mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 22:15:20 +00:00
Code Issues Releases Wiki Activity

Check Cloudflare "black lies" response

Browse Source 
"black lies" with a different QTYPE should synthesis NODATA responses.
This commit is contained in:
Mark Andrews
2021-10-19 17:59:45 +11:00
committed by Petr Špaček
parent c8a7f92b9e
commit cad24b8dc4
3 changed files with 36 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
bin/tests/system/synthfromdnssec/clean.sh
View File

@@ -37,3 +37,4 @@ rm -f ./nxdomain.out ./insecure.nxdomain.out
rm -f ./wild.out ./insecure.wild.out rm -f ./wild.out ./insecure.wild.out
rm -f ./wildcname.out ./insecure.wildcname.out rm -f ./wildcname.out ./insecure.wildcname.out
rm -f ./minimal.nxdomain.out rm -f ./minimal.nxdomain.out
rm -f ./black.out

5
bin/tests/system/synthfromdnssec/ns1/minimal.db.in
View File

@@ -7,7 +7,10 @@ minimal. 3600 SOA ns1.minimal. hostmaster.minimal. (
3600 ; minimum (1 hour) 3600 ; minimum (1 hour)
) )
3600 NS ns1.minimal. 3600 NS ns1.minimal.
3600 NSEC dnamed.minimal. NS SOA RRSIG NSEC DNSKEY 3600 NSEC black.minimal. NS SOA RRSIG NSEC DNSKEY
; cloudflare black lie
black.minimal. 3600 NSEC \000.black.minimal. RRSIG NSEC
;
dnamed.minimal. 3600 DNAME dnamed. dnamed.minimal. 3600 DNAME dnamed.
3600 NSEC insecure.minimal. DNAME RRSIG NSEC 3600 NSEC insecure.minimal. DNAME RRSIG NSEC
insecure.minimal. 3600 NS ns1.insecure.minimal. insecure.minimal. 3600 NS ns1.insecure.minimal.

31
bin/tests/system/synthfromdnssec/tests.sh
View File

@@ -185,6 +185,18 @@ do
n=$((n+1)) n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret)) status=$((status+ret))
echo_i "prime black lie NODATA response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts black.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
grep 'black.minimal.*3600.IN.NSEC.\\000.black.minimal. RRSIG NSEC' dig.out.ns${ns}.test$n > /dev/null || ret=1
[ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n black.out
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
done done
echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)" echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
@@ -353,6 +365,25 @@ do
n=$((n+1)) n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret)) status=$((status+ret))
echo_i "check back lie NODATA response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts black.minimal. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
if [ ${synth} = yes ]
then
check_synth_soa minimal. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null && ret=1
else
check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null || ret=1
fi
digcomp black.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
done done
echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)" echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)"