Merge branch '2950-cache-acceptance-rules-test' into 'main'

[CVE-2021-25220] Add tests for forwarder cache poisoning scenarios

Closes #2950

See merge request isc-projects/bind9!6062

bin/tests/system/forward/ans11/ans.py

@@ -0,0 +1,136 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from __future__ import print_function
+import os
+import sys
+import signal
+import socket
+import select
+from datetime import datetime, timedelta
+import time
+import functools
+
+import dns, dns.message, dns.query, dns.flags
+from dns.rdatatype import *
+from dns.rdataclass import *
+from dns.rcode import *
+from dns.name import *
+
+# Log query to file
+def logquery(type, qname):
+    with open("qlog", "a") as f:
+        f.write("%s %s\n", type, qname)
+
+############################################################################
+# Respond to a DNS query.
+############################################################################
+def create_response(msg):
+    m = dns.message.from_wire(msg)
+    qname = m.question[0].name.to_text()
+    rrtype = m.question[0].rdtype
+    typename = dns.rdatatype.to_text(rrtype)
+
+    with open("query.log", "a") as f:
+        f.write("%s %s\n" % (typename, qname))
+        print("%s %s" % (typename, qname), end=" ")
+
+    r = dns.message.make_response(m)
+    r.set_rcode(NOERROR)
+    if rrtype == A:
+        tld=qname.split('.')[-2] + '.'
+        ns="local." + tld
+        r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11"))
+        r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." + tld))
+        r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11"))
+    elif rrtype == NS:
+        r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, "."))
+    elif rrtype == SOA:
+        r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0"))
+    else:
+        r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0"))
+    r.flags |= dns.flags.AA
+    return r
+
+def sigterm(signum, frame):
+    print ("Shutting down now...")
+    os.remove('ans.pid')
+    running = False
+    sys.exit(0)
+
+############################################################################
+# Main
+#
+# Set up responder and control channel, open the pid file, and start
+# the main loop, listening for queries on the query channel or commands
+# on the control channel and acting on them.
+############################################################################
+ip4 = "10.53.0.11"
+ip6 = "fd92:7065:b8e:ffff::11"
+
+try: port=int(os.environ['PORT'])
+except: port=5300
+
+query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+query4_socket.bind((ip4, port))
+havev6 = True
+try:
+    query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+    try:
+        query6_socket.bind((ip6, port))
+    except:
+        query6_socket.close()
+        havev6 = False
+except:
+    havev6 = False
+signal.signal(signal.SIGTERM, sigterm)
+
+f = open('ans.pid', 'w')
+pid = os.getpid()
+print (pid, file=f)
+f.close()
+
+running = True
+
+print ("Listening on %s port %d" % (ip4, port))
+if havev6:
+    print ("Listening on %s port %d" % (ip6, port))
+print ("Ctrl-c to quit")
+
+if havev6:
+    input = [query4_socket, query6_socket]
+else:
+    input = [query4_socket]
+
+while running:
+    try:
+        inputready, outputready, exceptready = select.select(input, [], [])
+    except select.error as e:
+        break
+    except socket.error as e:
+        break
+    except KeyboardInterrupt:
+        break
+
+    for s in inputready:
+        if s == query4_socket or s == query6_socket:
+            print ("Query received on %s" %
+                    (ip4 if s == query4_socket else ip6), end=" ")
+            # Handle incoming queries
+            msg = s.recvfrom(65535)
+            rsp = create_response(msg[0])
+            if rsp:
+                print(dns.rcode.to_text(rsp.rcode()))
+                s.sendto(rsp.to_wire(), msg[1])
+            else:
+                print("NO RESPONSE")
+    if not running:
+        break

bin/tests/system/forward/clean.sh

@@ -16,6 +16,7 @@ rm -f ./dig.out.*
 rm -f ./*/named.conf
 rm -f ./*/named.memstats
 rm -f ./*/named.run ./*/named.run.prev
+rm -f ./*/named_dump.db
 rm -f ./ns*/named.lock
 rm -f ./ns*/managed-keys.bind*
 rm -f ./ns1/root.db ./ns1/root.db.signed

bin/tests/system/forward/ns1/diditwork.net.db

@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+			TXT	"recursed"
+ns			A	10.53.0.1

bin/tests/system/forward/ns1/named.conf.in

@@ -65,3 +65,23 @@ zone "sld.tld" {
 zone "example6" {
 	type forward;
 };
+
+zone "diditwork.net" {
+	type primary;
+	file "diditwork.net.db";
+};
+
+zone "spoofed.net" {
+	type primary;
+	file "spoofed.net.db";
+};
+
+zone "sub.local.net" {
+	type primary;
+	file "sub.local.net.db";
+};
+
+zone "net.example.lll" {
+	type master;
+	file "net.example.lll";
+};

bin/tests/system/forward/ns1/net.example.lll

@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+net.example.lll.		SOA	. . 0 0 0 0 0
+net.example.lll.		NS	attackSecureDomain.net.
+didItWork.net.example.lll.	TXT	"if you can see this record the attack worked"

bin/tests/system/forward/ns1/spoofed.net.db

@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+sub			TXT	"recursed"

bin/tests/system/forward/ns1/sub.local.net.db

@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+			TXT	"recursed"
+ns			A	10.53.0.1

bin/tests/system/forward/ns10/fakenet.zone

@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+net.			SOA	. . 0 0 0 0 0
+net.			NS	attackSecureDomain.net.
+attackSecureDomain.net.	A	10.53.0.10
+didItWork.net.		TXT	"if you can see this record the attack worked"
+ns.spoofed.net.		A	10.53.0.10

bin/tests/system/forward/ns10/fakenet2.zone

@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+net2.			SOA	. . 0 0 0 0 0
+net2.			NS	attackSecureDomain.net.
+net2.			DNAME	net.example.lll.

bin/tests/system/forward/ns10/fakesublocalnet.zone

@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+sub.local.net.		SOA	. . 0 0 0 0 0
+sub.local.net.		NS	ns.spoofed.net.
+sub.local.net.		TXT	"if you see this attacker overrode local delegation"

bin/tests/system/forward/ns10/fakesublocaltld.zone

@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+sub.local.tld.		3600	IN	SOA	. . 0 0 0 0 0
+sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
+sub.local.tld.		3600	IN	TXT	bad
+ns.sub.local.tld.	3600	IN	A	10.53.0.8

bin/tests/system/forward/ns10/named.conf.in

@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.10;
+	notify-source 10.53.0.10;
+	transfer-source 10.53.0.10;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.10; };
+	listen-on-v6 { none; };
+	minimal-responses no;
+};
+
+zone "net." {
+	type master;
+	file "fakenet.zone";
+};
+
+zone "spoofed.net." {
+	type master;
+	file "spoofednet.zone";
+};
+
+zone "sub.local.net." {
+	type master;
+	file "fakesublocalnet.zone";
+};
+
+zone "net2" {
+	type master;
+	file "fakenet2.zone";
+};
+
+zone "net.example.lll" {
+	type master;
+	file "net.example.lll";
+};
+
+zone "sub.local.tld." {
+	type master;
+	file "fakesublocaltld.zone";
+};

bin/tests/system/forward/ns10/net.example.lll

@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+net.example.lll.		SOA	. . 0 0 0 0 0
+net.example.lll.		NS	attackSecureDomain.net.
+didItWork.net.example.lll.	TXT	"if you can see this record the attack worked"

bin/tests/system/forward/ns10/spoofednet.zone

@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+spoofed.net.		SOA	. . 0 0 0 0 0
+spoofed.net.		NS	ns.spoofed.net.
+ns.spoofed.net.		A	10.53.0.10
+spoofed.net.		TXT	"this record is clearly spoofed"

bin/tests/system/forward/ns2/tld.db

@@ -21,3 +21,9 @@ $TTL 300	; 5 minutes
 ns			A	10.53.0.2
 sld			NS	ns.sld
 ns.sld			A	10.53.0.1
+local			NS	ns.local
+ns.local		A	10.53.0.9
+sibling			NS	ns.sibling
+ns.sibling		A	10.53.0.4
+sibling			NS	ns.sub.local
+ns.sub.local		A	10.53.0.10

bin/tests/system/forward/ns4/named.conf.in

@@ -62,3 +62,8 @@ zone "malicious." {
 	type primary;
 	file "malicious.db";
 };
+
+zone "sibling.tld" {
+	type primary;
+	file "sibling.tld.db";
+};

bin/tests/system/forward/ns4/sibling.tld.db

@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL    86400
+@       IN      SOA     malicious. admin.malicious. (
+                              1         ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                          86400 )       ; Negative Cache TTL
+
+@           IN    NS      ns
+
+ns          IN    A       10.53.0.4

bin/tests/system/forward/ns8/named.conf.in

@@ -28,3 +28,8 @@ zone "." {
 	type hint;
 	file "root.db";
 };
+
+zone "sub.local.tld" {
+	type primary;
+	file "sub.local.tld.db";
+};

bin/tests/system/forward/ns8/sub.local.tld.db

@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+sub.local.tld.		3600	IN	SOA	. . 0 0 0 0 0
+sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
+sub.local.tld.		3600	IN	TXT	good
+ns.sub.local.tld.	3600	IN	A	10.53.0.8

bin/tests/system/forward/ns9/local.net.db

@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+local.net.		3600	IN	SOA	. . 0 0 0 0 0
+local.net.		3600	IN	NS	localhost.
+ns.local.net.		3600	IN	A	10.53.0.9
+txt.local.net.		3600	IN	TXT	"something in the local auth zone"
+sub.local.net.		3600	IN	NS	ns.spoofed.net.  ; attacker will try to override this

bin/tests/system/forward/ns9/local.tld.db

@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+local.tld.		3600	IN	SOA	. . 0 0 0 0 0
+local.tld.		3600	IN	NS	localhost.
+sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
+ns.sub.local.tld.	3600	IN	A	10.53.0.8

bin/tests/system/forward/ns9/named1.conf.in

@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	edns-udp-size 1232;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+	edns no;
+};
+
+server 10.53.0.11 {
+	edns no;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
+
+zone "attacksecuredomain.net." {
+	type forward;
+	forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net2." {
+	type forward;
+	forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net3." {
+	type forward;
+	forwarders { 10.53.0.11; };
+};
+
+zone "local.net." {
+	type primary;
+	file "local.net.db";
+	forwarders {};
+};

bin/tests/system/forward/ns9/named2.conf.in

@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	edns-udp-size 1232;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+	edns no;
+};
+
+server 10.53.0.11 {
+	edns no;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
+
+zone "attacksecuredomain.net." {
+	type forward;
+	forward only;
+	forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net2." {
+	type forward;
+	forward only;
+	forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net3." {
+	type forward;
+	forward only;
+	forwarders { 10.53.0.11; };
+};
+
+zone "local.net." {
+	type primary;
+	file "local.net.db";
+	forwarders {};
+};

bin/tests/system/forward/ns9/named3.conf.in

@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	edns-udp-size 1232;
+	forward only;
+	forwarders { 10.53.0.10; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+	edns no;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
+
+zone "local.net." {
+	type primary;
+	file "local.net.db";
+	forwarders {};
+};

bin/tests/system/forward/ns9/named4.conf.in

@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	edns-udp-size 1232;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+	edns no;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
+
+zone "local.tld." {
+	type primary;
+	file "local.tld.db";
+};

bin/tests/system/forward/ns9/root.db

@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1

bin/tests/system/forward/setup.sh

@@ -21,6 +21,8 @@ copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns7/named.conf.in ns7/named.conf
 copy_setports ns8/named.conf.in ns8/named.conf
+copy_setports ns9/named1.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
 
 (
     cd ns1

bin/tests/system/forward/tests.sh

@@ -254,5 +254,127 @@ grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
+#
+# Check various spoofed response scenarios. The same tests will be
+# run twice, with "forward first" and "forward only" configurations.
+#
+run_spooftests () {
+    n=$((n+1))
+    echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
+    ret=0
+    # prime
+    dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
+    # check 'net' is not poisoned.
+    dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
+    grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1
+    # check 'sub.local.net' is not poisoned.
+    dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
+    grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
+    ret=0
+    # prime
+    dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
+    # check that net2/DNAME is not cached
+    dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
+    grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1
+    grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "checking spoofed response scenario 3 - extra answer ($n)"
+    ret=0
+    # prime
+    dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1
+    # check extra net3 records are not cached
+    rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
+    for try in 1 2 3 4 5; do
+        lines=$(grep "net3" ns9/named_dump.db | wc -l)
+        if [ ${lines} -eq 0 ]; then
+                sleep 1
+                continue
+        fi
+        [ ${lines} -eq 1 ] || ret=1
+        grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
+        grep -q '^local.net3' ns9/named_dump.db && ret=1
+    done
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+}
+
+echo_i "checking spoofed response scenarios with forward first zones"
+run_spooftests
+
+copy_setports ns9/named2.conf.in ns9/named.conf
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 1
+
+echo_i "rechecking spoofed response scenarios with forward only zones"
+run_spooftests
+
+#
+# This scenario expects the spoofed response to succeed. The tests are
+# similar to the ones above, but not identical.
+#
+echo_i "rechecking spoofed response scenarios with 'forward only' set globally"
+copy_setports ns9/named3.conf.in ns9/named.conf
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 1
+
+n=$((n+1))
+echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
+ret=0
+# prime
+dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
+# check 'net' is poisoned.
+dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
+grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1
+# check 'sub.local.net' is poisoned.
+dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
+grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
+ret=0
+# prime
+dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
+# check that net2/DNAME is cached
+dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
+grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1
+grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#
+# This test doesn't use any forwarder clauses but is here because it
+# is similar to forwarders, as the set of servers that can populate
+# the namespace is defined by the zone content.
+#
+echo_i "rechecking spoofed response scenarios glue below local zone"
+copy_setports ns9/named4.conf.in ns9/named.conf
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 1
+
+n=$((n+1))
+echo_i "checking sibling glue below zone ($n)"
+ret=0
+# prime
+dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1
+# check for glue A record for sub.local.tld is not used
+dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1
+grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1
+grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

bin/tests/system/ifconfig.sh.in

@@ -14,10 +14,10 @@
 #
 # Set up interface aliases for bind9 system tests.
 #
-# IPv4: 10.53.0.{1..10}				RFC 1918
+# IPv4: 10.53.0.{1..11}				RFC 1918
 #       10.53.1.{1..2}
 #       10.53.2.{1..2}
-# IPv6: fd92:7065:b8e:ffff::{1..10}		ULA
+# IPv6: fd92:7065:b8e:ffff::{1..11}		ULA
 #       fd92:7065:b8e:99ff::{1..2}
 #       fd92:7065:b8e:ff::{1..2}
 #
@@ -54,7 +54,7 @@ case "$1" in
 		  2) ipv6="00" ;;
 		  *) ipv6="" ;;
 		esac
-		for ns in 1 2 3 4 5 6 7 8 9 10
+		for ns in 1 2 3 4 5 6 7 8 9 10 11
 		do
 			[ $i -gt 0 -a $ns -gt 2 ] && break
 			int=`expr $i \* 10 + $ns`
@@ -159,7 +159,7 @@ case "$1" in
 		  2) ipv6="00" ;;
 		  *) ipv6="" ;;
 		esac
-		for ns in 10 9 8 7 6 5 4 3 2 1
+		for ns in 11 10 9 8 7 6 5 4 3 2 1
 		do
 			[ $i -gt 0 -a $ns -gt 2 ] && continue
 			int=`expr $i \* 10 + $ns - 1`