Add tests for forwarder cache poisoning scenarios

- Check that an NS in an authority section returned from a forwarder which is above the name in a configured "forward first" or "forward only" zone (i.e., net/NS in a response from a forwarder configured for local.net) is not cached. - Test that a DNAME for a parent domain will not be cached when sent in a response from a forwarder configured to answer for a child. - Check that glue is rejected if its name falls below that of zone configured locally. - Check that an extra out-of-bailiwick data in the answer section is not cached (this was already working correctly, but was not explicitly tested before). Related: CVE-2021-25220
2022-04-11 18:07:08 +02:00 · 2022-04-11 18:07:08 +02:00 · 4cefc72f11
parent 68bb3ef214
commit 4cefc72f11
2 changed files with 1147 additions and 0 deletions
--- a/bind-9.16-CVE-2021-25220-test.patch
+++ b/bind-9.16-CVE-2021-25220-test.patch
--- a/bind.spec
+++ b/bind.spec
@ -104,6 +104,7 @@ Patch171:bind-9.11-tests-variants.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5987
 Patch172:bind-9.16-CVE-2022-0396.patch
 Patch173:bind-9.16-CVE-2021-25220.patch
+Patch174:bind-9.16-CVE-2021-25220-test.patch

 %{?systemd_ordering}
 Requires:       coreutils
@ -406,6 +407,7 @@ in HTML and PDF format.
 %patch171 -p1 -b .test-variant
 %patch172 -p1 -b .CVE-2022-0396
 %patch173 -p1 -b .CVE-2021-25220
+%patch174 -p1 -b .CVE-2021-25220-test

 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@ -1130,6 +1132,7 @@ fi;
 %changelog
 * Mon Apr 11 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-3
 - Tighten cache protection against record from forwarders (CVE-2021-25220)
+- Include test of forwarders

 * Fri Mar 25 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-2
 - TCP connections with 'keep-response-order' are properly close in all cases