mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 15:05:23 +00:00
Code Issues Releases Wiki Activity

Test adding ede with rpz cname override policy

Browse Source 
When the zone is configured with a CNAME override policy, the EDE code
is not added as expected. Add a test case based on the issue in GitLab
(#5342).

When the zone contains a wildcard CNAME, the EDE code is not added as
expected. Also add a test case for this.
This commit is contained in:
Matthijs Mekking
2025-07-25 15:18:23 +02:00
parent c613d87308
commit 4ef00f97d6
7 changed files with 71 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
bin/tests/system/rpz/ns3/evil-cname.db.in Normal file
View File

@@ -0,0 +1,21 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
; RPZ test
; This basic file is copied to several zone files before being used.
; Its contents are also changed with nsupdate
$TTL 300
@ SOA evil-cname. hostmaster.ns.evil-cname. ( 1 3600 1200 604800 60 )
NS ns.tld3.
evil.tld2 CNAME a12.tld2.

12
bin/tests/system/rpz/ns3/named.conf.in
View File

@@ -51,6 +51,8 @@ options {
zone "bl.tld2"; zone "bl.tld2";
zone "manual-update-rpz" ede forged; zone "manual-update-rpz" ede forged;
zone "mixed-case-rpz"; zone "mixed-case-rpz";
zone "evil-cname" policy cname a12.tld2. ede blocked;
zone "wild-cname" ede blocked;
} }
add-soa yes add-soa yes
min-ns-dots 0 min-ns-dots 0
@@ -150,6 +152,16 @@ zone "static-stub-nomatch." {
server-addresses { 10.53.0.10; }; server-addresses { 10.53.0.10; };
}; };
zone "evil-cname" {
type primary;
file "evil-cname.db";
};
zone "wild-cname" {
type primary;
file "wild-cname.db";
};
# A faulty dlz configuration to check if named with response policy zones # A faulty dlz configuration to check if named with response policy zones
# survives a certain class of failed configuration attempts (see GL #3880). # survives a certain class of failed configuration attempts (see GL #3880).
# "dlz" is used because the dlz processing code is located in an ideal place in # "dlz" is used because the dlz processing code is located in an ideal place in

21
bin/tests/system/rpz/ns3/wild-cname.db.in Normal file
View File

@@ -0,0 +1,21 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
; RPZ test
; This basic file is copied to several zone files before being used.
; Its contents are also changed with nsupdate
$TTL 300
@ SOA wild-cname. hostmaster.ns.wild-cname. ( 1 3600 1200 604800 60 )
NS ns.tld3.
*.evil.tld2 CNAME *.wc.tld4.

2
bin/tests/system/rpz/ns4/tld4.db
View File

@@ -64,3 +64,5 @@ a3-8.tld2 A 58.58.58.58
a3-9.sub9.tld2 A 59.59.59.59 a3-9.sub9.tld2 A 59.59.59.59
a3-10.tld2 A 60.60.60.60 a3-10.tld2 A 60.60.60.60
*.wc A 61.61.61.61

3
bin/tests/system/rpz/setup.sh
View File

@@ -44,6 +44,9 @@ done
cp ns3/manual-update-rpz.db.in ns3/manual-update-rpz.db cp ns3/manual-update-rpz.db.in ns3/manual-update-rpz.db
cp ns8/manual-update-rpz.db.in ns8/manual-update-rpz.db cp ns8/manual-update-rpz.db.in ns8/manual-update-rpz.db
cp ns3/evil-cname.db.in ns3/evil-cname.db
cp ns3/wild-cname.db.in ns3/wild-cname.db
cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db
# a zone that expires quickly and then can't be refreshed # a zone that expires quickly and then can't be refreshed

10
bin/tests/system/rpz/tests.sh
View File

@@ -687,6 +687,16 @@ echo_i "checking the configured extended DNS error code (EDE) (${t})"
$DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t || setret "failed" $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t || setret "failed"
grep -F "EDE: 4 (Forged Answer)" dig.out.$t >/dev/null || setret "failed" grep -F "EDE: 4 (Forged Answer)" dig.out.$t >/dev/null || setret "failed"
t=$((t + 1))
echo_i "checking the configured extended DNS error code, CNAME override (EDE) (${t})"
$DIG -p ${PORT} @$ns3 evil.tld2 >dig.out.$t || setret "failed"
grep -F "EDE: 15 (Blocked)" dig.out.$t >/dev/null || setret "failed"
t=$((t + 1))
echo_i "checking the configured extended DNS error code, wildcard CNAME override (EDE) (${t})"
$DIG -p ${PORT} @$ns3 foo.evil.tld2 >dig.out.$t || setret "failed"
grep -F "EDE: 15 (Blocked)" dig.out.$t >/dev/null || setret "failed"
# reload a RPZ zone that is now deliberately broken. # reload a RPZ zone that is now deliberately broken.
t=$((t + 1)) t=$((t + 1))
echo_i "checking rpz failed update will keep previous rpz rules (${t})" echo_i "checking rpz failed update will keep previous rpz rules (${t})"

2
bin/tests/system/rpz/tests_sh_rpz.py
View File

@@ -36,11 +36,13 @@ pytestmark = pytest.mark.extra_artifacts(
"ns3/bl-wildcname.db", "ns3/bl-wildcname.db",
"ns3/bl.db", "ns3/bl.db",
"ns3/bl.tld2.db", "ns3/bl.tld2.db",
"ns3/evil-cname.db",
"ns3/fast-expire.db", "ns3/fast-expire.db",
"ns3/manual-update-rpz.db", "ns3/manual-update-rpz.db",
"ns3/mixed-case-rpz.db", "ns3/mixed-case-rpz.db",
"ns3/named.conf.tmp", "ns3/named.conf.tmp",
"ns3/named.stats", "ns3/named.stats",
"ns3/wild-cname.db",
"ns5/bl.db", "ns5/bl.db",
"ns5/empty.db", "ns5/empty.db",
"ns5/empty.db.jnl", "ns5/empty.db.jnl",