[9.20] fix: usr: fix generation of 6to4-self name expansion from IPv4 address

The period between the most significant nibble of the encoded IPv4 address and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the wrong name being checked. Add system test for 6to4-self implementation. Closes #4766 Backport of MR !9099 Merge branch 'backport-4766-add-system-test-for-6to4-self-9.20' into 'bind-9.20' See merge request isc-projects/bind9!9217
2026-06-03 13:59:27 -04:00 · 2024-08-01 07:31:25 +00:00 · 2024-08-01 07:31:25 +00:00 · 00ce93a69c
commit 00ce93a69c
parent fb07c38697 c55d89f9d1
14 changed files with 137 additions and 8 deletions
--- a/bin/tests/system/ifconfig.sh.in
+++ b/bin/tests/system/ifconfig.sh.in
@ -21,6 +21,7 @@
 #       fd92:7065:b8e:99ff::{1..2}
 #       fd92:7065:b8e:ff::{1..2}
 #       fd92:7065:b8e:fffe::10.53.0.4
+#       2002:0a35:0007::1                       6to4 for 10.53.0.7
 #
 # We also set the MTU on the 1500 bytes to match the default MTU on physical
 # interfaces, so we can properly test the cases with packets bigger than
@ -241,7 +242,7 @@ sequence() (
 max=11
 case $1 in
  start | up | stop | down)
-    for i in $(sequence 0 3); do
+    for i in $(sequence 0 4); do
      case $i in
        0) ipv6="ff" ;;
        1) ipv6="99" ;;
@ -261,6 +262,11 @@ case $1 in
            a=
            aaaa=fd92:7065:b8e:fffe::10.53.0.$ns
            ;;
+          4)
+            [ $ns -ne 1 ] && continue
+            a=
+            aaaa=2002:0a35:0007::$ns
+            ;;
        esac
        case "$1" in
          start | up) up ;;
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@ -54,6 +54,7 @@ rm -f ns3/many.test.bk
 rm -f ns3/nsec3param.test.db
 rm -f ns3/too-big.test.db
 rm -f ns5/local.db
+rm -f ns6/2.0.0.2.ip6.addr.db
 rm -f ns6/in-addr.db
 rm -f ns7/_default.tsigkeys
 rm -f ns7/example.com.db
--- a/bin/tests/system/nsupdate/ns10/named.conf.in
+++ b/bin/tests/system/nsupdate/ns10/named.conf.in
@ -21,6 +21,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.10; };
 	listen-on tls ephemeral { 10.53.0.10; };
+	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/ns5/named.conf.in
+++ b/bin/tests/system/nsupdate/ns5/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/ns6/2.0.0.2.ip6.addr.db.in
+++ b/bin/tests/system/nsupdate/ns6/2.0.0.2.ip6.addr.db.in
@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns5.local.nil. hostmaster.local.nil. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns6
+ns6			A	10.53.0.6
--- a/bin/tests/system/nsupdate/ns6/named.conf.in
+++ b/bin/tests/system/nsupdate/ns6/named.conf.in
@ -15,10 +15,14 @@ options {
 	query-source address 10.53.0.6;
 	notify-source 10.53.0.6;
 	transfer-source 10.53.0.6;
+	query-source-v6 address fd92:7065:b8e:ffff::6;
+	notify-source-v6 fd92:7065:b8e:ffff::6;
+	transfer-source-v6 fd92:7065:b8e:ffff::6;
 	port @PORT@;
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.6; };
+	listen-on-v6 { fd92:7065:b8e:ffff::6; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
@ -39,3 +43,9 @@ zone "in-addr.arpa" {
 	file "in-addr.db";
 	update-policy {	grant * tcp-self . PTR(1) ANY(2) A; };
 };
+
+zone "2.0.0.2.ip6.arpa" {
+	type primary;
+	file "2.0.0.2.ip6.addr.db";
+	update-policy {	grant * 6to4-self . NS(10) DS(4); };
+};
--- a/bin/tests/system/nsupdate/ns7/named1.conf.in
+++ b/bin/tests/system/nsupdate/ns7/named1.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/ns7/named2.conf.in
+++ b/bin/tests/system/nsupdate/ns7/named2.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/ns8/named.conf.in
+++ b/bin/tests/system/nsupdate/ns8/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.8; };
+	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/ns9/named.conf.in
+++ b/bin/tests/system/nsupdate/ns9/named.conf.in
@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@ -115,6 +115,7 @@ cp ns2/sample.db.in ns2/sample.db
 cp -f ns1/maxjournal.db.in ns1/maxjournal.db

 cp -f ns5/local.db.in ns5/local.db
+cp -f ns6/2.0.0.2.ip6.addr.db.in ns6/2.0.0.2.ip6.addr.db
 cp -f ns6/in-addr.db.in ns6/in-addr.db
 cp -f ns7/in-addr.db.in ns7/in-addr.db
 cp -f ns7/example.com.db.in ns7/example.com.db
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@ -759,6 +759,90 @@ if test $ret -ne 0; then
  status=1
 fi

+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy 6to4-self' refuses update of records via UDP over IPv4 ($n)"
+REVERSE_NAME=6.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa
+$NSUPDATE >nsupdate.out.$n 2>&1 <<END && ret=1
+server 10.53.0.6 ${PORT}
+local 10.53.0.6
+zone 2.0.0.2.ip6.arpa
+update add ${REVERSE_NAME} 600 NS localhost.
+send
+END
+grep REFUSED nsupdate.out.$n >/dev/null 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.6 \
+  +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+  $REVERSE_NAME NS >dig.out.ns6.$n
+grep localhost. dig.out.ns6.$n >/dev/null 2>&1 && ret=1
+if test $ret -ne 0; then
+  echo_i "failed"
+  status=1
+fi
+
+n=$((n + 1))
+echo_i "check that 'update-policy 6to4-self' permits update of records for the client's own address via TCP over IPv4 ($n)"
+ret=0
+REVERSE_NAME=6.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa
+$NSUPDATE -v >nsupdate.out.$n 2>&1 <<END || ret=1
+server 10.53.0.6 ${PORT}
+local 10.53.0.6
+zone 2.0.0.2.ip6.arpa
+update add ${REVERSE_NAME} 600 NS localhost.
+send
+END
+grep REFUSED nsupdate.out.$n >/dev/null 2>&1 && ret=1
+$DIG $DIGOPTS @10.53.0.6 \
+  +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+  $REVERSE_NAME NS >dig.out.ns6.$n || ret=1
+grep localhost. dig.out.ns6.$n >/dev/null 2>&1 || ret=1
+if test $ret -ne 0; then
+  echo_i "failed"
+  status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy 6to4-self' refuses update of records via UDP over IPv6 ($n)"
+REVERSE_NAME=7.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa
+$NSUPDATE >nsupdate.out.$n 2>&1 <<END && ret=1
+server fd92:7065:b8e:ffff::6 ${PORT}
+local 2002:a35:7::1
+zone 2.0.0.2.ip6.arpa
+update add ${REVERSE_NAME} 600 NS localhost.
+send
+END
+grep REFUSED nsupdate.out.$n >/dev/null 2>&1 || ret=1
+$DIG $DIGOPTS @fd92:7065:b8e:ffff::6 \
+  +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+  $REVERSE_NAME NS >dig.out.ns6.$n
+grep localhost. dig.out.ns6.$n >/dev/null 2>&1 && ret=1
+if test $ret -ne 0; then
+  echo_i "failed"
+  status=1
+fi
+
+n=$((n + 1))
+echo_i "check that 'update-policy 6to4-self' permits update of records for the client's own address via TCP over IPv6 ($n)"
+ret=0
+REVERSE_NAME=7.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa
+$NSUPDATE -v >nsupdate.out.$n 2>&1 <<END || ret=1
+server fd92:7065:b8e:ffff::6 ${PORT}
+local 2002:a35:7::1
+zone 2.0.0.2.ip6.arpa
+update add ${REVERSE_NAME} 600 NS localhost.
+send
+END
+grep REFUSED nsupdate.out.$n >/dev/null 2>&1 && ret=1
+$DIG $DIGOPTS @fd92:7065:b8e:ffff::6 \
+  +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+  $REVERSE_NAME NS >dig.out.ns6.$n || ret=1
+grep localhost. dig.out.ns6.$n >/dev/null 2>&1 || ret=1
+if test $ret -ne 0; then
+  echo_i "failed"
+  status=1
+fi
+
 n=$((n + 1))
 ret=0
 echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
--- a/bin/tests/system/org.isc.bind.system
+++ b/bin/tests/system/org.isc.bind.system
@ -28,3 +28,4 @@ do
 	ifup 2 00 $ns
 done
 /sbin/ifconfig lo0 inet6 fd92:7065:b8e:fffe::10.53.0.4 alias
+/sbin/ifconfig lo0 inet6 2002:a35:7::1 alias
--- a/lib/dns/ssu.c
+++ b/lib/dns/ssu.c
@ -245,13 +245,12 @@ stf_from_address(dns_name_t *stfself, const isc_netaddr_t *tcpaddr) {
 	switch (tcpaddr->family) {
 	case AF_INET:
 		l = ntohl(tcpaddr->type.in.s_addr);
-		result = snprintf(buf, sizeof(buf),
-				  "%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx"
-				  "2.0.0.2.IP6.ARPA.",
-				  l & 0xf, (l >> 4) & 0xf, (l >> 8) & 0xf,
-				  (l >> 12) & 0xf, (l >> 16) & 0xf,
-				  (l >> 20) & 0xf, (l >> 24) & 0xf,
-				  (l >> 28) & 0xf);
+		result = snprintf(
+			buf, sizeof(buf),
+			"%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx.2.0.0.2.IP6.ARPA.",
+			l & 0xf, (l >> 4) & 0xf, (l >> 8) & 0xf,
+			(l >> 12) & 0xf, (l >> 16) & 0xf, (l >> 20) & 0xf,
+			(l >> 24) & 0xf, (l >> 28) & 0xf);
 		RUNTIME_CHECK(result < sizeof(buf));
 		break;
 	case AF_INET6: