Add a CAMP test case

This adds a new test directory specifically for CAMP attacks. This first
test in this test directory follows multiple CNAME chains, restarting
the max-recursion-queries counter, but should bail when the global
maximum quota max-query-count is reached.

bin/tests/system/Makefile.am

@@ -71,6 +71,7 @@ TESTS =				\
 	autosign		\
 	builtin			\
 	cacheclean		\
+	camp			\
 	case			\
 	catz			\
 	cds			\

bin/tests/system/camp/ns1/named.conf.in

@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};

bin/tests/system/camp/ns1/root.db

@@ -0,0 +1,51 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+.			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100	; serial
+				600		; refresh
+				600		; retry
+				1200		; expire
+				600		; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+tld0.			NS	ns.tld0.
+ns.tld0.		A	10.53.0.2
+
+tld1.			NS	ns.tld1.
+ns.tld1.		A	10.53.0.2
+
+tld2.			NS	ns.tld2.
+ns.tld2.		A	10.53.0.2
+
+tld3.			NS	ns.tld3.
+ns.tld3.		A	10.53.0.2
+
+tld4.			NS	ns.tld4.
+ns.tld4.		A	10.53.0.2
+
+tld5.			NS	ns.tld5.
+ns.tld5.		A	10.53.0.2
+
+tld6.			NS	ns.tld6.
+ns.tld6.		A	10.53.0.2
+
+tld7.			NS	ns.tld7.
+ns.tld7.		A	10.53.0.2
+
+tld8.			NS	ns.tld8.
+ns.tld8.		A	10.53.0.2
+
+tld9.			NS	ns.tld9.
+ns.tld9.		A	10.53.0.2

bin/tests/system/camp/ns2/named.conf.in

@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+zone "tld0" {
+	type primary;
+	file "tld0.db";
+};

bin/tests/system/camp/ns2/setup.sh

@@ -0,0 +1,57 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns2/setup.sh"
+
+cp template.db.in tld0.db
+echo "final.tld0. IN NS ns.final.tld0." >>tld0.db
+echo "ns.final.tld0. IN A 10.53.0.3" >>tld0.db
+
+DEPTH=5
+
+tld=1
+while [ $tld -le $DEPTH ]; do
+
+  cat >>"named.conf" <<EOF
+zone "tld${tld}" {
+        type primary;
+        file "tld${tld}.db";
+};
+EOF
+
+  cp template.db.in tld${tld}.db
+
+  label=0
+  while [ $label -le $DEPTH ]; do
+    echo "label${label}.tld${tld}. IN NS ns.label${label}.tld${tld}." >>tld${tld}.db
+    echo "ns.label${label}.tld${tld}. IN A 10.53.0.3" >>tld${tld}.db
+    echo "" >>tld${tld}.db
+
+    label=$((label + 1))
+  done
+
+  tld=$((tld + 1))
+done
+
+goto=1
+tld=1
+while [ $goto -le $DEPTH ]; do
+  echo "goto${goto}.tld${tld}. IN NS ns.goto${goto}.tld${tld}." >>tld${tld}.db
+  echo "ns.goto${goto}.tld${tld}. IN A 10.53.0.3" >>tld${tld}.db
+  echo "" >>tld${tld}.db
+
+  goto=$((goto + 1))
+done

bin/tests/system/camp/ns2/template.db.in

@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns2
+ns2			A	10.53.0.2
+			NS	ns
+ns			A	10.53.0.2
+
+; camp attack

bin/tests/system/camp/ns3/named.conf.in

@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation no;
+
+	max-query-count 150;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "final.tld0" {
+	type primary;
+	file "final.tld0.db";
+};

bin/tests/system/camp/ns3/setup.sh

@@ -0,0 +1,79 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns3/setup.sh"
+
+cp template.db.in final.tld0.db
+echo "q.final.tld0. IN A 1.2.3.4" >>final.tld0.db
+
+DEPTH=5
+
+tld=1
+while [ $tld -le $DEPTH ]; do
+  nexttld=$((tld + 1))
+
+  label=1
+  while [ $label -le $DEPTH ]; do
+    nextlabel=$((label + 1))
+
+    cat >>"named.conf" <<EOF
+zone "label${label}.tld${tld}" {
+        type primary;
+        file "label${label}.tld${tld}.db";
+};
+EOF
+
+    cp template.db.in label${label}.tld${tld}.db
+
+    if [ $label -eq $DEPTH ] && [ $tld -eq $DEPTH ]; then
+      echo "q.label${label}.tld${tld}. IN CNAME q.goto1.tld1." >>label${label}.tld${tld}.db
+    elif [ $tld -eq $DEPTH ]; then
+      nextlabel=$((label + 1))
+      echo "q.label${label}.tld${tld}. IN CNAME q.label${nextlabel}.tld1." >>label${label}.tld${tld}.db
+    else
+      echo "q.label${label}.tld${tld}. IN CNAME q.label${label}.tld${nexttld}." >>label${label}.tld${tld}.db
+    fi
+
+    label=$nextlabel
+  done
+
+  echo "" >>label${label}.tld${tld}.db
+  tld=$nexttld
+done
+
+goto=1
+tld=1
+while [ $goto -le $DEPTH ]; do
+  nextgoto=$((goto + 1))
+
+  cat >>"named.conf" <<EOF
+zone "goto${goto}.tld${tld}" {
+        type primary;
+        file "goto${goto}.tld${tld}.db";
+};
+EOF
+
+  cp template.db.in goto${goto}.tld${tld}.db
+
+  if [ $goto -eq $DEPTH ]; then
+    echo "q.goto${goto}.tld${tld}. IN CNAME q.final.tld0." >>goto${goto}.tld${tld}.db
+  else
+    echo "q.goto${goto}.tld${tld}. IN CNAME q.goto${nextgoto}.tld${tld}." >>goto${goto}.tld${tld}.db
+  fi
+
+  echo "" >>label${label}.tld${tld}.db
+  goto=$nextgoto
+done

bin/tests/system/camp/ns3/template.db.in

@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns
+			NS	ns3
+ns			A	10.53.0.3
+ns3			A	10.53.0.3
+
+; camp attack

bin/tests/system/camp/ns9/hints.db

@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 60 IN NS a.root-servers.nil.
+a.root-servers.nil.     A       10.53.0.1

bin/tests/system/camp/ns9/named.conf.in

@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS9
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation no;
+
+	max-recursion-queries 50;
+	max-query-restarts 50;
+	max-query-count 100;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints.db"; };

bin/tests/system/camp/setup.sh

@@ -0,0 +1,32 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
+
+(
+  cd ns3
+  $SHELL setup.sh
+)
+
+(
+  cd ns2
+  $SHELL setup.sh
+)

bin/tests/system/camp/tests.sh

@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+# shellcheck source=../conf.sh
+. ../conf.sh
+
+dig_with_opts() {
+  "${DIG}" -p "${PORT}" "${@}"
+}
+
+status=0
+n=0
+
+n=$((n + 1))
+echo_i "checking max-query-count is in effect ($n)"
+ret=0
+dig_with_opts q.label1.tld1. @10.53.0.9 a >dig.out.ns9.test${n} || ret=1
+grep "status: SERVFAIL" dig.out.ns9.test${n} >/dev/null || ret=1
+grep "exceeded global max queries resolving" ns9/named.run >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1

bin/tests/system/camp/tests_sh_camp.py

@@ -0,0 +1,25 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+pytestmark = pytest.mark.extra_artifacts(
+    [
+        "dig.out*",
+        "ans*/ans.run",
+        "ns*/*.jnl",
+        "ns*/*tld*.db",
+    ]
+)
+
+
+def test_camp(run_tests_sh):
+    run_tests_sh()