- fall back to insecure mode when no supported DNSSEC algorithm is found

instead of SERVFAIL - don't fall back to non-EDNS0 queries when DO bit is set
2009-03-17 11:41:17 +00:00 · 2009-03-17 11:41:17 +00:00 · 913b3afd3d
commit 913b3afd3d
parent fc276131b5
2 changed files with 227 additions and 1 deletions
--- a/bind.spec
+++ b/bind.spec
@ -20,7 +20,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  ISC
 Version:  9.6.0
-Release:  10.%{PATCHVER}%{?dist}
+Release:  11.%{PATCHVER}%{?dist}
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -54,6 +54,7 @@ Patch99: bind-96-libtool2.patch
 Patch101:bind-96-old-api.patch
 Patch102:bind-95-rh452060.patch
 Patch103:bind-96-realloc.patch
 Patch106:bind9-fedora-0001.diff
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@ -220,6 +221,7 @@ mkdir m4
 %patch102 -p1 -b .rh452060
 %patch103 -p0 -b .realloc
 %patch106 -p1 -b .nsec3
 # Sparc and s390 arches need to use -fPIE
 %ifarch sparcv9 sparc64 s390 s390x
@ -569,6 +571,11 @@ rm -rf ${RPM_BUILD_ROOT}
 %ghost %{chroot_prefix}/etc/localtime
 %changelog
 * Tue Mar 17 2009 Adam Tkac <atkac redhat com> 32:9.6.0-11.P1
 - fall back to insecure mode when no supported DNSSEC algorithm is found
  instead of SERVFAIL
 - don't fall back to non-EDNS0 queries when DO bit is set
 * Tue Mar 10 2009 Adam Tkac <atkac redhat com> 32:9.6.0-10.P1
 - enable DNSSEC only if it is enabled in sysconfig/dnssec
--- a/bind9-fedora-0001.diff
+++ b/bind9-fedora-0001.diff
@ -0,0 +1,219 @@
 diff -ur bind-9.6.0-P1.pristine/lib/dns/resolver.c bind-9.6.0-P1/lib/dns/resolver.c
 --- bind-9.6.0-P1.pristine/lib/dns/resolver.c	2008-11-06 18:52:34.000000000 -0600
 +++ bind-9.6.0-P1/lib/dns/resolver.c	2009-03-16 21:15:44.000000000 -0500
@@ -222,6 +222,7 @@
 	 * is used for EDNS0 black hole detection.
 	 */
 	unsigned int			timeouts;
 +
 	/*%
 	 * Look aside state for DS lookups.
 	 */
@@ -245,6 +246,7 @@
 	 */
 	isc_uint32_t                    rand_buf;
 	isc_uint32_t                    rand_bits;
 +	isc_boolean_t			timeout;
 };
 #define FCTX_MAGIC			ISC_MAGIC('F', '!', '!', '!')
@@ -1575,28 +1577,44 @@
 				    DNS_FETCHOPT_NOEDNS0);
 	}
 -	/* Sync NOEDNS0 flag in addrinfo->flags and options now */
 +	/* Sync NOEDNS0 flag in addrinfo->flags and options now. */
 	if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) != 0)
 		query->options |= DNS_FETCHOPT_NOEDNS0;
 	/*
 +	 * Handle timeouts by reducing the UDP response size to 512 bytes
 +	 * then if that doesn't work disabling EDNS (includes DO) and CD.
 +	 *
 +	 * These timeout can be due to:
 +	 *	* broken nameservers that don't respond to EDNS queries.
 +	 *	* broken/misconfigured firewalls and NAT implementations
 +	 *	  that don't handle IP fragmentation.
 +	 *	* broken/misconfigured firewalls that don't handle responses
 +	 *	  greater than 512 bytes.
 +	 *	* broken/misconfigured firewalls that don't handle EDNS, DO
 +	 *	  or CD.
 +	 *	* packet loss / link outage.
 +	 */
 +	if (fctx->timeout) {
 +		if ((triededns512(fctx, &query->addrinfo->sockaddr) ||
 +		     fctx->timeouts >= (MAX_EDNS0_TIMEOUTS * 2)) &&
 +		    (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
 +			query->options |= DNS_FETCHOPT_NOEDNS0;
 +			fctx->reason = "disabling EDNS";
 +		} else if ((triededns(fctx, &query->addrinfo->sockaddr) ||
 +			    fctx->timeouts >= MAX_EDNS0_TIMEOUTS) &&
 +			   (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
 +			query->options |= DNS_FETCHOPT_EDNS512;
 +			fctx->reason = "reducing the advertised EDNS UDP "
 +				       "packet size to 512 octets";
 +		}
 +		fctx->timeout = ISC_FALSE;
 +	}
 +
 +	/*
 	 * Use EDNS0, unless the caller doesn't want it, or we know that
 	 * the remote server doesn't like it.
 	 */
 -
 -	if ((triededns512(fctx, &query->addrinfo->sockaddr) ||
 -	     fctx->timeouts >= (MAX_EDNS0_TIMEOUTS * 2)) &&
 -	    (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
 -		query->options |= DNS_FETCHOPT_NOEDNS0;
 -		fctx->reason = "disabling EDNS";
 -	} else if ((triededns(fctx, &query->addrinfo->sockaddr) ||
 -		    fctx->timeouts >= MAX_EDNS0_TIMEOUTS) &&
 -		   (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
 -		query->options |= DNS_FETCHOPT_EDNS512;
 -		fctx->reason = "reducing the advertised EDNS UDP packet "
 -			       "size to 512 octets";
 -	}
 -
 	if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
 		if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) {
 			unsigned int version = 0;       /* Default version. */
@@ -2909,6 +2927,7 @@
 		isc_result_t result;
 		fctx->timeouts++;
 +		fctx->timeout = ISC_TRUE;
 		/*
 		 * We could cancel the running queries here, or we could let
 		 * them keep going.  Since we normally use separate sockets for
@@ -3242,6 +3261,7 @@
 	fctx->reason = NULL;
 	fctx->rand_buf = 0;
 	fctx->rand_bits = 0;
 +	fctx->timeout = ISC_FALSE;
 	dns_name_init(&fctx->nsname, NULL);
 	fctx->nsfetch = NULL;
@@ -4508,7 +4528,8 @@
 	 */
 	ttl = fctx->res->view->maxncachettl;
 	if (fctx->type == dns_rdatatype_soa &&
 -	    covers == dns_rdatatype_any)
 +	    covers == dns_rdatatype_any &&
 +	    fctx->res->zero_no_soa_ttl)
 		ttl = 0;
 	result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
@@ -5768,6 +5789,7 @@
 	}
 	fctx->timeouts = 0;
 +	fctx->timeout = ISC_FALSE;
 	/*
 	 * XXXRTH  We should really get the current time just once.  We
 diff -ur bind-9.6.0-P1.pristine/lib/dns/validator.c bind-9.6.0-P1/lib/dns/validator.c
 --- bind-9.6.0-P1.pristine/lib/dns/validator.c	2008-11-14 17:47:33.000000000 -0600
 +++ bind-9.6.0-P1/lib/dns/validator.c	2009-03-16 21:13:56.000000000 -0500
@@ -218,6 +218,37 @@
 	return (ISC_TRUE);
 }
 +/*
 + * Check that we have atleast one supported algorithm in the DLV RRset.
 + */
 +static inline isc_boolean_t
 +dlv_algorithm_supported(dns_validator_t *val) {
 +	dns_rdata_t rdata = DNS_RDATA_INIT;
 +	dns_rdata_dlv_t dlv;
 +	isc_result_t result;
 +
 +	for (result = dns_rdataset_first(&val->dlv);
 +	     result == ISC_R_SUCCESS;
 +	     result = dns_rdataset_next(&val->dlv)) {
 +		dns_rdata_reset(&rdata);
 +		dns_rdataset_current(&val->dlv, &rdata);
 +		result = dns_rdata_tostruct(&rdata, &dlv, NULL);
 +		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 +
 +		if (!dns_resolver_algorithm_supported(val->view->resolver,
 +						      val->event->name,
 +						      dlv.algorithm))
 +			continue;
 +
 +		if (dlv.digest_type != DNS_DSDIGEST_SHA256 &&
 +		    dlv.digest_type != DNS_DSDIGEST_SHA1)
 +			continue;
 +
 +		return (ISC_TRUE);
 +	}
 +	return (ISC_FALSE);
 +}
 +
 /*%
  * Look in the NSEC record returned from a DS query to see if there is
  * a NS RRset at this name.  If it is found we are at a delegation point.
@@ -2957,19 +2988,36 @@
 				sizeof(namebuf));
 		dns_rdataset_clone(&val->frdataset, &val->dlv);
 		val->havedlvsep = ISC_TRUE;
 -		validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
 -		dlv_validator_start(val);
 +		if (dlv_algorithm_supported(val)) {
 +			validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
 +				      namebuf);
 +			dlv_validator_start(val);
 +		} else {
 +			validator_log(val, ISC_LOG_DEBUG(3),
 +				      "DLV %s found with no supported algorithms",
 +				      namebuf);
 +			markanswer(val);
 +			validator_done(val, ISC_R_SUCCESS);
 +		}
 	} else if (eresult == DNS_R_NXRRSET ||
 		   eresult == DNS_R_NXDOMAIN ||
 		   eresult == DNS_R_NCACHENXRRSET ||
 		   eresult == DNS_R_NCACHENXDOMAIN) {
 -		   result = finddlvsep(val, ISC_TRUE);
 +		result = finddlvsep(val, ISC_TRUE);
 		if (result == ISC_R_SUCCESS) {
 -			dns_name_format(dns_fixedname_name(&val->dlvsep),
 -					namebuf, sizeof(namebuf));
 -			validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
 -				      namebuf);
 -			dlv_validator_start(val);
 +			if (dlv_algorithm_supported(val)) {
 +				dns_name_format(dns_fixedname_name(&val->dlvsep),
 +						namebuf, sizeof(namebuf));
 +				validator_log(val, ISC_LOG_DEBUG(3),
 +					      "DLV %s found", namebuf);
 +				dlv_validator_start(val);
 +			} else {
 +				validator_log(val, ISC_LOG_DEBUG(3),
 +					      "DLV %s found with no supported "
 +					      "algorithms", namebuf);
 +				markanswer(val);
 +				validator_done(val, ISC_R_SUCCESS);
 +			}
 		} else if (result == ISC_R_NOTFOUND) {
 			validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
 			markanswer(val);
@@ -3032,9 +3080,16 @@
 	}
 	dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
 			sizeof(namebuf));
 -	validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
 -	dlv_validator_start(val);
 -	return (DNS_R_WAIT);
 +	if (dlv_algorithm_supported(val)) {
 +		validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
 +		dlv_validator_start(val);
 +		return (DNS_R_WAIT);
 +	} 
 +	validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported "
 +		      "algorithms", namebuf);
 +	markanswer(val);
 +	validator_done(val, ISC_R_SUCCESS);
 +	return (ISC_R_SUCCESS);
 }
 /*%