diff options
-rw-r--r-- | bin/tests/system/forward/clean.sh | 2 | ||||
-rw-r--r-- | bin/tests/system/forward/ns1/named.conf.in | 20 | ||||
-rw-r--r-- | bin/tests/system/forward/ns2/tld.db | 6 | ||||
-rw-r--r-- | bin/tests/system/forward/ns4/named.conf.in | 5 | ||||
-rw-r--r-- | bin/tests/system/forward/ns8/named.conf.in | 5 | ||||
-rw-r--r-- | bin/tests/system/forward/setup.sh | 2 | ||||
-rw-r--r-- | bin/tests/system/forward/tests.sh | 121 | ||||
-rwxr-xr-x | bin/tests/system/ifconfig.sh | 8 |
8 files changed, 165 insertions, 4 deletions
diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh index 46a8a87c..70f9a0e3 100644 --- a/bin/tests/system/forward/clean.sh +++ b/bin/tests/system/forward/clean.sh @@ -10,9 +10,11 @@ # # Clean up after forward tests. # +rm -f ./ans11/query.log rm -f ./dig.out.* rm -f ./*/named.conf rm -f ./*/named.memstats rm -f ./*/named.run ./*/named.run.prev +rm -f ./*/named_dump.db rm -f ./ns*/named.lock rm -f ./ns*/managed-keys.bind* diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in index 282e76bb..b195ec93 100644 --- a/bin/tests/system/forward/ns1/named.conf.in +++ b/bin/tests/system/forward/ns1/named.conf.in @@ -60,3 +60,23 @@ zone "sld.tld" { zone "example6" { type forward; }; + +zone "diditwork.net" { + type primary; + file "diditwork.net.db"; +}; + +zone "spoofed.net" { + type primary; + file "spoofed.net.db"; +}; + +zone "sub.local.net" { + type primary; + file "sub.local.net.db"; +}; + +zone "net.example.lll" { + type master; + file "net.example.lll"; +}; diff --git a/bin/tests/system/forward/ns2/tld.db b/bin/tests/system/forward/ns2/tld.db index 61b6569b..819210dc 100644 --- a/bin/tests/system/forward/ns2/tld.db +++ b/bin/tests/system/forward/ns2/tld.db @@ -10,3 +10,9 @@ $TTL 300 ; 5 minutes ns A 10.53.0.2 sld NS ns.sld ns.sld A 10.53.0.1 +local NS ns.local +ns.local A 10.53.0.9 +sibling NS ns.sibling +ns.sibling A 10.53.0.4 +sibling NS ns.sub.local +ns.sub.local A 10.53.0.10 diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in index fee76b41..92cbd8b3 100644 --- a/bin/tests/system/forward/ns4/named.conf.in +++ b/bin/tests/system/forward/ns4/named.conf.in @@ -60,3 +60,8 @@ zone "malicious." { type master; file "malicious.db"; }; + +zone "sibling.tld" { + type primary; + file "sibling.tld.db"; +}; diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in index 531ff59e..f752eae8 100644 --- a/bin/tests/system/forward/ns8/named.conf.in +++ b/bin/tests/system/forward/ns8/named.conf.in @@ -26,3 +26,8 @@ zone "." { type hint; file "root.db"; }; + +zone "sub.local.tld" { + type primary; + file "sub.local.tld.db"; +}; diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh index 285ecc9d..b89cb300 100644 --- a/bin/tests/system/forward/setup.sh +++ b/bin/tests/system/forward/setup.sh @@ -20,3 +20,5 @@ copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns7/named.conf.in ns7/named.conf copy_setports ns8/named.conf.in ns8/named.conf +copy_setports ns9/named1.conf.in ns9/named.conf +copy_setports ns10/named.conf.in ns10/named.conf diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh index fc3822cf..4361ab25 100644 --- a/bin/tests/system/forward/tests.sh +++ b/bin/tests/system/forward/tests.sh @@ -229,6 +229,127 @@ grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) +# +# Check various spoofed response scenarios. The same tests will be +# run twice, with "forward first" and "forward only" configurations. +# +run_spooftests () { + n=$((n+1)) + echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 + # check 'net' is not poisoned. + dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 + grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1 + # check 'sub.local.net' is not poisoned. + dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 + grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 + # check that net2/DNAME is not cached + dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 + grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1 + grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking spoofed response scenario 3 - extra answer ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1 + # check extra net3 records are not cached + rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i + for try in 1 2 3 4 5; do + lines=$(grep "net3" ns9/named_dump.db | wc -l) + if [ ${lines} -eq 0 ]; then + sleep 1 + continue + fi + [ ${lines} -eq 1 ] || ret=1 + grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 + grep -q '^local.net3' ns9/named_dump.db && ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +} + +echo_i "checking spoofed response scenarios with forward first zones" +run_spooftests + +copy_setports ns9/named2.conf.in ns9/named.conf +rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 1 + +echo_i "rechecking spoofed response scenarios with forward only zones" +run_spooftests + +# +# This scenario expects the spoofed response to succeed. The tests are +# similar to the ones above, but not identical. +# +echo_i "rechecking spoofed response scenarios with 'forward only' set globally" +copy_setports ns9/named3.conf.in ns9/named.conf +rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 1 + +n=$((n+1)) +echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" +ret=0 +# prime +dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 +# check 'net' is poisoned. +dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 +grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1 +# check 'sub.local.net' is poisoned. +dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 +grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" +ret=0 +# prime +dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 +# check that net2/DNAME is cached +dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 +grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1 +grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# +# This test doesn't use any forwarder clauses but is here because it +# is similar to forwarders, as the set of servers that can populate +# the namespace is defined by the zone content. +# +echo_i "rechecking spoofed response scenarios glue below local zone" +copy_setports ns9/named4.conf.in ns9/named.conf +rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 1 + +n=$((n+1)) +echo_i "checking sibling glue below zone ($n)" +ret=0 +# prime +dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1 +# check for glue A record for sub.local.tld is not used +dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1 +grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1 +grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh index 41b0182f..cd6377d7 100755 --- a/bin/tests/system/ifconfig.sh +++ b/bin/tests/system/ifconfig.sh @@ -12,10 +12,10 @@ # # Set up interface aliases for bind9 system tests. # -# IPv4: 10.53.0.{1..10} RFC 1918 +# IPv4: 10.53.0.{1..11} RFC 1918 # 10.53.1.{1..2} # 10.53.2.{1..2} -# IPv6: fd92:7065:b8e:ffff::{1..10} ULA +# IPv6: fd92:7065:b8e:ffff::{1..11} ULA # fd92:7065:b8e:99ff::{1..2} # fd92:7065:b8e:ff::{1..2} # @@ -65,7 +65,7 @@ case "$1" in 2) ipv6="00" ;; *) ipv6="" ;; esac - for ns in 1 2 3 4 5 6 7 8 9 10 + for ns in 1 2 3 4 5 6 7 8 9 10 11 do [ $i -gt 0 -a $ns -gt 2 ] && break int=`expr $i \* 10 + $ns` @@ -165,7 +165,7 @@ case "$1" in 2) ipv6="00" ;; *) ipv6="" ;; esac - for ns in 10 9 8 7 6 5 4 3 2 1 + for ns in 11 10 9 8 7 6 5 4 3 2 1 do [ $i -gt 0 -a $ns -gt 2 ] && continue int=`expr $i \* 10 + $ns - 1` |