Change additional NS to be served partially

When too many NS records are fetched from authoritative zone, limit number of fetched additional records. Instead of not producing any additional record when there is over 13 NS servers, limit number of records for which those records would be fetched. Resolves: RHEL-84006
2025-06-20 20:57:37 +02:00 · 2025-06-20 20:57:37 +02:00 · 76f8c8bbb5
commit 76f8c8bbb5
parent 1a2cdb3553
2 changed files with 59 additions and 1 deletions
--- a/bind-9.18-partial-additional-records.patch
+++ b/bind-9.18-partial-additional-records.patch
@ -0,0 +1,54 @@
+From 9140eac85cda21fa86f2768f7ccaf6800776c726 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 19 Jun 2025 19:51:43 +0200
+Subject: [PATCH] Limit number of additional records fetched
+
+Limit number of started fetches for additional zone instead of doing
+none. Keep limit of NS filled with additional records, but present at
+least some if possible.
+
+Might help broken implementations relying on receiving addresses in the
+response for NS query in authoritative zone.
+---
+ lib/dns/rdataset.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
+index ffe6163..cfdb7d5 100644
+--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
+@@ -586,6 +586,7 @@ dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
+ 			    dns_additionaldatafunc_t add, void *arg, size_t limit) {
+ 	dns_rdata_t rdata = DNS_RDATA_INIT;
+ 	isc_result_t result;
+	size_t n = 0;
+ 
+ 	/*
+ 	 * For each rdata in rdataset, call 'add' for each name and type in the
+@@ -595,10 +596,6 @@ dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
+ 	REQUIRE(DNS_RDATASET_VALID(rdataset));
+ 	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+ 
+-	if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
+-		return DNS_R_TOOMANYRECORDS;
+-	}
+-
+ 	result = dns_rdataset_first(rdataset);
+ 	if (result != ISC_R_SUCCESS) {
+ 		return (result);
+@@ -608,7 +605,11 @@ dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
+ 		dns_rdataset_current(rdataset, &rdata);
+ 		result = dns_rdata_additionaldata(&rdata, add, arg);
+ 		if (result == ISC_R_SUCCESS) {
+-			result = dns_rdataset_next(rdataset);
+			if (limit != 0 && ++n >= limit) {
+				result = DNS_R_TOOMANYRECORDS;
+			} else {
+				result = dns_rdataset_next(rdataset);
+			}
+ 		}
+ 		dns_rdata_reset(&rdata);
+ 	} while (result == ISC_R_SUCCESS);
+-- 
+2.49.0
+
--- a/bind.spec
+++ b/bind.spec
@ -56,7 +56,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.16.23
-Release:  29%{?dist}
+Release:  30%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -185,6 +185,7 @@ Patch216: bind-9.18-CVE-2024-11187.patch
 Patch217: bind-9.21-resume-qmin-cname.patch
 # downstream only, extra check for above change, RHEL-30407
 Patch218: bind-9.18-query-fname-relative.patch
+Patch219: bind-9.18-partial-additional-records.patch

 %{?systemd_ordering}
 Requires:       coreutils
@ -1229,6 +1230,9 @@ fi;
 %endif

 %changelog
+* Fri Jun 20 2025 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-30
+- Change additional NS to be served partially (RHEL-84006)
+
 * Tue Jun 10 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.23-29
 - Prevent name.c:670 attributes assertion failed (RHEL-30407)
 - Add extra checks for relative names