From b597ea863e08ca792b0979d557337655174e4c90 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 14 Apr 2022 10:57:11 +1000
Subject: [PATCH 1/3] Check that pending negative cache entries for DS can be used successfully
Prime the cache with a negative cache DS entry then make a query for name beneath that entry. This will cause the DS entry to be retieved as part of the validation process. Each RRset in the ncache entry will be validated and the trust level for each will be updated.
(cherry picked from commit d2d9910da23951bf310c7be8ba68e1030eb13caa)
---
 bin/tests/system/dnssec/ns2/example.db.in | 4 +++
 .../system/dnssec/ns3/insecure2.example.db | 27 +++++++++++++++++++
 bin/tests/system/dnssec/ns3/named.conf.in | 6 +++++
 bin/tests/system/dnssec/tests.sh | 18 +++++++++++++
 4 files changed, 55 insertions(+)
 create mode 100644 bin/tests/system/dnssec/ns3/insecure2.example.db
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index 5ec88013c9..f711f5823f 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -55,6 +55,10 @@ ns3.secure A 10.53.0.3
 insecure NS ns.insecure
 ns.insecure A 10.53.0.3
+; A second insecure subdomain
+insecure2 NS ns.insecure2
+ns.insecure2 A 10.53.0.3
+
 ; A secure subdomain we're going to inject bogus data into
 bogus NS ns.bogus
 ns.bogus A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns3/insecure2.example.db b/bin/tests/system/dnssec/ns3/insecure2.example.db
new file mode 100644
index 0000000000..76e3f47f21
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/insecure2.example.db
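Review bot: The comment on the added delegation says only that insecure2 is a second insecure subdomain, not why a second one is needed, so nothing ties the fixture to the test that depends on it. As far as this hunk shows, insecure2 gets an NS record and glue but no DS, which is what lets the (presumably signed) parent prove the delegation insecure and produce the negative DS answer the new test primes with. Suggest extending the comment to `; A second insecure subdomain (no DS published); used by the pending negative DS cache test [GL #3279]` so the record set is not trimmed or "fixed" later.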
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x DNSKEY 258 3 5 Cg==
+z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
index fc44b80098..08875f953b 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -78,6 +78,12 @@ zone "insecure.example" {
 allow-update { any; };
 };
+zone "insecure2.example" {
+ type primary;
+ file "insecure2.example.db";
+ allow-update { any; };
+};
+
 zone "insecure.nsec3.example" {
 type primary;
 file "insecure.nsec3.example.db";
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 340fa1d3b9..cf9ea6b544 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
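Review bot: The record `x DNSKEY 258 3 5 Cg==` is the one entry in this new zone that nothing else in the series references: the added test only queries a.insecure2.example, and a DNSKEY with flags 258 and a one-byte key at a non-apex name has no evident role in a pending-DS scenario. It looks carried over from an existing insecure fixture, which is reasonable if the two zones are meant to stay interchangeable, but the file does not say so and a later reader will not know whether it is safe to remove. If that is the intent, a comment above the data records such as `; Kept in step with insecure.example.db; the x DNSKEY record is deliberately meaningless` would record it; otherwise drop the record.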
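Review bot: `allow-update { any; };` on the new insecure2.example zone grants more than the test needs: the dig calls added in tests.sh only read the zone, and nothing else in this series sends it an update. The clause appears to be copied from the insecure.example block above it, where other tests may rely on dynamic update, but for insecure2.example it leaves the zone writable by any client on the test network and an unrelated nsupdate could change what a.insecure2.example answers, breaking the `ANSWER: 1` expectation the test pins. Unless an update to this zone is planned, drop that line so the zone definition is `type primary;` and `file "insecure2.example.db";` only, or keep it with a comment naming the test that updates it.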
@@ -4420,5 +4420,23 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+# Check that a query against a validating resolver succeeds when there is
+# a negative cache entry with trust level "pending" for the DS. Prime
+# with a +cd DS query to produce the negative cache entry, then send a
+# query that uses that entry as part of the validation process. [GL #3279]
+echo_i "check that pending negative DS cache entry validates ($n)"
+ret=0
+dig_with_opts @10.53.0.4 +cd insecure2.example. ds > dig.out.prime.ns4.test$n || ret=1
+grep "flags: qr rd ra cd;" dig.out.prime.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 4, " dig.out.prime.ns4.test$n > /dev/null || ret=1
+dig_with_opts @10.53.0.4 a.insecure2.example. a > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 1, AUTHORITY: 1, " dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
From 40bfb70d6a4185b479dfad45e9dd51b702a8066b Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 14 Apr 2022 11:16:32 +1000
Subject: [PATCH 2/3] Update the rdataset->trust field in ncache.c:rdataset_settrust
Both the trust recorded in the slab stucture and the trust on rdataset need to be updated.
(cherry picked from commit d043a41499f5cc52920841ca7332b7cce7460aad)
---
 lib/dns/ncache.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index 2316eb04a7..7bea3d376c 100644
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -504,6 +504,7 @@ rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) {
 unsigned char *raw = rdataset->private3;
 raw[-1] = (unsigned char)trust;
+ rdataset->trust = trust;
 }
 static dns_rdatasetmethods_t rdataset_methods = {
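Review bot: The precondition that makes this test meaningful is not recorded: the `+cd` prime on the first dig_with_opts line only creates a pending-trust negative DS entry if ns4 has not already resolved and validated anything under insecure2.example, and the second query only exercises [GL #3279] while that entry is present. That holds today because insecure2.example is new in this series and queried nowhere else, but a test inserted above this block later would quietly turn it into a pass that proves nothing. Suggest adding to the header comment: `# This must be the first lookup under insecure2.example sent to ns4; an earlier validated answer would leave no pending entry to exercise.` Separately, `if [ "$ret" -ne 0 ]; then echo_i "failed"; fi` differs from the `test "$ret" -eq 0 || echo_i "failed"` form used by the block directly above it; either works, but the file reads better with one of them used consistently.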
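Review bot: The added assignment makes the rdataset's own trust field agree with the byte written into the slab on the line before it, but the function still gives no hint that trust is kept in two places, so a later cleanup could drop either write as redundant and bring back the validation failures this fixes. rdataset_settrust's signature is on the hunk header, outside the hunk; the body is visible in full. Suggest a comment above the two writes: `/* Trust lives both in the byte preceding the slab data (raw[-1]) and on the rdataset itself; update both or the two copies disagree. */` Whether the other dns_rdatasetmethods_t implementations already update both is worth confirming but is not visible here.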
From b66e00f73afcfdbe38a50266a7a7218fcfade9d1 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 14 Apr 2022 11:19:23 +1000
Subject: [PATCH 3/3] Add CHANGES entry for [GL #3279]
(cherry picked from commit 14ca6270d32d25a0f1adce8e5ca006a1c44a2a55)
---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGES b/CHANGES
index b362fd5f02..9519895e89 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5863. [bug] If there was a pending negative cache DS entry,
+ validations depending upon it could fail. [GL #3279]
+
 5862. [bug] dig returned a 0 exit status on UDP connection failure. [GL #3235]