From fc350f311afa614fffeccfc0505fad2493b03305 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 5 Jun 2024 13:59:39 +1000 Subject: [PATCH 1/3] Add missing period to generated IPv4 6to4 name The period between the most significant nibble of the IPv4 address and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the wrong name being checked. (cherry picked from commit bca63437a15d857cdf79ca1f1bbcb5e5062e5fb8)
---
 lib/dns/ssu.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/lib/dns/ssu.c b/lib/dns/ssu.c
index b54157ecc1..b43c7cfac3 100644
--- a/lib/dns/ssu.c
+++ b/lib/dns/ssu.c
@@ -245,13 +245,12 @@ stf_from_address(dns_name_t *stfself, const isc_netaddr_t *tcpaddr) {
 switch (tcpaddr->family) {
 case AF_INET:
 l = ntohl(tcpaddr->type.in.s_addr);
- result = snprintf(buf, sizeof(buf),
- "%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx"
- "2.0.0.2.IP6.ARPA.",
- l & 0xf, (l >> 4) & 0xf, (l >> 8) & 0xf,
- (l >> 12) & 0xf, (l >> 16) & 0xf,
- (l >> 20) & 0xf, (l >> 24) & 0xf,
- (l >> 28) & 0xf);
+ result = snprintf(
+ buf, sizeof(buf),
+ "%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx.2.0.0.2.IP6.ARPA.",
+ l & 0xf, (l >> 4) & 0xf, (l >> 8) & 0xf,
+ (l >> 12) & 0xf, (l >> 16) & 0xf, (l >> 20) & 0xf,
+ (l >> 24) & 0xf, (l >> 28) & 0xf);
 RUNTIME_CHECK(result < sizeof(buf));
 break;
 case AF_INET6:
From c92b05c0e2c9b62741a0deebab5be16c6e83beff Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 5 Jun 2024 15:22:17 +1000 Subject: [PATCH 2/3] check 'update-policy 6to4-self' over IPv4 (cherry picked from commit b28e5ff72174ebc91f0247e22efa6177fa0ccfcc)
---
 bin/tests/system/nsupdate/clean.sh | 1 + .../nsupdate/ns6/2.0.0.2.ip6.addr.db.in | 21 ++++++++++ bin/tests/system/nsupdate/ns6/named.conf.in | 6 +++ bin/tests/system/nsupdate/setup.sh | 1 + bin/tests/system/nsupdate/tests.sh | 42 +++++++++++++++++++ 5 files changed, 71 insertions(+) create mode 100644 bin/tests/system/nsupdate/ns6/2.0.0.2.ip6.addr.db.in 
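Review bot: The new `result = snprintf(` call produces a fixed-length name (eight one-hex-digit labels, each argument masked with `& 0xf`, followed by `2.0.0.2.IP6.ARPA.`), so the `RUNTIME_CHECK(result < sizeof(buf))` that follows can only trip on a negative return, and if `result` is an `int` — its declaration and the rest of `stf_from_address` are outside this hunk — that case is rejected only through the implicit promotion to `size_t`; `RUNTIME_CHECK(result >= 0 && (size_t)result < sizeof(buf));` states the intent and avoids a sign-compare warning. A one-line comment above the call would help the next reader, e.g. `/* 2002:AABB:CCDD::/48 -> the IPv4 address's nibbles, least significant first, under 2.0.0.2.IP6.ARPA. */`, since `l & 0xf` being printed first is what makes the reversal happen. If this name is what the 6to4-self rule matches the update target against (the comparison is outside the hunk), the old fused label could only make the match fail, so the defect denied legitimate updates rather than widening the grant; that is worth stating in the commit message.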
diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh index 99f3d4d612..de5f3c3be9 100644 --- a/bin/tests/system/nsupdate/clean.sh +++ b/bin/tests/system/nsupdate/clean.sh @@ -54,6 +54,7 @@ rm -f ns3/many.test.bk rm -f ns3/nsec3param.test.db rm -f ns3/too-big.test.db rm -f ns5/local.db +rm -f ns6/2.0.0.2.ip6.addr.db rm -f ns6/in-addr.db rm -f ns7/_default.tsigkeys rm -f ns7/example.com.db diff --git a/bin/tests/system/nsupdate/ns6/2.0.0.2.ip6.addr.db.in b/bin/tests/system/nsupdate/ns6/2.0.0.2.ip6.addr.db.in new file mode 100644 index 0000000000..71609c349d --- /dev/null +++ b/bin/tests/system/nsupdate/ns6/2.0.0.2.ip6.addr.db.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns5.local.nil. hostmaster.local.nil. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns6 +ns6 A 10.53.0.6 diff --git a/bin/tests/system/nsupdate/ns6/named.conf.in b/bin/tests/system/nsupdate/ns6/named.conf.in index c636cfc754..5ed1623546 100644 --- a/bin/tests/system/nsupdate/ns6/named.conf.in +++ b/bin/tests/system/nsupdate/ns6/named.conf.in @@ -39,3 +39,9 @@ zone "in-addr.arpa" { file "in-addr.db"; update-policy { grant * tcp-self . PTR(1) ANY(2) A; }; }; + +zone "2.0.0.2.ip6.arpa" { + type primary; + file "2.0.0.2.ip6.addr.db"; + update-policy { grant * 6to4-self . NS(10) DS(4); }; +}; diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh index fab75704bf..6ea5a66027 100644 --- a/bin/tests/system/nsupdate/setup.sh 
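Review bot: In the new `2.0.0.2.ip6.addr.db.in` the SOA MNAME is `ns5.local.nil.` while the zone's only nameserver records are `NS ns6` and `ns6 A 10.53.0.6`; nsupdate falls back to the SOA MNAME when a script gives no `server` line, so if any test relies on that the update would be sent to ns5 instead of the server that holds the zone. Pointing MNAME at the actual primary (`ns6.2.0.0.2.ip6.arpa.`) or adding a comment that the MNAME is deliberately not the update target would remove the ambiguity. The `update-policy { grant * 6to4-self . NS(10) DS(4); };` in the ns6 `named.conf.in` hunk would also read better with a one-line comment saying that `*` is intended because 6to4-self derives the permitted name from the client's own address rather than from an identity.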
+++ b/bin/tests/system/nsupdate/setup.sh @@ -115,6 +115,7 @@ cp ns2/sample.db.in ns2/sample.db cp -f ns1/maxjournal.db.in ns1/maxjournal.db cp -f ns5/local.db.in ns5/local.db +cp -f ns6/2.0.0.2.ip6.addr.db.in ns6/2.0.0.2.ip6.addr.db cp -f ns6/in-addr.db.in ns6/in-addr.db cp -f ns7/in-addr.db.in ns7/in-addr.db cp -f ns7/example.com.db.in ns7/example.com.db diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index 3d309d93f1..6a1fb1b3cf 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh @@ -759,6 +759,48 @@ if test $ret -ne 0; then status=1 fi +n=$((n + 1)) +ret=0 +echo_i "check that 'update-policy 6to4-self' refuses update of records via UDP over IPv4 ($n)" +REVERSE_NAME=6.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa +$NSUPDATE >nsupdate.out.$n 2>&1 </dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.6 \ + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + $REVERSE_NAME NS >dig.out.ns6.$n +grep localhost. dig.out.ns6.$n >/dev/null 2>&1 && ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 +fi + +n=$((n + 1)) +echo_i "check that 'update-policy 6to4-self' permits update of records for the client's own address via TCP over IPv4 ($n)" +ret=0 +REVERSE_NAME=6.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa +$NSUPDATE -v >nsupdate.out.$n 2>&1 </dev/null 2>&1 && ret=1 +$DIG $DIGOPTS @10.53.0.6 \ + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + $REVERSE_NAME NS >dig.out.ns6.$n || ret=1 +grep localhost. dig.out.ns6.$n >/dev/null 2>&1 || ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 +fi + n=$((n + 1)) ret=0 echo_i "check that 'update-policy subdomain' is properly enforced ($n)" From c55d89f9d17a11bbd0beba918f91d125dea682e7 Mon Sep 17 00:00:00 2001 
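Review bot: In the new "refuses update of records via UDP over IPv4" check the `$DIG ... $REVERSE_NAME NS >dig.out.ns6.$n` line has no `|| ret=1`, unlike the TCP check directly below it, so a dig failure (server unreachable, wrong port) leaves the output file empty, `grep localhost.` finds nothing and the negative test passes vacuously; append `|| ret=1` to that line. The same omission appears in patch 3's IPv6 counterpart in tests.sh. The `$NSUPDATE` invocations appear truncated in this rendering (`</dev/null 2>&1` wedged between two redirections looks like a lost here-document), so the client commands and the `|| ret=1` / `&& ret=1` pairing on those lines cannot be judged from here.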
From: Mark Andrews Date: Fri, 7 Jun 2024 13:28:48 +1000 Subject: [PATCH 3/3] check 'update-policy 6to4-self' over IPv6 (cherry picked from commit 3b0de4773bb0d485fbc079152e08a261718005d6) --- bin/tests/system/ifconfig.sh.in | 8 +++- bin/tests/system/nsupdate/ns10/named.conf.in | 1 + bin/tests/system/nsupdate/ns5/named.conf.in | 1 + bin/tests/system/nsupdate/ns6/named.conf.in | 4 ++ bin/tests/system/nsupdate/ns7/named1.conf.in | 1 + bin/tests/system/nsupdate/ns7/named2.conf.in | 1 + bin/tests/system/nsupdate/ns8/named.conf.in | 1 + bin/tests/system/nsupdate/ns9/named.conf.in | 1 + bin/tests/system/nsupdate/tests.sh | 42 ++++++++++++++++++++ bin/tests/system/org.isc.bind.system | 1 + 10 files changed, 60 insertions(+), 1 deletion(-) diff --git a/bin/tests/system/ifconfig.sh.in b/bin/tests/system/ifconfig.sh.in index 0e054149f7..ef50291672 100755 --- a/bin/tests/system/ifconfig.sh.in +++ b/bin/tests/system/ifconfig.sh.in @@ -21,6 +21,7 @@ # fd92:7065:b8e:99ff::{1..2} # fd92:7065:b8e:ff::{1..2} # fd92:7065:b8e:fffe::10.53.0.4 +# 2002:0a35:0007::1 6to4 for 10.53.0.7 # # We also set the MTU on the 1500 bytes to match the default MTU on physical # interfaces, so we can properly test the cases with packets bigger than @@ -241,7 +242,7 @@ sequence() ( max=11 case $1 in start | up | stop | down) - for i in $(sequence 0 3); do + for i in $(sequence 0 4); do case $i in 0) ipv6="ff" ;; 1) ipv6="99" ;; @@ -261,6 +262,11 @@ case $1 in a= aaaa=fd92:7065:b8e:fffe::10.53.0.$ns ;; + 4) + [ $ns -ne 1 ] && continue + a= + aaaa=2002:0a35:0007::$ns + ;; esac case "$1" in start | up) up ;; diff --git a/bin/tests/system/nsupdate/ns10/named.conf.in b/bin/tests/system/nsupdate/ns10/named.conf.in index a186d14114..51a0b4f587 100644 --- a/bin/tests/system/nsupdate/ns10/named.conf.in +++ b/bin/tests/system/nsupdate/ns10/named.conf.in 
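Review bot: The new `4)` case in the `for i in $(sequence 0 4)` loop is skipped for every server but 1 (`[ $ns -ne 1 ] && continue`), so `aaaa=2002:0a35:0007::$ns` always expands to `::1`; writing `aaaa=2002:0a35:0007::1` would make clear that the host part is not tied to the server number and that the prefix is the 6to4 mapping of 10.53.0.7 (`0a35:0007`), as the new header comment says. The enclosing `case` statement and the `up`/`down` dispatch continue outside the hunk, so whether the alias is removed on `stop | down` is not visible here.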
@@ -21,6 +21,7 @@ options { session-keyfile "session.key"; listen-on { 10.53.0.10; }; listen-on tls ephemeral { 10.53.0.10; }; + listen-on-v6 { none; }; recursion no; notify yes; minimal-responses no; diff --git a/bin/tests/system/nsupdate/ns5/named.conf.in b/bin/tests/system/nsupdate/ns5/named.conf.in index e3c4d1b33d..223abd925e 100644 --- a/bin/tests/system/nsupdate/ns5/named.conf.in +++ b/bin/tests/system/nsupdate/ns5/named.conf.in @@ -19,6 +19,7 @@ options { pid-file "named.pid"; session-keyfile "session.key"; listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; recursion no; notify yes; minimal-responses no; diff --git a/bin/tests/system/nsupdate/ns6/named.conf.in b/bin/tests/system/nsupdate/ns6/named.conf.in index 5ed1623546..e2950aa3b7 100644 --- a/bin/tests/system/nsupdate/ns6/named.conf.in +++ b/bin/tests/system/nsupdate/ns6/named.conf.in @@ -15,10 +15,14 @@ options { query-source address 10.53.0.6; notify-source 10.53.0.6; transfer-source 10.53.0.6; + query-source-v6 address fd92:7065:b8e:ffff::6; + notify-source-v6 fd92:7065:b8e:ffff::6; + transfer-source-v6 fd92:7065:b8e:ffff::6; port @PORT@; pid-file "named.pid"; session-keyfile "session.key"; listen-on { 10.53.0.6; }; + listen-on-v6 { fd92:7065:b8e:ffff::6; }; recursion no; notify yes; minimal-responses no; diff --git a/bin/tests/system/nsupdate/ns7/named1.conf.in b/bin/tests/system/nsupdate/ns7/named1.conf.in index 28d2aeafd5..0fcdcab7b2 100644 --- a/bin/tests/system/nsupdate/ns7/named1.conf.in +++ b/bin/tests/system/nsupdate/ns7/named1.conf.in @@ -19,6 +19,7 @@ options { pid-file "named.pid"; session-keyfile "session.key"; listen-on { 10.53.0.7; }; + listen-on-v6 { none; }; recursion no; notify yes; minimal-responses no; diff --git a/bin/tests/system/nsupdate/ns7/named2.conf.in b/bin/tests/system/nsupdate/ns7/named2.conf.in index e5886e9acd..8ef779b81c 100644 --- a/bin/tests/system/nsupdate/ns7/named2.conf.in +++ b/bin/tests/system/nsupdate/ns7/named2.conf.in 
@@ -19,6 +19,7 @@ options { pid-file "named.pid"; session-keyfile "session.key"; listen-on { 10.53.0.7; }; + listen-on-v6 { none; }; recursion no; notify yes; minimal-responses no; diff --git a/bin/tests/system/nsupdate/ns8/named.conf.in b/bin/tests/system/nsupdate/ns8/named.conf.in index f69d3adaca..3d9913fc1f 100644 --- a/bin/tests/system/nsupdate/ns8/named.conf.in +++ b/bin/tests/system/nsupdate/ns8/named.conf.in @@ -19,6 +19,7 @@ options { pid-file "named.pid"; session-keyfile "session.key"; listen-on { 10.53.0.8; }; + listen-on-v6 { none; }; recursion no; notify yes; minimal-responses no; diff --git a/bin/tests/system/nsupdate/ns9/named.conf.in b/bin/tests/system/nsupdate/ns9/named.conf.in index 2cdc6afa74..07e38d2d41 100644 --- a/bin/tests/system/nsupdate/ns9/named.conf.in +++ b/bin/tests/system/nsupdate/ns9/named.conf.in @@ -19,6 +19,7 @@ options { pid-file "named.pid"; session-keyfile "session.key"; listen-on { 10.53.0.9; }; + listen-on-v6 { none; }; recursion no; notify yes; minimal-responses no; diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index 6a1fb1b3cf..f3f9723667 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh 
@@ -801,6 +801,48 @@ if test $ret -ne 0; then status=1 fi +n=$((n + 1)) +ret=0 +echo_i "check that 'update-policy 6to4-self' refuses update of records via UDP over IPv6 ($n)" +REVERSE_NAME=7.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa +$NSUPDATE >nsupdate.out.$n 2>&1 </dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @fd92:7065:b8e:ffff::6 \ + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + $REVERSE_NAME NS >dig.out.ns6.$n +grep localhost. dig.out.ns6.$n >/dev/null 2>&1 && ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 +fi + +n=$((n + 1)) +echo_i "check that 'update-policy 6to4-self' permits update of records for the client's own address via TCP over IPv6 ($n)" +ret=0 +REVERSE_NAME=7.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa +$NSUPDATE -v >nsupdate.out.$n 2>&1 </dev/null 2>&1 && ret=1 +$DIG $DIGOPTS @fd92:7065:b8e:ffff::6 \ + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + $REVERSE_NAME NS >dig.out.ns6.$n || ret=1 +grep localhost. dig.out.ns6.$n >/dev/null 2>&1 || ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 +fi + n=$((n + 1)) ret=0 echo_i "check that 'update-policy subdomain' is properly enforced ($n)" diff --git a/bin/tests/system/org.isc.bind.system b/bin/tests/system/org.isc.bind.system index df5c90b056..48a5756eaa 100644 --- a/bin/tests/system/org.isc.bind.system +++ b/bin/tests/system/org.isc.bind.system @@ -28,3 +28,4 @@ do ifup 2 00 $ns done /sbin/ifconfig lo0 inet6 fd92:7065:b8e:fffe::10.53.0.4 alias +/sbin/ifconfig lo0 inet6 2002:a35:7::1 alias
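Review bot: The `org.isc.bind.system` hunk adds the loopback alias as `2002:a35:7::1` while `ifconfig.sh.in` in this same patch spells the identical address `2002:0a35:0007::1`; both are valid, but a single spelling keeps the two setup paths greppable against each other and against the tests' `7.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa`. `/sbin/ifconfig lo0 inet6 2002:0a35:0007::1 alias` would match the shell script's form.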