Merge branch '4281-CVE-2023-5517-test' into 'main'

[CVE-2023-5517] Check nxdomain-redirect against built-in RFC-1918 zone

Closes #4281

See merge request isc-projects/bind9!8919

bin/tests/system/redirect/ns3/redirect.db

@@ -12,5 +12,6 @@
 $TTL 300
 @ IN SOA a.root-servers.nil. hostmaster.example.net. 0 0 0 0 0
 @ IN NS a.root-servers.nil.
+10.in-addr.arpa	TXT turn off redirect
 * IN A 100.100.100.1
 * IN AAAA 2001:ffff:ffff::100.100.100.1

bin/tests/system/redirect/tests.sh

@@ -518,6 +518,14 @@ n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+echo_i "checking nxdomain-redirect against built-in RFC-1918 zone ($n)"
+ret=0
+$DIG $DIGOPTS -x 10.0.0.1 @10.53.0.4 -b 10.53.0.2 >dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "checking tld nxdomain-redirect against signed root zone ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.5 asdfasdfasdf >dig.out.ns5.test$n || ret=1