From ad0c012cfc95b247401fd5119e289d31aee69872 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 20 Jun 2025 20:57:37 +0200
Subject: [PATCH] Change additional NS to be served partially

When too many NS records are fetched from authoritative zone, limit number of fetched additional records. Instead of not producing any additional record when there is over 13 NS servers, limit number of records for which those records would be fetched.

Resolves: RHEL-106784
---
 bind-9.18-partial-additional-records.patch | 54 ++++++++++++++++++++++
 bind.spec | 7 ++-
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 bind-9.18-partial-additional-records.patch

diff --git a/bind-9.18-partial-additional-records.patch b/bind-9.18-partial-additional-records.patch
new file mode 100644
index 0000000..6834616
--- /dev/null
+++ b/bind-9.18-partial-additional-records.patch
@@ -0,0 +1,54 @@
+From 3f686891729c7d39d879e8b5bb1aa17d874d265d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Thu, 19 Jun 2025 19:51:43 +0200
+Subject: [PATCH] Limit number of additional records fetched
+
+Limit number of started fetches for additional zone instead of doing
+none. Keep limit of NS filled with additional records, but present at
+least some if possible.
+
+Might help broken implementations relying on receiving addresses in the
+response for NS query in authoritative zone.
+---
+ lib/dns/rdataset.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
+index 532e49a..bfa8e37 100644
+--- a/lib/dns/rdataset.c
++++ b/lib/dns/rdataset.c
+@@ -581,6 +581,7 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ size_t limit) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result;
++ size_t n = 0;
+ 
+ /*
+ * For each rdata in rdataset, call 'add' for each name and type in the
+@@ -590,10 +591,6 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+ 
+- if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
+- return DNS_R_TOOMANYRECORDS;
+- }
+-
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS) {
+ return result;
+@@ -603,7 +600,11 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_additionaldata(&rdata, owner_name, add, arg);
+ if (result == ISC_R_SUCCESS) {
+- result = dns_rdataset_next(rdataset);
++ if (limit != 0 && ++n >= limit) {
++ result = DNS_R_TOOMANYRECORDS;
++ } else {
++ result = dns_rdataset_next(rdataset);
++ }
+ }
+ dns_rdata_reset(&rdata);
+ } while (result == ISC_R_SUCCESS);
+--
+2.50.1
+
diff --git a/bind.spec b/bind.spec
index 910ddb4..8fc94bc 100644
--- a/bind.spec
+++ b/bind.spec
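Review bot: The new cutoff `if (limit != 0 && ++n >= limit)` in the third inner hunk trips right after the limit-th record has been added, so an rdataset holding exactly `limit` records now leaves the loop with DNS_R_TOOMANYRECORDS, whereas the removed `dns_rdataset_count(rdataset) > limit` check returned success for that case and only rejected strictly larger sets. Advancing the cursor first and raising the error only when a further record exists keeps the old threshold while still capping the work: `result = dns_rdataset_next(rdataset); if (result == ISC_R_SUCCESS && limit != 0 && ++n >= limit) { result = DNS_R_TOOMANYRECORDS; }` in place of the five added lines. Whether the changed result code is observable depends on the callers, which are not part of this patch; the query path is believed to ignore it, but any other caller of dns_rdataset_additionaldata() would now see the error for a set of exactly `limit` records. The resource bound the limit exists for is preserved either way, since `add` is invoked at most `limit` times per call. The loop's epilogue and the function's return are outside the hunk, so the mapping of ISC_R_NOMORE to success after the loop is assumed rather than seen.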
@@ -80,7 +80,7 @@ License: MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause
 # Before rebasing bind, ensure bind-dyndb-ldap is ready to be rebuild and use side-tag with it.
 # Updating just bind will cause freeipa-dns-server package to be uninstallable.
 Version: 9.18.33
-Release: 5%{?dist}
+Release: 6%{?dist}
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
@@ -134,6 +134,8 @@ Patch31: bind-9.18-pkcs11-provider.patch
 Patch32: bind-9.21-resume-qmin-cname.patch
 # downstream only, extra check for above change, RHEL-30407
 Patch33: bind-9.18-query-fname-relative.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10611
+Patch34: bind-9.18-partial-additional-records.patch
 
 %{?systemd_ordering}
 # https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers
@@ -919,6 +921,9 @@ fi;
 %endif
 %changelog
+* Fri Jun 20 2025 Petr Menšík - 32:9.18.33-6
+- Change additional NS to be served partially (RHEL-84006)
+
 * Tue Jun 10 2025 Petr Menšík - 32:9.18.33-5
 - Backport support for OpenSSL provider required for PKCS11 labels
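Review bot: The comment added above the new `Patch34:` line records only the upstream MR URL, while the neighbouring `Patch33` comment follows the file's convention of naming the tracking ticket and the patch's downstream status; suggest `# limit rather than skip additional data for large NS sets; upstream MR 10611 (merge state to be confirmed), RHEL-106784`. The commit message gives the ticket as RHEL-106784, but the %changelog entry in the third hunk cites RHEL-84006, so one of the two identifiers appears wrong and should be reconciled before this is built. The %changelog hunk may continue past the end of this excerpt.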