled md5 algorithm" -+fi -+for alg in $ALGS; do - $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 - server 10.53.0.1 ${PORT} - update add ${alg}.keytests.nil. 600 A 10.10.10.3 -@@ -805,7 +812,7 @@ send - END - done - sleep 2 --for alg in md5 sha1 sha224 sha256 sha384 sha512; do -+for alg in $ALGS; do - $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 - done - if [ $ret -ne 0 ]; then -@@ -816,7 +823,7 @@ fi - n=`expr $n + 1` +@@ -1033,7 +1033,7 @@ fi + n=$((n + 1)) ret=0 echo_i "check TSIG key algorithms (nsupdate -y) ($n)" -for alg in md5 sha1 sha224 sha256 sha384 sha512; do +for alg in $ALGS; do - secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key) - $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" < /dev/null || ret=1 + secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key) + $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" </dev/null || ret=1 server 10.53.0.1 ${PORT} -@@ -825,7 +832,7 @@ send +@@ -1042,7 +1042,7 @@ send END done sleep 2 -for alg in md5 sha1 sha224 sha256 sha384 sha512; do +for alg in $ALGS; do - $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1 + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 >/dev/null 2>&1 || ret=1 done if [ $ret -ne 0 ]; then -diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh -index b59e7a7..04d5f5a 100644 ---- a/bin/tests/system/rndc/setup.sh -+++ b/bin/tests/system/rndc/setup.sh -@@ -33,7 +33,7 @@ make_key () { - sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf - } - --make_key 1 ${EXTRAPORT1} hmac-md5 -+$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5 - make_key 2 ${EXTRAPORT2} hmac-sha1 - make_key 3 ${EXTRAPORT3} hmac-sha224 - make_key 4 ${EXTRAPORT4} hmac-sha256 -diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh -index 9fd84ed..d0b188f 100644 ---- a/bin/tests/system/rndc/tests.sh -+++ b/bin/tests/system/rndc/tests.sh -@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - n=`expr $n + 1` --echo_i "testing rndc with hmac-md5 ($n)" --ret=0 --$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 --for i in 2 3 4 5 6 --do -- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 --done --if [ $ret != 0 ]; then echo_i "failed"; fi --status=`expr $status + $ret` -+if $FEATURETEST --md5 -+then -+ echo_i "testing rndc with hmac-md5 ($n)" -+ ret=0 -+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 -+ for i in 2 3 4 5 6 -+ do -+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 -+ done -+ if [ $ret != 0 ]; then echo_i "failed"; fi -+ status=`expr $status + $ret` -+else -+ echo_i "skipping rndc with hmac-md5 ($n)" -+fi - - n=`expr $n + 1` - echo_i "testing rndc with hmac-sha1 ($n)" -diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in -index 3470c4f..cf539cd 100644 ---- a/bin/tests/system/tsig/ns1/named.conf.in -+++ b/bin/tests/system/tsig/ns1/named.conf.in -@@ -21,10 +21,7 @@ options { - notify no; - }; - --key "md5" { -- secret "97rnFx24Tfna4mHPfgnerA=="; -- algorithm hmac-md5; --}; -+# md5 key appended by setup.sh at the end - - key "sha1" { - secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; -@@ -51,10 +48,7 @@ key "sha512" { - algorithm hmac-sha512; - }; - --key "md5-trunc" { -- secret "97rnFx24Tfna4mHPfgnerA=="; -- algorithm hmac-md5-80; --}; -+# md5-trunc key appended by setup.sh at the end - - key "sha1-trunc" { - secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; -diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in -new file mode 100644 -index 0000000..0682194 ---- /dev/null -+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in -@@ -0,0 +1,10 @@ -+# Conditionally included when support for MD5 is available -+key "md5" { -+ secret "97rnFx24Tfna4mHPfgnerA=="; -+ algorithm hmac-md5; -+}; -+ -+key "md5-trunc" { -+ secret "97rnFx24Tfna4mHPfgnerA=="; -+ algorithm hmac-md5-80; -+}; -diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh -index e3b4a45..ae21d04 100644 ---- a/bin/tests/system/tsig/setup.sh -+++ b/bin/tests/system/tsig/setup.sh -@@ -15,3 +15,8 @@ SYSTEMTESTTOP=.. - $SHELL clean.sh - - copy_setports ns1/named.conf.in ns1/named.conf -+ -+if $FEATURETEST --md5 -+then -+ cat ns1/rndc5.conf.in >> ns1/named.conf -+fi -diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh -index 38d842a..668aa6f 100644 ---- a/bin/tests/system/tsig/tests.sh -+++ b/bin/tests/system/tsig/tests.sh -@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f - - status=0 - --echo_i "fetching using hmac-md5 (old form)" --ret=0 --$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 --grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 --fi -+if $FEATURETEST --md5 -+then -+ echo_i "fetching using hmac-md5 (old form)" -+ ret=0 -+ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 -+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 -+ if [ $ret -eq 1 ] ; then -+ echo_i "failed"; status=1 -+ fi - --echo_i "fetching using hmac-md5 (new form)" --ret=0 --$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 --grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 -+ echo_i "fetching using hmac-md5 (new form)" -+ ret=0 -+ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 -+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 -+ if [ $ret -eq 1 ] ; then -+ echo_i "failed"; status=1 -+ fi -+else -+ echo_i "skipping using hmac-md5" - fi - - echo_i "fetching using hmac-sha1" -@@ -87,12 +92,17 @@ fi - # Truncated TSIG - # - # --echo_i "fetching using hmac-md5 (trunc)" --ret=0 --$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 --grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 -+if $FEATURETEST --md5 -+then -+ echo_i "fetching using hmac-md5 (trunc)" -+ ret=0 -+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 -+ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 -+ if [ $ret -eq 1 ] ; then -+ echo_i "failed"; status=1 -+ fi -+else -+ echo_i "skipping using hmac-md5 (trunc)" - fi - - echo_i "fetching using hmac-sha1 (trunc)" -@@ -141,12 +151,17 @@ fi - # Check for bad truncation. - # - # --echo_i "fetching using hmac-md5-80 (BADTRUNC)" --ret=0 --$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 --grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 -+if $FEATURETEST --md5 -+then -+ echo_i "fetching using hmac-md5-80 (BADTRUNC)" -+ ret=0 -+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 -+ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 -+ if [ $ret -eq 1 ] ; then -+ echo_i "failed"; status=1 -+ fi -+else -+ echo_i "skipping using hmac-md5-80 (BADTRUNC)" - fi - - echo_i "fetching using hmac-sha1-80 (BADTRUNC)" diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in -index 3873c7c..b359a5a 100644 +index c2b57dd..cb13aa1 100644 --- a/bin/tests/system/upforwd/ns1/named.conf.in +++ b/bin/tests/system/upforwd/ns1/named.conf.in -@@ -10,7 +10,7 @@ +@@ -12,7 +12,7 @@ */ key "update.example." { @@ -942,18 +677,18 @@ index 3873c7c..b359a5a 100644 }; diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh -index a50c896..8062d68 100644 +index 9165ba9..063e28d 100644 --- a/bin/tests/system/upforwd/tests.sh +++ b/bin/tests/system/upforwd/tests.sh -@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +@@ -92,7 +92,7 @@ fi echo_i "updating zone (signed) ($n)" ret=0 -$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - < -Date: Fri, 1 Mar 2019 15:48:20 +0100 -Subject: [PATCH] Make alternative named builds testable in system tests - -Red Hat has alternative variant builds of named, which are not ever -tested by system tests. New variables make it relatively easy to test -alternative variants. - -For sdb variant use: -export NAMED_VARIANT=-sdb DNSSEC_VARIANT= - -For pkcs variant use: -export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11 ---- - bin/tests/system/conf.sh.in | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in -index d859909..9152f07 100644 ---- a/bin/tests/system/conf.sh.in -+++ b/bin/tests/system/conf.sh.in -@@ -37,17 +37,17 @@ DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen - DELV=$TOP/bin/delv/delv - DIG=$TOP/bin/dig/dig - DNSTAPREAD=$TOP/bin/tools/dnstap-read --DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey --FEATURETEST=$TOP/bin/named/feature-test -+DSFROMKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-dsfromkey${DNSSEC_VARIANT} -+FEATURETEST=$TOP/bin/named${NAMED_VARIANT}/feature-test${NAMED_VARIANT} - FSTRM_CAPTURE=@FSTRM_CAPTURE@ - HOST=$TOP/bin/dig/host --IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey -+IMPORTKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-importkey${DNSSEC_VARIANT} - JOURNALPRINT=$TOP/bin/tools/named-journalprint --KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel --KEYGEN=$TOP/bin/dnssec/dnssec-keygen -+KEYFRLAB=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keyfromlabel${DNSSEC_VARIANT} -+KEYGEN=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keygen${DNSSEC_VARIANT} - KEYMGR=$TOP/bin/python/dnssec-keymgr - MDIG=$TOP/bin/tools/mdig --NAMED=$TOP/bin/named/named -+NAMED=$TOP/bin/named${NAMED_VARIANT}/named${NAMED_VARIANT} - NSEC3HASH=$TOP/bin/tools/nsec3hash - NSLOOKUP=$TOP/bin/dig/nslookup - NSUPDATE=$TOP/bin/nsupdate/nsupdate -@@ -56,12 +56,12 @@ PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0" - PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}" - PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}" - RESOLVE=$TOP/bin/tests/system/resolve --REVOKE=$TOP/bin/dnssec/dnssec-revoke -+REVOKE=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-revoke${DNSSEC_VARIANT} - RNDC=$TOP/bin/rndc/rndc - RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen - RRCHECKER=$TOP/bin/tools/named-rrchecker --SETTIME=$TOP/bin/dnssec/dnssec-settime --SIGNER=$TOP/bin/dnssec/dnssec-signzone -+SETTIME=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-settime${DNSSEC_VARIANT} -+SIGNER=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-signzone${DNSSEC_VARIANT} - TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen - VERIFY=$TOP/bin/dnssec/dnssec-verify - WIRETEST=$TOP/bin/tests/wire_test --- -2.26.3 - diff --git a/bind-9.16-CVE-2021-25220-test.patch b/bind-9.16-CVE-2021-25220-test.patch deleted file mode 100644 index 150aa87..0000000 --- a/bind-9.16-CVE-2021-25220-test.patch +++ /dev/null @@ -1,1144 +0,0 @@ -From bd8fdeb2d1ece6db6dfe9fdc024f3a81440c1c0c Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Tue, 18 Jan 2022 00:19:47 +1100 -Subject: [PATCH] Add tests for forwarder cache poisoning scenarios - -- Check that an NS in an authority section returned from a forwarder - which is above the name in a configured "forward first" or "forward - only" zone (i.e., net/NS in a response from a forwarder configured for - local.net) is not cached. -- Test that a DNAME for a parent domain will not be cached when sent - in a response from a forwarder configured to answer for a child. -- Check that glue is rejected if its name falls below that of zone - configured locally. -- Check that an extra out-of-bailiwick data in the answer section is - not cached (this was already working correctly, but was not explicitly - tested before). - -(cherry picked from commit bf3fffff67e1de78e9387a93674d471bf4291604) -(cherry picked from commit 59d1eb3ff810145c8098a0a4fbf93ef4380ad739) ---- - bin/tests/system/forward/ans11/ans.py | 136 ++++++++++++++++++ - bin/tests/system/forward/clean.sh | 2 + - bin/tests/system/forward/ns1/diditwork.net.db | 22 +++ - bin/tests/system/forward/ns1/named.conf.in | 20 +++ - bin/tests/system/forward/ns1/net.example.lll | 15 ++ - bin/tests/system/forward/ns1/spoofed.net.db | 22 +++ - bin/tests/system/forward/ns1/sub.local.net.db | 22 +++ - bin/tests/system/forward/ns10/fakenet.zone | 17 +++ - bin/tests/system/forward/ns10/fakenet2.zone | 15 ++ - .../system/forward/ns10/fakesublocalnet.zone | 15 ++ - .../system/forward/ns10/fakesublocaltld.zone | 15 ++ - bin/tests/system/forward/ns10/named.conf.in | 53 +++++++ - bin/tests/system/forward/ns10/net.example.lll | 15 ++ - bin/tests/system/forward/ns10/spoofednet.zone | 16 +++ - bin/tests/system/forward/ns2/tld.db | 6 + - bin/tests/system/forward/ns4/named.conf.in | 5 + - bin/tests/system/forward/ns4/sibling.tld.db | 22 +++ - bin/tests/system/forward/ns8/named.conf.in | 5 + - bin/tests/system/forward/ns8/sub.local.tld.db | 15 ++ - bin/tests/system/forward/ns9/local.net.db | 16 +++ - bin/tests/system/forward/ns9/local.tld.db | 15 ++ - bin/tests/system/forward/ns9/named1.conf.in | 67 +++++++++ - bin/tests/system/forward/ns9/named2.conf.in | 70 +++++++++ - bin/tests/system/forward/ns9/named3.conf.in | 50 +++++++ - bin/tests/system/forward/ns9/named4.conf.in | 47 ++++++ - bin/tests/system/forward/ns9/root.db | 13 ++ - bin/tests/system/forward/setup.sh | 2 + - bin/tests/system/forward/tests.sh | 122 ++++++++++++++++ - bin/tests/system/ifconfig.sh | 8 +- - 29 files changed, 844 insertions(+), 4 deletions(-) - create mode 100644 bin/tests/system/forward/ans11/ans.py - create mode 100644 bin/tests/system/forward/ns1/diditwork.net.db - create mode 100644 bin/tests/system/forward/ns1/net.example.lll - create mode 100644 bin/tests/system/forward/ns1/spoofed.net.db - create mode 100644 bin/tests/system/forward/ns1/sub.local.net.db - create mode 100644 bin/tests/system/forward/ns10/fakenet.zone - create mode 100644 bin/tests/system/forward/ns10/fakenet2.zone - create mode 100644 bin/tests/system/forward/ns10/fakesublocalnet.zone - create mode 100644 bin/tests/system/forward/ns10/fakesublocaltld.zone - create mode 100644 bin/tests/system/forward/ns10/named.conf.in - create mode 100644 bin/tests/system/forward/ns10/net.example.lll - create mode 100644 bin/tests/system/forward/ns10/spoofednet.zone - create mode 100644 bin/tests/system/forward/ns4/sibling.tld.db - create mode 100644 bin/tests/system/forward/ns8/sub.local.tld.db - create mode 100644 bin/tests/system/forward/ns9/local.net.db - create mode 100644 bin/tests/system/forward/ns9/local.tld.db - create mode 100644 bin/tests/system/forward/ns9/named1.conf.in - create mode 100644 bin/tests/system/forward/ns9/named2.conf.in - create mode 100644 bin/tests/system/forward/ns9/named3.conf.in - create mode 100644 bin/tests/system/forward/ns9/named4.conf.in - create mode 100644 bin/tests/system/forward/ns9/root.db - -diff --git a/bin/tests/system/forward/ans11/ans.py b/bin/tests/system/forward/ans11/ans.py -new file mode 100644 -index 0000000000..1d35b3d3f1 ---- /dev/null -+++ b/bin/tests/system/forward/ans11/ans.py -@@ -0,0 +1,136 @@ -+# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+# -+# SPDX-License-Identifier: MPL-2.0 -+# -+# This Source Code Form is subject to the terms of the Mozilla Public -+# License, v. 2.0. If a copy of the MPL was not distributed with this -+# file, you can obtain one at https://mozilla.org/MPL/2.0/. -+# -+# See the COPYRIGHT file distributed with this work for additional -+# information regarding copyright ownership. -+ -+from __future__ import print_function -+import os -+import sys -+import signal -+import socket -+import select -+from datetime import datetime, timedelta -+import time -+import functools -+ -+import dns, dns.message, dns.query, dns.flags -+from dns.rdatatype import * -+from dns.rdataclass import * -+from dns.rcode import * -+from dns.name import * -+ -+# Log query to file -+def logquery(type, qname): -+ with open("qlog", "a") as f: -+ f.write("%s %s\n", type, qname) -+ -+############################################################################ -+# Respond to a DNS query. -+############################################################################ -+def create_response(msg): -+ m = dns.message.from_wire(msg) -+ qname = m.question[0].name.to_text() -+ rrtype = m.question[0].rdtype -+ typename = dns.rdatatype.to_text(rrtype) -+ -+ with open("query.log", "a") as f: -+ f.write("%s %s\n" % (typename, qname)) -+ print("%s %s" % (typename, qname), end=" ") -+ -+ r = dns.message.make_response(m) -+ r.set_rcode(NOERROR) -+ if rrtype == A: -+ tld=qname.split('.')[-2] + '.' -+ ns="local." + tld -+ r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11")) -+ r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." + tld)) -+ r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11")) -+ elif rrtype == NS: -+ r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, ".")) -+ elif rrtype == SOA: -+ r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) -+ else: -+ r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) -+ r.flags |= dns.flags.AA -+ return r -+ -+def sigterm(signum, frame): -+ print ("Shutting down now...") -+ os.remove('ans.pid') -+ running = False -+ sys.exit(0) -+ -+############################################################################ -+# Main -+# -+# Set up responder and control channel, open the pid file, and start -+# the main loop, listening for queries on the query channel or commands -+# on the control channel and acting on them. -+############################################################################ -+ip4 = "10.53.0.11" -+ip6 = "fd92:7065:b8e:ffff::11" -+ -+try: port=int(os.environ['PORT']) -+except: port=5300 -+ -+query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) -+query4_socket.bind((ip4, port)) -+havev6 = True -+try: -+ query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) -+ try: -+ query6_socket.bind((ip6, port)) -+ except: -+ query6_socket.close() -+ havev6 = False -+except: -+ havev6 = False -+signal.signal(signal.SIGTERM, sigterm) -+ -+f = open('ans.pid', 'w') -+pid = os.getpid() -+print (pid, file=f) -+f.close() -+ -+running = True -+ -+print ("Listening on %s port %d" % (ip4, port)) -+if havev6: -+ print ("Listening on %s port %d" % (ip6, port)) -+print ("Ctrl-c to quit") -+ -+if havev6: -+ input = [query4_socket, query6_socket] -+else: -+ input = [query4_socket] -+ -+while running: -+ try: -+ inputready, outputready, exceptready = select.select(input, [], []) -+ except select.error as e: -+ break -+ except socket.error as e: -+ break -+ except KeyboardInterrupt: -+ break -+ -+ for s in inputready: -+ if s == query4_socket or s == query6_socket: -+ print ("Query received on %s" % -+ (ip4 if s == query4_socket else ip6), end=" ") -+ # Handle incoming queries -+ msg = s.recvfrom(65535) -+ rsp = create_response(msg[0]) -+ if rsp: -+ print(dns.rcode.to_text(rsp.rcode())) -+ s.sendto(rsp.to_wire(), msg[1]) -+ else: -+ print("NO RESPONSE") -+ if not running: -+ break -diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh -index bc04eadb2c..b65b092680 100644 ---- a/bin/tests/system/forward/clean.sh -+++ b/bin/tests/system/forward/clean.sh -@@ -10,10 +10,12 @@ - # - # Clean up after forward tests. - # -+rm -f ./ans11/query.log - rm -f ./dig.out.* - rm -f ./*/named.conf - rm -f ./*/named.memstats - rm -f ./*/named.run ./*/named.run.prev -+rm -f ./*/named_dump.db - rm -f ./ns*/named.lock - rm -f ./ns*/managed-keys.bind* - rm -f ./ns1/root.db ./ns1/root.db.signed -diff --git a/bin/tests/system/forward/ns1/diditwork.net.db b/bin/tests/system/forward/ns1/diditwork.net.db -new file mode 100644 -index 0000000000..fd9a46eb0c ---- /dev/null -+++ b/bin/tests/system/forward/ns1/diditwork.net.db -@@ -0,0 +1,22 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 300 ; 5 minutes -+@ IN SOA ns root ( -+ 2000082401 ; serial -+ 1800 ; refresh (30 minutes) -+ 1800 ; retry (30 minutes) -+ 1814400 ; expire (3 weeks) -+ 3600 ; minimum (1 hour) -+ ) -+ NS ns -+ TXT "recursed" -+ns A 10.53.0.1 -diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in -index 4aef4e55e5..c5fb2eb172 100644 ---- a/bin/tests/system/forward/ns1/named.conf.in -+++ b/bin/tests/system/forward/ns1/named.conf.in -@@ -63,3 +63,23 @@ zone "sld.tld" { - zone "example6" { - type forward; - }; -+ -+zone "diditwork.net" { -+ type primary; -+ file "diditwork.net.db"; -+}; -+ -+zone "spoofed.net" { -+ type primary; -+ file "spoofed.net.db"; -+}; -+ -+zone "sub.local.net" { -+ type primary; -+ file "sub.local.net.db"; -+}; -+ -+zone "net.example.lll" { -+ type master; -+ file "net.example.lll"; -+}; -diff --git a/bin/tests/system/forward/ns1/net.example.lll b/bin/tests/system/forward/ns1/net.example.lll -new file mode 100644 -index 0000000000..ba0804fd75 ---- /dev/null -+++ b/bin/tests/system/forward/ns1/net.example.lll -@@ -0,0 +1,15 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+net.example.lll. SOA . . 0 0 0 0 0 -+net.example.lll. NS attackSecureDomain.net. -+didItWork.net.example.lll. TXT "if you can see this record the attack worked" -diff --git a/bin/tests/system/forward/ns1/spoofed.net.db b/bin/tests/system/forward/ns1/spoofed.net.db -new file mode 100644 -index 0000000000..eedc46f5c0 ---- /dev/null -+++ b/bin/tests/system/forward/ns1/spoofed.net.db -@@ -0,0 +1,22 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 300 ; 5 minutes -+@ IN SOA ns root ( -+ 2000082401 ; serial -+ 1800 ; refresh (30 minutes) -+ 1800 ; retry (30 minutes) -+ 1814400 ; expire (3 weeks) -+ 3600 ; minimum (1 hour) -+ ) -+ NS ns -+ns A 10.53.0.1 -+sub TXT "recursed" -diff --git a/bin/tests/system/forward/ns1/sub.local.net.db b/bin/tests/system/forward/ns1/sub.local.net.db -new file mode 100644 -index 0000000000..fd9a46eb0c ---- /dev/null -+++ b/bin/tests/system/forward/ns1/sub.local.net.db -@@ -0,0 +1,22 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 300 ; 5 minutes -+@ IN SOA ns root ( -+ 2000082401 ; serial -+ 1800 ; refresh (30 minutes) -+ 1800 ; retry (30 minutes) -+ 1814400 ; expire (3 weeks) -+ 3600 ; minimum (1 hour) -+ ) -+ NS ns -+ TXT "recursed" -+ns A 10.53.0.1 -diff --git a/bin/tests/system/forward/ns10/fakenet.zone b/bin/tests/system/forward/ns10/fakenet.zone -new file mode 100644 -index 0000000000..b655a32459 ---- /dev/null -+++ b/bin/tests/system/forward/ns10/fakenet.zone -@@ -0,0 +1,17 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+net. SOA . . 0 0 0 0 0 -+net. NS attackSecureDomain.net. -+attackSecureDomain.net. A 10.53.0.10 -+didItWork.net. TXT "if you can see this record the attack worked" -+ns.spoofed.net. A 10.53.0.10 -diff --git a/bin/tests/system/forward/ns10/fakenet2.zone b/bin/tests/system/forward/ns10/fakenet2.zone -new file mode 100644 -index 0000000000..cd1e6e9944 ---- /dev/null -+++ b/bin/tests/system/forward/ns10/fakenet2.zone -@@ -0,0 +1,15 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+net2. SOA . . 0 0 0 0 0 -+net2. NS attackSecureDomain.net. -+net2. DNAME net.example.lll. -diff --git a/bin/tests/system/forward/ns10/fakesublocalnet.zone b/bin/tests/system/forward/ns10/fakesublocalnet.zone -new file mode 100644 -index 0000000000..160b5332b2 ---- /dev/null -+++ b/bin/tests/system/forward/ns10/fakesublocalnet.zone -@@ -0,0 +1,15 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+sub.local.net. SOA . . 0 0 0 0 0 -+sub.local.net. NS ns.spoofed.net. -+sub.local.net. TXT "if you see this attacker overrode local delegation" -diff --git a/bin/tests/system/forward/ns10/fakesublocaltld.zone b/bin/tests/system/forward/ns10/fakesublocaltld.zone -new file mode 100644 -index 0000000000..f78cbc77f6 ---- /dev/null -+++ b/bin/tests/system/forward/ns10/fakesublocaltld.zone -@@ -0,0 +1,15 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 -+sub.local.tld. 3600 IN NS ns.sub.local.tld. -+sub.local.tld. 3600 IN TXT bad -+ns.sub.local.tld. 3600 IN A 10.53.0.8 -diff --git a/bin/tests/system/forward/ns10/named.conf.in b/bin/tests/system/forward/ns10/named.conf.in -new file mode 100644 -index 0000000000..1f318dd867 ---- /dev/null -+++ b/bin/tests/system/forward/ns10/named.conf.in -@@ -0,0 +1,53 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * SPDX-License-Identifier: MPL-2.0 -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, you can obtain one at https://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+options { -+ query-source address 10.53.0.10; -+ notify-source 10.53.0.10; -+ transfer-source 10.53.0.10; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.10; }; -+ listen-on-v6 { none; }; -+ minimal-responses no; -+}; -+ -+zone "net." { -+ type master; -+ file "fakenet.zone"; -+}; -+ -+zone "spoofed.net." { -+ type master; -+ file "spoofednet.zone"; -+}; -+ -+zone "sub.local.net." { -+ type master; -+ file "fakesublocalnet.zone"; -+}; -+ -+zone "net2" { -+ type master; -+ file "fakenet2.zone"; -+}; -+ -+zone "net.example.lll" { -+ type master; -+ file "net.example.lll"; -+}; -+ -+zone "sub.local.tld." { -+ type master; -+ file "fakesublocaltld.zone"; -+}; -diff --git a/bin/tests/system/forward/ns10/net.example.lll b/bin/tests/system/forward/ns10/net.example.lll -new file mode 100644 -index 0000000000..ba0804fd75 ---- /dev/null -+++ b/bin/tests/system/forward/ns10/net.example.lll -@@ -0,0 +1,15 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+net.example.lll. SOA . . 0 0 0 0 0 -+net.example.lll. NS attackSecureDomain.net. -+didItWork.net.example.lll. TXT "if you can see this record the attack worked" -diff --git a/bin/tests/system/forward/ns10/spoofednet.zone b/bin/tests/system/forward/ns10/spoofednet.zone -new file mode 100644 -index 0000000000..fb70a4372b ---- /dev/null -+++ b/bin/tests/system/forward/ns10/spoofednet.zone -@@ -0,0 +1,16 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+spoofed.net. SOA . . 0 0 0 0 0 -+spoofed.net. NS ns.spoofed.net. -+ns.spoofed.net. A 10.53.0.10 -+spoofed.net. TXT "this record is clearly spoofed" -diff --git a/bin/tests/system/forward/ns2/tld.db b/bin/tests/system/forward/ns2/tld.db -index 61b6569b07..819210dc05 100644 ---- a/bin/tests/system/forward/ns2/tld.db -+++ b/bin/tests/system/forward/ns2/tld.db -@@ -10,3 +10,9 @@ $TTL 300 ; 5 minutes - ns A 10.53.0.2 - sld NS ns.sld - ns.sld A 10.53.0.1 -+local NS ns.local -+ns.local A 10.53.0.9 -+sibling NS ns.sibling -+ns.sibling A 10.53.0.4 -+sibling NS ns.sub.local -+ns.sub.local A 10.53.0.10 -diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in -index 855b4bfb82..85349aa97e 100644 ---- a/bin/tests/system/forward/ns4/named.conf.in -+++ b/bin/tests/system/forward/ns4/named.conf.in -@@ -60,3 +60,8 @@ zone "malicious." { - type primary; - file "malicious.db"; - }; -+ -+zone "sibling.tld" { -+ type primary; -+ file "sibling.tld.db"; -+}; -diff --git a/bin/tests/system/forward/ns4/sibling.tld.db b/bin/tests/system/forward/ns4/sibling.tld.db -new file mode 100644 -index 0000000000..fe080ae974 ---- /dev/null -+++ b/bin/tests/system/forward/ns4/sibling.tld.db -@@ -0,0 +1,22 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+@ IN SOA malicious. admin.malicious. ( -+ 1 ; Serial -+ 604800 ; Refresh -+ 86400 ; Retry -+ 2419200 ; Expire -+ 86400 ) ; Negative Cache TTL -+ -+@ IN NS ns -+ -+ns IN A 10.53.0.4 -diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in -index 531ff59ece..f752eae885 100644 ---- a/bin/tests/system/forward/ns8/named.conf.in -+++ b/bin/tests/system/forward/ns8/named.conf.in -@@ -26,3 +26,8 @@ zone "." { - type hint; - file "root.db"; - }; -+ -+zone "sub.local.tld" { -+ type primary; -+ file "sub.local.tld.db"; -+}; -diff --git a/bin/tests/system/forward/ns8/sub.local.tld.db b/bin/tests/system/forward/ns8/sub.local.tld.db -new file mode 100644 -index 0000000000..f2234c754e ---- /dev/null -+++ b/bin/tests/system/forward/ns8/sub.local.tld.db -@@ -0,0 +1,15 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 -+sub.local.tld. 3600 IN NS ns.sub.local.tld. -+sub.local.tld. 3600 IN TXT good -+ns.sub.local.tld. 3600 IN A 10.53.0.8 -diff --git a/bin/tests/system/forward/ns9/local.net.db b/bin/tests/system/forward/ns9/local.net.db -new file mode 100644 -index 0000000000..af0d2a5a67 ---- /dev/null -+++ b/bin/tests/system/forward/ns9/local.net.db -@@ -0,0 +1,16 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+local.net. 3600 IN SOA . . 0 0 0 0 0 -+local.net. 3600 IN NS localhost. -+ns.local.net. 3600 IN A 10.53.0.9 -+txt.local.net. 3600 IN TXT "something in the local auth zone" -+sub.local.net. 3600 IN NS ns.spoofed.net. ; attacker will try to override this -diff --git a/bin/tests/system/forward/ns9/local.tld.db b/bin/tests/system/forward/ns9/local.tld.db -new file mode 100644 -index 0000000000..876a9139da ---- /dev/null -+++ b/bin/tests/system/forward/ns9/local.tld.db -@@ -0,0 +1,15 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+local.tld. 3600 IN SOA . . 0 0 0 0 0 -+local.tld. 3600 IN NS localhost. -+sub.local.tld. 3600 IN NS ns.sub.local.tld. -+ns.sub.local.tld. 3600 IN A 10.53.0.8 -diff --git a/bin/tests/system/forward/ns9/named1.conf.in b/bin/tests/system/forward/ns9/named1.conf.in -new file mode 100644 -index 0000000000..be9a43842f ---- /dev/null -+++ b/bin/tests/system/forward/ns9/named1.conf.in -@@ -0,0 +1,67 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * SPDX-License-Identifier: MPL-2.0 -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, you can obtain one at https://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+options { -+ query-source address 10.53.0.9; -+ notify-source 10.53.0.9; -+ transfer-source 10.53.0.9; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.9; }; -+ listen-on-v6 { none; }; -+ dnssec-validation no; -+ edns-udp-size 1232; -+}; -+ -+key rndc_key { -+ secret "1234abcd8765"; -+ algorithm hmac-sha256; -+}; -+ -+controls { -+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -+}; -+ -+server 10.53.0.10 { -+ edns no; -+}; -+ -+server 10.53.0.11 { -+ edns no; -+}; -+ -+zone "." { -+ type hint; -+ file "root.db"; -+}; -+ -+zone "attacksecuredomain.net." { -+ type forward; -+ forwarders { 10.53.0.10; }; -+}; -+ -+zone "attacksecuredomain.net2." { -+ type forward; -+ forwarders { 10.53.0.10; }; -+}; -+ -+zone "attacksecuredomain.net3." { -+ type forward; -+ forwarders { 10.53.0.11; }; -+}; -+ -+zone "local.net." { -+ type primary; -+ file "local.net.db"; -+ forwarders {}; -+}; -diff --git a/bin/tests/system/forward/ns9/named2.conf.in b/bin/tests/system/forward/ns9/named2.conf.in -new file mode 100644 -index 0000000000..2c40b42a0c ---- /dev/null -+++ b/bin/tests/system/forward/ns9/named2.conf.in -@@ -0,0 +1,70 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * SPDX-License-Identifier: MPL-2.0 -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, you can obtain one at https://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+options { -+ query-source address 10.53.0.9; -+ notify-source 10.53.0.9; -+ transfer-source 10.53.0.9; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.9; }; -+ listen-on-v6 { none; }; -+ dnssec-validation no; -+ edns-udp-size 1232; -+}; -+ -+key rndc_key { -+ secret "1234abcd8765"; -+ algorithm hmac-sha256; -+}; -+ -+controls { -+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -+}; -+ -+server 10.53.0.10 { -+ edns no; -+}; -+ -+server 10.53.0.11 { -+ edns no; -+}; -+ -+zone "." { -+ type hint; -+ file "root.db"; -+}; -+ -+zone "attacksecuredomain.net." { -+ type forward; -+ forward only; -+ forwarders { 10.53.0.10; }; -+}; -+ -+zone "attacksecuredomain.net2." { -+ type forward; -+ forward only; -+ forwarders { 10.53.0.10; }; -+}; -+ -+zone "attacksecuredomain.net3." { -+ type forward; -+ forward only; -+ forwarders { 10.53.0.11; }; -+}; -+ -+zone "local.net." { -+ type primary; -+ file "local.net.db"; -+ forwarders {}; -+}; -diff --git a/bin/tests/system/forward/ns9/named3.conf.in b/bin/tests/system/forward/ns9/named3.conf.in -new file mode 100644 -index 0000000000..576f57c10b ---- /dev/null -+++ b/bin/tests/system/forward/ns9/named3.conf.in -@@ -0,0 +1,50 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * SPDX-License-Identifier: MPL-2.0 -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, you can obtain one at https://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+options { -+ query-source address 10.53.0.9; -+ notify-source 10.53.0.9; -+ transfer-source 10.53.0.9; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.9; }; -+ listen-on-v6 { none; }; -+ dnssec-validation no; -+ edns-udp-size 1232; -+ forward only; -+ forwarders { 10.53.0.10; }; -+}; -+ -+key rndc_key { -+ secret "1234abcd8765"; -+ algorithm hmac-sha256; -+}; -+ -+controls { -+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -+}; -+ -+server 10.53.0.10 { -+ edns no; -+}; -+ -+zone "." { -+ type hint; -+ file "root.db"; -+}; -+ -+zone "local.net." { -+ type primary; -+ file "local.net.db"; -+ forwarders {}; -+}; -diff --git a/bin/tests/system/forward/ns9/named4.conf.in b/bin/tests/system/forward/ns9/named4.conf.in -new file mode 100644 -index 0000000000..5cd7d84109 ---- /dev/null -+++ b/bin/tests/system/forward/ns9/named4.conf.in -@@ -0,0 +1,47 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * SPDX-License-Identifier: MPL-2.0 -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, you can obtain one at https://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+options { -+ query-source address 10.53.0.9; -+ notify-source 10.53.0.9; -+ transfer-source 10.53.0.9; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.9; }; -+ listen-on-v6 { none; }; -+ dnssec-validation no; -+ edns-udp-size 1232; -+}; -+ -+key rndc_key { -+ secret "1234abcd8765"; -+ algorithm hmac-sha256; -+}; -+ -+controls { -+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -+}; -+ -+server 10.53.0.10 { -+ edns no; -+}; -+ -+zone "." { -+ type hint; -+ file "root.db"; -+}; -+ -+zone "local.tld." { -+ type primary; -+ file "local.tld.db"; -+}; -diff --git a/bin/tests/system/forward/ns9/root.db b/bin/tests/system/forward/ns9/root.db -new file mode 100644 -index 0000000000..2cbdff5977 ---- /dev/null -+++ b/bin/tests/system/forward/ns9/root.db -@@ -0,0 +1,13 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+. NS a.root-servers.nil. -+a.root-servers.nil. A 10.53.0.1 -diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh -index 21cf67b782..a56dd3c03f 100644 ---- a/bin/tests/system/forward/setup.sh -+++ b/bin/tests/system/forward/setup.sh -@@ -19,6 +19,8 @@ copy_setports ns4/named.conf.in ns4/named.conf - copy_setports ns5/named.conf.in ns5/named.conf - copy_setports ns7/named.conf.in ns7/named.conf - copy_setports ns8/named.conf.in ns8/named.conf -+copy_setports ns9/named1.conf.in ns9/named.conf -+copy_setports ns10/named.conf.in ns10/named.conf - - ( - cd ns1 -diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh -index 6096b06ca7..dfbaf887f7 100644 ---- a/bin/tests/system/forward/tests.sh -+++ b/bin/tests/system/forward/tests.sh -@@ -253,5 +253,127 @@ grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - -+# -+# Check various spoofed response scenarios. The same tests will be -+# run twice, with "forward first" and "forward only" configurations. -+# -+run_spooftests () { -+ n=$((n+1)) -+ echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" -+ ret=0 -+ # prime -+ dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 -+ # check 'net' is not poisoned. -+ dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 -+ grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1 -+ # check 'sub.local.net' is not poisoned. -+ dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 -+ grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1 -+ if [ $ret != 0 ]; then echo_i "failed"; fi -+ status=$((status+ret)) -+ -+ n=$((n+1)) -+ echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" -+ ret=0 -+ # prime -+ dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 -+ # check that net2/DNAME is not cached -+ dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 -+ grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1 -+ grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1 -+ if [ $ret != 0 ]; then echo_i "failed"; fi -+ status=$((status+ret)) -+ -+ n=$((n+1)) -+ echo_i "checking spoofed response scenario 3 - extra answer ($n)" -+ ret=0 -+ # prime -+ dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1 -+ # check extra net3 records are not cached -+ rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i -+ for try in 1 2 3 4 5; do -+ lines=$(grep "net3" ns9/named_dump.db | wc -l) -+ if [ ${lines} -eq 0 ]; then -+ sleep 1 -+ continue -+ fi -+ [ ${lines} -eq 1 ] || ret=1 -+ grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 -+ grep -q '^local.net3' ns9/named_dump.db && ret=1 -+ done -+ if [ $ret != 0 ]; then echo_i "failed"; fi -+ status=$((status+ret)) -+} -+ -+echo_i "checking spoofed response scenarios with forward first zones" -+run_spooftests -+ -+copy_setports ns9/named2.conf.in ns9/named.conf -+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i -+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i -+sleep 1 -+ -+echo_i "rechecking spoofed response scenarios with forward only zones" -+run_spooftests -+ -+# -+# This scenario expects the spoofed response to succeed. The tests are -+# similar to the ones above, but not identical. -+# -+echo_i "rechecking spoofed response scenarios with 'forward only' set globally" -+copy_setports ns9/named3.conf.in ns9/named.conf -+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i -+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i -+sleep 1 -+ -+n=$((n+1)) -+echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" -+ret=0 -+# prime -+dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 -+# check 'net' is poisoned. -+dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 -+grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1 -+# check 'sub.local.net' is poisoned. -+dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 -+grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1 -+if [ $ret != 0 ]; then echo_i "failed"; fi -+status=$((status+ret)) -+ -+n=$((n+1)) -+echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" -+ret=0 -+# prime -+dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 -+# check that net2/DNAME is cached -+dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 -+grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1 -+grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1 -+if [ $ret != 0 ]; then echo_i "failed"; fi -+status=$((status+ret)) -+ -+# -+# This test doesn't use any forwarder clauses but is here because it -+# is similar to forwarders, as the set of servers that can populate -+# the namespace is defined by the zone content. -+# -+echo_i "rechecking spoofed response scenarios glue below local zone" -+copy_setports ns9/named4.conf.in ns9/named.conf -+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i -+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i -+sleep 1 -+ -+n=$((n+1)) -+echo_i "checking sibling glue below zone ($n)" -+ret=0 -+# prime -+dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1 -+# check for glue A record for sub.local.tld is not used -+dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1 -+grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1 -+grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1 -+if [ $ret != 0 ]; then echo_i "failed"; fi -+status=$((status+ret)) -+ - echo_i "exit status: $status" - [ $status -eq 0 ] || exit 1 -diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh -index e078f3313b..2a4d955caf 100755 ---- a/bin/tests/system/ifconfig.sh -+++ b/bin/tests/system/ifconfig.sh -@@ -12,10 +12,10 @@ - # - # Set up interface aliases for bind9 system tests. - # --# IPv4: 10.53.0.{1..10} RFC 1918 -+# IPv4: 10.53.0.{1..11} RFC 1918 - # 10.53.1.{1..2} - # 10.53.2.{1..2} --# IPv6: fd92:7065:b8e:ffff::{1..10} ULA -+# IPv6: fd92:7065:b8e:ffff::{1..11} ULA - # fd92:7065:b8e:99ff::{1..2} - # fd92:7065:b8e:ff::{1..2} - # -@@ -55,7 +55,7 @@ case "$1" in - 2) ipv6="00" ;; - *) ipv6="" ;; - esac -- for ns in 1 2 3 4 5 6 7 8 9 10 -+ for ns in 1 2 3 4 5 6 7 8 9 10 11 - do - [ $i -gt 0 -a $ns -gt 2 ] && break - int=`expr $i \* 10 + $ns` -@@ -160,7 +160,7 @@ case "$1" in - 2) ipv6="00" ;; - *) ipv6="" ;; - esac -- for ns in 10 9 8 7 6 5 4 3 2 1 -+ for ns in 11 10 9 8 7 6 5 4 3 2 1 - do - [ $i -gt 0 -a $ns -gt 2 ] && continue - int=`expr $i \* 10 + $ns - 1` --- -2.34.1 - diff --git a/bind-9.16-CVE-2021-25220.patch b/bind-9.16-CVE-2021-25220.patch deleted file mode 100644 index de75ab8..0000000 --- a/bind-9.16-CVE-2021-25220.patch +++ /dev/null @@ -1,251 +0,0 @@ -From 5b2798e01346cd77741873091babf6c4a3128449 Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Wed, 19 Jan 2022 17:38:18 +1100 -Subject: [PATCH] Add additional name checks when using a forwarder - -When using a forwarder, check that the owner name of response -records are within the bailiwick of the forwarded name space. - -(cherry picked from commit 24155213be59faad17f0215ecf73ea49ab781e5b) - -Check that the forward declaration is unchanged and not overridden - -If we are using a fowarder, in addition to checking that names to -be cached are subdomains of the forwarded namespace, we must also -check that there are no subsidiary forwarded namespaces which would -take precedence. To be safe, we don't cache any responses if the -forwarding configuration has changed since the query was sent. - -(cherry picked from commit 3fc7accd88cd0890f8f57bb13765876774298ba3) - -Check cached names for possible "forward only" clause - -When caching additional and glue data *not* from a forwarder, we must -check that there is no "forward only" clause covering the owner name -that would take precedence. Such names would normally be allowed by -baliwick rules, but a "forward only" zone introduces a new baliwick -scope. - -(cherry picked from commit ea06552a3d1fed56f7d3a13710e084ec79797b78) - -Look for zones deeper than the current domain or forward name - -When caching glue, we need to ensure that there is no closer -source of truth for the name. If the owner name for the glue -record would be answered by a locally configured zone, do not -cache. - -(cherry picked from commit 71b24210542730355149130770deea3e58d8527a) ---- - lib/dns/resolver.c | 128 +++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 123 insertions(+), 5 deletions(-) - -diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index a7bc661bb7..7603a07b7b 100644 ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -63,6 +63,8 @@ - #include - #include - #include -+#include -+ - #ifdef WANT_QUERYTRACE - #define RTRACE(m) \ - isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, \ -@@ -337,6 +339,8 @@ struct fetchctx { - dns_fetch_t *qminfetch; - dns_rdataset_t qminrrset; - dns_name_t qmindcname; -+ dns_fixedname_t fwdfname; -+ dns_name_t *fwdname; - - /*% - * The number of events we're waiting for. -@@ -3764,6 +3768,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { - if (result == ISC_R_SUCCESS) { - fwd = ISC_LIST_HEAD(forwarders->fwdrs); - fctx->fwdpolicy = forwarders->fwdpolicy; -+ dns_name_copynf(domain, fctx->fwdname); - if (fctx->fwdpolicy == dns_fwdpolicy_only && - isstrictsubdomain(domain, &fctx->domain)) - { -@@ -5153,6 +5158,9 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type, - fctx->restarts = 0; - fctx->querysent = 0; - fctx->referrals = 0; -+ -+ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname); -+ - TIME_NOW(&fctx->start); - fctx->timeouts = 0; - fctx->lamecount = 0; -@@ -5215,6 +5223,7 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type, - fname, &forwarders); - if (result == ISC_R_SUCCESS) { - fctx->fwdpolicy = forwarders->fwdpolicy; -+ dns_name_copynf(fname, fctx->fwdname); - } - - if (fctx->fwdpolicy != dns_fwdpolicy_only) { -@@ -7118,6 +7127,107 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external, - } - } - -+/* -+ * Returns true if 'name' is external to the namespace for which -+ * the server being queried can answer, either because it's not a -+ * subdomain or because it's below a forward declaration or a -+ * locally served zone. -+ */ -+static inline bool -+name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) { -+ isc_result_t result; -+ dns_forwarders_t *forwarders = NULL; -+ dns_fixedname_t fixed, zfixed; -+ dns_name_t *fname = dns_fixedname_initname(&fixed); -+ dns_name_t *zfname = dns_fixedname_initname(&zfixed); -+ dns_name_t *apex = NULL; -+ dns_name_t suffix; -+ dns_zone_t *zone = NULL; -+ unsigned int labels; -+ dns_namereln_t rel; -+ -+ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain; -+ -+ /* -+ * The name is outside the queried namespace. -+ */ -+ rel = dns_name_fullcompare(name, apex, &(int){ 0 }, -+ &(unsigned int){ 0U }); -+ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) { -+ return (true); -+ } -+ -+ /* -+ * If the record lives in the parent zone, adjust the name so we -+ * look for the correct zone or forward clause. -+ */ -+ labels = dns_name_countlabels(name); -+ if (dns_rdatatype_atparent(type) && labels > 1U) { -+ dns_name_init(&suffix, NULL); -+ dns_name_getlabelsequence(name, 1, labels - 1, &suffix); -+ name = &suffix; -+ } else if (rel == dns_namereln_equal) { -+ /* If 'name' is 'apex', no further checking is needed. */ -+ return (false); -+ } -+ -+ /* -+ * If there is a locally served zone between 'apex' and 'name' -+ * then don't cache. -+ */ -+ LOCK(&fctx->res->view->lock); -+ if (fctx->res->view->zonetable != NULL) { -+ unsigned int options = DNS_ZTFIND_NOEXACT | DNS_ZTFIND_MIRROR; -+ result = dns_zt_find(fctx->res->view->zonetable, name, options, -+ zfname, &zone); -+ if (zone != NULL) { -+ dns_zone_detach(&zone); -+ } -+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { -+ if (dns_name_fullcompare(zfname, apex, &(int){ 0 }, -+ &(unsigned int){ 0U }) == -+ dns_namereln_subdomain) -+ { -+ UNLOCK(&fctx->res->view->lock); -+ return (true); -+ } -+ } -+ } -+ UNLOCK(&fctx->res->view->lock); -+ -+ /* -+ * Look for a forward declaration below 'name'. -+ */ -+ result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname, -+ &forwarders); -+ -+ if (ISFORWARDER(fctx->addrinfo)) { -+ /* -+ * See if the forwarder declaration is better. -+ */ -+ if (result == ISC_R_SUCCESS) { -+ return (!dns_name_equal(fname, fctx->fwdname)); -+ } -+ -+ /* -+ * If the lookup failed, the configuration must have -+ * changed: play it safe and don't cache. -+ */ -+ return (true); -+ } else if (result == ISC_R_SUCCESS && -+ forwarders->fwdpolicy == dns_fwdpolicy_only && -+ !ISC_LIST_EMPTY(forwarders->fwdrs)) -+ { -+ /* -+ * If 'name' is covered by a 'forward only' clause then we -+ * can't cache this repsonse. -+ */ -+ return (true); -+ } -+ -+ return (false); -+} -+ - static isc_result_t - check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type, - dns_section_t section) { -@@ -7144,7 +7254,7 @@ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type, - result = dns_message_findname(rctx->query->rmessage, section, addname, - dns_rdatatype_any, 0, &name, NULL); - if (result == ISC_R_SUCCESS) { -- external = !dns_name_issubdomain(name, &fctx->domain); -+ external = name_external(name, type, fctx); - if (type == dns_rdatatype_a) { - for (rdataset = ISC_LIST_HEAD(name->list); - rdataset != NULL; -@@ -8768,6 +8878,13 @@ rctx_answer_scan(respctx_t *rctx) { - break; - - case dns_namereln_subdomain: -+ /* -+ * Don't accept DNAME from parent namespace. -+ */ -+ if (name_external(name, dns_rdatatype_dname, fctx)) { -+ continue; -+ } -+ - /* - * In-scope DNAME records must have at least - * as many labels as the domain being queried. -@@ -9081,13 +9198,11 @@ rctx_authority_positive(respctx_t *rctx) { - DNS_SECTION_AUTHORITY); - while (!done && result == ISC_R_SUCCESS) { - dns_name_t *name = NULL; -- bool external; - - dns_message_currentname(rctx->query->rmessage, - DNS_SECTION_AUTHORITY, &name); -- external = !dns_name_issubdomain(name, &fctx->domain); - -- if (!external) { -+ if (!name_external(name, dns_rdatatype_ns, fctx)) { - dns_rdataset_t *rdataset = NULL; - - /* -@@ -9474,7 +9589,10 @@ rctx_authority_dnssec(respctx_t *rctx) { - } - - if (!dns_name_issubdomain(name, &fctx->domain)) { -- /* Invalid name found; preserve it for logging later */ -+ /* -+ * Invalid name found; preserve it for logging -+ * later. -+ */ - rctx->found_name = name; - rctx->found_type = ISC_LIST_HEAD(name->list)->type; - continue; --- -2.34.1 - diff --git a/bind-9.16-CVE-2022-0396.patch b/bind-9.16-CVE-2022-0396.patch deleted file mode 100644 index 5a374f1..0000000 --- a/bind-9.16-CVE-2022-0396.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 33064cd077cf6fa386f0a5a840c2161868da7b3a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= -Date: Tue, 8 Feb 2022 12:42:34 +0100 -Subject: [PATCH] Run .closehandle_cb asynchrounosly in nmhandle_detach_cb() - -When sock->closehandle_cb is set, we need to run nmhandle_detach_cb() -asynchronously to ensure correct order of multiple packets processing in -the isc__nm_process_sock_buffer(). When not run asynchronously, it -would cause: - - a) out-of-order processing of the return codes from processbuffer(); - - b) stack growth because the next TCP DNS message read callback will - be called from within the current TCP DNS message read callback. - -The sock->closehandle_cb is set to isc__nm_resume_processing() for TCP -sockets which calls isc__nm_process_sock_buffer(). If the read callback -(called from isc__nm_process_sock_buffer()->processbuffer()) doesn't -attach to the nmhandle (f.e. because it wants to drop the processing or -we send the response directly via uv_try_write()), the -isc__nm_resume_processing() (via .closehandle_cb) would call -isc__nm_process_sock_buffer() recursively. - -The below shortened code path shows how the stack can grow: - - 1: ns__client_request(handle, ...); - 2: isc_nm_tcpdns_sequential(handle); - 3: ns_query_start(client, handle); - 4: query_lookup(qctx); - 5: query_send(qctcx->client); - 6: isc__nmhandle_detach(&client->reqhandle); - 7: nmhandle_detach_cb(&handle); - 8: sock->closehandle_cb(sock); // isc__nm_resume_processing - 9: isc__nm_process_sock_buffer(sock); -10: processbuffer(sock); // isc__nm_tcpdns_processbuffer -11: isc_nmhandle_attach(req->handle, &handle); -12: isc__nm_readcb(sock, req, ISC_R_SUCCESS); -13: isc__nm_async_readcb(NULL, ...); -14: uvreq->cb.recv(...); // ns__client_request - -Instead, if 'sock->closehandle_cb' is set, we need to run detach the -handle asynchroniously in 'isc__nmhandle_detach', so that on line 8 in -the code flow above does not start this recursion. This ensures the -correct order when processing multiple packets in the function -'isc__nm_process_sock_buffer()' and prevents the stack growth. - -When not run asynchronously, the out-of-order processing leaves the -first TCP socket open until all requests on the stream have been -processed. - -If the pipelining is disabled on the TCP via `keep-response-order` -configuration option, named would keep the first socket in lingering -CLOSE_WAIT state when the client sends an incomplete packet and then -closes the connection from the client side. - -(cherry picked from commit afee2b5a7bc933a2d987907fc327a9f118fdbd17) ---- - lib/isc/netmgr/netmgr.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c -index 3283eb6e4f..0ed3182fb6 100644 ---- a/lib/isc/netmgr/netmgr.c -+++ b/lib/isc/netmgr/netmgr.c -@@ -1746,8 +1746,12 @@ isc__nmhandle_detach(isc_nmhandle_t **handlep FLARG) { - handle = *handlep; - *handlep = NULL; - -+ /* -+ * If the closehandle_cb is set, it needs to run asynchronously to -+ * ensure correct ordering of the isc__nm_process_sock_buffer(). -+ */ - sock = handle->sock; -- if (sock->tid == isc_nm_tid()) { -+ if (sock->tid == isc_nm_tid() && sock->closehandle_cb == NULL) { - nmhandle_detach_cb(&handle FLARG_PASS); - } else { - isc__netievent_detach_t *event = --- -2.34.1 - diff --git a/bind-9.16-CVE-2022-2795.patch b/bind-9.16-CVE-2022-2795.patch deleted file mode 100644 index b67c8e9..0000000 --- a/bind-9.16-CVE-2022-2795.patch +++ /dev/null @@ -1,60 +0,0 @@ -From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= -Date: Thu, 8 Sep 2022 11:11:30 +0200 -Subject: [PATCH] Bound the amount of work performed for delegations - -Limit the amount of database lookups that can be triggered in -fctx_getaddresses() (i.e. when determining the name server addresses to -query next) by setting a hard limit on the number of NS RRs processed -for any delegation encountered. Without any limit in place, named can -be forced to perform large amounts of database lookups per each query -received, which severely impacts resolver performance. - -The limit used (20) is an arbitrary value that is considered to be big -enough for any sane DNS delegation. - -(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a) ---- - lib/dns/resolver.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index d2cf14bbc8..73a0ee9f77 100644 ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -195,6 +195,12 @@ - */ - #define NS_FAIL_LIMIT 4 - #define NS_RR_LIMIT 5 -+/* -+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in -+ * any NS RRset encountered, to avoid excessive resource use while processing -+ * large delegations. -+ */ -+#define NS_PROCESSING_LIMIT 20 - - /* Number of hash buckets for zone counters */ - #ifndef RES_DOMAIN_BUCKETS -@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { - bool need_alternate = false; - bool all_spilled = true; - unsigned int no_addresses = 0; -+ unsigned int ns_processed = 0; - - FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); - -@@ -3902,6 +3909,11 @@ normal_nses: - - dns_rdata_reset(&rdata); - dns_rdata_freestruct(&ns); -+ -+ if (++ns_processed >= NS_PROCESSING_LIMIT) { -+ result = ISC_R_NOMORE; -+ break; -+ } - } - if (result != ISC_R_NOMORE) { - return (result); --- -2.37.3 - diff --git a/bind-9.16-CVE-2022-3080.patch b/bind-9.16-CVE-2022-3080.patch deleted file mode 100644 index 998ddf4..0000000 --- a/bind-9.16-CVE-2022-3080.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 3bcd32572504ac9b92e3c6ec1e2cee3df3b68309 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Tue, 20 Sep 2022 11:34:42 +0200 -Subject: [PATCH 2/4] Fix CVE-2022-3080 - -5960. [security] Fix serve-stale crash that could happen when - stale-answer-client-timeout was set to 0 and there was - a stale CNAME in the cache for an incoming query. - (CVE-2022-3080) [GL #3517] ---- - lib/ns/include/ns/query.h | 1 + - lib/ns/query.c | 42 ++++++++++++++++++++++++--------------- - 2 files changed, 27 insertions(+), 16 deletions(-) - -diff --git a/lib/ns/include/ns/query.h b/lib/ns/include/ns/query.h -index 4d48cf6..34b3070 100644 ---- a/lib/ns/include/ns/query.h -+++ b/lib/ns/include/ns/query.h -@@ -145,6 +145,7 @@ struct query_ctx { - bool authoritative; /* authoritative query? */ - bool want_restart; /* CNAME chain or other - * restart needed */ -+ bool refresh_rrset; /* stale RRset refresh needed */ - bool need_wildcardproof; /* wildcard proof needed */ - bool nxrewrite; /* negative answer from RPZ */ - bool findcoveringnsec; /* lookup covering NSEC */ -diff --git a/lib/ns/query.c b/lib/ns/query.c -index 249321c..a450cb7 100644 ---- a/lib/ns/query.c -+++ b/lib/ns/query.c -@@ -5686,7 +5686,6 @@ query_lookup(query_ctx_t *qctx) { - bool dbfind_stale = false; - bool stale_timeout = false; - bool stale_found = false; -- bool refresh_rrset = false; - bool stale_refresh_window = false; - - CCTRACE(ISC_LOG_DEBUG(3), "query_lookup"); -@@ -5868,8 +5867,7 @@ query_lookup(query_ctx_t *qctx) { - "%s stale answer used, an attempt to " - "refresh the RRset will still be made", - namebuf); -- refresh_rrset = STALE(qctx->rdataset); -- qctx->client->nodetach = refresh_rrset; -+ qctx->refresh_rrset = STALE(qctx->rdataset); - } - } else { - /* -@@ -5907,17 +5905,6 @@ query_lookup(query_ctx_t *qctx) { - - result = query_gotanswer(qctx, result); - -- if (refresh_rrset) { -- /* -- * If we reached this point then it means that we have found a -- * stale RRset entry in cache and BIND is configured to allow -- * queries to be answered with stale data if no active RRset -- * is available, i.e. "stale-anwer-client-timeout 0". But, we -- * still need to refresh the RRset. -- */ -- query_refresh_rrset(qctx); -- } -- - cleanup: - return (result); - } -@@ -7737,11 +7724,14 @@ query_addanswer(query_ctx_t *qctx) { - - /* - * On normal lookups, clear any rdatasets that were added on a -- * lookup due to stale-answer-client-timeout. -+ * lookup due to stale-answer-client-timeout. Do not clear if we -+ * are going to refresh the RRset, because the stale contents are -+ * prioritized. - */ - if (QUERY_STALEOK(&qctx->client->query) && -- !QUERY_STALETIMEOUT(&qctx->client->query)) -+ !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset) - { -+ CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale"); - query_clear_stale(qctx->client); - /* - * We can clear the attribute to prevent redundant clearing -@@ -11457,9 +11447,29 @@ ns_query_done(query_ctx_t *qctx) { - /* - * Client may have been detached after query_send(), so - * we test and store the flag state here, for safety. -+ * If we are refreshing the RRSet, we must not detach from the client -+ * in the query_send(), so we need to override the flag. - */ -+ if (qctx->refresh_rrset) { -+ qctx->client->nodetach = true; -+ } - nodetach = qctx->client->nodetach; - query_send(qctx->client); -+ -+ if (qctx->refresh_rrset) { -+ /* -+ * If we reached this point then it means that we have found a -+ * stale RRset entry in cache and BIND is configured to allow -+ * queries to be answered with stale data if no active RRset -+ * is available, i.e. "stale-anwer-client-timeout 0". But, we -+ * still need to refresh the RRset. To prevent adding duplicate -+ * RRsets, clear the RRsets from the message before doing the -+ * refresh. -+ */ -+ message_clearrdataset(qctx->client->message, 0); -+ query_refresh_rrset(qctx); -+ } -+ - if (!nodetach) { - qctx->detach_client = true; - } --- -2.37.3 - diff --git a/bind-9.16-CVE-2022-3094-1.patch b/bind-9.16-CVE-2022-3094-1.patch deleted file mode 100644 index 86fbf76..0000000 --- a/bind-9.16-CVE-2022-3094-1.patch +++ /dev/null @@ -1,240 +0,0 @@ -From 18036bb3f435eaa20d60093738c61e5da42a6cfe Mon Sep 17 00:00:00 2001 -From: Evan Hunt -Date: Thu, 1 Sep 2022 16:05:04 -0700 -Subject: [PATCH] add an update quota - -limit the number of simultaneous DNS UPDATE events that can be -processed by adding a quota for update and update forwarding. -this quota currently, arbitrarily, defaults to 100. - -also add a statistics counter to record when the update quota -has been exceeded. - -(cherry picked from commit 7c47254a140c3e9cf383cda73c7b6a55c4782826) ---- - bin/named/bind9.xsl | 4 +++- - bin/named/bind9.xsl.h | 6 +++++- - bin/named/statschannel.c | 5 +++-- - doc/arm/reference.rst | 5 +++++ - lib/ns/include/ns/server.h | 1 + - lib/ns/include/ns/stats.h | 4 +++- - lib/ns/server.c | 2 ++ - lib/ns/update.c | 37 ++++++++++++++++++++++++++++++++++++- - 8 files changed, 58 insertions(+), 6 deletions(-) - -diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl -index 5078115..194625b 100644 ---- a/bin/named/bind9.xsl -+++ b/bin/named/bind9.xsl -@@ -12,7 +12,9 @@ - - - -- -+ -+ -+ - - - -diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h -index e30f7f5..b182742 100644 ---- a/bin/named/bind9.xsl.h -+++ b/bin/named/bind9.xsl.h -@@ -20,7 +20,11 @@ static char xslmsg[] = - "\n" - " \n" -- " \n" -+ " \n" -+ " \n" -+ " \n" - " \n" - " \n" - "