- fall back to insecure mode when no supported DNSSEC algorithm is found

instead of SERVFAIL - don't fall back to non-EDNS0 queries when DO bit is set
2009-03-17 11:41:17 +00:00 · 2009-03-17 11:41:17 +00:00 · 913b3afd3d
commit 913b3afd3d
parent fc276131b5
2 changed files with 227 additions and 1 deletions
--- a/bind.spec
+++ b/bind.spec
@ -20,7 +20,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  ISC
 Version:  9.6.0
-Release:  10.%{PATCHVER}%{?dist}
+Release:  11.%{PATCHVER}%{?dist}
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -54,6 +54,7 @@ Patch99: bind-96-libtool2.patch
 Patch101:bind-96-old-api.patch
 Patch102:bind-95-rh452060.patch
 Patch103:bind-96-realloc.patch
+Patch106:bind9-fedora-0001.diff

 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@ -220,6 +221,7 @@ mkdir m4

 %patch102 -p1 -b .rh452060
 %patch103 -p0 -b .realloc
+%patch106 -p1 -b .nsec3

 # Sparc and s390 arches need to use -fPIE
 %ifarch sparcv9 sparc64 s390 s390x
@ -569,6 +571,11 @@ rm -rf ${RPM_BUILD_ROOT}
 %ghost %{chroot_prefix}/etc/localtime

 %changelog
+* Tue Mar 17 2009 Adam Tkac <atkac redhat com> 32:9.6.0-11.P1
+- fall back to insecure mode when no supported DNSSEC algorithm is found
+  instead of SERVFAIL
+- don't fall back to non-EDNS0 queries when DO bit is set
+
 * Tue Mar 10 2009 Adam Tkac <atkac redhat com> 32:9.6.0-10.P1
 - enable DNSSEC only if it is enabled in sysconfig/dnssec

--- a/bind9-fedora-0001.diff
+++ b/bind9-fedora-0001.diff
@ -0,0 +1,219 @@
+diff -ur bind-9.6.0-P1.pristine/lib/dns/resolver.c bind-9.6.0-P1/lib/dns/resolver.c
+--- bind-9.6.0-P1.pristine/lib/dns/resolver.c	2008-11-06 18:52:34.000000000 -0600
+++ bind-9.6.0-P1/lib/dns/resolver.c	2009-03-16 21:15:44.000000000 -0500
+@@ -222,6 +222,7 @@
+ 	 * is used for EDNS0 black hole detection.
+ 	 */
+ 	unsigned int			timeouts;
+
+ 	/*%
+ 	 * Look aside state for DS lookups.
+ 	 */
+@@ -245,6 +246,7 @@
+ 	 */
+ 	isc_uint32_t                    rand_buf;
+ 	isc_uint32_t                    rand_bits;
+	isc_boolean_t			timeout;
+ };
+ 
+ #define FCTX_MAGIC			ISC_MAGIC('F', '!', '!', '!')
+@@ -1575,28 +1577,44 @@
+ 				    DNS_FETCHOPT_NOEDNS0);
+ 	}
+ 
+-	/* Sync NOEDNS0 flag in addrinfo->flags and options now */
+	/* Sync NOEDNS0 flag in addrinfo->flags and options now. */
+ 	if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) != 0)
+ 		query->options |= DNS_FETCHOPT_NOEDNS0;
+ 
+ 	/*
+	 * Handle timeouts by reducing the UDP response size to 512 bytes
+	 * then if that doesn't work disabling EDNS (includes DO) and CD.
+	 *
+	 * These timeout can be due to:
+	 *	* broken nameservers that don't respond to EDNS queries.
+	 *	* broken/misconfigured firewalls and NAT implementations
+	 *	  that don't handle IP fragmentation.
+	 *	* broken/misconfigured firewalls that don't handle responses
+	 *	  greater than 512 bytes.
+	 *	* broken/misconfigured firewalls that don't handle EDNS, DO
+	 *	  or CD.
+	 *	* packet loss / link outage.
+	 */
+	if (fctx->timeout) {
+		if ((triededns512(fctx, &query->addrinfo->sockaddr) ||
+		     fctx->timeouts >= (MAX_EDNS0_TIMEOUTS * 2)) &&
+		    (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+			query->options |= DNS_FETCHOPT_NOEDNS0;
+			fctx->reason = "disabling EDNS";
+		} else if ((triededns(fctx, &query->addrinfo->sockaddr) ||
+			    fctx->timeouts >= MAX_EDNS0_TIMEOUTS) &&
+			   (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+			query->options |= DNS_FETCHOPT_EDNS512;
+			fctx->reason = "reducing the advertised EDNS UDP "
+				       "packet size to 512 octets";
+		}
+		fctx->timeout = ISC_FALSE;
+	}
+
+	/*
+ 	 * Use EDNS0, unless the caller doesn't want it, or we know that
+ 	 * the remote server doesn't like it.
+ 	 */
+-
+-	if ((triededns512(fctx, &query->addrinfo->sockaddr) ||
+-	     fctx->timeouts >= (MAX_EDNS0_TIMEOUTS * 2)) &&
+-	    (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+-		query->options |= DNS_FETCHOPT_NOEDNS0;
+-		fctx->reason = "disabling EDNS";
+-	} else if ((triededns(fctx, &query->addrinfo->sockaddr) ||
+-		    fctx->timeouts >= MAX_EDNS0_TIMEOUTS) &&
+-		   (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+-		query->options |= DNS_FETCHOPT_EDNS512;
+-		fctx->reason = "reducing the advertised EDNS UDP packet "
+-			       "size to 512 octets";
+-	}
+-
+ 	if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+ 		if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) {
+ 			unsigned int version = 0;       /* Default version. */
+@@ -2909,6 +2927,7 @@
+ 		isc_result_t result;
+ 
+ 		fctx->timeouts++;
+		fctx->timeout = ISC_TRUE;
+ 		/*
+ 		 * We could cancel the running queries here, or we could let
+ 		 * them keep going.  Since we normally use separate sockets for
+@@ -3242,6 +3261,7 @@
+ 	fctx->reason = NULL;
+ 	fctx->rand_buf = 0;
+ 	fctx->rand_bits = 0;
+	fctx->timeout = ISC_FALSE;
+ 
+ 	dns_name_init(&fctx->nsname, NULL);
+ 	fctx->nsfetch = NULL;
+@@ -4508,7 +4528,8 @@
+ 	 */
+ 	ttl = fctx->res->view->maxncachettl;
+ 	if (fctx->type == dns_rdatatype_soa &&
+-	    covers == dns_rdatatype_any)
+	    covers == dns_rdatatype_any &&
+	    fctx->res->zero_no_soa_ttl)
+ 		ttl = 0;
+ 
+ 	result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
+@@ -5768,6 +5789,7 @@
+ 	}
+ 
+ 	fctx->timeouts = 0;
+	fctx->timeout = ISC_FALSE;
+ 
+ 	/*
+ 	 * XXXRTH  We should really get the current time just once.  We
+diff -ur bind-9.6.0-P1.pristine/lib/dns/validator.c bind-9.6.0-P1/lib/dns/validator.c
+--- bind-9.6.0-P1.pristine/lib/dns/validator.c	2008-11-14 17:47:33.000000000 -0600
+++ bind-9.6.0-P1/lib/dns/validator.c	2009-03-16 21:13:56.000000000 -0500
+@@ -218,6 +218,37 @@
+ 	return (ISC_TRUE);
+ }
+ 
+/*
+ * Check that we have atleast one supported algorithm in the DLV RRset.
+ */
+static inline isc_boolean_t
+dlv_algorithm_supported(dns_validator_t *val) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_dlv_t dlv;
+	isc_result_t result;
+
+	for (result = dns_rdataset_first(&val->dlv);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&val->dlv)) {
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(&val->dlv, &rdata);
+		result = dns_rdata_tostruct(&rdata, &dlv, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						      val->event->name,
+						      dlv.algorithm))
+			continue;
+
+		if (dlv.digest_type != DNS_DSDIGEST_SHA256 &&
+		    dlv.digest_type != DNS_DSDIGEST_SHA1)
+			continue;
+
+		return (ISC_TRUE);
+	}
+	return (ISC_FALSE);
+}
+
+ /*%
+  * Look in the NSEC record returned from a DS query to see if there is
+  * a NS RRset at this name.  If it is found we are at a delegation point.
+@@ -2957,19 +2988,36 @@
+ 				sizeof(namebuf));
+ 		dns_rdataset_clone(&val->frdataset, &val->dlv);
+ 		val->havedlvsep = ISC_TRUE;
+-		validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
+-		dlv_validator_start(val);
+		if (dlv_algorithm_supported(val)) {
+			validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
+				      namebuf);
+			dlv_validator_start(val);
+		} else {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "DLV %s found with no supported algorithms",
+				      namebuf);
+			markanswer(val);
+			validator_done(val, ISC_R_SUCCESS);
+		}
+ 	} else if (eresult == DNS_R_NXRRSET ||
+ 		   eresult == DNS_R_NXDOMAIN ||
+ 		   eresult == DNS_R_NCACHENXRRSET ||
+ 		   eresult == DNS_R_NCACHENXDOMAIN) {
+-		   result = finddlvsep(val, ISC_TRUE);
+		result = finddlvsep(val, ISC_TRUE);
+ 		if (result == ISC_R_SUCCESS) {
+-			dns_name_format(dns_fixedname_name(&val->dlvsep),
+-					namebuf, sizeof(namebuf));
+-			validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
+-				      namebuf);
+-			dlv_validator_start(val);
+			if (dlv_algorithm_supported(val)) {
+				dns_name_format(dns_fixedname_name(&val->dlvsep),
+						namebuf, sizeof(namebuf));
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "DLV %s found", namebuf);
+				dlv_validator_start(val);
+			} else {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "DLV %s found with no supported "
+					      "algorithms", namebuf);
+				markanswer(val);
+				validator_done(val, ISC_R_SUCCESS);
+			}
+ 		} else if (result == ISC_R_NOTFOUND) {
+ 			validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
+ 			markanswer(val);
+@@ -3032,9 +3080,16 @@
+ 	}
+ 	dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
+ 			sizeof(namebuf));
+-	validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
+-	dlv_validator_start(val);
+-	return (DNS_R_WAIT);
+	if (dlv_algorithm_supported(val)) {
+		validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
+		dlv_validator_start(val);
+		return (DNS_R_WAIT);
+	} 
+	validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported "
+		      "algorithms", namebuf);
+	markanswer(val);
+	validator_done(val, ISC_R_SUCCESS);
+	return (ISC_R_SUCCESS);
+ }
+ 
+ /*%