1#!/bin/sh 2 3# Copyright (C) Internet Systems Consortium, Inc. ("ISC") 4# 5# SPDX-License-Identifier: MPL-2.0 6# 7# This Source Code Form is subject to the terms of the Mozilla Public 8# License, v. 2.0. If a copy of the MPL was not distributed with this 9# file, you can obtain one at https://mozilla.org/MPL/2.0/. 10# 11# See the COPYRIGHT file distributed with this work for additional 12# information regarding copyright ownership. 13 14#shellcheck source=conf.sh 15SYSTEMTESTTOP=.. 16. "$SYSTEMTESTTOP/conf.sh" 17 18dig_with_opts() ( 19 "$DIG" -p "$PORT" "$@" 20) 21 22sendcmd() ( 23 "$PERL" ../send.pl 10.53.0.6 "$EXTRAPORT1" 24) 25 26rndccmd() { 27 "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" 28} 29 30root=10.53.0.1 31hidden=10.53.0.2 32f1=10.53.0.3 33f2=10.53.0.4 34 35status=0 36n=0 37 38n=$((n+1)) 39echo_i "checking that a forward zone overrides global forwarders ($n)" 40ret=0 41dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1 42dig_with_opts +noadd +noauth txt.example1. txt @$f1 > dig.out.$n.f1 || ret=1 43digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1 44if [ $ret != 0 ]; then echo_i "failed"; fi 45status=$((status+ret)) 46 47n=$((n+1)) 48echo_i "checking that a forward first zone no forwarders recurses ($n)" 49ret=0 50dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1 51dig_with_opts +noadd +noauth txt.example2. txt @$f1 > dig.out.$n.f1 || ret=1 52digcomp dig.out.$n.root dig.out.$n.f1 || ret=1 53if [ $ret != 0 ]; then echo_i "failed"; fi 54status=$((status+ret)) 55 56n=$((n+1)) 57echo_i "checking that a forward only zone no forwarders fails ($n)" 58ret=0 59dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1 60dig_with_opts +noadd +noauth txt.example2. txt @$f1 > dig.out.$n.f1 || ret=1 61digcomp dig.out.$n.root dig.out.$n.f1 || ret=1 62if [ $ret != 0 ]; then echo_i "failed"; fi 63status=$((status+ret)) 64 65n=$((n+1)) 66echo_i "checking that global forwarders work ($n)" 67ret=0 68dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1 69dig_with_opts +noadd +noauth txt.example4. txt @$f1 > dig.out.$n.f1 || ret=1 70digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1 71if [ $ret != 0 ]; then echo_i "failed"; fi 72status=$((status+ret)) 73 74n=$((n+1)) 75echo_i "checking that a forward zone works ($n)" 76ret=0 77dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1 78dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1 79digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1 80if [ $ret != 0 ]; then echo_i "failed"; fi 81status=$((status+ret)) 82 83n=$((n+1)) 84echo_i "checking that forwarding doesn't spontaneously happen ($n)" 85ret=0 86dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1 87dig_with_opts +noadd +noauth txt.example2. txt @$f2 > dig.out.$n.f2 || ret=1 88digcomp dig.out.$n.root dig.out.$n.f2 || ret=1 89if [ $ret != 0 ]; then echo_i "failed"; fi 90status=$((status+ret)) 91 92n=$((n+1)) 93echo_i "checking that a forward zone with no specified policy works ($n)" 94ret=0 95dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1 96dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1 97digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1 98if [ $ret != 0 ]; then echo_i "failed"; fi 99status=$((status+ret)) 100 101n=$((n+1)) 102echo_i "checking that a forward only doesn't recurse ($n)" 103ret=0 104dig_with_opts txt.example5. txt @$f2 > dig.out.$n.f2 || ret=1 105grep "SERVFAIL" dig.out.$n.f2 > /dev/null || ret=1 106if [ $ret != 0 ]; then echo_i "failed"; fi 107status=$((status+ret)) 108 109n=$((n+1)) 110echo_i "checking for negative caching of forwarder response ($n)" 111# prime the cache, shutdown the forwarder then check that we can 112# get the answer from the cache. restart forwarder. 113ret=0 114dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1 115grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1 116stop_server ns4 || ret=1 117dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1 118grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1 119start_server --restart --noclean --port "${PORT}" ns4 || ret=1 120if [ $ret != 0 ]; then echo_i "failed"; fi 121status=$((status+ret)) 122 123check_override() ( 124 dig_with_opts 1.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 && 125 grep "status: NOERROR" dig.out.$n.f2 > /dev/null && 126 dig_with_opts 2.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 && 127 grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null 128) 129 130n=$((n+1)) 131echo_i "checking that forward only zone overrides empty zone ($n)" 132ret=0 133# retry loop in case the server restart above causes transient failure 134retry_quiet 10 check_override || ret=1 135if [ $ret != 0 ]; then echo_i "failed"; fi 136status=$((status+ret)) 137 138n=$((n+1)) 139echo_i "checking that DS lookups for grafting forward zones are isolated ($n)" 140ret=0 141dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q1 || ret=1 142dig_with_opts grafted DS @10.53.0.4 > dig.out.$n.q2 || ret=1 143dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q3 || ret=1 144dig_with_opts grafted AAAA @10.53.0.4 > dig.out.$n.q4 || ret=1 145grep "status: NOERROR" dig.out.$n.q1 > /dev/null || ret=1 146grep "status: NXDOMAIN" dig.out.$n.q2 > /dev/null || ret=1 147grep "status: NOERROR" dig.out.$n.q3 > /dev/null || ret=1 148grep "status: NOERROR" dig.out.$n.q4 > /dev/null || ret=1 149if [ $ret != 0 ]; then echo_i "failed"; fi 150status=$((status+ret)) 151 152n=$((n+1)) 153echo_i "checking that rfc1918 inherited 'forward first;' zones are warned about ($n)" 154ret=0 155$CHECKCONF rfc1918-inherited.conf | grep "forward first;" >/dev/null || ret=1 156$CHECKCONF rfc1918-notinherited.conf | grep "forward first;" >/dev/null && ret=1 157if [ $ret != 0 ]; then echo_i "failed"; fi 158status=$((status+ret)) 159 160n=$((n+1)) 161echo_i "checking that ULA inherited 'forward first;' zones are warned about ($n)" 162ret=0 163$CHECKCONF ula-inherited.conf | grep "forward first;" >/dev/null || ret=1 164$CHECKCONF ula-notinherited.conf | grep "forward first;" >/dev/null && ret=1 165if [ $ret != 0 ]; then echo_i "failed"; fi 166status=$((status+ret)) 167 168count_sent() ( 169 logfile="$1" 170 start_pattern="$2" 171 pattern="$3" 172 nextpartpeek "$logfile" | tr -d '\r' | sed -n "/$start_pattern/,/^\$/p" | grep -c "$pattern" 173) 174 175check_sent() ( 176 expected="$1" 177 shift 178 count=$(count_sent "$@") 179 [ "$expected" = "$count" ] 180) 181 182wait_for_log() ( 183 nextpartpeek "$1" | grep "$2" >/dev/null 184 185) 186 187n=$((n+1)) 188echo_i "checking that a forwarder timeout prevents it from being reused in the same fetch context ($n)" 189ret=0 190# Make ans6 receive queries without responding to them. 191echo "//" | sendcmd 192# Query for a record in a zone which is forwarded to a non-responding forwarder 193# and is delegated from the root to check whether the forwarder will be retried 194# when a delegation is encountered after falling back to full recursive 195# resolution. 196nextpart ns3/named.run >/dev/null 197dig_with_opts txt.example7. txt @$f1 > dig.out.$n.f1 || ret=1 198# The forwarder for the "example7" zone should only be queried once. 199start_pattern="sending packet to 10\.53\.0\.6" 200retry_quiet 5 wait_for_log ns3/named.run "$start_pattern" 201check_sent 1 ns3/named.run "$start_pattern" ";txt\.example7\.[[:space:]]*IN[[:space:]]*TXT$" || ret=1 202if [ $ret != 0 ]; then echo_i "failed"; fi 203status=$((status+ret)) 204 205n=$((n+1)) 206echo_i "checking that priming queries are not forwarded ($n)" 207ret=0 208nextpart ns7/named.run >/dev/null 209dig_with_opts +noadd +noauth txt.example1. txt @10.53.0.7 > dig.out.$n.f7 || ret=1 210received_pattern="received packet from 10\.53\.0\.1" 211start_pattern="sending packet to 10\.53\.0\.1" 212retry_quiet 5 wait_for_log ns7/named.run "$received_pattern" || ret=1 213check_sent 1 ns7/named.run "$start_pattern" ";\.[[:space:]]*IN[[:space:]]*NS$" || ret=1 214sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns4/named.run) 215[ "$sent" -eq 0 ] || ret=1 216sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run) 217[ "$sent" -eq 1 ] || ret=1 218if [ $ret != 0 ]; then echo_i "failed"; fi 219status=$((status+ret)) 220 221n=$((n+1)) 222echo_i "checking recovery from forwarding to a non-recursive server ($n)" 223ret=0 224dig_with_opts xxx.sld.tld txt @10.53.0.8 > dig.out.$n.f8 || ret=1 225grep "status: NOERROR" dig.out.$n.f8 > /dev/null || ret=1 226if [ $ret != 0 ]; then echo_i "failed"; fi 227status=$((status+ret)) 228 229n=$((n+1)) 230echo_i "checking that rebinding protection works in forward only mode ($n)" 231ret=0 232# 10.53.0.5 will forward target.malicious. query to 10.53.0.4 233# which in turn will return a CNAME for subdomain.rebind. 234# to honor the option deny-answer-aliases { "rebind"; }; 235# ns5 should return a SERVFAIL to avoid potential rebinding attacks 236dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1 237grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1 238if [ $ret != 0 ]; then echo_i "failed"; fi 239status=$((status+ret)) 240 241n=$((n+1)) 242echo_i "checking switch from forwarding to normal resolution while chasing DS ($n)" 243ret=0 244copy_setports ns3/named2.conf.in ns3/named.conf 245rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i 246sleep 1 247sendcmd << EOF 248/ns1.sld.tld/A/ 249300 A 10.53.0.2 250/sld.tld/NS/ 251300 NS ns1.sld.tld. 252/sld.tld/ 253EOF 254nextpart ns3/named.run >/dev/null 255dig_with_opts @$f1 xxx.yyy.sld.tld ds > dig.out.$n.f1 || ret=1 256grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1 257if [ $ret != 0 ]; then echo_i "failed"; fi 258status=$((status+ret)) 259 260# 261# Check various spoofed response scenarios. The same tests will be 262# run twice, with "forward first" and "forward only" configurations. 263# 264run_spooftests () { 265 n=$((n+1)) 266 echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" 267 ret=0 268 # prime 269 dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 270 # check 'net' is not poisoned. 271 dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 272 grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1 273 # check 'sub.local.net' is not poisoned. 274 dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 275 grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1 276 if [ $ret != 0 ]; then echo_i "failed"; fi 277 status=$((status+ret)) 278 279 n=$((n+1)) 280 echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" 281 ret=0 282 # prime 283 dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 284 # check that net2/DNAME is not cached 285 dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 286 grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1 287 grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1 288 if [ $ret != 0 ]; then echo_i "failed"; fi 289 status=$((status+ret)) 290 291 n=$((n+1)) 292 echo_i "checking spoofed response scenario 3 - extra answer ($n)" 293 ret=0 294 # prime 295 dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1 296 # check extra net3 records are not cached 297 rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i 298 for try in 1 2 3 4 5; do 299 lines=$(grep "net3" ns9/named_dump.db | wc -l) 300 if [ ${lines} -eq 0 ]; then 301 sleep 1 302 continue 303 fi 304 [ ${lines} -eq 1 ] || ret=1 305 grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 306 grep -q '^local.net3' ns9/named_dump.db && ret=1 307 done 308 if [ $ret != 0 ]; then echo_i "failed"; fi 309 status=$((status+ret)) 310} 311 312echo_i "checking spoofed response scenarios with forward first zones" 313run_spooftests 314 315copy_setports ns9/named2.conf.in ns9/named.conf 316rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i 317rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i 318sleep 1 319 320echo_i "rechecking spoofed response scenarios with forward only zones" 321run_spooftests 322 323# 324# This scenario expects the spoofed response to succeed. The tests are 325# similar to the ones above, but not identical. 326# 327echo_i "rechecking spoofed response scenarios with 'forward only' set globally" 328copy_setports ns9/named3.conf.in ns9/named.conf 329rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i 330rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i 331sleep 1 332 333n=$((n+1)) 334echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" 335ret=0 336# prime 337dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 338# check 'net' is poisoned. 339dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 340grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1 341# check 'sub.local.net' is poisoned. 342dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 343grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1 344if [ $ret != 0 ]; then echo_i "failed"; fi 345status=$((status+ret)) 346 347n=$((n+1)) 348echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" 349ret=0 350# prime 351dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 352# check that net2/DNAME is cached 353dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 354grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1 355grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1 356if [ $ret != 0 ]; then echo_i "failed"; fi 357status=$((status+ret)) 358 359# 360# This test doesn't use any forwarder clauses but is here because it 361# is similar to forwarders, as the set of servers that can populate 362# the namespace is defined by the zone content. 363# 364echo_i "rechecking spoofed response scenarios glue below local zone" 365copy_setports ns9/named4.conf.in ns9/named.conf 366rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i 367rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i 368sleep 1 369 370n=$((n+1)) 371echo_i "checking sibling glue below zone ($n)" 372ret=0 373# prime 374dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1 375# check for glue A record for sub.local.tld is not used 376dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1 377grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1 378grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1 379if [ $ret != 0 ]; then echo_i "failed"; fi 380status=$((status+ret)) 381 382echo_i "exit status: $status" 383[ $status -eq 0 ] || exit 1 384