commit 2b068456f83e74eb8a04aa72aa811cac843011b7 Author: MSVSphere Packaging Team Date: Thu Apr 13 20:17:48 2023 +0300 import bind-9.16.23-11.el9 diff --git a/.bind.metadata b/.bind.metadata new file mode 100644 index 0000000..2a4946f --- /dev/null +++ b/.bind.metadata @@ -0,0 +1 @@ +30cbd1f3e9d2d47d653498143334128aac1f8fc0 SOURCES/bind-9.16.23.tar.xz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..bed248e --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/bind-9.16.23.tar.xz diff --git a/SOURCES/bind-9.10-dist-native-pkcs11.patch b/SOURCES/bind-9.10-dist-native-pkcs11.patch new file mode 100644 index 0000000..85ece30 --- /dev/null +++ b/SOURCES/bind-9.10-dist-native-pkcs11.patch @@ -0,0 +1,550 @@ +From 040227009453b3f0aa7914c7a6a94dc57ad5269b Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Thu, 21 Jan 2021 10:46:20 +0100 +Subject: [PATCH] Enable custom pkcs11 native build + +Share common parts like libisc, libcc and others. But provide native +pkcs11 libraries as a new copy of libdns and libns. +--- + bin/Makefile.in | 2 +- + bin/confgen/Makefile.in | 2 +- + bin/dnssec-pkcs11/Makefile.in | 39 +++++++++++++++++--------------- + bin/named-pkcs11/Makefile.in | 33 ++++++++++++++------------- + configure.ac | 19 ++++++++++++++++ + lib/Makefile.in | 2 +- + lib/dns-pkcs11/Makefile.in | 22 +++++++++--------- + lib/dns-pkcs11/tests/Makefile.in | 8 +++---- + lib/ns-pkcs11/Makefile.in | 26 ++++++++++----------- + lib/ns-pkcs11/tests/Makefile.in | 12 +++++----- + make/includes.in | 7 ++++++ + 11 files changed, 101 insertions(+), 71 deletions(-) + +diff --git a/bin/Makefile.in b/bin/Makefile.in +index 9ad7f62..094775a 100644 +--- a/bin/Makefile.in ++++ b/bin/Makefile.in +@@ -11,7 +11,7 @@ srcdir = @srcdir@ + VPATH = @srcdir@ + top_srcdir = @top_srcdir@ + +-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \ ++SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate check confgen \ + @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests + TARGETS = + +diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in +index c126bf3..1b7512d 100644 +--- a/bin/confgen/Makefile.in ++++ b/bin/confgen/Makefile.in +@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@ + CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \ + ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} + +-CDEFINES = @USE_PKCS11@ ++CDEFINES = + CWARNINGS = + + ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ +diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in +index ace0e5a..e0f6a00 100644 +--- a/bin/dnssec-pkcs11/Makefile.in ++++ b/bin/dnssec-pkcs11/Makefile.in +@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@ + + @BIND9_MAKE_INCLUDES@ + +-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \ ++CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \ + ${OPENSSL_CFLAGS} + +-CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" ++CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -DUSE_PKCS11=1 + CWARNINGS = + +-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ ++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ + ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ + ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ + ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@ + +-DNSDEPLIBS = ../../lib/dns/libdns.@A@ ++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ + ISCDEPLIBS = ../../lib/isc/libisc.@A@ + ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ + +@@ -36,12 +36,15 @@ LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@ + + NOSYMLIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@ + ++# Add suffix to all targets ++EXEEXT = -pkcs11@EXEEXT@ ++ + # Alphabetically +-TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \ +- dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \ +- dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \ +- dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \ +- dnssec-verify@EXEEXT@ ++TARGETS = dnssec-cds${EXEEXT} dnssec-dsfromkey${EXEEXT} \ ++ dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \ ++ dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \ ++ dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \ ++ dnssec-verify${EXEEXT} + + OBJS = dnssectool.@O@ + +@@ -52,19 +55,19 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \ + + @BIND9_MAKE_RULES@ + +-dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS} ++dnssec-cds-pkcs11@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} ++dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} ++dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} ++dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +@@ -72,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ + -c ${srcdir}/dnssec-signzone.c + +-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} ++dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +@@ -80,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ + -c ${srcdir}/dnssec-verify.c + +-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} ++dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} ++dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + dnssec-revoke.@O@ ${OBJS} ${LIBS} + +-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} ++dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + dnssec-settime.@O@ ${OBJS} ${LIBS} + +-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} ++dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + dnssec-importkey.@O@ ${OBJS} ${LIBS} + +diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in +index 98125dd..518a75f 100644 +--- a/bin/named-pkcs11/Makefile.in ++++ b/bin/named-pkcs11/Makefile.in +@@ -37,13 +37,14 @@ DBDRIVER_LIBS = + + DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers + +-DLZDRIVER_OBJS = @DLZ_DRIVER_OBJS@ +-DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@ +-DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ +-DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ ++# Skip building on PKCS11 variant ++DLZDRIVER_OBJS = ++DLZDRIVER_SRCS = ++DLZDRIVER_INCLUDES = ++DLZDRIVER_LIBS = + + CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ +- ${NS_INCLUDES} ${DNS_INCLUDES} \ ++ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} \ + ${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \ + ${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \ + ${DBDRIVER_INCLUDES} \ +@@ -56,24 +57,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ + ${LIBXML2_CFLAGS} \ + ${MAXMINDDB_CFLAGS} + +-CDEFINES = @CONTRIB_DLZ@ ++CDEFINES = + + CWARNINGS = + +-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ ++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ + ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ + ISCCCLIBS = ../../lib/isccc/libisccc.@A@ + ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ + ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@ + BIND9LIBS = ../../lib/bind9/libbind9.@A@ +-NSLIBS = ../../lib/ns/libns.@A@ ++NSLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@ + +-DNSDEPLIBS = ../../lib/dns/libdns.@A@ ++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ + ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ + ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@ + ISCDEPLIBS = ../../lib/isc/libisc.@A@ + BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ +-NSDEPLIBS = ../../lib/ns/libns.@A@ ++NSDEPLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@ + + DEPLIBS = ${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ + ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS} +@@ -93,7 +94,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \ + + SUBDIRS = unix + +-TARGETS = named@EXEEXT@ feature-test@EXEEXT@ ++TARGETS = named-pkcs11@EXEEXT@ feature-test-pkcs11@EXEEXT@ + + GEOIP2LINKOBJS = geoip.@O@ + +@@ -151,7 +152,7 @@ server.@O@: server.c + -DPRODUCT=\"${PRODUCT}\" \ + -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c + +-named@EXEEXT@: ${OBJS} ${DEPLIBS} ++named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS} + export MAKE_SYMTABLE="yes"; \ + export BASEOBJS="${OBJS} ${UOBJS}"; \ + ${FINALBUILDCMD} +@@ -161,7 +162,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ + -c ${top_srcdir}/bin/tests/system/feature-test.c + +-feature-test@EXEEXT@: feature-test.@O@ ++feature-test-pkcs11@EXEEXT@: feature-test.@O@ + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \ + -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS} + +@@ -180,11 +181,11 @@ statschannel.@O@: bind9.xsl.h + installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} + +-install:: named@EXEEXT@ installdirs +- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} ++install:: named-pkcs11@EXEEXT@ installdirs ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir} + + uninstall:: +- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ ++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@ + + @DLZ_DRIVER_RULES@ + +diff --git a/configure.ac b/configure.ac +index 032228b..64e3da0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1251,12 +1251,14 @@ AC_SUBST(USE_GSSAPI) + AC_SUBST(DST_GSSAPI_INC) + AC_SUBST(DNS_GSSAPI_LIBS) + DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS" ++DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS" + + # + # Applications linking with libdns also need to link with these libraries. + # + + AC_SUBST(DNS_CRYPTO_LIBS) ++AC_SUBST(DNS_CRYPTO_PK11_LIBS) + + # + # was --with-lmdb specified? +@@ -2327,6 +2329,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE) + AC_SUBST(BIND9_NS_BUILDINCLUDE) + AC_SUBST(BIND9_BIND9_BUILDINCLUDE) + AC_SUBST(BIND9_IRS_BUILDINCLUDE) ++AC_SUBST(BIND9_DNS_PKCS11_BUILDINCLUDE) ++AC_SUBST(BIND9_NS_PKCS11_BUILDINCLUDE) + if test "X$srcdir" != "X"; then + BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include" + BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include" +@@ -2335,6 +2339,8 @@ if test "X$srcdir" != "X"; then + BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include" + BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include" + BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include" ++ BIND9_DNS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns-pkcs11/include" ++ BIND9_NS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns-pkcs11/include" + else + BIND9_ISC_BUILDINCLUDE="" + BIND9_ISCCC_BUILDINCLUDE="" +@@ -2343,6 +2349,8 @@ else + BIND9_NS_BUILDINCLUDE="" + BIND9_BIND9_BUILDINCLUDE="" + BIND9_IRS_BUILDINCLUDE="" ++ BIND9_DNS_PKCS11_BUILDINCLUDE="" ++ BIND9_NS_PKCS11_BUILDINCLUDE="" + fi + + AC_SUBST_FILE(BIND9_MAKE_INCLUDES) +@@ -2798,8 +2806,11 @@ AC_CONFIG_FILES([ + bin/delv/Makefile + bin/dig/Makefile + bin/dnssec/Makefile ++ bin/dnssec-pkcs11/Makefile + bin/named/Makefile + bin/named/unix/Makefile ++ bin/named-pkcs11/Makefile ++ bin/named-pkcs11/unix/Makefile + bin/nsupdate/Makefile + bin/pkcs11/Makefile + bin/plugins/Makefile +@@ -2861,6 +2872,10 @@ AC_CONFIG_FILES([ + lib/dns/include/dns/Makefile + lib/dns/include/dst/Makefile + lib/dns/tests/Makefile ++ lib/dns-pkcs11/Makefile ++ lib/dns-pkcs11/include/Makefile ++ lib/dns-pkcs11/include/dns/Makefile ++ lib/dns-pkcs11/include/dst/Makefile + lib/irs/Makefile + lib/irs/include/Makefile + lib/irs/include/irs/Makefile +@@ -2893,6 +2908,10 @@ AC_CONFIG_FILES([ + lib/ns/include/Makefile + lib/ns/include/ns/Makefile + lib/ns/tests/Makefile ++ lib/ns-pkcs11/Makefile ++ lib/ns-pkcs11/include/Makefile ++ lib/ns-pkcs11/include/ns/Makefile ++ lib/ns-pkcs11/tests/Makefile + make/Makefile + make/mkdep + unit/unittest.sh +diff --git a/lib/Makefile.in b/lib/Makefile.in +index 833964e..058ba2f 100644 +--- a/lib/Makefile.in ++++ b/lib/Makefile.in +@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@ + # Attempt to disable parallel processing. + .NOTPARALLEL: + .NO_PARALLEL: +-SUBDIRS = isc isccc dns ns isccfg bind9 irs ++SUBDIRS = isc isccc dns dns-pkcs11 ns ns-pkcs11 isccfg bind9 irs + TARGETS = + + @BIND9_MAKE_RULES@ +diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in +index 58bda3c..d6a45df 100644 +--- a/lib/dns-pkcs11/Makefile.in ++++ b/lib/dns-pkcs11/Makefile.in +@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@ + + @BIND9_MAKE_INCLUDES@ + +-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ ++CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \ + ${ISC_INCLUDES} \ + ${FSTRM_CFLAGS} \ + ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \ +@@ -32,7 +32,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ + ${LMDB_CFLAGS} \ + ${MAXMINDDB_CFLAGS} + +-CDEFINES = @USE_GSSAPI@ ++CDEFINES = @USE_GSSAPI@ @USE_PKCS11@ + + CWARNINGS = + +@@ -135,15 +135,15 @@ version.@O@: version.c + -DMAPAPI=\"${MAPAPI}\" \ + -c ${srcdir}/version.c + +-libdns.@SA@: ${OBJS} ++libdns-pkcs11.@SA@: ${OBJS} + ${AR} ${ARFLAGS} $@ ${OBJS} + ${RANLIB} $@ + +-libdns.la: ${OBJS} ++libdns-pkcs11.la: ${OBJS} + ${LIBTOOL_MODE_LINK} \ +- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \ ++ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \ + -release "${VERSION}" \ +- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} ++ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} + + include: gen + ${MAKE} include/dns/enumtype.h +@@ -174,22 +174,22 @@ gen: gen.c + ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \ + ${BUILD_LIBS} ${LFS_LIBS} + +-timestamp: include libdns.@A@ ++timestamp: include libdns-pkcs11.@A@ + touch timestamp + +-testdirs: libdns.@A@ ++testdirs: libdns-pkcs11.@A@ + + installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} + + install:: timestamp installdirs +- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir} ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir} + + uninstall:: +- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@ ++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@ + + clean distclean:: +- rm -f libdns.@A@ timestamp ++ rm -f libdns-pkcs11.@A@ timestamp + rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h + rm -f include/dns/rdatastruct.h + rm -f dnstap.pb-c.c dnstap.pb-c.h +diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in +index 3bb5e01..c96fe7d 100644 +--- a/lib/dns-pkcs11/tests/Makefile.in ++++ b/lib/dns-pkcs11/tests/Makefile.in +@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@ + + @BIND9_MAKE_INCLUDES@ + +-CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ ++CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ + ${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \ + ${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@ +-CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\"" ++CDEFINES = @USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\"" + + ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ + ISCDEPLIBS = ../../isc/libisc.@A@ +-DNSLIBS = ../libdns.@A@ @NO_LIBTOOL_DNSLIBS@ +-DNSDEPLIBS = ../libdns.@A@ ++DNSLIBS = ../libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ ++DNSDEPLIBS = ../libdns-pkcs11.@A@ + + LIBS = @LIBS@ @CMOCKA_LIBS@ + +diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in +index bc683ce..7a9d2f2 100644 +--- a/lib/ns-pkcs11/Makefile.in ++++ b/lib/ns-pkcs11/Makefile.in +@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@ + + @BIND9_MAKE_INCLUDES@ + +-CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \ +- ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \ ++CINCLUDES = -I. -I${top_srcdir}/lib/ns-pkcs11 -Iinclude \ ++ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ + ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \ + ${FSTRM_CFLAGS} + +-CDEFINES = -DNAMED_PLUGINDIR=\"${plugindir}\" ++CDEFINES = @USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\" + + CWARNINGS = + +@@ -29,9 +29,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@ + + ISCDEPLIBS = ../../lib/isc/libisc.@A@ + +-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ ++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ + +-DNSDEPLIBS = ../../lib/dns/libdns.@A@ ++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ + + LIBS = @LIBS@ + +@@ -60,28 +60,28 @@ version.@O@: version.c + -DMAJOR=\"${MAJOR}\" \ + -c ${srcdir}/version.c + +-libns.@SA@: ${OBJS} ++libns-pkcs11.@SA@: ${OBJS} + ${AR} ${ARFLAGS} $@ ${OBJS} + ${RANLIB} $@ + +-libns.la: ${OBJS} ++libns-pkcs11.la: ${OBJS} + ${LIBTOOL_MODE_LINK} \ +- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \ ++ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \ + -release "${VERSION}" \ +- ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} ++ ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} + +-timestamp: libns.@A@ ++timestamp: libns-pkcs11.@A@ + touch timestamp + + installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} + + install:: timestamp installdirs +- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns.@A@ \ ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns-pkcs11.@A@ \ + ${DESTDIR}${libdir} + + uninstall:: +- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns.@A@ ++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns-pkcs11.@A@ + + clean distclean:: +- rm -f libns.@A@ timestamp ++ rm -f libns-pkcs11.@A@ timestamp +diff --git a/lib/ns-pkcs11/tests/Makefile.in b/lib/ns-pkcs11/tests/Makefile.in +index 4c3e694..c1b6d99 100644 +--- a/lib/ns-pkcs11/tests/Makefile.in ++++ b/lib/ns-pkcs11/tests/Makefile.in +@@ -17,17 +17,17 @@ VERSION=@BIND9_VERSION@ + + WRAP_OPTIONS = -Wl,--wrap=isc__nmhandle_detach -Wl,--wrap=isc__nmhandle_attach + +-CINCLUDES = -I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \ ++CINCLUDES = -I. -Iinclude ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ + ${OPENSSL_CFLAGS} \ + @CMOCKA_CFLAGS@ +-CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" ++CDEFINES = -DTESTS="\"${top_builddir}/lib/ns-pkcs11/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@ + + ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ + ISCDEPLIBS = ../../isc/libisc.@A@ +-DNSLIBS = ../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ +-DNSDEPLIBS = ../../dns/libdns.@A@ +-NSLIBS = ../libns.@A@ +-NSDEPLIBS = ../libns.@A@ ++DNSLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ ++DNSDEPLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ ++NSLIBS = ../libns-pkcs11.@A@ ++NSDEPLIBS = ../libns-pkcs11.@A@ + + LIBS = @LIBS@ @CMOCKA_LIBS@ + +diff --git a/make/includes.in b/make/includes.in +index b8317d3..b73b0c4 100644 +--- a/make/includes.in ++++ b/make/includes.in +@@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ + + TEST_INCLUDES = \ + -I${top_srcdir}/lib/tests/include ++ ++DNS_PKCS11_INCLUDES = @BIND9_DNS_PKCS11_BUILDINCLUDE@ \ ++ -I${top_srcdir}/lib/dns-pkcs11/include ++ ++NS_PKCS11_INCLUDES = @BIND9_NS_PKCS11_BUILDINCLUDE@ \ ++ -I${top_srcdir}/lib/ns-pkcs11/include ++ +-- +2.26.3 + diff --git a/SOURCES/bind-9.11-feature-test-named.patch b/SOURCES/bind-9.11-feature-test-named.patch new file mode 100644 index 0000000..9af8d73 --- /dev/null +++ b/SOURCES/bind-9.11-feature-test-named.patch @@ -0,0 +1,59 @@ +From e645046202006750f87531e21e3ff7c26fba3466 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Wed, 30 Jan 2019 14:37:17 +0100 +Subject: [PATCH] Create feature-test in source directory + +Feature-test tool is used in system tests to test compiled in changes. +Because we build more variants of named with different configuration, +compile feature-test for each of them this way. +--- + bin/named/Makefile.in | 12 +++++++++++- + bin/tests/system/conf.sh.in | 2 +- + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in +index 37053a7..ed9add2 100644 +--- a/bin/named/Makefile.in ++++ b/bin/named/Makefile.in +@@ -91,7 +91,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \ + + SUBDIRS = unix + +-TARGETS = named@EXEEXT@ ++TARGETS = named@EXEEXT@ feature-test@EXEEXT@ + + GEOIP2LINKOBJS = geoip.@O@ + +@@ -154,6 +154,16 @@ named@EXEEXT@: ${OBJS} ${DEPLIBS} + export BASEOBJS="${OBJS} ${UOBJS}"; \ + ${FINALBUILDCMD} + ++# Bit of hack, do not produce intermediate .o object for featuretest ++feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c ++ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ ++ -c ${top_srcdir}/bin/tests/system/feature-test.c ++ ++feature-test@EXEEXT@: feature-test.@O@ ++ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \ ++ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS} ++ ++ + clean distclean maintainer-clean:: + rm -f ${TARGETS} ${OBJS} + +diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in +index 7934930..e84fde2 100644 +--- a/bin/tests/system/conf.sh.in ++++ b/bin/tests/system/conf.sh.in +@@ -37,7 +37,7 @@ DELV=$TOP/bin/delv/delv + DIG=$TOP/bin/dig/dig + DNSTAPREAD=$TOP/bin/tools/dnstap-read + DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey +-FEATURETEST=$TOP/bin/tests/system/feature-test ++FEATURETEST=$TOP/bin/named/feature-test + FSTRM_CAPTURE=@FSTRM_CAPTURE@ + HOST=$TOP/bin/dig/host + IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey +-- +2.26.2 + diff --git a/SOURCES/bind-9.11-fips-tests.patch b/SOURCES/bind-9.11-fips-tests.patch new file mode 100644 index 0000000..51927a4 --- /dev/null +++ b/SOURCES/bind-9.11-fips-tests.patch @@ -0,0 +1,959 @@ +From 3f04cf343dbeb8819197702ce1be737e26e0638a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 2 Aug 2018 23:46:45 +0200 +Subject: [PATCH] FIPS tests changes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Squashed commit of the following: + +commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa +Author: Petr Menšík +Date: Wed Mar 7 20:35:13 2018 +0100 + + Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available. + +commit ab303db70082db76ecf36493d0b82ef3e8750cad +Author: Petr Menšík +Date: Wed Mar 7 18:11:10 2018 +0100 + + Changed root key to be RSASHA256 + + Change bad trusted key to be the same algorithm. + +commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8 +Author: Petr Menšík +Date: Wed Mar 7 16:56:17 2018 +0100 + + Change used key to not use hmac-md5 + + Fix upforwd test, do not use hmac-md5 + +commit aec891571626f053acfb4d0a247240cbc21a84e9 +Author: Petr Menšík +Date: Wed Mar 7 15:54:11 2018 +0100 + + Increase bitsize of DSA key to pass FIPS 140-2 mode. + +commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696 +Author: Petr Menšík +Date: Wed Mar 7 15:41:08 2018 +0100 + + Fix tsig and rndc tests for disabled md5 + + Use hmac-sha256 instead of hmac-md5. + +commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67 +Author: Petr Menšík +Date: Wed Mar 7 13:21:00 2018 +0100 + + Add md5 availability detection to featuretest + +commit f389a918803e2853e4b55fed62765dc4a492e34f +Author: Petr Menšík +Date: Wed Mar 7 10:44:23 2018 +0100 + + Change tests to not use hmac-md5 algorithms if not required + + Use hmac-sha256 instead of default hmac-md5 for allow-query +--- + bin/tests/system/acl/ns2/named1.conf.in | 4 +- + bin/tests/system/acl/ns2/named2.conf.in | 4 +- + bin/tests/system/acl/ns2/named3.conf.in | 6 +- + bin/tests/system/acl/ns2/named4.conf.in | 4 +- + bin/tests/system/acl/ns2/named5.conf.in | 4 +- + bin/tests/system/acl/tests.sh | 32 ++++----- + .../system/allow-query/ns2/named10.conf.in | 2 +- + .../system/allow-query/ns2/named11.conf.in | 4 +- + .../system/allow-query/ns2/named12.conf.in | 2 +- + .../system/allow-query/ns2/named30.conf.in | 2 +- + .../system/allow-query/ns2/named31.conf.in | 4 +- + .../system/allow-query/ns2/named32.conf.in | 2 +- + .../system/allow-query/ns2/named40.conf.in | 4 +- + bin/tests/system/allow-query/tests.sh | 18 ++--- + bin/tests/system/catz/ns1/named.conf.in | 2 +- + bin/tests/system/catz/ns2/named.conf.in | 2 +- + bin/tests/system/checkconf/bad-tsig.conf | 2 +- + bin/tests/system/checkconf/good.conf | 2 +- + bin/tests/system/feature-test.c | 14 ++++ + bin/tests/system/notify/ns5/named.conf.in | 6 +- + bin/tests/system/notify/tests.sh | 6 +- + bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- + bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- + bin/tests/system/nsupdate/setup.sh | 6 +- + bin/tests/system/nsupdate/tests.sh | 15 +++-- + bin/tests/system/rndc/setup.sh | 2 +- + bin/tests/system/rndc/tests.sh | 23 ++++--- + bin/tests/system/tsig/ns1/named.conf.in | 10 +-- + bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++ + bin/tests/system/tsig/setup.sh | 5 ++ + bin/tests/system/tsig/tests.sh | 65 ++++++++++++------- + bin/tests/system/upforwd/ns1/named.conf.in | 2 +- + bin/tests/system/upforwd/tests.sh | 2 +- + 33 files changed, 162 insertions(+), 108 deletions(-) + create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in + +diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in +index 60f22e1..249f672 100644 +--- a/bin/tests/system/acl/ns2/named1.conf.in ++++ b/bin/tests/system/acl/ns2/named1.conf.in +@@ -33,12 +33,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in +index ada97bc..f82d858 100644 +--- a/bin/tests/system/acl/ns2/named2.conf.in ++++ b/bin/tests/system/acl/ns2/named2.conf.in +@@ -33,12 +33,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in +index 97684e4..de6a2e9 100644 +--- a/bin/tests/system/acl/ns2/named3.conf.in ++++ b/bin/tests/system/acl/ns2/named3.conf.in +@@ -33,17 +33,17 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key three { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in +index 462b3fa..994b35c 100644 +--- a/bin/tests/system/acl/ns2/named4.conf.in ++++ b/bin/tests/system/acl/ns2/named4.conf.in +@@ -33,12 +33,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in +index 728da58..8f00d09 100644 +--- a/bin/tests/system/acl/ns2/named5.conf.in ++++ b/bin/tests/system/acl/ns2/named5.conf.in +@@ -35,12 +35,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh +index be59d64..13d5bdc 100644 +--- a/bin/tests/system/acl/tests.sh ++++ b/bin/tests/system/acl/tests.sh +@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing" + # key "one" should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + + # any other key should be fine + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + copy_setports ns2/named2.conf.in ns2/named.conf +@@ -39,18 +39,18 @@ sleep 5 + # prefix 10/8 should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # any other address should work, as long as it sends key "one" + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + echo_i "testing nested ACL processing" +@@ -62,31 +62,31 @@ sleep 5 + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # but only one or the other should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + t=`expr $t + 1` +@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1 + # and other values? right out + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two +@@ -108,31 +108,31 @@ sleep 5 + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + echo_i "testing allow-query-on ACL processing" +diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in +index 7d43e36..f7b25f9 100644 +--- a/bin/tests/system/allow-query/ns2/named10.conf.in ++++ b/bin/tests/system/allow-query/ns2/named10.conf.in +@@ -10,7 +10,7 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in +index 2952518..121557e 100644 +--- a/bin/tests/system/allow-query/ns2/named11.conf.in ++++ b/bin/tests/system/allow-query/ns2/named11.conf.in +@@ -10,12 +10,12 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234efgh8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in +index 0c01071..ceabbb5 100644 +--- a/bin/tests/system/allow-query/ns2/named12.conf.in ++++ b/bin/tests/system/allow-query/ns2/named12.conf.in +@@ -10,7 +10,7 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in +index 4c17292..9cd9d1f 100644 +--- a/bin/tests/system/allow-query/ns2/named30.conf.in ++++ b/bin/tests/system/allow-query/ns2/named30.conf.in +@@ -10,7 +10,7 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in +index a2690a4..f488730 100644 +--- a/bin/tests/system/allow-query/ns2/named31.conf.in ++++ b/bin/tests/system/allow-query/ns2/named31.conf.in +@@ -10,12 +10,12 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234efgh8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in +index a0708c8..51fa457 100644 +--- a/bin/tests/system/allow-query/ns2/named32.conf.in ++++ b/bin/tests/system/allow-query/ns2/named32.conf.in +@@ -10,7 +10,7 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in +index 687768e..d24d6d2 100644 +--- a/bin/tests/system/allow-query/ns2/named40.conf.in ++++ b/bin/tests/system/allow-query/ns2/named40.conf.in +@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; }; + acl badaccept { 10.53.0.1; }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234efgh8765"; + }; + +diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh +index fe40635..543c663 100644 +--- a/bin/tests/system/allow-query/tests.sh ++++ b/bin/tests/system/allow-query/tests.sh +@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: key allowed - query allowed" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: key not allowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: key disallowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: views key allowed - query allowed" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: views key not allowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: views key disallowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -500,7 +500,7 @@ status=`expr $status + $ret` + n=`expr $n + 1` + echo_i "test $n: zone key allowed - query allowed" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -510,7 +510,7 @@ status=`expr $status + $ret` + n=`expr $n + 1` + echo_i "test $n: zone key not allowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -520,7 +520,7 @@ status=`expr $status + $ret` + n=`expr $n + 1` + echo_i "test $n: zone key disallowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in +index 1218669..e62715e 100644 +--- a/bin/tests/system/catz/ns1/named.conf.in ++++ b/bin/tests/system/catz/ns1/named.conf.in +@@ -61,5 +61,5 @@ zone "catalog4.example" { + + key tsig_key. { + secret "LSAnCU+Z"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; +diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in +index 30333e6..4005152 100644 +--- a/bin/tests/system/catz/ns2/named.conf.in ++++ b/bin/tests/system/catz/ns2/named.conf.in +@@ -70,5 +70,5 @@ zone "catalog4.example" { + + key tsig_key. { + secret "LSAnCU+Z"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; +diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf +index 21be03e..e57c308 100644 +--- a/bin/tests/system/checkconf/bad-tsig.conf ++++ b/bin/tests/system/checkconf/bad-tsig.conf +@@ -11,7 +11,7 @@ + + /* Bad secret */ + key "badtsig" { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "jEdD+BPKg=="; + }; + +diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf +index e09b9e8..2e824b3 100644 +--- a/bin/tests/system/checkconf/good.conf ++++ b/bin/tests/system/checkconf/good.conf +@@ -210,6 +210,6 @@ dyndb "name" "library.so" { + system; + }; + key "mykey" { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "qwertyuiopasdfgh"; + }; +diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c +index 877504f..577660a 100644 +--- a/bin/tests/system/feature-test.c ++++ b/bin/tests/system/feature-test.c +@@ -14,6 +14,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -186,6 +187,19 @@ main(int argc, char **argv) { + #endif /* ifdef DLZ_FILESYSTEM */ + } + ++ if (strcmp(argv[1], "--md5") == 0) { ++ unsigned char digest[ISC_MAX_MD_SIZE]; ++ const unsigned char test[] = "test"; ++ unsigned int size = sizeof(digest); ++ ++ if (isc_md(ISC_MD_MD5, test, sizeof(test), ++ digest, &size) == ISC_R_SUCCESS) { ++ return (0); ++ } else { ++ return (1); ++ } ++ } ++ + if (strcmp(argv[1], "--with-idn") == 0) { + #ifdef HAVE_LIBIDN2 + return (0); +diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in +index 1ee8df4..2b75d9a 100644 +--- a/bin/tests/system/notify/ns5/named.conf.in ++++ b/bin/tests/system/notify/ns5/named.conf.in +@@ -10,17 +10,17 @@ + */ + + key "a" { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "aaaaaaaaaaaaaaaaaaaa"; + }; + + key "b" { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "bbbbbbbbbbbbbbbbbbbb"; + }; + + key "c" { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "cccccccccccccccccccc"; + }; + +diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh +index 3d7e0b7..ec4d9a7 100644 +--- a/bin/tests/system/notify/tests.sh ++++ b/bin/tests/system/notify/tests.sh +@@ -212,16 +212,16 @@ ret=0 + $NSUPDATE << EOF + server 10.53.0.5 ${PORT} + zone x21 +-key a aaaaaaaaaaaaaaaaaaaa ++key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa + update add added.x21 0 in txt "test string" + send + EOF + + for i in 1 2 3 4 5 6 7 8 9 + do +- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ ++ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ + txt > dig.out.b.ns5.test$n || ret=1 +- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ ++ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \ + txt > dig.out.c.ns5.test$n || ret=1 + grep "test string" dig.out.b.ns5.test$n > /dev/null && + grep "test string" dig.out.c.ns5.test$n > /dev/null && +diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in +index b51e700..436c97d 100644 +--- a/bin/tests/system/nsupdate/ns1/named.conf.in ++++ b/bin/tests/system/nsupdate/ns1/named.conf.in +@@ -37,7 +37,7 @@ controls { + }; + + key altkey { +- algorithm hmac-md5; ++ algorithm hmac-sha512; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in +index da6b3b4..c547e47 100644 +--- a/bin/tests/system/nsupdate/ns2/named.conf.in ++++ b/bin/tests/system/nsupdate/ns2/named.conf.in +@@ -32,7 +32,7 @@ controls { + }; + + key altkey { +- algorithm hmac-md5; ++ algorithm hmac-sha512; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh +index c055da3..4e1242b 100644 +--- a/bin/tests/system/nsupdate/setup.sh ++++ b/bin/tests/system/nsupdate/setup.sh +@@ -56,7 +56,11 @@ EOF + + $DDNSCONFGEN -q -z example.nil > ns1/ddns.key + +-$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key ++if $FEATURETEST --md5; then ++ $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key ++else ++ echo -n > ns1/md5.key ++fi + $DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key + $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key + $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key +diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh +index b35d797..41c128e 100755 +--- a/bin/tests/system/nsupdate/tests.sh ++++ b/bin/tests/system/nsupdate/tests.sh +@@ -797,7 +797,14 @@ fi + n=`expr $n + 1` + ret=0 + echo_i "check TSIG key algorithms (nsupdate -k) ($n)" +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++if $FEATURETEST --md5 ++then ++ ALGS="md5 sha1 sha224 sha256 sha384 sha512" ++else ++ ALGS="sha1 sha224 sha256 sha384 sha512" ++ echo_i "skipping disabled md5 algorithm" ++fi ++for alg in $ALGS; do + $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 + server 10.53.0.1 ${PORT} + update add ${alg}.keytests.nil. 600 A 10.10.10.3 +@@ -805,7 +812,7 @@ send + END + done + sleep 2 +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++for alg in $ALGS; do + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 + done + if [ $ret -ne 0 ]; then +@@ -816,7 +823,7 @@ fi + n=`expr $n + 1` + ret=0 + echo_i "check TSIG key algorithms (nsupdate -y) ($n)" +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++for alg in $ALGS; do + secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key) + $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" < /dev/null || ret=1 + server 10.53.0.1 ${PORT} +@@ -825,7 +832,7 @@ send + END + done + sleep 2 +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++for alg in $ALGS; do + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1 + done + if [ $ret -ne 0 ]; then +diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh +index b59e7a7..04d5f5a 100644 +--- a/bin/tests/system/rndc/setup.sh ++++ b/bin/tests/system/rndc/setup.sh +@@ -33,7 +33,7 @@ make_key () { + sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf + } + +-make_key 1 ${EXTRAPORT1} hmac-md5 ++$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5 + make_key 2 ${EXTRAPORT2} hmac-sha1 + make_key 3 ${EXTRAPORT3} hmac-sha224 + make_key 4 ${EXTRAPORT4} hmac-sha256 +diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh +index 9fd84ed..d0b188f 100644 +--- a/bin/tests/system/rndc/tests.sh ++++ b/bin/tests/system/rndc/tests.sh +@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + n=`expr $n + 1` +-echo_i "testing rndc with hmac-md5 ($n)" +-ret=0 +-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 +-for i in 2 3 4 5 6 +-do +- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 +-done +-if [ $ret != 0 ]; then echo_i "failed"; fi +-status=`expr $status + $ret` ++if $FEATURETEST --md5 ++then ++ echo_i "testing rndc with hmac-md5 ($n)" ++ ret=0 ++ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 ++ for i in 2 3 4 5 6 ++ do ++ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 ++ done ++ if [ $ret != 0 ]; then echo_i "failed"; fi ++ status=`expr $status + $ret` ++else ++ echo_i "skipping rndc with hmac-md5 ($n)" ++fi + + n=`expr $n + 1` + echo_i "testing rndc with hmac-sha1 ($n)" +diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in +index 3470c4f..cf539cd 100644 +--- a/bin/tests/system/tsig/ns1/named.conf.in ++++ b/bin/tests/system/tsig/ns1/named.conf.in +@@ -21,10 +21,7 @@ options { + notify no; + }; + +-key "md5" { +- secret "97rnFx24Tfna4mHPfgnerA=="; +- algorithm hmac-md5; +-}; ++# md5 key appended by setup.sh at the end + + key "sha1" { + secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; +@@ -51,10 +48,7 @@ key "sha512" { + algorithm hmac-sha512; + }; + +-key "md5-trunc" { +- secret "97rnFx24Tfna4mHPfgnerA=="; +- algorithm hmac-md5-80; +-}; ++# md5-trunc key appended by setup.sh at the end + + key "sha1-trunc" { + secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; +diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in +new file mode 100644 +index 0000000..0682194 +--- /dev/null ++++ b/bin/tests/system/tsig/ns1/rndc5.conf.in +@@ -0,0 +1,10 @@ ++# Conditionally included when support for MD5 is available ++key "md5" { ++ secret "97rnFx24Tfna4mHPfgnerA=="; ++ algorithm hmac-md5; ++}; ++ ++key "md5-trunc" { ++ secret "97rnFx24Tfna4mHPfgnerA=="; ++ algorithm hmac-md5-80; ++}; +diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh +index e3b4a45..ae21d04 100644 +--- a/bin/tests/system/tsig/setup.sh ++++ b/bin/tests/system/tsig/setup.sh +@@ -15,3 +15,8 @@ SYSTEMTESTTOP=.. + $SHELL clean.sh + + copy_setports ns1/named.conf.in ns1/named.conf ++ ++if $FEATURETEST --md5 ++then ++ cat ns1/rndc5.conf.in >> ns1/named.conf ++fi +diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh +index 38d842a..668aa6f 100644 +--- a/bin/tests/system/tsig/tests.sh ++++ b/bin/tests/system/tsig/tests.sh +@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f + + status=0 + +-echo_i "fetching using hmac-md5 (old form)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 +-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 +-fi ++if $FEATURETEST --md5 ++then ++ echo_i "fetching using hmac-md5 (old form)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 ++ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi + +-echo_i "fetching using hmac-md5 (new form)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 +-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 ++ echo_i "fetching using hmac-md5 (new form)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 ++ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5" + fi + + echo_i "fetching using hmac-sha1" +@@ -87,12 +92,17 @@ fi + # Truncated TSIG + # + # +-echo_i "fetching using hmac-md5 (trunc)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 +-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 ++if $FEATURETEST --md5 ++then ++ echo_i "fetching using hmac-md5 (trunc)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 ++ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5 (trunc)" + fi + + echo_i "fetching using hmac-sha1 (trunc)" +@@ -141,12 +151,17 @@ fi + # Check for bad truncation. + # + # +-echo_i "fetching using hmac-md5-80 (BADTRUNC)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 +-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 ++if $FEATURETEST --md5 ++then ++ echo_i "fetching using hmac-md5-80 (BADTRUNC)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 ++ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5-80 (BADTRUNC)" + fi + + echo_i "fetching using hmac-sha1-80 (BADTRUNC)" +diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in +index 3873c7c..b359a5a 100644 +--- a/bin/tests/system/upforwd/ns1/named.conf.in ++++ b/bin/tests/system/upforwd/ns1/named.conf.in +@@ -10,7 +10,7 @@ + */ + + key "update.example." { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; + }; + +diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh +index a50c896..8062d68 100644 +--- a/bin/tests/system/upforwd/tests.sh ++++ b/bin/tests/system/upforwd/tests.sh +@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + + echo_i "updating zone (signed) ($n)" + ret=0 +-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - < +Date: Tue, 2 Jan 2018 18:13:07 +0100 +Subject: [PATCH] Fix pkcs11 variants atf tests + +Add dns-pkcs11 tests Makefile to configure + +Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode +--- + configure.ac | 1 + + lib/Kyuafile | 2 ++ + lib/dns-pkcs11/tests/dh_test.c | 3 ++- + 3 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index d80ae31..0fb9328 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -3090,6 +3090,7 @@ AC_CONFIG_FILES([ + lib/dns-pkcs11/include/Makefile + lib/dns-pkcs11/include/dns/Makefile + lib/dns-pkcs11/include/dst/Makefile ++ lib/dns-pkcs11/tests/Makefile + lib/irs/Makefile + lib/irs/include/Makefile + lib/irs/include/irs/Makefile +diff --git a/lib/Kyuafile b/lib/Kyuafile +index 39ce986..037e5ef 100644 +--- a/lib/Kyuafile ++++ b/lib/Kyuafile +@@ -2,8 +2,10 @@ syntax(2) + test_suite('bind9') + + include('dns/Kyuafile') ++include('dns-pkcs11/Kyuafile') + include('irs/Kyuafile') + include('isc/Kyuafile') + include('isccc/Kyuafile') + include('isccfg/Kyuafile') + include('ns/Kyuafile') ++include('ns-pkcs11/Kyuafile') +diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c +index 934e8fd..658d1af 100644 +--- a/lib/dns-pkcs11/tests/dh_test.c ++++ b/lib/dns-pkcs11/tests/dh_test.c +@@ -87,7 +87,8 @@ dh_computesecret(void **state) { + result = dst_key_computesecret(key, key, &buf); + assert_int_equal(result, DST_R_NOTPRIVATEKEY); + result = key->func->computesecret(key, key, &buf); +- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE); ++ /* PKCS11 variant gives different result, accept both */ ++ assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY); + + dst_key_free(&key); + } +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-rh1666814.patch b/SOURCES/bind-9.11-rh1666814.patch new file mode 100644 index 0000000..7429999 --- /dev/null +++ b/SOURCES/bind-9.11-rh1666814.patch @@ -0,0 +1,29 @@ +From 0f03071080e7fa68433b322359d46abaca2cc5ad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Wed, 16 Jan 2019 16:27:33 +0100 +Subject: [PATCH] Fix possible crash when loading corrupted file + +Some values passes internal triggers by coincidence. Fix the check and +check also first_node_offset before even passing it further. +--- + lib/dns/rbt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c +index 5aee5f6..7f2c2d2 100644 +--- a/lib/dns/rbt.c ++++ b/lib/dns/rbt.c +@@ -945,7 +945,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize, + rbt->root = (dns_rbtnode_t *)((char *)base_address + header_offset + + header->first_node_offset); + +- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) { ++ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize ++ || header->first_node_offset > filesize) { ++ + result = ISC_R_INVALIDFILE; + goto cleanup; + } +-- +2.31.1 + diff --git a/SOURCES/bind-9.11-tests-variants.patch b/SOURCES/bind-9.11-tests-variants.patch new file mode 100644 index 0000000..807a4a0 --- /dev/null +++ b/SOURCES/bind-9.11-tests-variants.patch @@ -0,0 +1,65 @@ +From 607cec78382b016aad0fe041f2e1895b6896c647 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Fri, 1 Mar 2019 15:48:20 +0100 +Subject: [PATCH] Make alternative named builds testable in system tests + +Red Hat has alternative variant builds of named, which are not ever +tested by system tests. New variables make it relatively easy to test +alternative variants. + +For sdb variant use: +export NAMED_VARIANT=-sdb DNSSEC_VARIANT= + +For pkcs variant use: +export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11 +--- + bin/tests/system/conf.sh.in | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in +index d859909..9152f07 100644 +--- a/bin/tests/system/conf.sh.in ++++ b/bin/tests/system/conf.sh.in +@@ -37,17 +37,17 @@ DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen + DELV=$TOP/bin/delv/delv + DIG=$TOP/bin/dig/dig + DNSTAPREAD=$TOP/bin/tools/dnstap-read +-DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey +-FEATURETEST=$TOP/bin/named/feature-test ++DSFROMKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-dsfromkey${DNSSEC_VARIANT} ++FEATURETEST=$TOP/bin/named${NAMED_VARIANT}/feature-test${NAMED_VARIANT} + FSTRM_CAPTURE=@FSTRM_CAPTURE@ + HOST=$TOP/bin/dig/host +-IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey ++IMPORTKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-importkey${DNSSEC_VARIANT} + JOURNALPRINT=$TOP/bin/tools/named-journalprint +-KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel +-KEYGEN=$TOP/bin/dnssec/dnssec-keygen ++KEYFRLAB=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keyfromlabel${DNSSEC_VARIANT} ++KEYGEN=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keygen${DNSSEC_VARIANT} + KEYMGR=$TOP/bin/python/dnssec-keymgr + MDIG=$TOP/bin/tools/mdig +-NAMED=$TOP/bin/named/named ++NAMED=$TOP/bin/named${NAMED_VARIANT}/named${NAMED_VARIANT} + NSEC3HASH=$TOP/bin/tools/nsec3hash + NSLOOKUP=$TOP/bin/dig/nslookup + NSUPDATE=$TOP/bin/nsupdate/nsupdate +@@ -56,12 +56,12 @@ PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0" + PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}" + PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}" + RESOLVE=$TOP/bin/tests/system/resolve +-REVOKE=$TOP/bin/dnssec/dnssec-revoke ++REVOKE=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-revoke${DNSSEC_VARIANT} + RNDC=$TOP/bin/rndc/rndc + RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen + RRCHECKER=$TOP/bin/tools/named-rrchecker +-SETTIME=$TOP/bin/dnssec/dnssec-settime +-SIGNER=$TOP/bin/dnssec/dnssec-signzone ++SETTIME=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-settime${DNSSEC_VARIANT} ++SIGNER=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-signzone${DNSSEC_VARIANT} + TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen + VERIFY=$TOP/bin/dnssec/dnssec-verify + WIRETEST=$TOP/bin/tests/wire_test +-- +2.26.3 + diff --git a/SOURCES/bind-9.14-config-pkcs11.patch b/SOURCES/bind-9.14-config-pkcs11.patch new file mode 100644 index 0000000..0d62df6 --- /dev/null +++ b/SOURCES/bind-9.14-config-pkcs11.patch @@ -0,0 +1,83 @@ +From e6ab9c67f0a14adc23c1067e03a106da1b1651b7 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Fri, 18 Oct 2019 21:30:52 +0200 +Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h + +Building two variants with the same common code requires to unset +USE_PKCS11 on part of build. That is not possible with config.h value. +Move it as normal define to CDEFINES. +--- + bin/confgen/Makefile.in | 2 +- + configure.ac | 8 ++++++-- + lib/dns/dst_internal.h | 12 +++++++++--- + 3 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in +index 1b7512d..c126bf3 100644 +--- a/bin/confgen/Makefile.in ++++ b/bin/confgen/Makefile.in +@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@ + CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \ + ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} + +-CDEFINES = ++CDEFINES = @USE_PKCS11@ + CWARNINGS = + + ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ +diff --git a/configure.ac b/configure.ac +index f5483fe..08a7d8a 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -935,10 +935,14 @@ AC_SUBST([PKCS11_TEST]) + AC_SUBST([PKCS11_TOOLS]) + AC_SUBST([PKCS11_MANS]) + ++USE_PKCS11='-DUSE_PKCS11=0' ++USE_OPENSSL='-DUSE_OPENSSL=0' + AC_SUBST([CRYPTO]) + AS_CASE([$CRYPTO], +- [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])], +- [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])]) ++ [pkcs11],[USE_PKCS11='-DUSE_PKCS11=1'], ++ [USE_OPENSSL='-DUSE_OPENSSL=1']) ++AC_SUBST(USE_PKCS11) ++AC_SUBST(USE_OPENSSL) + + # preparation for automake + # AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"]) +diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h +index 2c3b4a3..55e9dc4 100644 +--- a/lib/dns/dst_internal.h ++++ b/lib/dns/dst_internal.h +@@ -38,6 +38,13 @@ + #include + #include + ++#ifndef USE_PKCS11 ++#define USE_PKCS11 0 ++#endif ++#ifndef USE_OPENSSL ++#define USE_OPENSSL (! USE_PKCS11) ++#endif ++ + #if USE_PKCS11 + #include + #include +@@ -116,11 +123,10 @@ struct dst_key { + void *generic; + dns_gss_ctx_id_t gssctx; + DH *dh; +-#if USE_OPENSSL +- EVP_PKEY *pkey; +-#endif /* if USE_OPENSSL */ + #if USE_PKCS11 + pk11_object_t *pkey; ++#else ++ EVP_PKEY *pkey; + #endif /* if USE_PKCS11 */ + dst_hmac_key_t *hmac_key; + } keydata; /*%< pointer to key in crypto pkg fmt */ +-- +2.26.2 + diff --git a/SOURCES/bind-9.16-CVE-2021-25220-test.patch b/SOURCES/bind-9.16-CVE-2021-25220-test.patch new file mode 100644 index 0000000..150aa87 --- /dev/null +++ b/SOURCES/bind-9.16-CVE-2021-25220-test.patch @@ -0,0 +1,1144 @@ +From bd8fdeb2d1ece6db6dfe9fdc024f3a81440c1c0c Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Tue, 18 Jan 2022 00:19:47 +1100 +Subject: [PATCH] Add tests for forwarder cache poisoning scenarios + +- Check that an NS in an authority section returned from a forwarder + which is above the name in a configured "forward first" or "forward + only" zone (i.e., net/NS in a response from a forwarder configured for + local.net) is not cached. +- Test that a DNAME for a parent domain will not be cached when sent + in a response from a forwarder configured to answer for a child. +- Check that glue is rejected if its name falls below that of zone + configured locally. +- Check that an extra out-of-bailiwick data in the answer section is + not cached (this was already working correctly, but was not explicitly + tested before). + +(cherry picked from commit bf3fffff67e1de78e9387a93674d471bf4291604) +(cherry picked from commit 59d1eb3ff810145c8098a0a4fbf93ef4380ad739) +--- + bin/tests/system/forward/ans11/ans.py | 136 ++++++++++++++++++ + bin/tests/system/forward/clean.sh | 2 + + bin/tests/system/forward/ns1/diditwork.net.db | 22 +++ + bin/tests/system/forward/ns1/named.conf.in | 20 +++ + bin/tests/system/forward/ns1/net.example.lll | 15 ++ + bin/tests/system/forward/ns1/spoofed.net.db | 22 +++ + bin/tests/system/forward/ns1/sub.local.net.db | 22 +++ + bin/tests/system/forward/ns10/fakenet.zone | 17 +++ + bin/tests/system/forward/ns10/fakenet2.zone | 15 ++ + .../system/forward/ns10/fakesublocalnet.zone | 15 ++ + .../system/forward/ns10/fakesublocaltld.zone | 15 ++ + bin/tests/system/forward/ns10/named.conf.in | 53 +++++++ + bin/tests/system/forward/ns10/net.example.lll | 15 ++ + bin/tests/system/forward/ns10/spoofednet.zone | 16 +++ + bin/tests/system/forward/ns2/tld.db | 6 + + bin/tests/system/forward/ns4/named.conf.in | 5 + + bin/tests/system/forward/ns4/sibling.tld.db | 22 +++ + bin/tests/system/forward/ns8/named.conf.in | 5 + + bin/tests/system/forward/ns8/sub.local.tld.db | 15 ++ + bin/tests/system/forward/ns9/local.net.db | 16 +++ + bin/tests/system/forward/ns9/local.tld.db | 15 ++ + bin/tests/system/forward/ns9/named1.conf.in | 67 +++++++++ + bin/tests/system/forward/ns9/named2.conf.in | 70 +++++++++ + bin/tests/system/forward/ns9/named3.conf.in | 50 +++++++ + bin/tests/system/forward/ns9/named4.conf.in | 47 ++++++ + bin/tests/system/forward/ns9/root.db | 13 ++ + bin/tests/system/forward/setup.sh | 2 + + bin/tests/system/forward/tests.sh | 122 ++++++++++++++++ + bin/tests/system/ifconfig.sh | 8 +- + 29 files changed, 844 insertions(+), 4 deletions(-) + create mode 100644 bin/tests/system/forward/ans11/ans.py + create mode 100644 bin/tests/system/forward/ns1/diditwork.net.db + create mode 100644 bin/tests/system/forward/ns1/net.example.lll + create mode 100644 bin/tests/system/forward/ns1/spoofed.net.db + create mode 100644 bin/tests/system/forward/ns1/sub.local.net.db + create mode 100644 bin/tests/system/forward/ns10/fakenet.zone + create mode 100644 bin/tests/system/forward/ns10/fakenet2.zone + create mode 100644 bin/tests/system/forward/ns10/fakesublocalnet.zone + create mode 100644 bin/tests/system/forward/ns10/fakesublocaltld.zone + create mode 100644 bin/tests/system/forward/ns10/named.conf.in + create mode 100644 bin/tests/system/forward/ns10/net.example.lll + create mode 100644 bin/tests/system/forward/ns10/spoofednet.zone + create mode 100644 bin/tests/system/forward/ns4/sibling.tld.db + create mode 100644 bin/tests/system/forward/ns8/sub.local.tld.db + create mode 100644 bin/tests/system/forward/ns9/local.net.db + create mode 100644 bin/tests/system/forward/ns9/local.tld.db + create mode 100644 bin/tests/system/forward/ns9/named1.conf.in + create mode 100644 bin/tests/system/forward/ns9/named2.conf.in + create mode 100644 bin/tests/system/forward/ns9/named3.conf.in + create mode 100644 bin/tests/system/forward/ns9/named4.conf.in + create mode 100644 bin/tests/system/forward/ns9/root.db + +diff --git a/bin/tests/system/forward/ans11/ans.py b/bin/tests/system/forward/ans11/ans.py +new file mode 100644 +index 0000000000..1d35b3d3f1 +--- /dev/null ++++ b/bin/tests/system/forward/ans11/ans.py +@@ -0,0 +1,136 @@ ++# Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++# ++# SPDX-License-Identifier: MPL-2.0 ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, you can obtain one at https://mozilla.org/MPL/2.0/. ++# ++# See the COPYRIGHT file distributed with this work for additional ++# information regarding copyright ownership. ++ ++from __future__ import print_function ++import os ++import sys ++import signal ++import socket ++import select ++from datetime import datetime, timedelta ++import time ++import functools ++ ++import dns, dns.message, dns.query, dns.flags ++from dns.rdatatype import * ++from dns.rdataclass import * ++from dns.rcode import * ++from dns.name import * ++ ++# Log query to file ++def logquery(type, qname): ++ with open("qlog", "a") as f: ++ f.write("%s %s\n", type, qname) ++ ++############################################################################ ++# Respond to a DNS query. ++############################################################################ ++def create_response(msg): ++ m = dns.message.from_wire(msg) ++ qname = m.question[0].name.to_text() ++ rrtype = m.question[0].rdtype ++ typename = dns.rdatatype.to_text(rrtype) ++ ++ with open("query.log", "a") as f: ++ f.write("%s %s\n" % (typename, qname)) ++ print("%s %s" % (typename, qname), end=" ") ++ ++ r = dns.message.make_response(m) ++ r.set_rcode(NOERROR) ++ if rrtype == A: ++ tld=qname.split('.')[-2] + '.' ++ ns="local." + tld ++ r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11")) ++ r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." + tld)) ++ r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11")) ++ elif rrtype == NS: ++ r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, ".")) ++ elif rrtype == SOA: ++ r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) ++ else: ++ r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) ++ r.flags |= dns.flags.AA ++ return r ++ ++def sigterm(signum, frame): ++ print ("Shutting down now...") ++ os.remove('ans.pid') ++ running = False ++ sys.exit(0) ++ ++############################################################################ ++# Main ++# ++# Set up responder and control channel, open the pid file, and start ++# the main loop, listening for queries on the query channel or commands ++# on the control channel and acting on them. ++############################################################################ ++ip4 = "10.53.0.11" ++ip6 = "fd92:7065:b8e:ffff::11" ++ ++try: port=int(os.environ['PORT']) ++except: port=5300 ++ ++query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) ++query4_socket.bind((ip4, port)) ++havev6 = True ++try: ++ query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) ++ try: ++ query6_socket.bind((ip6, port)) ++ except: ++ query6_socket.close() ++ havev6 = False ++except: ++ havev6 = False ++signal.signal(signal.SIGTERM, sigterm) ++ ++f = open('ans.pid', 'w') ++pid = os.getpid() ++print (pid, file=f) ++f.close() ++ ++running = True ++ ++print ("Listening on %s port %d" % (ip4, port)) ++if havev6: ++ print ("Listening on %s port %d" % (ip6, port)) ++print ("Ctrl-c to quit") ++ ++if havev6: ++ input = [query4_socket, query6_socket] ++else: ++ input = [query4_socket] ++ ++while running: ++ try: ++ inputready, outputready, exceptready = select.select(input, [], []) ++ except select.error as e: ++ break ++ except socket.error as e: ++ break ++ except KeyboardInterrupt: ++ break ++ ++ for s in inputready: ++ if s == query4_socket or s == query6_socket: ++ print ("Query received on %s" % ++ (ip4 if s == query4_socket else ip6), end=" ") ++ # Handle incoming queries ++ msg = s.recvfrom(65535) ++ rsp = create_response(msg[0]) ++ if rsp: ++ print(dns.rcode.to_text(rsp.rcode())) ++ s.sendto(rsp.to_wire(), msg[1]) ++ else: ++ print("NO RESPONSE") ++ if not running: ++ break +diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh +index bc04eadb2c..b65b092680 100644 +--- a/bin/tests/system/forward/clean.sh ++++ b/bin/tests/system/forward/clean.sh +@@ -10,10 +10,12 @@ + # + # Clean up after forward tests. + # ++rm -f ./ans11/query.log + rm -f ./dig.out.* + rm -f ./*/named.conf + rm -f ./*/named.memstats + rm -f ./*/named.run ./*/named.run.prev ++rm -f ./*/named_dump.db + rm -f ./ns*/named.lock + rm -f ./ns*/managed-keys.bind* + rm -f ./ns1/root.db ./ns1/root.db.signed +diff --git a/bin/tests/system/forward/ns1/diditwork.net.db b/bin/tests/system/forward/ns1/diditwork.net.db +new file mode 100644 +index 0000000000..fd9a46eb0c +--- /dev/null ++++ b/bin/tests/system/forward/ns1/diditwork.net.db +@@ -0,0 +1,22 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ; 5 minutes ++@ IN SOA ns root ( ++ 2000082401 ; serial ++ 1800 ; refresh (30 minutes) ++ 1800 ; retry (30 minutes) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns ++ TXT "recursed" ++ns A 10.53.0.1 +diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in +index 4aef4e55e5..c5fb2eb172 100644 +--- a/bin/tests/system/forward/ns1/named.conf.in ++++ b/bin/tests/system/forward/ns1/named.conf.in +@@ -63,3 +63,23 @@ zone "sld.tld" { + zone "example6" { + type forward; + }; ++ ++zone "diditwork.net" { ++ type primary; ++ file "diditwork.net.db"; ++}; ++ ++zone "spoofed.net" { ++ type primary; ++ file "spoofed.net.db"; ++}; ++ ++zone "sub.local.net" { ++ type primary; ++ file "sub.local.net.db"; ++}; ++ ++zone "net.example.lll" { ++ type master; ++ file "net.example.lll"; ++}; +diff --git a/bin/tests/system/forward/ns1/net.example.lll b/bin/tests/system/forward/ns1/net.example.lll +new file mode 100644 +index 0000000000..ba0804fd75 +--- /dev/null ++++ b/bin/tests/system/forward/ns1/net.example.lll +@@ -0,0 +1,15 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++net.example.lll. SOA . . 0 0 0 0 0 ++net.example.lll. NS attackSecureDomain.net. ++didItWork.net.example.lll. TXT "if you can see this record the attack worked" +diff --git a/bin/tests/system/forward/ns1/spoofed.net.db b/bin/tests/system/forward/ns1/spoofed.net.db +new file mode 100644 +index 0000000000..eedc46f5c0 +--- /dev/null ++++ b/bin/tests/system/forward/ns1/spoofed.net.db +@@ -0,0 +1,22 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ; 5 minutes ++@ IN SOA ns root ( ++ 2000082401 ; serial ++ 1800 ; refresh (30 minutes) ++ 1800 ; retry (30 minutes) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns ++ns A 10.53.0.1 ++sub TXT "recursed" +diff --git a/bin/tests/system/forward/ns1/sub.local.net.db b/bin/tests/system/forward/ns1/sub.local.net.db +new file mode 100644 +index 0000000000..fd9a46eb0c +--- /dev/null ++++ b/bin/tests/system/forward/ns1/sub.local.net.db +@@ -0,0 +1,22 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ; 5 minutes ++@ IN SOA ns root ( ++ 2000082401 ; serial ++ 1800 ; refresh (30 minutes) ++ 1800 ; retry (30 minutes) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns ++ TXT "recursed" ++ns A 10.53.0.1 +diff --git a/bin/tests/system/forward/ns10/fakenet.zone b/bin/tests/system/forward/ns10/fakenet.zone +new file mode 100644 +index 0000000000..b655a32459 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/fakenet.zone +@@ -0,0 +1,17 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++net. SOA . . 0 0 0 0 0 ++net. NS attackSecureDomain.net. ++attackSecureDomain.net. A 10.53.0.10 ++didItWork.net. TXT "if you can see this record the attack worked" ++ns.spoofed.net. A 10.53.0.10 +diff --git a/bin/tests/system/forward/ns10/fakenet2.zone b/bin/tests/system/forward/ns10/fakenet2.zone +new file mode 100644 +index 0000000000..cd1e6e9944 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/fakenet2.zone +@@ -0,0 +1,15 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++net2. SOA . . 0 0 0 0 0 ++net2. NS attackSecureDomain.net. ++net2. DNAME net.example.lll. +diff --git a/bin/tests/system/forward/ns10/fakesublocalnet.zone b/bin/tests/system/forward/ns10/fakesublocalnet.zone +new file mode 100644 +index 0000000000..160b5332b2 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/fakesublocalnet.zone +@@ -0,0 +1,15 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++sub.local.net. SOA . . 0 0 0 0 0 ++sub.local.net. NS ns.spoofed.net. ++sub.local.net. TXT "if you see this attacker overrode local delegation" +diff --git a/bin/tests/system/forward/ns10/fakesublocaltld.zone b/bin/tests/system/forward/ns10/fakesublocaltld.zone +new file mode 100644 +index 0000000000..f78cbc77f6 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/fakesublocaltld.zone +@@ -0,0 +1,15 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 ++sub.local.tld. 3600 IN NS ns.sub.local.tld. ++sub.local.tld. 3600 IN TXT bad ++ns.sub.local.tld. 3600 IN A 10.53.0.8 +diff --git a/bin/tests/system/forward/ns10/named.conf.in b/bin/tests/system/forward/ns10/named.conf.in +new file mode 100644 +index 0000000000..1f318dd867 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/named.conf.in +@@ -0,0 +1,53 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * SPDX-License-Identifier: MPL-2.0 ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.10; ++ notify-source 10.53.0.10; ++ transfer-source 10.53.0.10; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.10; }; ++ listen-on-v6 { none; }; ++ minimal-responses no; ++}; ++ ++zone "net." { ++ type master; ++ file "fakenet.zone"; ++}; ++ ++zone "spoofed.net." { ++ type master; ++ file "spoofednet.zone"; ++}; ++ ++zone "sub.local.net." { ++ type master; ++ file "fakesublocalnet.zone"; ++}; ++ ++zone "net2" { ++ type master; ++ file "fakenet2.zone"; ++}; ++ ++zone "net.example.lll" { ++ type master; ++ file "net.example.lll"; ++}; ++ ++zone "sub.local.tld." { ++ type master; ++ file "fakesublocaltld.zone"; ++}; +diff --git a/bin/tests/system/forward/ns10/net.example.lll b/bin/tests/system/forward/ns10/net.example.lll +new file mode 100644 +index 0000000000..ba0804fd75 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/net.example.lll +@@ -0,0 +1,15 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++net.example.lll. SOA . . 0 0 0 0 0 ++net.example.lll. NS attackSecureDomain.net. ++didItWork.net.example.lll. TXT "if you can see this record the attack worked" +diff --git a/bin/tests/system/forward/ns10/spoofednet.zone b/bin/tests/system/forward/ns10/spoofednet.zone +new file mode 100644 +index 0000000000..fb70a4372b +--- /dev/null ++++ b/bin/tests/system/forward/ns10/spoofednet.zone +@@ -0,0 +1,16 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++spoofed.net. SOA . . 0 0 0 0 0 ++spoofed.net. NS ns.spoofed.net. ++ns.spoofed.net. A 10.53.0.10 ++spoofed.net. TXT "this record is clearly spoofed" +diff --git a/bin/tests/system/forward/ns2/tld.db b/bin/tests/system/forward/ns2/tld.db +index 61b6569b07..819210dc05 100644 +--- a/bin/tests/system/forward/ns2/tld.db ++++ b/bin/tests/system/forward/ns2/tld.db +@@ -10,3 +10,9 @@ $TTL 300 ; 5 minutes + ns A 10.53.0.2 + sld NS ns.sld + ns.sld A 10.53.0.1 ++local NS ns.local ++ns.local A 10.53.0.9 ++sibling NS ns.sibling ++ns.sibling A 10.53.0.4 ++sibling NS ns.sub.local ++ns.sub.local A 10.53.0.10 +diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in +index 855b4bfb82..85349aa97e 100644 +--- a/bin/tests/system/forward/ns4/named.conf.in ++++ b/bin/tests/system/forward/ns4/named.conf.in +@@ -60,3 +60,8 @@ zone "malicious." { + type primary; + file "malicious.db"; + }; ++ ++zone "sibling.tld" { ++ type primary; ++ file "sibling.tld.db"; ++}; +diff --git a/bin/tests/system/forward/ns4/sibling.tld.db b/bin/tests/system/forward/ns4/sibling.tld.db +new file mode 100644 +index 0000000000..fe080ae974 +--- /dev/null ++++ b/bin/tests/system/forward/ns4/sibling.tld.db +@@ -0,0 +1,22 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++@ IN SOA malicious. admin.malicious. ( ++ 1 ; Serial ++ 604800 ; Refresh ++ 86400 ; Retry ++ 2419200 ; Expire ++ 86400 ) ; Negative Cache TTL ++ ++@ IN NS ns ++ ++ns IN A 10.53.0.4 +diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in +index 531ff59ece..f752eae885 100644 +--- a/bin/tests/system/forward/ns8/named.conf.in ++++ b/bin/tests/system/forward/ns8/named.conf.in +@@ -26,3 +26,8 @@ zone "." { + type hint; + file "root.db"; + }; ++ ++zone "sub.local.tld" { ++ type primary; ++ file "sub.local.tld.db"; ++}; +diff --git a/bin/tests/system/forward/ns8/sub.local.tld.db b/bin/tests/system/forward/ns8/sub.local.tld.db +new file mode 100644 +index 0000000000..f2234c754e +--- /dev/null ++++ b/bin/tests/system/forward/ns8/sub.local.tld.db +@@ -0,0 +1,15 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 ++sub.local.tld. 3600 IN NS ns.sub.local.tld. ++sub.local.tld. 3600 IN TXT good ++ns.sub.local.tld. 3600 IN A 10.53.0.8 +diff --git a/bin/tests/system/forward/ns9/local.net.db b/bin/tests/system/forward/ns9/local.net.db +new file mode 100644 +index 0000000000..af0d2a5a67 +--- /dev/null ++++ b/bin/tests/system/forward/ns9/local.net.db +@@ -0,0 +1,16 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++local.net. 3600 IN SOA . . 0 0 0 0 0 ++local.net. 3600 IN NS localhost. ++ns.local.net. 3600 IN A 10.53.0.9 ++txt.local.net. 3600 IN TXT "something in the local auth zone" ++sub.local.net. 3600 IN NS ns.spoofed.net. ; attacker will try to override this +diff --git a/bin/tests/system/forward/ns9/local.tld.db b/bin/tests/system/forward/ns9/local.tld.db +new file mode 100644 +index 0000000000..876a9139da +--- /dev/null ++++ b/bin/tests/system/forward/ns9/local.tld.db +@@ -0,0 +1,15 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++local.tld. 3600 IN SOA . . 0 0 0 0 0 ++local.tld. 3600 IN NS localhost. ++sub.local.tld. 3600 IN NS ns.sub.local.tld. ++ns.sub.local.tld. 3600 IN A 10.53.0.8 +diff --git a/bin/tests/system/forward/ns9/named1.conf.in b/bin/tests/system/forward/ns9/named1.conf.in +new file mode 100644 +index 0000000000..be9a43842f +--- /dev/null ++++ b/bin/tests/system/forward/ns9/named1.conf.in +@@ -0,0 +1,67 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * SPDX-License-Identifier: MPL-2.0 ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.9; ++ notify-source 10.53.0.9; ++ transfer-source 10.53.0.9; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.9; }; ++ listen-on-v6 { none; }; ++ dnssec-validation no; ++ edns-udp-size 1232; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++server 10.53.0.10 { ++ edns no; ++}; ++ ++server 10.53.0.11 { ++ edns no; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; ++ ++zone "attacksecuredomain.net." { ++ type forward; ++ forwarders { 10.53.0.10; }; ++}; ++ ++zone "attacksecuredomain.net2." { ++ type forward; ++ forwarders { 10.53.0.10; }; ++}; ++ ++zone "attacksecuredomain.net3." { ++ type forward; ++ forwarders { 10.53.0.11; }; ++}; ++ ++zone "local.net." { ++ type primary; ++ file "local.net.db"; ++ forwarders {}; ++}; +diff --git a/bin/tests/system/forward/ns9/named2.conf.in b/bin/tests/system/forward/ns9/named2.conf.in +new file mode 100644 +index 0000000000..2c40b42a0c +--- /dev/null ++++ b/bin/tests/system/forward/ns9/named2.conf.in +@@ -0,0 +1,70 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * SPDX-License-Identifier: MPL-2.0 ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.9; ++ notify-source 10.53.0.9; ++ transfer-source 10.53.0.9; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.9; }; ++ listen-on-v6 { none; }; ++ dnssec-validation no; ++ edns-udp-size 1232; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++server 10.53.0.10 { ++ edns no; ++}; ++ ++server 10.53.0.11 { ++ edns no; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; ++ ++zone "attacksecuredomain.net." { ++ type forward; ++ forward only; ++ forwarders { 10.53.0.10; }; ++}; ++ ++zone "attacksecuredomain.net2." { ++ type forward; ++ forward only; ++ forwarders { 10.53.0.10; }; ++}; ++ ++zone "attacksecuredomain.net3." { ++ type forward; ++ forward only; ++ forwarders { 10.53.0.11; }; ++}; ++ ++zone "local.net." { ++ type primary; ++ file "local.net.db"; ++ forwarders {}; ++}; +diff --git a/bin/tests/system/forward/ns9/named3.conf.in b/bin/tests/system/forward/ns9/named3.conf.in +new file mode 100644 +index 0000000000..576f57c10b +--- /dev/null ++++ b/bin/tests/system/forward/ns9/named3.conf.in +@@ -0,0 +1,50 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * SPDX-License-Identifier: MPL-2.0 ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.9; ++ notify-source 10.53.0.9; ++ transfer-source 10.53.0.9; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.9; }; ++ listen-on-v6 { none; }; ++ dnssec-validation no; ++ edns-udp-size 1232; ++ forward only; ++ forwarders { 10.53.0.10; }; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++server 10.53.0.10 { ++ edns no; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; ++ ++zone "local.net." { ++ type primary; ++ file "local.net.db"; ++ forwarders {}; ++}; +diff --git a/bin/tests/system/forward/ns9/named4.conf.in b/bin/tests/system/forward/ns9/named4.conf.in +new file mode 100644 +index 0000000000..5cd7d84109 +--- /dev/null ++++ b/bin/tests/system/forward/ns9/named4.conf.in +@@ -0,0 +1,47 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * SPDX-License-Identifier: MPL-2.0 ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.9; ++ notify-source 10.53.0.9; ++ transfer-source 10.53.0.9; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.9; }; ++ listen-on-v6 { none; }; ++ dnssec-validation no; ++ edns-udp-size 1232; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++server 10.53.0.10 { ++ edns no; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; ++ ++zone "local.tld." { ++ type primary; ++ file "local.tld.db"; ++}; +diff --git a/bin/tests/system/forward/ns9/root.db b/bin/tests/system/forward/ns9/root.db +new file mode 100644 +index 0000000000..2cbdff5977 +--- /dev/null ++++ b/bin/tests/system/forward/ns9/root.db +@@ -0,0 +1,13 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++. NS a.root-servers.nil. ++a.root-servers.nil. A 10.53.0.1 +diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh +index 21cf67b782..a56dd3c03f 100644 +--- a/bin/tests/system/forward/setup.sh ++++ b/bin/tests/system/forward/setup.sh +@@ -19,6 +19,8 @@ copy_setports ns4/named.conf.in ns4/named.conf + copy_setports ns5/named.conf.in ns5/named.conf + copy_setports ns7/named.conf.in ns7/named.conf + copy_setports ns8/named.conf.in ns8/named.conf ++copy_setports ns9/named1.conf.in ns9/named.conf ++copy_setports ns10/named.conf.in ns10/named.conf + + ( + cd ns1 +diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh +index 6096b06ca7..dfbaf887f7 100644 +--- a/bin/tests/system/forward/tests.sh ++++ b/bin/tests/system/forward/tests.sh +@@ -253,5 +253,127 @@ grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + ++# ++# Check various spoofed response scenarios. The same tests will be ++# run twice, with "forward first" and "forward only" configurations. ++# ++run_spooftests () { ++ n=$((n+1)) ++ echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" ++ ret=0 ++ # prime ++ dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 ++ # check 'net' is not poisoned. ++ dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 ++ grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1 ++ # check 'sub.local.net' is not poisoned. ++ dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 ++ grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1 ++ if [ $ret != 0 ]; then echo_i "failed"; fi ++ status=$((status+ret)) ++ ++ n=$((n+1)) ++ echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" ++ ret=0 ++ # prime ++ dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 ++ # check that net2/DNAME is not cached ++ dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 ++ grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1 ++ grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1 ++ if [ $ret != 0 ]; then echo_i "failed"; fi ++ status=$((status+ret)) ++ ++ n=$((n+1)) ++ echo_i "checking spoofed response scenario 3 - extra answer ($n)" ++ ret=0 ++ # prime ++ dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1 ++ # check extra net3 records are not cached ++ rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i ++ for try in 1 2 3 4 5; do ++ lines=$(grep "net3" ns9/named_dump.db | wc -l) ++ if [ ${lines} -eq 0 ]; then ++ sleep 1 ++ continue ++ fi ++ [ ${lines} -eq 1 ] || ret=1 ++ grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 ++ grep -q '^local.net3' ns9/named_dump.db && ret=1 ++ done ++ if [ $ret != 0 ]; then echo_i "failed"; fi ++ status=$((status+ret)) ++} ++ ++echo_i "checking spoofed response scenarios with forward first zones" ++run_spooftests ++ ++copy_setports ns9/named2.conf.in ns9/named.conf ++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i ++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i ++sleep 1 ++ ++echo_i "rechecking spoofed response scenarios with forward only zones" ++run_spooftests ++ ++# ++# This scenario expects the spoofed response to succeed. The tests are ++# similar to the ones above, but not identical. ++# ++echo_i "rechecking spoofed response scenarios with 'forward only' set globally" ++copy_setports ns9/named3.conf.in ns9/named.conf ++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i ++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i ++sleep 1 ++ ++n=$((n+1)) ++echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" ++ret=0 ++# prime ++dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 ++# check 'net' is poisoned. ++dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 ++grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1 ++# check 'sub.local.net' is poisoned. ++dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 ++grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=$((status+ret)) ++ ++n=$((n+1)) ++echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" ++ret=0 ++# prime ++dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 ++# check that net2/DNAME is cached ++dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 ++grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1 ++grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=$((status+ret)) ++ ++# ++# This test doesn't use any forwarder clauses but is here because it ++# is similar to forwarders, as the set of servers that can populate ++# the namespace is defined by the zone content. ++# ++echo_i "rechecking spoofed response scenarios glue below local zone" ++copy_setports ns9/named4.conf.in ns9/named.conf ++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i ++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i ++sleep 1 ++ ++n=$((n+1)) ++echo_i "checking sibling glue below zone ($n)" ++ret=0 ++# prime ++dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1 ++# check for glue A record for sub.local.tld is not used ++dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1 ++grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1 ++grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=$((status+ret)) ++ + echo_i "exit status: $status" + [ $status -eq 0 ] || exit 1 +diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh +index e078f3313b..2a4d955caf 100755 +--- a/bin/tests/system/ifconfig.sh ++++ b/bin/tests/system/ifconfig.sh +@@ -12,10 +12,10 @@ + # + # Set up interface aliases for bind9 system tests. + # +-# IPv4: 10.53.0.{1..10} RFC 1918 ++# IPv4: 10.53.0.{1..11} RFC 1918 + # 10.53.1.{1..2} + # 10.53.2.{1..2} +-# IPv6: fd92:7065:b8e:ffff::{1..10} ULA ++# IPv6: fd92:7065:b8e:ffff::{1..11} ULA + # fd92:7065:b8e:99ff::{1..2} + # fd92:7065:b8e:ff::{1..2} + # +@@ -55,7 +55,7 @@ case "$1" in + 2) ipv6="00" ;; + *) ipv6="" ;; + esac +- for ns in 1 2 3 4 5 6 7 8 9 10 ++ for ns in 1 2 3 4 5 6 7 8 9 10 11 + do + [ $i -gt 0 -a $ns -gt 2 ] && break + int=`expr $i \* 10 + $ns` +@@ -160,7 +160,7 @@ case "$1" in + 2) ipv6="00" ;; + *) ipv6="" ;; + esac +- for ns in 10 9 8 7 6 5 4 3 2 1 ++ for ns in 11 10 9 8 7 6 5 4 3 2 1 + do + [ $i -gt 0 -a $ns -gt 2 ] && continue + int=`expr $i \* 10 + $ns - 1` +-- +2.34.1 + diff --git a/SOURCES/bind-9.16-CVE-2021-25220.patch b/SOURCES/bind-9.16-CVE-2021-25220.patch new file mode 100644 index 0000000..de75ab8 --- /dev/null +++ b/SOURCES/bind-9.16-CVE-2021-25220.patch @@ -0,0 +1,251 @@ +From 5b2798e01346cd77741873091babf6c4a3128449 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Wed, 19 Jan 2022 17:38:18 +1100 +Subject: [PATCH] Add additional name checks when using a forwarder + +When using a forwarder, check that the owner name of response +records are within the bailiwick of the forwarded name space. + +(cherry picked from commit 24155213be59faad17f0215ecf73ea49ab781e5b) + +Check that the forward declaration is unchanged and not overridden + +If we are using a fowarder, in addition to checking that names to +be cached are subdomains of the forwarded namespace, we must also +check that there are no subsidiary forwarded namespaces which would +take precedence. To be safe, we don't cache any responses if the +forwarding configuration has changed since the query was sent. + +(cherry picked from commit 3fc7accd88cd0890f8f57bb13765876774298ba3) + +Check cached names for possible "forward only" clause + +When caching additional and glue data *not* from a forwarder, we must +check that there is no "forward only" clause covering the owner name +that would take precedence. Such names would normally be allowed by +baliwick rules, but a "forward only" zone introduces a new baliwick +scope. + +(cherry picked from commit ea06552a3d1fed56f7d3a13710e084ec79797b78) + +Look for zones deeper than the current domain or forward name + +When caching glue, we need to ensure that there is no closer +source of truth for the name. If the owner name for the glue +record would be answered by a locally configured zone, do not +cache. + +(cherry picked from commit 71b24210542730355149130770deea3e58d8527a) +--- + lib/dns/resolver.c | 128 +++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 123 insertions(+), 5 deletions(-) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index a7bc661bb7..7603a07b7b 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -63,6 +63,8 @@ + #include + #include + #include ++#include ++ + #ifdef WANT_QUERYTRACE + #define RTRACE(m) \ + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, \ +@@ -337,6 +339,8 @@ struct fetchctx { + dns_fetch_t *qminfetch; + dns_rdataset_t qminrrset; + dns_name_t qmindcname; ++ dns_fixedname_t fwdfname; ++ dns_name_t *fwdname; + + /*% + * The number of events we're waiting for. +@@ -3764,6 +3768,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + if (result == ISC_R_SUCCESS) { + fwd = ISC_LIST_HEAD(forwarders->fwdrs); + fctx->fwdpolicy = forwarders->fwdpolicy; ++ dns_name_copynf(domain, fctx->fwdname); + if (fctx->fwdpolicy == dns_fwdpolicy_only && + isstrictsubdomain(domain, &fctx->domain)) + { +@@ -5153,6 +5158,9 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type, + fctx->restarts = 0; + fctx->querysent = 0; + fctx->referrals = 0; ++ ++ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname); ++ + TIME_NOW(&fctx->start); + fctx->timeouts = 0; + fctx->lamecount = 0; +@@ -5215,6 +5223,7 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type, + fname, &forwarders); + if (result == ISC_R_SUCCESS) { + fctx->fwdpolicy = forwarders->fwdpolicy; ++ dns_name_copynf(fname, fctx->fwdname); + } + + if (fctx->fwdpolicy != dns_fwdpolicy_only) { +@@ -7118,6 +7127,107 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external, + } + } + ++/* ++ * Returns true if 'name' is external to the namespace for which ++ * the server being queried can answer, either because it's not a ++ * subdomain or because it's below a forward declaration or a ++ * locally served zone. ++ */ ++static inline bool ++name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) { ++ isc_result_t result; ++ dns_forwarders_t *forwarders = NULL; ++ dns_fixedname_t fixed, zfixed; ++ dns_name_t *fname = dns_fixedname_initname(&fixed); ++ dns_name_t *zfname = dns_fixedname_initname(&zfixed); ++ dns_name_t *apex = NULL; ++ dns_name_t suffix; ++ dns_zone_t *zone = NULL; ++ unsigned int labels; ++ dns_namereln_t rel; ++ ++ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain; ++ ++ /* ++ * The name is outside the queried namespace. ++ */ ++ rel = dns_name_fullcompare(name, apex, &(int){ 0 }, ++ &(unsigned int){ 0U }); ++ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) { ++ return (true); ++ } ++ ++ /* ++ * If the record lives in the parent zone, adjust the name so we ++ * look for the correct zone or forward clause. ++ */ ++ labels = dns_name_countlabels(name); ++ if (dns_rdatatype_atparent(type) && labels > 1U) { ++ dns_name_init(&suffix, NULL); ++ dns_name_getlabelsequence(name, 1, labels - 1, &suffix); ++ name = &suffix; ++ } else if (rel == dns_namereln_equal) { ++ /* If 'name' is 'apex', no further checking is needed. */ ++ return (false); ++ } ++ ++ /* ++ * If there is a locally served zone between 'apex' and 'name' ++ * then don't cache. ++ */ ++ LOCK(&fctx->res->view->lock); ++ if (fctx->res->view->zonetable != NULL) { ++ unsigned int options = DNS_ZTFIND_NOEXACT | DNS_ZTFIND_MIRROR; ++ result = dns_zt_find(fctx->res->view->zonetable, name, options, ++ zfname, &zone); ++ if (zone != NULL) { ++ dns_zone_detach(&zone); ++ } ++ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { ++ if (dns_name_fullcompare(zfname, apex, &(int){ 0 }, ++ &(unsigned int){ 0U }) == ++ dns_namereln_subdomain) ++ { ++ UNLOCK(&fctx->res->view->lock); ++ return (true); ++ } ++ } ++ } ++ UNLOCK(&fctx->res->view->lock); ++ ++ /* ++ * Look for a forward declaration below 'name'. ++ */ ++ result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname, ++ &forwarders); ++ ++ if (ISFORWARDER(fctx->addrinfo)) { ++ /* ++ * See if the forwarder declaration is better. ++ */ ++ if (result == ISC_R_SUCCESS) { ++ return (!dns_name_equal(fname, fctx->fwdname)); ++ } ++ ++ /* ++ * If the lookup failed, the configuration must have ++ * changed: play it safe and don't cache. ++ */ ++ return (true); ++ } else if (result == ISC_R_SUCCESS && ++ forwarders->fwdpolicy == dns_fwdpolicy_only && ++ !ISC_LIST_EMPTY(forwarders->fwdrs)) ++ { ++ /* ++ * If 'name' is covered by a 'forward only' clause then we ++ * can't cache this repsonse. ++ */ ++ return (true); ++ } ++ ++ return (false); ++} ++ + static isc_result_t + check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type, + dns_section_t section) { +@@ -7144,7 +7254,7 @@ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type, + result = dns_message_findname(rctx->query->rmessage, section, addname, + dns_rdatatype_any, 0, &name, NULL); + if (result == ISC_R_SUCCESS) { +- external = !dns_name_issubdomain(name, &fctx->domain); ++ external = name_external(name, type, fctx); + if (type == dns_rdatatype_a) { + for (rdataset = ISC_LIST_HEAD(name->list); + rdataset != NULL; +@@ -8768,6 +8878,13 @@ rctx_answer_scan(respctx_t *rctx) { + break; + + case dns_namereln_subdomain: ++ /* ++ * Don't accept DNAME from parent namespace. ++ */ ++ if (name_external(name, dns_rdatatype_dname, fctx)) { ++ continue; ++ } ++ + /* + * In-scope DNAME records must have at least + * as many labels as the domain being queried. +@@ -9081,13 +9198,11 @@ rctx_authority_positive(respctx_t *rctx) { + DNS_SECTION_AUTHORITY); + while (!done && result == ISC_R_SUCCESS) { + dns_name_t *name = NULL; +- bool external; + + dns_message_currentname(rctx->query->rmessage, + DNS_SECTION_AUTHORITY, &name); +- external = !dns_name_issubdomain(name, &fctx->domain); + +- if (!external) { ++ if (!name_external(name, dns_rdatatype_ns, fctx)) { + dns_rdataset_t *rdataset = NULL; + + /* +@@ -9474,7 +9589,10 @@ rctx_authority_dnssec(respctx_t *rctx) { + } + + if (!dns_name_issubdomain(name, &fctx->domain)) { +- /* Invalid name found; preserve it for logging later */ ++ /* ++ * Invalid name found; preserve it for logging ++ * later. ++ */ + rctx->found_name = name; + rctx->found_type = ISC_LIST_HEAD(name->list)->type; + continue; +-- +2.34.1 + diff --git a/SOURCES/bind-9.16-CVE-2022-0396.patch b/SOURCES/bind-9.16-CVE-2022-0396.patch new file mode 100644 index 0000000..5a374f1 --- /dev/null +++ b/SOURCES/bind-9.16-CVE-2022-0396.patch @@ -0,0 +1,81 @@ +From 33064cd077cf6fa386f0a5a840c2161868da7b3a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Tue, 8 Feb 2022 12:42:34 +0100 +Subject: [PATCH] Run .closehandle_cb asynchrounosly in nmhandle_detach_cb() + +When sock->closehandle_cb is set, we need to run nmhandle_detach_cb() +asynchronously to ensure correct order of multiple packets processing in +the isc__nm_process_sock_buffer(). When not run asynchronously, it +would cause: + + a) out-of-order processing of the return codes from processbuffer(); + + b) stack growth because the next TCP DNS message read callback will + be called from within the current TCP DNS message read callback. + +The sock->closehandle_cb is set to isc__nm_resume_processing() for TCP +sockets which calls isc__nm_process_sock_buffer(). If the read callback +(called from isc__nm_process_sock_buffer()->processbuffer()) doesn't +attach to the nmhandle (f.e. because it wants to drop the processing or +we send the response directly via uv_try_write()), the +isc__nm_resume_processing() (via .closehandle_cb) would call +isc__nm_process_sock_buffer() recursively. + +The below shortened code path shows how the stack can grow: + + 1: ns__client_request(handle, ...); + 2: isc_nm_tcpdns_sequential(handle); + 3: ns_query_start(client, handle); + 4: query_lookup(qctx); + 5: query_send(qctcx->client); + 6: isc__nmhandle_detach(&client->reqhandle); + 7: nmhandle_detach_cb(&handle); + 8: sock->closehandle_cb(sock); // isc__nm_resume_processing + 9: isc__nm_process_sock_buffer(sock); +10: processbuffer(sock); // isc__nm_tcpdns_processbuffer +11: isc_nmhandle_attach(req->handle, &handle); +12: isc__nm_readcb(sock, req, ISC_R_SUCCESS); +13: isc__nm_async_readcb(NULL, ...); +14: uvreq->cb.recv(...); // ns__client_request + +Instead, if 'sock->closehandle_cb' is set, we need to run detach the +handle asynchroniously in 'isc__nmhandle_detach', so that on line 8 in +the code flow above does not start this recursion. This ensures the +correct order when processing multiple packets in the function +'isc__nm_process_sock_buffer()' and prevents the stack growth. + +When not run asynchronously, the out-of-order processing leaves the +first TCP socket open until all requests on the stream have been +processed. + +If the pipelining is disabled on the TCP via `keep-response-order` +configuration option, named would keep the first socket in lingering +CLOSE_WAIT state when the client sends an incomplete packet and then +closes the connection from the client side. + +(cherry picked from commit afee2b5a7bc933a2d987907fc327a9f118fdbd17) +--- + lib/isc/netmgr/netmgr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c +index 3283eb6e4f..0ed3182fb6 100644 +--- a/lib/isc/netmgr/netmgr.c ++++ b/lib/isc/netmgr/netmgr.c +@@ -1746,8 +1746,12 @@ isc__nmhandle_detach(isc_nmhandle_t **handlep FLARG) { + handle = *handlep; + *handlep = NULL; + ++ /* ++ * If the closehandle_cb is set, it needs to run asynchronously to ++ * ensure correct ordering of the isc__nm_process_sock_buffer(). ++ */ + sock = handle->sock; +- if (sock->tid == isc_nm_tid()) { ++ if (sock->tid == isc_nm_tid() && sock->closehandle_cb == NULL) { + nmhandle_detach_cb(&handle FLARG_PASS); + } else { + isc__netievent_detach_t *event = +-- +2.34.1 + diff --git a/SOURCES/bind-9.16-CVE-2022-2795.patch b/SOURCES/bind-9.16-CVE-2022-2795.patch new file mode 100644 index 0000000..b67c8e9 --- /dev/null +++ b/SOURCES/bind-9.16-CVE-2022-2795.patch @@ -0,0 +1,60 @@ +From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= +Date: Thu, 8 Sep 2022 11:11:30 +0200 +Subject: [PATCH] Bound the amount of work performed for delegations + +Limit the amount of database lookups that can be triggered in +fctx_getaddresses() (i.e. when determining the name server addresses to +query next) by setting a hard limit on the number of NS RRs processed +for any delegation encountered. Without any limit in place, named can +be forced to perform large amounts of database lookups per each query +received, which severely impacts resolver performance. + +The limit used (20) is an arbitrary value that is considered to be big +enough for any sane DNS delegation. + +(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a) +--- + lib/dns/resolver.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index d2cf14bbc8..73a0ee9f77 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -195,6 +195,12 @@ + */ + #define NS_FAIL_LIMIT 4 + #define NS_RR_LIMIT 5 ++/* ++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in ++ * any NS RRset encountered, to avoid excessive resource use while processing ++ * large delegations. ++ */ ++#define NS_PROCESSING_LIMIT 20 + + /* Number of hash buckets for zone counters */ + #ifndef RES_DOMAIN_BUCKETS +@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + bool need_alternate = false; + bool all_spilled = true; + unsigned int no_addresses = 0; ++ unsigned int ns_processed = 0; + + FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); + +@@ -3902,6 +3909,11 @@ normal_nses: + + dns_rdata_reset(&rdata); + dns_rdata_freestruct(&ns); ++ ++ if (++ns_processed >= NS_PROCESSING_LIMIT) { ++ result = ISC_R_NOMORE; ++ break; ++ } + } + if (result != ISC_R_NOMORE) { + return (result); +-- +2.37.3 + diff --git a/SOURCES/bind-9.16-CVE-2022-3080.patch b/SOURCES/bind-9.16-CVE-2022-3080.patch new file mode 100644 index 0000000..998ddf4 --- /dev/null +++ b/SOURCES/bind-9.16-CVE-2022-3080.patch @@ -0,0 +1,116 @@ +From 3bcd32572504ac9b92e3c6ec1e2cee3df3b68309 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Tue, 20 Sep 2022 11:34:42 +0200 +Subject: [PATCH 2/4] Fix CVE-2022-3080 + +5960. [security] Fix serve-stale crash that could happen when + stale-answer-client-timeout was set to 0 and there was + a stale CNAME in the cache for an incoming query. + (CVE-2022-3080) [GL #3517] +--- + lib/ns/include/ns/query.h | 1 + + lib/ns/query.c | 42 ++++++++++++++++++++++++--------------- + 2 files changed, 27 insertions(+), 16 deletions(-) + +diff --git a/lib/ns/include/ns/query.h b/lib/ns/include/ns/query.h +index 4d48cf6..34b3070 100644 +--- a/lib/ns/include/ns/query.h ++++ b/lib/ns/include/ns/query.h +@@ -145,6 +145,7 @@ struct query_ctx { + bool authoritative; /* authoritative query? */ + bool want_restart; /* CNAME chain or other + * restart needed */ ++ bool refresh_rrset; /* stale RRset refresh needed */ + bool need_wildcardproof; /* wildcard proof needed */ + bool nxrewrite; /* negative answer from RPZ */ + bool findcoveringnsec; /* lookup covering NSEC */ +diff --git a/lib/ns/query.c b/lib/ns/query.c +index 249321c..a450cb7 100644 +--- a/lib/ns/query.c ++++ b/lib/ns/query.c +@@ -5686,7 +5686,6 @@ query_lookup(query_ctx_t *qctx) { + bool dbfind_stale = false; + bool stale_timeout = false; + bool stale_found = false; +- bool refresh_rrset = false; + bool stale_refresh_window = false; + + CCTRACE(ISC_LOG_DEBUG(3), "query_lookup"); +@@ -5868,8 +5867,7 @@ query_lookup(query_ctx_t *qctx) { + "%s stale answer used, an attempt to " + "refresh the RRset will still be made", + namebuf); +- refresh_rrset = STALE(qctx->rdataset); +- qctx->client->nodetach = refresh_rrset; ++ qctx->refresh_rrset = STALE(qctx->rdataset); + } + } else { + /* +@@ -5907,17 +5905,6 @@ query_lookup(query_ctx_t *qctx) { + + result = query_gotanswer(qctx, result); + +- if (refresh_rrset) { +- /* +- * If we reached this point then it means that we have found a +- * stale RRset entry in cache and BIND is configured to allow +- * queries to be answered with stale data if no active RRset +- * is available, i.e. "stale-anwer-client-timeout 0". But, we +- * still need to refresh the RRset. +- */ +- query_refresh_rrset(qctx); +- } +- + cleanup: + return (result); + } +@@ -7737,11 +7724,14 @@ query_addanswer(query_ctx_t *qctx) { + + /* + * On normal lookups, clear any rdatasets that were added on a +- * lookup due to stale-answer-client-timeout. ++ * lookup due to stale-answer-client-timeout. Do not clear if we ++ * are going to refresh the RRset, because the stale contents are ++ * prioritized. + */ + if (QUERY_STALEOK(&qctx->client->query) && +- !QUERY_STALETIMEOUT(&qctx->client->query)) ++ !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset) + { ++ CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale"); + query_clear_stale(qctx->client); + /* + * We can clear the attribute to prevent redundant clearing +@@ -11457,9 +11447,29 @@ ns_query_done(query_ctx_t *qctx) { + /* + * Client may have been detached after query_send(), so + * we test and store the flag state here, for safety. ++ * If we are refreshing the RRSet, we must not detach from the client ++ * in the query_send(), so we need to override the flag. + */ ++ if (qctx->refresh_rrset) { ++ qctx->client->nodetach = true; ++ } + nodetach = qctx->client->nodetach; + query_send(qctx->client); ++ ++ if (qctx->refresh_rrset) { ++ /* ++ * If we reached this point then it means that we have found a ++ * stale RRset entry in cache and BIND is configured to allow ++ * queries to be answered with stale data if no active RRset ++ * is available, i.e. "stale-anwer-client-timeout 0". But, we ++ * still need to refresh the RRset. To prevent adding duplicate ++ * RRsets, clear the RRsets from the message before doing the ++ * refresh. ++ */ ++ message_clearrdataset(qctx->client->message, 0); ++ query_refresh_rrset(qctx); ++ } ++ + if (!nodetach) { + qctx->detach_client = true; + } +-- +2.37.3 + diff --git a/SOURCES/bind-9.16-CVE-2022-3094-1.patch b/SOURCES/bind-9.16-CVE-2022-3094-1.patch new file mode 100644 index 0000000..86fbf76 --- /dev/null +++ b/SOURCES/bind-9.16-CVE-2022-3094-1.patch @@ -0,0 +1,240 @@ +From 18036bb3f435eaa20d60093738c61e5da42a6cfe Mon Sep 17 00:00:00 2001 +From: Evan Hunt +Date: Thu, 1 Sep 2022 16:05:04 -0700 +Subject: [PATCH] add an update quota + +limit the number of simultaneous DNS UPDATE events that can be +processed by adding a quota for update and update forwarding. +this quota currently, arbitrarily, defaults to 100. + +also add a statistics counter to record when the update quota +has been exceeded. + +(cherry picked from commit 7c47254a140c3e9cf383cda73c7b6a55c4782826) +--- + bin/named/bind9.xsl | 4 +++- + bin/named/bind9.xsl.h | 6 +++++- + bin/named/statschannel.c | 5 +++-- + doc/arm/reference.rst | 5 +++++ + lib/ns/include/ns/server.h | 1 + + lib/ns/include/ns/stats.h | 4 +++- + lib/ns/server.c | 2 ++ + lib/ns/update.c | 37 ++++++++++++++++++++++++++++++++++++- + 8 files changed, 58 insertions(+), 6 deletions(-) + +diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl +index 5078115..194625b 100644 +--- a/bin/named/bind9.xsl ++++ b/bin/named/bind9.xsl +@@ -12,7 +12,9 @@ + + + +- ++ ++ ++ + + + +diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h +index e30f7f5..b182742 100644 +--- a/bin/named/bind9.xsl.h ++++ b/bin/named/bind9.xsl.h +@@ -20,7 +20,11 @@ static char xslmsg[] = + "\n" + " \n" +- " \n" ++ " \n" ++ " \n" ++ " \n" + " \n" + " \n" + "