bind9/bin/tests
Petr Špaček e223ee7097
Test that spoofed DNAME is not accepted via spoofable transport
A single spoofed DNAME answer can impact many names, and because of the
nature of DNAME, the attacker can use randomized query names to get an
unlimited number of tries to spoof the answer.  To limit impact, we
should not be accepting DNAME over insecure transport, like UDP without
cookies, etc.

In short, the attacker tries to spoof at least one answer that has the
following form:

    opcode QUERY
    rcode NOERROR
    flags QR AA
    ;QUESTION
    trigger$RANDOM.test. IN A
    ;ANSWER
    trigger$RANDOM.test. 3600 IN CNAME trigger$RANDOM.attacker.net.
    test. 3600 IN DNAME attacker.net.
    ;AUTHORITY
    ;ADDITIONAL

This has been discovered internally.

Co-authored-by: Michał Kępień <michal@isc.org>
2025-12-22 11:58:39 +01:00
startperf Reformat shell scripts with shfmt 2023-10-26 10:23:50 +02:00
system Test that spoofed DNAME is not accepted via spoofable transport 2025-12-22 11:58:39 +01:00
testdata/wire move all optional tests from bin/tests to bin/tests/optional 2018-03-09 14:12:47 -08:00
.gitignore Move environment variables from conf.sh to pytest 2024-05-09 17:08:08 +02:00
meson.build replace the build system with meson 2025-06-11 10:30:12 +03:00
test_client.c Add and use global memory context called isc_g_mctx 2025-08-04 11:29:26 +02:00
test_server.c Add and use global memory context called isc_g_mctx 2025-08-04 11:29:26 +02:00