bind/backport-Test-dnssec-policy-max-zone-ttl-rejects-zone-with-to.patch
chengyechun 976d86a951 fix CVE and sync some patches from upstream
(cherry picked from commit 024c1c3a13843410cfc171309152f326fed846cf)
2024-03-15 17:30:31 +08:00


From 2022384b8dc7249671d521dc9ef5a292a960521d Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Wed, 13 Jul 2022 10:27:18 +0200
Subject: [PATCH] Test dnssec-policy max-zone-ttl rejects zone with too high
TTL
Similar to the 'max-zone-ttl' zone option, the 'dnssec-policy' option
should reject zones with TTLs that are out of range.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/2022384b8dc7249671d521dc9ef5a292a960521d
---
bin/tests/system/kasp/ns3/named.conf.in | 9 +++++++
.../system/kasp/ns3/policies/kasp.conf.in | 4 ++++
bin/tests/system/kasp/ns3/setup.sh | 24 ++++++++-----------
bin/tests/system/kasp/tests.sh | 9 +++++++
4 files changed, 32 insertions(+), 14 deletions(-)
diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in
index e229fd9158..64ae2aa402 100644
--- a/bin/tests/system/kasp/ns3/named.conf.in
+++ b/bin/tests/system/kasp/ns3/named.conf.in
@@ -223,6 +223,15 @@ zone "ecdsa384.kasp" {
dnssec-policy "ecdsa384";
};
+/*
+ * Zone with too high TTL.
+ */
+zone "max-zone-ttl.kasp" {
+ type primary;
+ file "max-zone-ttl.kasp.db";
+ dnssec-policy "ttl";
+};
+
/*
* Zones in different signing states.
*/
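Review bot: The comment above the new `max-zone-ttl.kasp` zone only says the TTL is too high; it does not say what the test expects named to do with it, which is the whole point of the zone. Since the commit message and the tests.sh change say the zone must be refused at load time, I would make that explicit so nobody later "fixes" the zone file: `/* Zone expected to be rejected at load time: its TTL exceeds the "ttl" policy's max-zone-ttl. */`. The `ttl` policy itself is defined in a different file section (kasp.conf.in), so a reader of named.conf.in alone cannot see the limit.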
diff --git a/bin/tests/system/kasp/ns3/policies/kasp.conf.in b/bin/tests/system/kasp/ns3/policies/kasp.conf.in
index d0ae96ce08..17b900c7b3 100644
--- a/bin/tests/system/kasp/ns3/policies/kasp.conf.in
+++ b/bin/tests/system/kasp/ns3/policies/kasp.conf.in
@@ -132,3 +132,7 @@ dnssec-policy "checkds-csk" {
csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
+
+dnssec-policy "ttl" {
+ max-zone-ttl 299;
+};
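Review bot: The new `dnssec-policy "ttl"` block gives no hint why `max-zone-ttl 299;` was chosen, and the policy name does not say it is a deliberately too-low limit used to provoke a load failure. A one-line comment would keep the value from being tuned away, e.g. `// Deliberately below the TTL of the test zone data so loading max-zone-ttl.kasp fails with "out of range".` The exact TTL in template.db.in is not visible in this patch, so the relationship to 299 should be confirmed before the comment states it as the source of the failure.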
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 21c4c9126d..bc4a0fc11d 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -64,20 +64,16 @@ if [ -f ../ed448-supported.file ]; then
cat ed448.conf >> named.conf
fi
-# Set up zone that stays unsigned.
-zone="unsigned.kasp"
-echo_i "setting up zone: $zone"
-zonefile="${zone}.db"
-infile="${zone}.db.infile"
-cp template.db.in $infile
-cp template.db.in $zonefile
-
-# Set up zone that stays unsigned.
-zone="insecure.kasp"
-echo_i "setting up zone: $zone"
-zonefile="${zone}.db"
-infile="${zone}.db.infile"
-cp template.db.in $zonefile
+# Set up zones that stay unsigned.
+for zn in unsigned insecure max-zone-ttl
+do
+ zone="${zn}.kasp"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+ cp template.db.in $infile
+ cp template.db.in $zonefile
+done
# Some of these zones already have keys.
zone="dnssec-keygen.kasp"
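Review bot: The loop header comment `# Set up zones that stay unsigned.` is now inaccurate for the third entry, because `max-zone-ttl.kasp` is set up only so that named rejects it at load time (per the tests.sh change in this patch); I would write `# Set up zones that stay unsigned; max-zone-ttl.kasp is expected to be rejected at load time.` Inside the loop the two `cp` lines keep the unquoted expansions from the removed code, so `cp template.db.in "$infile"` and `cp template.db.in "$zonefile"` would satisfy ShellCheck and match the quoting of `echo_i "setting up zone: $zone"` just above. Note also that the loop now copies an `.infile` for insecure.kasp, which the removed block did not do; this looks harmless but is a behavioural difference worth confirming. The script continues past the hunk.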
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 4a458945a0..ff4d32cc7b 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -253,6 +253,15 @@ status=$((status+ret))
next_key_event_threshold=$((next_key_event_threshold+i))
+# Test max-zone-ttl rejects zones with too high TTL.
+n=$((n+1))
+echo_i "check that max-zone-ttl rejects zones with too high TTL ($n)"
+ret=0
+set_zone "max-zone-ttl.kasp"
+grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
#
# Zone: default.kasp.
#
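Review bot: The new check at `grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" > /dev/null || ret=1` passes as soon as the log line exists, so it does not prove the zone was actually refused; a later refactor that logs the message but still serves the zone would not be caught. Adding a query-side assertion after the grep (for example that a SOA query for `${ZONE}` to ns3 is not answered authoritatively) would tie the test to the observable behaviour rather than to the log wording. The pattern is a fixed string containing `.`, so `grep -qF -- "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" || ret=1` is both more precise and drops the `> /dev/null`. `ZONE` is presumably set by `set_zone`, which is defined outside this hunk.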
--
2.27.0