Add tests for forwarder cache poisoning scenarios

- Check that an NS in an authority section returned from a forwarder
  which is above the name in a configured "forward first" or "forward
  only" zone (i.e., net/NS in a response from a forwarder configured for
  local.net) is not cached.
- Test that a DNAME for a parent domain will not be cached when sent
  in a response from a forwarder configured to answer for a child.
- Check that glue is rejected if its name falls below that of a zone
  configured locally.
- Check that extra out-of-bailiwick data in the answer section is
  not cached (this was already working correctly, but was not explicitly
  tested before).

Related: CVE-2021-25220
Petr Menšík 2022-04-11 18:07:08 +02:00
parent 68bb3ef214
commit 4cefc72f11
2 changed files with 1147 additions and 0 deletions
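The rules the new tests exercise (no parent NS or DNAME, no out-of-zone answers, no glue under a locally served zone from a forwarder's response) as an added, self-contained example; this is illustrative code, not BIND's implementation or the test patch, and all zone names and records below are constructed.

```python
# Added example: a minimal bailiwick filter for data received from a forwarder.
# A forwarder configured for zone Z may only populate the cache with records
# at or below Z, and glue may not land inside a zone that is served locally.
# Hypothetical names/records; nothing here is taken from the BIND test patch.

def _labels(name):
    """Normalise case and the trailing dot, then split into labels."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_at_or_below(name, zone):
    """True when `name` equals `zone` or lies underneath it."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def filter_forwarder_response(records, forward_zone, local_zones):
    """Split (section, owner, rtype, rdata) tuples into (cacheable, rejected).

    Every record must be at or below the forward zone: this rejects a parent
    NS in the authority section, a parent DNAME, and unrelated answer data.
    Additional-section glue is further rejected when its owner falls inside a
    locally configured zone, which must not be overridden by a forwarder.
    """
    cacheable, rejected = [], []
    for rec in records:
        section, owner, _rtype, _rdata = rec
        ok = is_at_or_below(owner, forward_zone)
        if ok and section == "additional":
            ok = not any(is_at_or_below(owner, z) for z in local_zones)
        (cacheable if ok else rejected).append(rec)
    return cacheable, rejected

# Constructed scenario: forwarder for local.net., with auth.local.net. served locally.
FORWARD_ZONE = "local.net."
LOCAL_ZONES = ["auth.local.net."]
SAMPLE_RESPONSE = [
    ("answer",     "www.local.net.",      "A",     "192.0.2.10"),        # keep
    ("authority",  "net.",                "NS",    "ns.other.example."), # parent NS
    ("answer",     "net.",                "DNAME", "other.example."),    # parent DNAME
    ("answer",     "example.com.",        "A",     "192.0.2.99"),        # out of bailiwick
    ("additional", "ns1.auth.local.net.", "A",     "192.0.2.53"),        # glue under local zone
    ("additional", "ns1.local.net.",      "A",     "192.0.2.54"),        # keep
]

if __name__ == "__main__":
    kept, dropped = filter_forwarder_response(SAMPLE_RESPONSE, FORWARD_ZONE, LOCAL_ZONES)
    for rec in dropped:
        print("rejected:", rec)
    for rec in kept:
        print("cached:  ", rec)
```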

@ -104,6 +104,7 @@ Patch171:bind-9.11-tests-variants.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5987
Patch172:bind-9.16-CVE-2022-0396.patch
Patch173:bind-9.16-CVE-2021-25220.patch
Patch174:bind-9.16-CVE-2021-25220-test.patch
%{?systemd_ordering}
Requires: coreutils
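Review bot: the new `Patch174:bind-9.16-CVE-2021-25220-test.patch` line carries no provenance comment, unlike the `# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5987` comment that documents Patch172 just above it; a one-line comment naming where the test patch was taken from (upstream merge request or commit) would let the next maintainer verify and refresh it.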
@ -406,6 +407,7 @@ in HTML and PDF format.
%patch171 -p1 -b .test-variant
%patch172 -p1 -b .CVE-2022-0396
%patch173 -p1 -b .CVE-2021-25220
%patch174 -p1 -b .CVE-2021-25220-test
%if %{with PKCS11}
%patch135 -p1 -b .config-pkcs11
@ -1130,6 +1132,7 @@ fi;
%changelog
* Mon Apr 11 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-3
- Tighten cache protection against record from forwarders (CVE-2021-25220)
- Include test of forwarders
* Fri Mar 25 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-2
- TCP connections with 'keep-response-order' are properly close in all cases
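Review bot: the new changelog line `- Tighten cache protection against record from forwarders (CVE-2021-25220)` should read `records from forwarders`; the release bump to `32:9.16.23-3` above the previous `-2` entry is otherwise consistent with the added patches.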