
Anonymous committed 8cbe7ae

9.7.1.dfsg.P2-2ubuntu0.1

committer: LaMont Jones <lamont@debian.org>


Files changed (4)

+bind9 (1:9.7.1.dfsg.P2-2ubuntu0.1) maverick-security; urgency=low
+
+  * SECURITY UPDATE: denial of service via ncache entry and a rrsig for the
+    same type
+    - debian/patches/CVE-2010-3613-3614.patch: properly mark existing RRSIG
+      records as stale in lib/dns/rbtdb.c. Added tests to
+      bin/tests/system/resolver/*.
+    - CVE-2010-3613
+  * SECURITY UPDATE: answers incorrectly marked as insecure during key
+    algorithm rollover
+    - debian/patches/CVE-2010-3613-3614.patch: improve logic in
+      lib/dns/validator.c. Added tests to bin/tests/system/dnssec/*.
+    - CVE-2010-3614
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 30 Nov 2010 08:39:45 -0500
+
 bind9 (1:9.7.1.dfsg.P2-2) unstable; urgency=low
 
   * Correct conflicts for bind9-host
 Source: bind9
 Section: net
 Priority: optional
-Maintainer: LaMont Jones <lamont@debian.org>
+Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: LaMont Jones <lamont@debian.org>
 Uploaders: Bdale Garbee <bdale@gag.com>
 Build-Depends: libkrb5-dev, debhelper (>= 5), libssl-dev, libtool, bison, libdb-dev (>>4.6), libldap2-dev, libxml2-dev, libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], hardening-wrapper, libgeoip-dev (>= 1.4.6.dfsg-5)
 Build-Conflicts: libdb4.2-dev

debian/patches/CVE-2010-3613-3614.patch

+Description: fix denial of service via ncache entry and a rrsig for the
+ same type and fix answers incorrectly marked as insecure during key
+ algorithm rollover
+Origin: backported from 9.7.2-P3
+
+Index: bind9-9.7.1.dfsg.P2/lib/dns/rbtdb.c
+===================================================================
+--- bind9-9.7.1.dfsg.P2.orig/lib/dns/rbtdb.c	2010-11-26 08:35:31.000000000 -0500
++++ bind9-9.7.1.dfsg.P2/lib/dns/rbtdb.c	2010-11-26 08:36:51.000000000 -0500
+@@ -5606,14 +5606,14 @@
+     dns_rdataset_t *addedrdataset, isc_stdtime_t now)
+ {
+ 	rbtdb_changed_t *changed = NULL;
+-	rdatasetheader_t *topheader, *topheader_prev, *header;
++	rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
+ 	unsigned char *merged;
+ 	isc_result_t result;
+ 	isc_boolean_t header_nx;
+ 	isc_boolean_t newheader_nx;
+ 	isc_boolean_t merge;
+ 	dns_rdatatype_t rdtype, covers;
+-	rbtdb_rdatatype_t negtype;
++	rbtdb_rdatatype_t negtype, sigtype;
+ 	dns_trust_t trust;
+ 	int idx;
+ 
+@@ -5651,7 +5651,7 @@
+ 
+ 	newheader_nx = NONEXISTENT(newheader) ? ISC_TRUE : ISC_FALSE;
+ 	topheader_prev = NULL;
+-
++	sigheader = NULL;
+ 	negtype = 0;
+ 	if (rbtversion == NULL && !newheader_nx) {
+ 		rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
+@@ -5660,26 +5660,34 @@
+ 			 * We're adding a negative cache entry.
+ 			 */
+ 			covers = RBTDB_RDATATYPE_EXT(newheader->type);
+-			if (covers == dns_rdatatype_any) {
++			sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig,
++							covers);
++			for (topheader = rbtnode->data;
++			     topheader != NULL;
++			     topheader = topheader->next) {
+ 				/*
+-				 * We're adding an negative cache entry
++				 * If we're adding an negative cache entry
+ 				 * which covers all types (NXDOMAIN,
+ 				 * NODATA(QTYPE=ANY)).
+ 				 *
+ 				 * We make all other data stale so that the
+ 				 * only rdataset that can be found at this
+ 				 * node is the negative cache entry.
++				 *
++				 * Otherwise look for any RRSIGs of the
++				 * given type so they can be marked stale
++				 * later.
+ 				 */
+-				for (topheader = rbtnode->data;
+-				     topheader != NULL;
+-				     topheader = topheader->next) {
++				if (covers == dns_rdatatype_any) {
+ 					set_ttl(rbtdb, topheader, 0);
+ 					topheader->attributes |=
+ 						RDATASET_ATTR_STALE;
+-				}
+-				rbtnode->dirty = 1;
+-				goto find_header;
++					rbtnode->dirty = 1;
++				} else if (topheader->type == sigtype)
++					sigheader = topheader;
+ 			}
++			if (covers == dns_rdatatype_any)
++				goto find_header;
+ 			negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
+ 		} else {
+ 			/*
+@@ -5918,6 +5926,11 @@
+ 			if (rbtversion == NULL) {
+ 				set_ttl(rbtdb, header, 0);
+ 				header->attributes |= RDATASET_ATTR_STALE;
++				if (sigheader != NULL) {
++					set_ttl(rbtdb, sigheader, 0);
++					sigheader->attributes |=
++						 RDATASET_ATTR_STALE;
++				}
+ 			}
+ 			idx = newheader->node->locknum;
+ 			if (IS_CACHE(rbtdb)) {
+Index: bind9-9.7.1.dfsg.P2/lib/dns/validator.c
+===================================================================
+--- bind9-9.7.1.dfsg.P2.orig/lib/dns/validator.c	2010-11-26 08:35:43.000000000 -0500
++++ bind9-9.7.1.dfsg.P2/lib/dns/validator.c	2010-11-26 08:37:44.000000000 -0500
+@@ -393,6 +393,7 @@
+ 	isc_boolean_t want_destroy;
+ 	isc_result_t result;
+ 	isc_result_t eresult;
++	isc_result_t saved_result;
+ 
+ 	UNUSED(task);
+ 	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
+@@ -429,6 +430,17 @@
+ 				val->keyset = &val->frdataset;
+ 		}
+ 		result = validate(val, ISC_TRUE);
++		if (result == DNS_R_NOVALIDSIG &&
++		    (val->attributes & VALATTR_TRIEDVERIFY) == 0)
++		{
++			saved_result = result;
++			validator_log(val, ISC_LOG_DEBUG(3),
++				      "falling back to insecurity proof");
++			val->attributes |= VALATTR_INSECURITY;
++			result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
++			if (result == DNS_R_NOTINSECURE)
++				result = saved_result;
++		}
+ 		if (result != DNS_R_WAIT)
+ 			validator_done(val, result);
+ 	} else {
+@@ -620,6 +632,7 @@
+ 	isc_boolean_t want_destroy;
+ 	isc_result_t result;
+ 	isc_result_t eresult;
++	isc_result_t saved_result;
+ 
+ 	UNUSED(task);
+ 	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+@@ -646,6 +659,17 @@
+ 		if (val->frdataset.trust >= dns_trust_secure)
+ 			(void) get_dst_key(val, val->siginfo, &val->frdataset);
+ 		result = validate(val, ISC_TRUE);
++		if (result == DNS_R_NOVALIDSIG &&
++		    (val->attributes & VALATTR_TRIEDVERIFY) == 0)
++		{
++			saved_result = result;
++			validator_log(val, ISC_LOG_DEBUG(3),
++				      "falling back to insecurity proof");
++			val->attributes |= VALATTR_INSECURITY;
++			result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
++			if (result == DNS_R_NOTINSECURE)
++				result = saved_result;
++		}
+ 		if (result != DNS_R_WAIT)
+ 			validator_done(val, result);
+ 	} else {
+@@ -1908,9 +1932,11 @@
+ 		 * was known and "sufficiently good".
+ 		 */
+ 		if (!dns_resolver_algorithm_supported(val->view->resolver,
+-						      event->name,
+-						      val->siginfo->algorithm))
++						    event->name,
++						    val->siginfo->algorithm)) {
++			resume = ISC_FALSE;
+ 			continue;
++		}
+ 
+ 		if (!resume) {
+ 			result = get_key(val, val->siginfo);
+@@ -1921,18 +1947,12 @@
+ 		}
+ 
+ 		/*
+-		 * The key is insecure, so mark the data as insecure also.
++		 * There isn't a secure DNSKEY for this signature so move
++		 * onto the next RRSIG.
+ 		 */
+ 		if (val->key == NULL) {
+-			if (val->mustbesecure) {
+-				validator_log(val, ISC_LOG_WARNING,
+-					      "must be secure failure,"
+-					      " key is insecure, so mark the"
+-					      " data as insecure also.");
+-				return (DNS_R_MUSTBESECURE);
+-			}
+-			markanswer(val, "validate");
+-			return (ISC_R_SUCCESS);
++			resume = ISC_FALSE;
++			continue;
+ 		}
+ 
+ 		do {
+@@ -3770,6 +3790,20 @@
+ 				 */
+ 				result = DNS_R_NOVALIDNSEC;
+ 				goto out;
++			} else if (DNS_TRUST_PENDING(val->frdataset.trust) ||
++				   DNS_TRUST_ANSWER(val->frdataset.trust)) {
++				/*
++				 * If we have "trust == answer" then this namespace
++				 * has switched from insecure to should be secure.
++				 */
++				result = create_validator(val, tname,
++							  dns_rdatatype_ds,
++							  &val->frdataset,
++							  NULL, dsvalidated,
++							  "proveunsecure");
++				if (result != ISC_R_SUCCESS)
++					goto out;
++				return (DNS_R_WAIT);
+ 			} else if (val->frdataset.trust < dns_trust_secure) {
+ 				/*
+ 				 * This shouldn't happen, since the negative
+Index: bind9-9.7.1.dfsg.P2/bin/tests/system/dnssec/ns1/root.db.in
+===================================================================
+--- bind9-9.7.1.dfsg.P2.orig/bin/tests/system/dnssec/ns1/root.db.in	2010-11-30 08:37:20.000000000 -0500
++++ bind9-9.7.1.dfsg.P2/bin/tests/system/dnssec/ns1/root.db.in	2010-11-30 08:39:02.000000000 -0500
+@@ -30,3 +30,5 @@
+ ns2.example.		A	10.53.0.2
+ dlv.			NS	ns2.dlv.
+ ns2.dlv.		A	10.53.0.2
++algroll			NS	ns2.algroll
++ns2.algroll.		A	10.53.0.2
+Index: bind9-9.7.1.dfsg.P2/bin/tests/system/dnssec/ns1/sign.sh
+===================================================================
+--- bind9-9.7.1.dfsg.P2.orig/bin/tests/system/dnssec/ns1/sign.sh	2010-11-30 08:37:24.000000000 -0500
++++ bind9-9.7.1.dfsg.P2/bin/tests/system/dnssec/ns1/sign.sh	2010-11-30 08:39:02.000000000 -0500
+@@ -30,6 +30,7 @@
+ 
+ cp ../ns2/dsset-example. .
+ cp ../ns2/dsset-dlv. .
++grep "8 [12]" ../ns2/dsset-algroll. > dsset-algroll.
+ 
+ keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+ 
+Index: bind9-9.7.1.dfsg.P2/bin/tests/system/dnssec/ns2/algroll.db.in
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ bind9-9.7.1.dfsg.P2/bin/tests/system/dnssec/ns2/algroll.db.in	2010-11-30 08:39:02.000000000 -0500
+@@ -0,0 +1,31 @@
++; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
++;
++; Permission to use, copy, modify, and/or distribute this software for any
++; purpose with or without fee is hereby granted, provided that the above
++; copyright notice and this permission notice appear in all copies.
++;
++; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++; PERFORMANCE OF THIS SOFTWARE.
++
++; $Id: algroll.db.in,v 1.2.4.3 2010/11/17 23:46:50 tbox Exp $
++
++$TTL 30	; 5 minutes
++@			IN SOA	mname1. . (
++				2000042407 ; serial
++				20         ; refresh (20 seconds)
++				20         ; retry (20 seconds)
++				1814400    ; expire (3 weeks)
++				30       ; minimum (1 hour)
++				)
++			NS	ns2
++ns2			A	10.53.0.2
++ns3			A	10.53.0.3
++
++a			A	10.0.0.1
++b			A	10.0.0.2
++d			A	10.0.0.4
+Index: bind9-9.7.1.dfsg.P2/bin/tests/system/dnssec/ns2/named.conf
+===================================================================
+--- bind9-9.7.1.dfsg.P2.orig/bin/tests/system/dnssec/ns2/named.conf	2010-11-30 08:37:40.000000000 -0500
++++ bind9-9.7.1.dfsg.P2/bin/tests/system/dnssec/ns2/named.conf	2010-11-30 08:39:02.000000000 -0500
+@@ -80,4 +80,9 @@
+ 	allow-update { none; };
+ };
+ 
++zone "algroll" {
++	type master;
++	file "algroll.db.signed";
++};
++
+ include "trusted.conf";
+Index: bind9-9.7.1.dfsg.P2/bin/tests/system/dnssec/ns2/sign.sh
+===================================================================
+--- bind9-9.7.1.dfsg.P2.orig/bin/tests/system/dnssec/ns2/sign.sh	2010-11-30 08:37:44.000000000 -0500
++++ bind9-9.7.1.dfsg.P2/bin/tests/system/dnssec/ns2/sign.sh	2010-11-30 08:39:28.000000000 -0500
+@@ -114,3 +114,21 @@
+ cat $dlvinfile $dlvkeyname.key dlvset-$privzone > $dlvzonefile
+ 
+ $SIGNER -P -g -r $RANDFILE -o $dlvzone $dlvzonefile > /dev/null
++
++#
++# algroll has just has the old DNSKEY records removed and is waiting
++# for them to be flushed from caches.  We still need to generate
++# RRSIGs for the old DNSKEY.
++#
++zone=algroll.
++infile=algroll.db.in
++zonefile=algroll.db
++
++keyold1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
++keyold2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
++keynew1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -fk $zone`
++keynew2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
++
++cat $infile $keynew1.key $keynew2.key >$zonefile
++
++$SIGNER -P -r $RANDFILE -o $zone -k $keyold1 -k $keynew1 $zonefile $keyold1 $keyold2 $keynew1 $keynew2 > /dev/null
+Index: bind9-9.7.1.dfsg.P2/bin/tests/system/dnssec/tests.sh
+===================================================================
+--- bind9-9.7.1.dfsg.P2.orig/bin/tests/system/dnssec/tests.sh	2010-11-30 08:37:50.000000000 -0500
++++ bind9-9.7.1.dfsg.P2/bin/tests/system/dnssec/tests.sh	2010-11-30 08:39:02.000000000 -0500
+@@ -928,6 +928,14 @@
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+ 
++echo "I:checking that a zone finishing the transition from RSASHA1 to RSASHA256 validates secure ($n)"
++ret=0
++$DIG $DIGOPTS ns algroll. @10.53.0.4 > dig.out.ns4.test$n || ret=1
++grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
++grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null || ret=1
++if [ $ret != 0 ]; then echo "I:failed"; fi
++status=`expr $status + $ret`
++
+ # Run a minimal update test if possible.  This is really just
+ # a regression test for RT #2399; more tests should be added.
+ 
+Index: bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/clean.sh
+===================================================================
+--- bind9-9.7.1.dfsg.P2.orig/bin/tests/system/resolver/clean.sh	2010-11-30 08:37:55.000000000 -0500
++++ bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/clean.sh	2010-11-30 08:39:02.000000000 -0500
+@@ -14,10 +14,12 @@
+ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ # PERFORMANCE OF THIS SOFTWARE.
+ 
+-# $Id: clean.sh,v 1.3 2009/05/29 23:47:49 tbox Exp $
++# $Id: clean.sh,v 1.3.310.2 2010/11/17 23:46:50 tbox Exp $
+ 
+ #
+ # Clean up after resolver tests.
+ #
+ rm -f */named.memstats
+ rm -f dig.out
++rm -f ns6/K*
++rm -f ns6/example.net.db.signed ns6/example.net.db
+Index: bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/ns6/example.net.db.in
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/ns6/example.net.db.in	2010-11-30 08:39:02.000000000 -0500
+@@ -0,0 +1,22 @@
++; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
++;
++; Permission to use, copy, modify, and/or distribute this software for any
++; purpose with or without fee is hereby granted, provided that the above
++; copyright notice and this permission notice appear in all copies.
++;
++; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++; PERFORMANCE OF THIS SOFTWARE.
++
++; $Id: example.net.db.in,v 1.2.2.3 2010/11/17 23:46:50 tbox Exp $
++
++$TTL 600
++@	IN SOA	ns hostmaster 1 1800 900 604800 600
++@	IN NS	ns
++@	IN MX	0 mail
++ns	IN A	10.53.0.6
++mail	IN A	10.53.0.6
+Index: bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/ns6/keygen.sh
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/ns6/keygen.sh	2010-11-30 08:39:02.000000000 -0500
+@@ -0,0 +1,31 @@
++#!/bin/sh -e
++#
++# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
++#
++# Permission to use, copy, modify, and/or distribute this software for any
++# purpose with or without fee is hereby granted, provided that the above
++# copyright notice and this permission notice appear in all copies.
++#
++# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++# PERFORMANCE OF THIS SOFTWARE.
++
++# $Id: keygen.sh,v 1.2.2.2 2010/11/16 07:04:08 marka Exp $
++
++SYSTEMTESTTOP=../..
++. $SYSTEMTESTTOP/conf.sh
++
++RANDFILE=../random.data
++
++zone=example.net
++zonefile="${zone}.db"
++infile="${zonefile}.in"
++cp $infile $zonefile
++ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
++zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
++cat $ksk.key $zsk.key >> $zonefile
++$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+Index: bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/ns6/named.conf
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/ns6/named.conf	2010-11-30 08:39:02.000000000 -0500
+@@ -0,0 +1,44 @@
++/*
++ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++/* $Id: named.conf,v 1.2.2.2 2010/11/16 07:04:09 marka Exp $ */
++
++// NS4
++
++controls { /* empty */ };
++
++options {
++	query-source address 10.53.0.6;
++	notify-source 10.53.0.6;
++	transfer-source 10.53.0.6;
++	port 5300;
++	pid-file "named.pid";
++	listen-on { 10.53.0.6; };
++	listen-on-v6 { none; };
++	recursion no;
++	// minimal-responses yes;
++};
++
++zone "." {
++	type master;
++	file "root.db";
++};
++
++zone "example.net" {
++	type master;
++	file "example.net.db.signed";
++	allow-update { any; };
++};
+Index: bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/ns6/root.db
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/ns6/root.db	2010-11-30 08:39:02.000000000 -0500
+@@ -0,0 +1,26 @@
++; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
++;
++; Permission to use, copy, modify, and/or distribute this software for any
++; purpose with or without fee is hereby granted, provided that the above
++; copyright notice and this permission notice appear in all copies.
++;
++; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++; PERFORMANCE OF THIS SOFTWARE.
++
++; $Id: root.db,v 1.2.2.2 2010/11/16 07:04:09 marka Exp $
++
++$TTL 300
++. 			IN SOA	marka.isc.org. a.root.servers.nil. (
++				2010   	; serial
++				600         	; refresh
++				600         	; retry
++				1200    	; expire
++				600       	; minimum
++				)
++.			NS	a.root-servers.nil.
++a.root-servers.nil.	A	10.53.0.6
+Index: bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/ns7/named.conf
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/ns7/named.conf	2010-11-30 08:39:02.000000000 -0500
+@@ -0,0 +1,37 @@
++/*
++ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++/* $Id: named.conf,v 1.2.2.2 2010/11/16 07:04:09 marka Exp $ */
++
++// NS4
++
++controls { /* empty */ };
++
++options {
++	query-source address 10.53.0.7;
++	notify-source 10.53.0.7;
++	transfer-source 10.53.0.7;
++	port 5300;
++	pid-file "named.pid";
++	listen-on { 10.53.0.7; };
++	listen-on-v6 { none; };
++	recursion yes;
++};
++
++zone "." {
++	type hint;
++	file "root.hint";
++};
+Index: bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/ns7/root.hint
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/ns7/root.hint	2010-11-30 08:39:02.000000000 -0500
+@@ -0,0 +1,19 @@
++; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
++;
++; Permission to use, copy, modify, and/or distribute this software for any
++; purpose with or without fee is hereby granted, provided that the above
++; copyright notice and this permission notice appear in all copies.
++;
++; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++; PERFORMANCE OF THIS SOFTWARE.
++
++; $Id: root.hint,v 1.2.2.2 2010/11/16 07:04:09 marka Exp $
++
++$TTL 999999
++.			 IN NS	a.root-servers.nil.
++a.root-servers.nil.	 IN A	10.53.0.6
+Index: bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/setup.sh
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/setup.sh	2010-11-30 08:39:02.000000000 -0500
+@@ -0,0 +1,21 @@
++#!/bin/sh -e
++#
++# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
++#
++# Permission to use, copy, modify, and/or distribute this software for any
++# purpose with or without fee is hereby granted, provided that the above
++# copyright notice and this permission notice appear in all copies.
++#
++# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++# PERFORMANCE OF THIS SOFTWARE.
++
++# $Id: setup.sh,v 1.2.2.3 2010/11/17 23:46:50 tbox Exp $
++
++../../../tools/genrandom 400 random.data
++
++(cd ns6 && sh keygen.sh)
+Index: bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/tests.sh
+===================================================================
+--- bind9-9.7.1.dfsg.P2.orig/bin/tests/system/resolver/tests.sh	2010-11-30 08:38:44.000000000 -0500
++++ bind9-9.7.1.dfsg.P2/bin/tests/system/resolver/tests.sh	2010-11-30 08:39:02.000000000 -0500
+@@ -120,5 +120,30 @@
+ status=`expr $status + $ret`
+ 
+ 
++n=`expr $n + 1`
++echo "I:check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
++ret=0
++$DIG +tcp mx example.net @10.53.0.7 -p 5300 > dig.ns7.out.${n} || ret=1
++grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1
++if [ $ret = 1 ]; then echo "I:mx priming failed"; fi
++$NSUPDATE << EOF
++server 10.53.0.6 5300
++zone example.net
++update delete mail.example.net A
++update add mail.example.net 0 AAAA ::1
++send
++EOF
++$DIG +tcp a mail.example.net @10.53.0.7 -p 5300 > dig.ns7.out.${n} || ret=2
++grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=2
++grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=2
++if [ $ret = 2 ]; then echo "I:ncache priming failed"; fi
++$DIG +tcp mx example.net @10.53.0.7 -p 5300 > dig.ns7.out.${n} || ret=3
++grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=3
++$DIG +tcp rrsig mail.example.net +norec @10.53.0.7 -p 5300 > dig.ns7.out.${n}  || ret=4
++grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=4
++grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=4
++if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
++status=`expr $status + $ret`
++
+ echo "I:exit status: $status"
+ exit $status
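Review bot: The new `if (val->key == NULL) { resume = ISC_FALSE; continue; }` in `validate()` (the hunk that drops the `markanswer(val, "validate")` path) skips an RRSIG whose DNSKEY could not be secured without leaving any trace in the log, and the `dns_resolver_algorithm_supported()` skip just above it is equally silent, which makes a mid-rollover zone that ends up bogus hard to diagnose in the field. I would add `validator_log(val, ISC_LOG_DEBUG(3), "no secure DNSKEY for RRSIG, trying next RRSIG");` before that `continue`, mirroring the "falling back to insecurity proof" message the patch adds in the `DNS_EVENT_FETCHDONE` and `DNS_EVENT_VALIDATORDONE` callbacks. Those two callbacks are the only places this hunk set wires the `DNS_R_NOVALIDSIG`/`VALATTR_TRIEDVERIFY` fallback; if the synchronous path in `validator_start` does not already carry the same fallback, a response validated without an intervening fetch would still come back bogus rather than be re-checked as insecure — that code is not in view here, so it is worth confirming against upstream 9.7.2-P3. `validate()` begins and ends outside the hunk, so what the loop returns once every RRSIG has been skipped cannot be checked from this diff.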

debian/patches/series

 debian-changes-1:9.7.1.dfsg.P2-2
+CVE-2010-3613-3614.patch