diff --git a/SOURCES/bind-9.18-configurable-additional-records.patch b/SOURCES/bind-9.18-configurable-additional-records.patch
new file mode 100644
index 0000000..48ac2f6
--- /dev/null
+++ b/SOURCES/bind-9.18-configurable-additional-records.patch
@@ -0,0 +1,168 @@
+From bddd8950ff3d82d503dfb64e67d24ce364e5a5af Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Mon, 16 Jun 2025 19:36:13 +0200
+Subject: [PATCH] Support runtime configurable limit of additional records
+
+Use environment variable NAMED_MAXADDITIONAL to change default built-in
+limit. Uses environment variable to avoid the need to support the variable
+option in the more recent versions and after upgrades.
+
+Use debug 1 verbosity for logging parsed limit at the start, but not
+changing production logs.
+---
+ bin/named/main.c | 5 +++++
+ bin/named/named.rst | 9 +++++++++
+ lib/ns/include/ns/server.h | 13 +++++++++++++
+ lib/ns/query.c | 4 ++--
+ lib/ns/server.c | 25 +++++++++++++++++++++++++
+ 5 files changed, 54 insertions(+), 2 deletions(-)
+
+diff --git a/bin/named/main.c b/bin/named/main.c
+index f62f82c..0de658a 100644
+--- a/bin/named/main.c
++++ b/bin/named/main.c
+@@ -1327,6 +1327,11 @@ setup(void) {
+ if (sigvalinsecs) {
+ ns_server_setoption(sctx, NS_SERVER_SIGVALINSECS, true);
+ }
++ isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
++ NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
++ "using max %u additional records",
++ ns_server_getmaxadditionalrecords(sctx));
++
+ }
+
+ static void
+diff --git a/bin/named/named.rst b/bin/named/named.rst
+index 3cd6350..06af140 100644
+--- a/bin/named/named.rst
++++ b/bin/named/named.rst
+@@ -228,6 +228,15 @@ Files
+ ``/var/run/named/named.pid``
+ The default process-id file.
+
++Environment
++~~~~~~~~~~~
++
++NAMED_MAXADDITIONAL
++ Red Hat specific extension. Accepts numeric value of maximal NS
++ records, which would get fetched additional addresses. Default
++ value is 13. Allows runtime configurable limit introduced in
++ CVE-2024-11187 fixes.
++
+ Notes
+ ~~~~~
+
+diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h
+index 0abb579..4864ba4 100644
+--- a/lib/ns/include/ns/server.h
++++ b/lib/ns/include/ns/server.h
+@@ -122,6 +122,8 @@ struct ns_server {
+ isc_stats_t *tcpoutstats4;
+ isc_stats_t *tcpinstats6;
+ isc_stats_t *tcpoutstats6;
++
++ unsigned int max_additional_records;
+ };
+
+ struct ns_altsecret {
+@@ -166,6 +168,17 @@ ns_server_setserverid(ns_server_t *sctx, const char *serverid);
+ *\li 'sctx' is valid.
+ */
+
++unsigned int
++ns_server_getmaxadditionalrecords(ns_server_t *sctx);
++/*%<
++ * Returns the maximal number of records with additional addresses
++ * provided.
++ *
++ * Requires:
++ *\li 'sctx' is valid.
++ */
++
++
+ void
+ ns_server_setoption(ns_server_t *sctx, unsigned int option, bool value);
+ /*%<
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index ce1d710..37893e2 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -2032,7 +2032,7 @@ addname:
+ if (trdataset != NULL && dns_rdatatype_followadditional(type)) {
+ eresult = dns_rdataset_additionaldata2(
+ trdataset, query_additional_cb, qctx,
+- DNS_RDATASET_MAXADDITIONAL);
++ client->sctx->max_additional_records);
+ }
+
+ cleanup:
+@@ -2124,7 +2124,7 @@ regular:
+ * We don't care if dns_rdataset_additionaldata() fails.
+ */
+ (void)dns_rdataset_additionaldata2(rdataset, query_additional_cb,
+- qctx, DNS_RDATASET_MAXADDITIONAL);
++ qctx, client->sctx->max_additional_records);
+ CTRACE(ISC_LOG_DEBUG(3), "query_additional: done");
+ }
+
+diff --git a/lib/ns/server.c b/lib/ns/server.c
+index 540bc2e..0a4abb3 100644
+--- a/lib/ns/server.c
++++ b/lib/ns/server.c
+@@ -17,6 +17,7 @@
+ #include
+ #include
+
++#include
+ #include
+ #include
+
+@@ -33,6 +34,22 @@
+ RUNTIME_CHECK(result == ISC_R_SUCCESS); \
+ } while (0)
+
++/*
++ * CVE-2024-11187 introduced a limit on maximal number of records,
++ * for which additional records would be fetched. Make this limit
++ * configurable runtime only by environment.
++ */
++static size_t
++initialize_maxadditional(void) {
++ const char *limits;
++
++ limits = getenv("NAMED_MAXADDITIONAL");
++ if (limits != NULL) {
++ return strtol(limits, NULL, 10);
++ }
++ return DNS_RDATASET_MAXADDITIONAL;
++}
++
+ isc_result_t
+ ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview,
+ ns_server_t **sctxp) {
+@@ -90,6 +107,7 @@ ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview,
+
+ sctx->udpsize = 1232;
+ sctx->transfer_tcp_message_size = 20480;
++ sctx->max_additional_records = initialize_maxadditional();
+
+ sctx->fuzztype = isc_fuzz_none;
+ sctx->fuzznotify = NULL;
+@@ -213,6 +231,13 @@ ns_server_setserverid(ns_server_t *sctx, const char *serverid) {
+ return (ISC_R_SUCCESS);
+ }
+
++unsigned int
++ns_server_getmaxadditionalrecords(ns_server_t *sctx) {
++ REQUIRE(SCTX_VALID(sctx));
++
++ return sctx->max_additional_records;
++}
++
+ void
+ ns_server_setoption(ns_server_t *sctx, unsigned int option, bool value) {
+ REQUIRE(SCTX_VALID(sctx));
+--
+2.49.0
+
diff --git a/SOURCES/bind-9.18-partial-additional-records.patch b/SOURCES/bind-9.18-partial-additional-records.patch
new file mode 100644
index 0000000..5aaf66f
--- /dev/null
+++ b/SOURCES/bind-9.18-partial-additional-records.patch
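Review bot: `initialize_maxadditional` in the lib/ns/server.c hunk trusts `strtol(limits, NULL, 10)` without an end pointer, errno or range check, so `NAMED_MAXADDITIONAL=abc` (or an empty string) yields 0, which `dns_rdataset_additionaldata2` treats as "no limit" (`limit != 0`), and a negative value wraps through the `size_t` return and the `unsigned int` field into an effectively unbounded limit — either silently removes the CVE-2024-11187 bound this variable is meant to tune. Parse with an end pointer, reject trailing garbage, a leading sign and values above `UINT_MAX`, and fall back to `DNS_RDATASET_MAXADDITIONAL` on any failure (a logged warning would help operators notice a typo); if 0 is intended as an explicit opt-out, the named.rst entry should say so. Returning `unsigned int` rather than `size_t` also removes the implicit narrowing into `max_additional_records`. The rewrite below needs `<errno.h>` and `<limits.h>` next to the `#include` the hunk adds (its argument is not visible here).
```c
static unsigned int
initialize_maxadditional(void) {
	const char *limits = getenv("NAMED_MAXADDITIONAL");
	char *end = NULL;
	unsigned long value;

	/* Unset or empty: keep the built-in default. */
	if (limits == NULL || *limits == '\0') {
		return DNS_RDATASET_MAXADDITIONAL;
	}
	/* strtoul() accepts a leading '-' and wraps; require a digit first. */
	if (*limits < '0' || *limits > '9') {
		return DNS_RDATASET_MAXADDITIONAL;
	}
	errno = 0;
	value = strtoul(limits, &end, 10);
	if (*end != '\0' || errno == ERANGE || value > UINT_MAX) {
		return DNS_RDATASET_MAXADDITIONAL;
	}
	return (unsigned int)value;
}
```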
@@ -0,0 +1,54 @@
+From 9140eac85cda21fa86f2768f7ccaf6800776c726 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Thu, 19 Jun 2025 19:51:43 +0200
+Subject: [PATCH] Limit number of additional records fetched
+
+Limit number of started fetches for additional zone instead of doing
+none. Keep limit of NS filled with additional records, but present at
+least some if possible.
+
+Might help broken implementations relying on receiving addresses in the
+response for NS query in authoritative zone.
+---
+ lib/dns/rdataset.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
+index ffe6163..cfdb7d5 100644
+--- a/lib/dns/rdataset.c
++++ b/lib/dns/rdataset.c
+@@ -586,6 +586,7 @@ dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
+ dns_additionaldatafunc_t add, void *arg, size_t limit) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result;
++ size_t n = 0;
+
+ /*
+ * For each rdata in rdataset, call 'add' for each name and type in the
+@@ -595,10 +596,6 @@ dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+
+- if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
+- return DNS_R_TOOMANYRECORDS;
+- }
+-
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+@@ -608,7 +605,11 @@ dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_additionaldata(&rdata, add, arg);
+ if (result == ISC_R_SUCCESS) {
+- result = dns_rdataset_next(rdataset);
++ if (limit != 0 && ++n >= limit) {
++ result = DNS_R_TOOMANYRECORDS;
++ } else {
++ result = dns_rdataset_next(rdataset);
++ }
+ }
+ dns_rdata_reset(&rdata);
+ } while (result == ISC_R_SUCCESS);
+--
+2.49.0
+
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index b5daf6b..6ca9921 100644
--- a/SPECS/bind.spec
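Review bot: In the lib/dns/rdataset.c hunk, `if (limit != 0 && ++n >= limit)` fires right after the limit-th rdata has been processed, before checking whether another one exists, so a set with exactly `limit` entries now returns `DNS_R_TOOMANYRECORDS` where the removed `dns_rdataset_count(rdataset) > limit` check let it through and the loop ended via `ISC_R_NOMORE`. Advancing first and only then applying the cap keeps that case intact while still serving a partial set: replace the added if/else with `result = dns_rdataset_next(rdataset);` followed by `if (result == ISC_R_SUCCESS && limit != 0 && ++n >= limit) { result = DNS_R_TOOMANYRECORDS; }`. Whether the exact-limit case is observable depends on how the callers in lib/ns/query.c use the return value — one stores it in `eresult`, the other discards it — and on the result mapping after the `while`, which lies outside this hunk. The function's leading comment (also outside the hunk) should state that `limit` now caps the number of rdatas processed instead of rejecting the whole set.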
+++ b/SPECS/bind.spec
@@ -56,7 +56,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: MPLv2.0
 Version: 9.16.23
-Release: 29%{?dist}
+Release: 31%{?dist}
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
@@ -185,6 +185,9 @@ Patch216: bind-9.18-CVE-2024-11187.patch
 Patch217: bind-9.21-resume-qmin-cname.patch
 # downstream only, extra check for above change, RHEL-30407
 Patch218: bind-9.18-query-fname-relative.patch
+Patch219: bind-9.18-partial-additional-records.patch
+# downstream only, RHEL-84006
+Patch220: bind-9.18-configurable-additional-records.patch
 %{?systemd_ordering}
 
 Requires: coreutils
@@ -1229,6 +1232,12 @@ fi;
 %endif
 
 %changelog
+* Wed Jul 09 2025 Petr Menšík - 32:9.16.23-31
+- Add runtime tunable limit by environment NAMED_MAXADDITIONAL (RHEL-84006)
+
+* Fri Jun 20 2025 Petr Menšík - 32:9.16.23-30
+- Change additional NS to be served partially (RHEL-84006)
+
 * Tue Jun 10 2025 Petr Menšík - 32:9.18.23-29
 - Prevent name.c:670 attributes assertion failed (RHEL-30407)
 - Add extra checks for relative names