diff --git a/CHANGES b/CHANGES
index 0839f62122..ecd526da0a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -87,7 +87,9 @@
 and "nsdname-enable" both now default to yes, regardless of compile-time settings. [GL #824]
 
-5141. [placeholder]
+5141. [security] Zone transfer controls for writable DLZ zones were
+ not effective as the allowzonexfr method was not being
+ called for such zones. (CVE-2019-6465) [GL #790]
 
 5140. [bug] Don't immediately mark existing keys as inactive and deleted when running dnssec-keymgr for the first
diff --git a/bin/tests/system/dlzexternal/driver.c b/bin/tests/system/dlzexternal/driver.c
index f6e59a8377..f67d1c7ce0 100644
--- a/bin/tests/system/dlzexternal/driver.c
+++ b/bin/tests/system/dlzexternal/driver.c
@@ -536,10 +536,22 @@ dlz_lookup(const char *zone, const char *name, void *dbdata,
 */
 isc_result_t
 dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
- UNUSED(client);
+ isc_result_t result;
 
- /* Just say yes for all our zones */
- return (dlz_findzonedb(dbdata, name, NULL, NULL));
+ result = dlz_findzonedb(dbdata, name, NULL, NULL);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
+
+ /*
+ * Exception for 10.53.0.5 so we can test that allow-transfer
+ * is effective.
+ */
+ if (strcmp(client, "10.53.0.5") == 0) {
+ return (ISC_R_NOPERM);
+ }
+
+ return (ISC_R_SUCCESS);
 }
 
 /*
diff --git a/bin/tests/system/dlzexternal/tests.sh b/bin/tests/system/dlzexternal/tests.sh
index 85f5705a62..6c84ad10eb 100644
--- a/bin/tests/system/dlzexternal/tests.sh
+++ b/bin/tests/system/dlzexternal/tests.sh
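Review bot: In the driver.c hunk, `strcmp(client, "10.53.0.5")` dereferences `client` unconditionally, whereas the removed `UNUSED(client)` shows the parameter was never read before this change; if the dlopen glue can ever hand this callback a NULL client string, the test driver now crashes instead of denying. Either guard it, `if (client != NULL && strcmp(client, "10.53.0.5") == 0) {`, or state the non-NULL contract in the function's header comment. That header comment ends at the `*/` context line opening the hunk and lies outside it, so it may still describe the old always-allow behaviour and is worth re-reading. The new zone-first ordering means an unknown zone still returns the `dlz_findzonedb()` result rather than ISC_R_NOPERM, which looks intended but deserves a one-line comment above the lookup.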
@@ -108,15 +108,23 @@ test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
 status=`expr $status + $ret`
 
 newtest "testing AXFR from DLZ drivers"
-$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.ns1.test$n
-lines=`cat dig.out.ns1.test$n | wc -l`
+$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n
+lines=`cat dig.out.example.ns1.test$n | wc -l`
 [ ${lines:-0} -eq 4 ] || ret=1
-$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.ns1.test$n
-lines=`cat dig.out.ns1.test$n | wc -l`
+$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
+lines=`cat dig.out.alternate.ns1.test$n | wc -l`
 [ ${lines:-0} -eq 5 ] || ret=1
 [ "$ret" -eq 0 ] || echo_i "failed"
 status=`expr $status + $ret`
+newtest "testing AXFR denied from DLZ drivers"
+$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n
+grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
+grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
 newtest "testing unsearched/unregistered DLZ zone is not found"
 $DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n
 grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 79256ea5c1..849ba261b0 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -157,6 +157,14 @@ [GL #772] + + + Zone transfer controls for writable DLZ zones were not + effective as the allowzonexfr method was + not being called for such zones. This flaw is disclosed in + CVE-2019-6465. [GL #790] + +
diff --git a/lib/ns/xfrout.c b/lib/ns/xfrout.c
index 502b10079b..9b3721b062 100644
--- a/lib/ns/xfrout.c
+++ b/lib/ns/xfrout.c
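Review bot: The new "testing AXFR denied from DLZ drivers" block only greps for the generic `; Transfer failed` marker, which dig prints for any unsuccessful AXFR rather than specifically for a refused one, so a server error or a failure to bind the 10.53.0.5 source address would plausibly also satisfy the assertion and the test would pass without proving that `allowzonexfr` rejected the client. Consider pinning the rejection itself, for example by issuing the denied query once more with the header retained (without `+noall +answer`) and adding `grep "status: REFUSED" dig.out.example.ns1.test$n > /dev/null || ret=1`, if dig's xfr output carries the status line in this setup. The preceding block already serves as the positive control that a non-excepted source address still transfers.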
@@ -817,12 +817,12 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 result = dns_zt_find(client->view->zonetable, question_name, 0, NULL, &zone);
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) {
 /*
- * Normal zone table does not have a match.
- * Try the DLZ database
+ * The normal zone table does not have a match, or this is
+ * marked in the zone table as a DLZ zone. Check the DLZ
+ * databases for a match.
 */
- // Temporary: only searching the first DLZ database
 if (! ISC_LIST_EMPTY(client->view->dlz_searched)) {
 result = dns_dlzallowzonexfr(client->view, question_name,