BIND 10 master, updated. 652aa4de2fa82fdf3de569d01d9f4aa618fc1972 [master] Merge branch 'trac3383'

BIND 10 source code commits bind10-changes at lists.isc.org
Wed Apr 2 17:23:05 UTC 2014


The branch, master has been updated
       via  652aa4de2fa82fdf3de569d01d9f4aa618fc1972 (commit)
       via  dd5010df9501c97b84ff438e6b19b6a69335e6e6 (commit)
       via  bad81eacde96d3ca3753658631aab8f11327eb88 (commit)
      from  dfde8e94390096bba723ff0eb14c8f686856a992 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 652aa4de2fa82fdf3de569d01d9f4aa618fc1972
Merge: dfde8e9 dd5010d
Author: Thomas Markwalder <tmark at isc.org>
Date:   Wed Apr 2 13:19:22 2014 -0400

    [master] Merge branch 'trac3383'
    
    Warning message added to D2 about listening outside loopback

-----------------------------------------------------------------------

Summary of changes:
 src/bin/d2/d2_messages.mes               |   14 ++++++---
 src/bin/d2/d2_process.cc                 |    7 +++++
 src/bin/d2/tests/d2_process_unittests.cc |   48 ++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 4 deletions(-)

-----------------------------------------------------------------------
diff --git a/src/bin/d2/d2_messages.mes b/src/bin/d2/d2_messages.mes
index 2849ae4..b7f2447 100644
--- a/src/bin/d2/d2_messages.mes
+++ b/src/bin/d2/d2_messages.mes
@@ -254,6 +254,14 @@ This is a debug message issued when the DHCP-DDNS application encountered an
 error while decoding a response to DNS Update message. Typically, this error
 will be encountered when a response message is malformed.
 
+% DHCP_DDNS_NOT_ON_LOOPBACK the DHCP-DDNS server has been configured to listen on %1 which is not the local loopback.  This is an insecure configuration supported for testing purposes only
+This is a warning message issued when the DHCP-DDNS server is configured to
+listen at an address other than the loopback address (127.0.0.1 or ::1). It is
+possible for a malicious attacker to send bogus NameChangeRequests to it and
+change entries in the DNS. For this reason, addresses other than the IPv4 or
+IPv6 loopback addresses should only be used for testing purposes. A future
+version of Kea will implement authentication to guard against such attacks.
+
 % DHCP_DDNS_NO_ELIGIBLE_JOBS although there are queued requests, there are pending transactions for each Queue count: %1  Transaction count: %2
 This is a debug message issued when all of the queued requests represent clients
 for which there is a an update already in progress.  This may occur under
@@ -290,11 +298,9 @@ requests too quickly, or perhaps upstream DNS servers are experiencing
 load issues.
 
 % DHCP_DDNS_QUEUE_MGR_RECONFIGURING application is reconfiguring the queue manager
-This is an informational message indicating that DHCP_DDNS is reconfiguring the
-queue manager as part of normal startup or in response to a new configuration.
+This is an informational message indicating that DHCP_DDNS is reconfiguring the queue manager as part of normal startup or in response to a new configuration.
 
-% DHCP_DDNS_QUEUE_MGR_RECOVERING application is attempting to recover from a
-queue manager IO error
+% DHCP_DDNS_QUEUE_MGR_RECOVERING application is attempting to recover from a queue manager IO error
 This is an informational message indicating that DHCP_DDNS is attempting to
 restart the queue manager after it suffered an IO error while receiving
 requests.
diff --git a/src/bin/d2/d2_process.cc b/src/bin/d2/d2_process.cc
index 187bfe1..cca71e2 100644
--- a/src/bin/d2/d2_process.cc
+++ b/src/bin/d2/d2_process.cc
@@ -329,6 +329,13 @@ D2Process::reconfigureQueueMgr() {
         std::string ip_address;
         uint32_t port;
         getCfgMgr()->getContext()->getParam("ip_address", ip_address);
+
+        // Warn the user if the server address is not the loopback.
+        /// @todo Remove this once we provide a secure mechanism.
+        if (ip_address != "127.0.0.1" && ip_address != "::1") {
+            LOG_WARN(dctl_logger, DHCP_DDNS_NOT_ON_LOOPBACK).arg(ip_address);
+        }
+
         getCfgMgr()->getContext()->getParam("port", port);
         isc::asiolink::IOAddress addr(ip_address);
 
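Review bot: The loopback test at `if (ip_address != "127.0.0.1" && ip_address != "::1")` compares the raw configuration string, so a textual variant of the same address ("0:0:0:0:0:0:0:1", "::0001", or an IPv4-mapped "::ffff:127.0.0.1") is reported as non-loopback while an unparsable string is warned about before `IOAddress addr(ip_address)` fails on it a few lines later. Comparing the parsed address instead of the string avoids both, and keeps the warning anchored to the value the server will actually bind; this means moving the check below the `IOAddress` construction. The fence below assumes `IOAddress` offers equality comparison in this tree (it does in later Kea; if only `equals()` exists here, use that). `reconfigureQueueMgr` starts before the hunk, so the surrounding scope is not visible.
```cpp
        getCfgMgr()->getContext()->getParam("port", port);
        isc::asiolink::IOAddress addr(ip_address);

        // Warn the user if the server address is not the loopback.
        // Compare the parsed address rather than the configured string so
        // that equivalent spellings of ::1 / 127.0.0.1 are recognised.
        /// @todo Remove this once we provide a secure mechanism.
        if (!(addr == isc::asiolink::IOAddress("127.0.0.1") ||
              addr == isc::asiolink::IOAddress("::1"))) {
            LOG_WARN(dctl_logger, DHCP_DDNS_NOT_ON_LOOPBACK).arg(ip_address);
        }
```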
diff --git a/src/bin/d2/tests/d2_process_unittests.cc b/src/bin/d2/tests/d2_process_unittests.cc
index cbbdd3f..bd6f770 100644
--- a/src/bin/d2/tests/d2_process_unittests.cc
+++ b/src/bin/d2/tests/d2_process_unittests.cc
@@ -602,4 +602,52 @@ TEST_F(D2ProcessTest, fatalErrorShutdown) {
                 elapsed.total_milliseconds() <= 2100);
 }
 
+/// @brief Used to permit visual inspection of logs to ensure
+/// DHCP_DDNS_NOT_ON_LOOPBACK is issued when ip_address is not
+/// loopback.
+TEST_F(D2ProcessTest, notLoopbackTest) {
+    const char* config = "{ "
+                        "\"interface\" : \"\" , "
+                        "\"ip_address\" : \"0.0.0.0\" , "
+                        "\"port\" : 53001, "
+                        "\"tsig_keys\": [],"
+                        "\"forward_ddns\" : {},"
+                        "\"reverse_ddns\" : {}"
+                        "}";
+
+    // Note we don't care nor can we predict if this
+    // succeeds or fails. The address and port may or may
+    // not be valid on the test host.
+    runWithConfig(config);
+}
+
+
+/// @brief Used to permit visual inspection of logs to ensure
+/// DHCP_DDNS_NOT_ON_LOOPBACK is not issued.
+TEST_F(D2ProcessTest, v4LoopbackTest) {
+    const char* config = "{ "
+                        "\"interface\" : \"\" , "
+                        "\"ip_address\" : \"127.0.0.1\" , "
+                        "\"port\" : 53001, "
+                        "\"tsig_keys\": [],"
+                        "\"forward_ddns\" : {},"
+                        "\"reverse_ddns\" : {}"
+                        "}";
+    ASSERT_TRUE(runWithConfig(config));
+}
+
+/// @brief Used to permit visual inspection of logs to ensure
+/// DHCP_DDNS_NOT_ON_LOOPBACK is not issued.
+TEST_F(D2ProcessTest, v6LoopbackTest) {
+    const char* config = "{ "
+                        "\"interface\" : \"\" , "
+                        "\"ip_address\" : \"::1\" , "
+                        "\"port\" : 53001, "
+                        "\"tsig_keys\": [],"
+                        "\"forward_ddns\" : {},"
+                        "\"reverse_ddns\" : {}"
+                        "}";
+    ASSERT_TRUE(runWithConfig(config));
+}
+
 } // end of anonymous namespace
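Review bot: The three new tests repeat the same configuration literal and differ only in the `ip_address` value, and none of them asserts the behaviour they are named for; the `@brief` comments say the DHCP_DDNS_NOT_ON_LOOPBACK warning is to be checked by visual inspection, so a regression in the check would not fail the suite. At minimum the shared literal should come from one helper taking the address, so that a later change to the required keys is made in one place. Note also that `notLoopbackTest` binds `0.0.0.0:53001` on the test host and discards the result of `runWithConfig`, as its comment admits; a comment such as `// TODO: replace visual inspection with a log-capture assertion once the test harness supports it` would record the intent for whoever adds that support.
```cpp
/// @brief Builds the minimal D2 configuration used by the loopback tests,
/// listening on the given address and port 53001.
std::string makeListenConfig(const std::string& ip_address) {
    return std::string("{ ")
        + "\"interface\" : \"\" , "
        + "\"ip_address\" : \"" + ip_address + "\" , "
        + "\"port\" : 53001, "
        + "\"tsig_keys\": [],"
        + "\"forward_ddns\" : {},"
        + "\"reverse_ddns\" : {}"
        + "}";
}

// … unchanged: the three TEST_F bodies, each calling
// runWithConfig(makeListenConfig("<address>").c_str()) …
```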


