From b64aa2d7a2ed5f4ece70dc99ff93a33ec2814e1a Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 27 Jul 2023 08:34:45 +1000
Subject: [PATCH 1/4] Return REFUSED if GSSAPI is not configured

Return REFUSED if neither a keytab nor a gssapi credential is configured to GSSAPI/TKEY requests.

(cherry picked from commit b5076014b9fd3b6fac25f45c6599abd8c6577c52)
---
 lib/dns/tkey.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 894fea477d..d60f65d380 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -523,7 +523,7 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
 if (tctx->gsscred == NULL && tctx->gssapi_keytab == NULL) {
 tkey_log("process_gsstkey(): no tkey-gssapi-credential "
 "or tkey-gssapi-keytab configured");
- return (ISC_R_NOPERM);
+ return (DNS_R_REFUSED);
 }
 
 if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME) &&
From aeab068adce4e7fb9508952c096e85595e2b0d01 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 27 Jul 2023 16:47:09 +1000
Subject: [PATCH 2/4] Report TKEY query errors in nsupdate

(cherry picked from commit f2446196809b4eb99928493c7dd7f22cfee32249)
---
 bin/nsupdate/nsupdate.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 7cb8d201ea..1f06dab614 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -3140,7 +3140,16 @@ recvgss(isc_task_t *task, isc_event_t *event) {
 if (rcvmsg->rcode != dns_rcode_noerror &&
 rcvmsg->rcode != dns_rcode_nxdomain)
 {
- fatal("response to GSS-TSIG query was unsuccessful");
+ char rcode[64];
+ isc_buffer_t b;
+
+ isc_buffer_init(&b, rcode, sizeof(rcode) - 1);
+ result = dns_rcode_totext(rcvmsg->rcode, &b);
+ check_result(result, "dns_rcode_totext");
+ rcode[isc_buffer_usedlength(&b)] = 0;
+
+ fatal("response to GSS-TSIG query was unsuccessful (%s)",
+ rcode);
 }
 
 servname = dns_fixedname_initname(&fname);
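Review bot: The changed `return (DNS_R_REFUSED);` is reached before anything in the request has been authenticated, so the `tkey_log()` call just above it fires once per GSS-API TKEY query from any client whenever no credential or keytab is configured; if tkey_log writes at a non-debug level (its implementation is not in the hunk), an unauthenticated sender can drive log volume at will and the message deserves rate limiting or a lower level. The switch from ISC_R_NOPERM also changes the rcode clients observe, which is worth a why-comment on the return line: `/* No GSS-API credential or keytab configured: answer REFUSED. */`. process_gsstkey() starts and ends outside the hunk.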
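Review bot: If `dns_rcode_totext()` fails, the new `check_result(result, "dns_rcode_totext");` line aborts with a message about the conversion and the server's actual rcode is never shown, which is the one thing this hunk set out to report (assuming check_result calls fatal() as it appears to elsewhere; its body is outside the hunk). A numeric fallback keeps the diagnostic: replace that line and the terminator assignment with `if (result != ISC_R_SUCCESS) { snprintf(rcode, sizeof(rcode), "%u", (unsigned)rcvmsg->rcode); } else { rcode[isc_buffer_usedlength(&b)] = 0; }`. The `sizeof(rcode) - 1` reservation for the terminating byte is correct as written. recvgss() starts and ends outside the hunk.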
From 022397a2c76a7aa3d61a25a814973e1e69c6793b Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 27 Jul 2023 17:08:34 +1000
Subject: [PATCH 3/4] Check GSS-API TKEY against non configured server

Check for the expected error message which includes rcode REFUSED then reload the server to specify the keytab for the rest of the GSSAPI tests.

(cherry picked from commit 3a2a24903c0ab3a5a04b6d69e88d3948ff0df95a)
---
 bin/tests/system/nsupdate/ns7/named1.conf.in | 52 +++++++++++++++++++
 .../ns7/{named.conf.in => named2.conf.in} | 0
 bin/tests/system/nsupdate/setup.sh | 2 +-
 bin/tests/system/nsupdate/tests.sh | 18 +++++++
 4 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 bin/tests/system/nsupdate/ns7/named1.conf.in
 rename bin/tests/system/nsupdate/ns7/{named.conf.in => named2.conf.in} (100%)

diff --git a/bin/tests/system/nsupdate/ns7/named1.conf.in b/bin/tests/system/nsupdate/ns7/named1.conf.in
new file mode 100644
index 0000000000..28d2aeafd5
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns7/named1.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.7; };
+ recursion no;
+ notify yes;
+ minimal-responses no;
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+ type primary;
+ file "in-addr.db";
+ update-policy { grant EXAMPLE.COM krb5-subdomain-self-rhs . PTR; };
+};
+
+zone "example.com" {
+ type primary;
+ file "example.com.db";
+ update-policy {
+ grant EXAMPLE.COM krb5-self . ANY;
+ grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV;
+ grant EXAMPLE.COM krb5-subdomain-self-rhs self-srv.example.com SRV;
+ grant EXAMPLE.COM krb5-subdomain-self-rhs self-srv-no-type.example.com;
+ };
+};
diff --git a/bin/tests/system/nsupdate/ns7/named.conf.in b/bin/tests/system/nsupdate/ns7/named2.conf.in
similarity index 100%
rename from bin/tests/system/nsupdate/ns7/named.conf.in
rename to bin/tests/system/nsupdate/ns7/named2.conf.in
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index b12c79789e..7f8c27f349 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
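Review bot: Nothing in the new named1.conf.in says why it exists next to named2.conf.in; the diffstat shows the rename at 100% similarity, so named1.conf.in presumably differs only by omitting the GSS-API keytab/credential setting that the later tests depend on once tests.sh swaps named2.conf.in back in. A header comment would stop a future reader from "fixing" the file by adding the keytab, e.g. `// Deliberately has no tkey-gssapi-keytab/credential: tests.sh uses it first to check that GSS-API TKEY requests are REFUSED, then reloads ns7 with named2.conf.in.`. It is also worth stating there that the two files must otherwise be kept identical by hand, since nothing enforces it.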
@@ -23,7 +23,7 @@ copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
-copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns7/named1.conf.in ns7/named.conf
 copy_setports ns8/named.conf.in ns8/named.conf
 
 # If "tkey-gssapi-credential" is set in the configuration and GSSAPI support is
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 6e257ae914..50dadce747 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -1506,6 +1506,24 @@ wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
 if ! $FEATURETEST --gssapi ; then
 echo_i "SKIPPED: GSSAPI tests"
 else
+ n=$((n + 1))
+ ret=0
+ echo_i "check GSS-API TKEY request rcode against a non configured server ($n)"
+ KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.7 ${PORT}
+ zone example.com
+ send
+EOF
+ grep "response to GSS-TSIG query was unsuccessful (REFUSED)" nsupdate.out.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ copy_setports ns7/named2.conf.in ns7/named.conf
+ rndc_reload ns7 10.53.0.7
+
 n=$((n + 1))
 ret=0
 echo_i "check krb5-self match ($n)"
From 26ff230be257f751172ed05f1536003cd67254b2 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 27 Jul 2023 08:51:11 +1000
Subject: [PATCH 4/4] Add CHANGES for [GL #4225]

(cherry picked from commit ccaefce7ca85b91a1b72fec5cfcc22f3aa951cc5)
---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGES b/CHANGES
index 61a6d3d859..d9767531c9 100644
--- a/CHANGES
+++ b/CHANGES
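Review bot: In the tests.sh hunk, `rndc_reload ns7 10.53.0.7` after the `copy_setports ns7/named2.conf.in ns7/named.conf` line is neither checked nor followed by a wait, so if the reload fails (or returns before named has applied the keytab configuration, which I cannot tell from the harness here) every later GSS-API test fails with a REFUSED that has nothing to do with the code under test and is hard to tell apart from the real regression this test guards. Suggest `rndc_reload ns7 10.53.0.7 || { echo_i "ns7 reload failed"; status=1; }` and, if ns7 logs reload completion, a `wait_for_log` on ns7/named.run in the same form the hunk header already shows for ns1. The negative check itself is sound: `&& ret=1` treats a successful nsupdate as failure and the grep pins the exact rcode text the nsupdate change emits.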
@@ -1,3 +1,6 @@
+6215. [protocol] Return REFUSED to GSS-API TKEY requests if GSS-API
+ support is not configured. [GL #4225]
+
 6213. [bug] Mark a primary server as temporarily unreachable if the
 TCP connection attempt times out. [GL #4215]
 