diff --git a/CHANGES b/CHANGES
index cee82974fc..3d4a244897 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4872. [bug] Don't permit loading meta RR types such as TKEY
+ from master files. [RT #47009]
+
 4871. [bug] Fix configure glitch in detecting stdatomic.h
 support on systems with multiple compilers. [RT #46959]
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 5162fb31ed..61acb11281 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -2142,6 +2142,7 @@ show_message(FILE *stream, dns_message_t *msg, const char *description) {
 }
 fprintf(stream, "%s\n%.*s", description,
 (int)isc_buffer_usedlength(buf), (char*)isc_buffer_base(buf));
+ fflush(stream);
 isc_buffer_free(&buf);
 }
diff --git a/bin/tests/system/checkzone/zones/bad-generate-tkey.db b/bin/tests/system/checkzone/zones/bad-generate-tkey.db
new file mode 100644
index 0000000000..0a79644082
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-tkey.db
@@ -0,0 +1,12 @@
+; Copyright (C) 2013, 2016 Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+$GENERATE 0-7 tkey$ TKEY "invalid.algorithm. 1516055980 1516140801 1 0 16 gRof8D2BFKvl/vrr9Lmnjw== 16 gRof8D2BFKvl/vrr9Lmnjw=="
diff --git a/bin/tests/system/checkzone/zones/bad-tkey.db b/bin/tests/system/checkzone/zones/bad-tkey.db
new file mode 100644
index 0000000000..c2e8c07fbf
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-tkey.db
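Review bot: The `fflush(stream)` added to show_message() carries no comment saying why an explicit flush is needed at that point, and its return value is ignored. I assume it is there so the message dump is not left sitting in the stdio buffer when a caller merges stdout and stderr, as the nsupdate system test in this diff does with `2>&1`; if so, a one-liner such as `/* Flush so the dump is not reordered with later stderr output. */` above it would record that. show_message()'s body starts before the hunk.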
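Review bot: The license header of this new fixture, and of bad-tkey.db added in the same diff, reads `; Copyright (C) 2013, 2016 Internet Systems Consortium, Inc. ("ISC")`, while bad-tsig.db added alongside says 2018; the two headers look copied from an older zone and should carry the year the files were created. The TKEY RDATA itself appears well-formed (both base64 fields decode to the declared 16 bytes), so a checkzone rejection of these files would come from the new meta-type check rather than from RDATA parsing, which is presumably what the fixtures are for.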
@@ -0,0 +1,12 @@
+; Copyright (C) 2013, 2016 Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+tkey TKEY invalid.algorithm. 1516055980 1516140801 1 0 16 gRof8D2BFKvl/vrr9Lmnjw== 16 gRof8D2BFKvl/vrr9Lmnjw==
diff --git a/bin/tests/system/checkzone/zones/bad-tsig.db b/bin/tests/system/checkzone/zones/bad-tsig.db
new file mode 100644
index 0000000000..4867f45e78
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-tsig.db
@@ -0,0 +1,12 @@
+; Copyright (C) 2018 Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+tsig TSIG hmac-sha1. 1516135665 300 20 thBt8DheAD7qpqSFTiGK999sxGg= 54994 NOERROR 0
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index f307d6745e..31e54ac9ba 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -886,6 +886,18 @@ END
 grep "address family not supported" nsupdate.out-$n > /dev/null 2>&1 || ret=1
 [ $ret = 0 ] || { echo I:failed; status=1; }
+n=`expr $n + 1`
+ret=0
+echo "I:check that TKEY in a update is rejected ($n)"
+$NSUPDATE -d < nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 5300
+update add tkey.example 0 in tkey invalid.algorithm. 1516055980 1516140801 1 0 16 gRof8D2BFKvl/vrr9Lmnjw== 16 gRof8D2BFKvl/vrr9Lmnjw==
+send
+END
+grep "UPDATE, status: NOERROR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
+grep "UPDATE, status: FORMERR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo I:failed; status=1; }
+
 #
 # Add client library tests here
 #
diff --git a/lib/dns/master.c b/lib/dns/master.c
index 1f5b3698aa..855547e25a 100644
--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -833,6 +833,22 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
 goto insist_cleanup;
 }
+ /*
+ * RFC2930: TKEY and TSIG are not allowed to be loaded
+ * from master files.
+ */
+ if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
+ (lctx->options & DNS_MASTER_SLAVE) == 0 &&
+ dns_rdatatype_ismeta(type))
+ {
+ (*callbacks->error)(callbacks,
+ "%s: %s:%lu: meta RR type '%s'",
+ "$GENERATE",
+ source, line, gtype);
+ result = DNS_R_METATYPE;
+ goto insist_cleanup;
+ }
+
 for (i = start; i <= stop; i += step) {
 result = genname(lhs, i, lhsbuf, DNS_MASTER_LHS);
 if (result != ISC_R_SUCCESS)
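Review bot: As rendered, the new test's nsupdate line reads `$NSUPDATE -d < nsupdate.out-$n 2>&1 && ret=1`, which reads from nsupdate.out-$n instead of writing it, and the `END` after `send` has no here-document operator to terminate; the two greps that follow then look for the request/response dump in that same file. This is most likely an extraction artifact of something like `$NSUPDATE -d > nsupdate.out-$n 2>&1 <<END && ret=1`, but it is worth checking against the committed file. Nothing in the part of the diff shown here changes the server's update handling (the lib/ns/update.c hunks are formatting only), so a comment on the echo line naming where the FORMERR comes from would make the test's intent easier to follow. The echo text `in a update` should read `in an update`.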
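Review bot: The comment above the new check in generate() names only TKEY and TSIG, but the test is `dns_rdatatype_ismeta(type)`, which presumably rejects every meta type, and it does not say why loads with DNS_MASTER_SLAVE set are exempt. Suggest `/* RFC 2930: meta RR types (TKEY, TSIG, ...) may not appear in a zone's master file. Slave zone files are written by named itself, so they are not checked here. */`, with the slave rationale confirmed. The same three-line condition is repeated verbatim in the load_text() hunk below; a small static helper taking `lctx` and `type` would keep the two in step. The error text also differs between the two sites: here the user-typed `gtype` is printed under a `$GENERATE:` prefix without `dns_result_totext(result)`, whereas load_text() formats the type and appends the result text, so the same problem is logged two ways. generate()'s body starts and ends outside the hunk.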
@@ -1700,6 +1716,30 @@ load_text(dns_loadctx_t *lctx) {
 goto insist_and_cleanup;
 }
+ /*
+ * RFC2930: TKEY and TSIG are not allowed to be loaded
+ * from master files.
+ */
+ if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
+ (lctx->options & DNS_MASTER_SLAVE) == 0 &&
+ dns_rdatatype_ismeta(type))
+ {
+ char typename[DNS_RDATATYPE_FORMATSIZE];
+
+ result = DNS_R_METATYPE;
+
+ dns_rdatatype_format(type, typename, sizeof(typename));
+ (*callbacks->error)(callbacks,
+ "%s:%lu: %s '%s': %s",
+ source, line,
+ "type", typename,
+ dns_result_totext(result));
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ } else
+ goto insist_and_cleanup;
+ }
+
 /*
 * Find a rdata structure.
 */
diff --git a/lib/ns/update.c b/lib/ns/update.c
index 6dcb4a988d..263e89d18b 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -2796,7 +2796,8 @@ update_action(isc_task_t *task, isc_event_t *event) {
 if (update_class == zoneclass) {
 /*
- * RFC1123 doesn't allow MF and MD in master zones. */
+ * RFC1123 doesn't allow MF and MD in master zones.
+ */
 if (rdata.type == dns_rdatatype_md ||
 rdata.type == dns_rdatatype_mf) {
 char typebuf[DNS_RDATATYPE_FORMATSIZE];
@@ -2885,7 +2886,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
 * Ignore attempts to add NSEC3PARAM records
 * with any flags other than OPTOUT.
 */
- if ((rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
+ if ((rdata.data[1] &
+ ~DNS_NSEC3FLAG_OPTOUT) != 0)
+ {
 update_log(client, zone, LOGLEVEL_PROTOCOL,
 "attempt to add NSEC3PARAM "
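Review bot: When MANYERRS() lets the load continue after `SETRESULT(lctx, result)` in the new load_text() block, control falls through to the "Find a rdata structure" code below, so the offending meta-type record is still parsed and, I assume, added to the zone being built before the load ends in error; the neighbouring checks appear to follow the same pattern, but a short comment such as `/* Many-errors mode: keep parsing; the load still fails overall. */` would make that clearly deliberate. The `if (MANYERRS(lctx, result)) { ... } else goto insist_and_cleanup;` mixes a braced branch with an unbraced one; brace both arms. load_text()'s body starts and ends outside the hunk.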