diff --git a/bind-9.18-configurable-additional-records.patch b/bind-9.18-configurable-additional-records.patch new file mode 100644 index 0000000..48ac2f6 --- /dev/null +++ b/bind-9.18-configurable-additional-records.patch @@ -0,0 +1,168 @@ +From bddd8950ff3d82d503dfb64e67d24ce364e5a5af Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Mon, 16 Jun 2025 19:36:13 +0200 +Subject: [PATCH] Support runtime configurable limit of additional records + +Use environment variable NAMED_MAXADDITIONAL to change default built-in +limit. Uses environment variable to avoid the need to support the variable +option in the more recent versions and after upgrades. + +Use debug 1 verbosity for logging parsed limit at the start, but not +changing production logs. +--- + bin/named/main.c | 5 +++++ + bin/named/named.rst | 9 +++++++++ + lib/ns/include/ns/server.h | 13 +++++++++++++ + lib/ns/query.c | 4 ++-- + lib/ns/server.c | 25 +++++++++++++++++++++++++ + 5 files changed, 54 insertions(+), 2 deletions(-) + +diff --git a/bin/named/main.c b/bin/named/main.c +index f62f82c..0de658a 100644 +--- a/bin/named/main.c ++++ b/bin/named/main.c +@@ -1327,6 +1327,11 @@ setup(void) { + if (sigvalinsecs) { + ns_server_setoption(sctx, NS_SERVER_SIGVALINSECS, true); + } ++ isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, ++ NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1), ++ "using max %u additional records", ++ ns_server_getmaxadditionalrecords(sctx)); ++ + } + + static void +diff --git a/bin/named/named.rst b/bin/named/named.rst +index 3cd6350..06af140 100644 +--- a/bin/named/named.rst ++++ b/bin/named/named.rst +@@ -228,6 +228,15 @@ Files + ``/var/run/named/named.pid`` + The default process-id file. + ++Environment ++~~~~~~~~~~~ ++ ++NAMED_MAXADDITIONAL ++ Red Hat specific extension. Accepts numeric value of maximal NS ++ records, which would get fetched additional addresses. Default ++ value is 13. Allows runtime configurable limit introduced in ++ CVE-2024-11187 fixes. ++ + Notes + ~~~~~ + +diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h +index 0abb579..4864ba4 100644 +--- a/lib/ns/include/ns/server.h ++++ b/lib/ns/include/ns/server.h +@@ -122,6 +122,8 @@ struct ns_server { + isc_stats_t *tcpoutstats4; + isc_stats_t *tcpinstats6; + isc_stats_t *tcpoutstats6; ++ ++ unsigned int max_additional_records; + }; + + struct ns_altsecret { +@@ -166,6 +168,17 @@ ns_server_setserverid(ns_server_t *sctx, const char *serverid); + *\li 'sctx' is valid. + */ + ++unsigned int ++ns_server_getmaxadditionalrecords(ns_server_t *sctx); ++/*%< ++ * Returns the maximal number of records with additional addresses ++ * provided. ++ * ++ * Requires: ++ *\li 'sctx' is valid. ++ */ ++ ++ + void + ns_server_setoption(ns_server_t *sctx, unsigned int option, bool value); + /*%< +diff --git a/lib/ns/query.c b/lib/ns/query.c +index ce1d710..37893e2 100644 +--- a/lib/ns/query.c ++++ b/lib/ns/query.c +@@ -2032,7 +2032,7 @@ addname: + if (trdataset != NULL && dns_rdatatype_followadditional(type)) { + eresult = dns_rdataset_additionaldata2( + trdataset, query_additional_cb, qctx, +- DNS_RDATASET_MAXADDITIONAL); ++ client->sctx->max_additional_records); + } + + cleanup: +@@ -2124,7 +2124,7 @@ regular: + * We don't care if dns_rdataset_additionaldata() fails. + */ + (void)dns_rdataset_additionaldata2(rdataset, query_additional_cb, +- qctx, DNS_RDATASET_MAXADDITIONAL); ++ qctx, client->sctx->max_additional_records); + CTRACE(ISC_LOG_DEBUG(3), "query_additional: done"); + } + +diff --git a/lib/ns/server.c b/lib/ns/server.c +index 540bc2e..0a4abb3 100644 +--- a/lib/ns/server.c ++++ b/lib/ns/server.c +@@ -17,6 +17,7 @@ + #include + #include + ++#include + #include + #include + +@@ -33,6 +34,22 @@ + RUNTIME_CHECK(result == ISC_R_SUCCESS); \ + } while (0) + ++/* ++ * CVE-2024-11187 introduced a limit on maximal number of records, ++ * for which additional records would be fetched. Make this limit ++ * configurable runtime only by environment. ++ */ ++static size_t ++initialize_maxadditional(void) { ++ const char *limits; ++ ++ limits = getenv("NAMED_MAXADDITIONAL"); ++ if (limits != NULL) { ++ return strtol(limits, NULL, 10); ++ } ++ return DNS_RDATASET_MAXADDITIONAL; ++} ++ + isc_result_t + ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview, + ns_server_t **sctxp) { +@@ -90,6 +107,7 @@ ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview, + + sctx->udpsize = 1232; + sctx->transfer_tcp_message_size = 20480; ++ sctx->max_additional_records = initialize_maxadditional(); + + sctx->fuzztype = isc_fuzz_none; + sctx->fuzznotify = NULL; +@@ -213,6 +231,13 @@ ns_server_setserverid(ns_server_t *sctx, const char *serverid) { + return (ISC_R_SUCCESS); + } + ++unsigned int ++ns_server_getmaxadditionalrecords(ns_server_t *sctx) { ++ REQUIRE(SCTX_VALID(sctx)); ++ ++ return sctx->max_additional_records; ++} ++ + void + ns_server_setoption(ns_server_t *sctx, unsigned int option, bool value) { + REQUIRE(SCTX_VALID(sctx)); +-- +2.49.0 + diff --git a/bind.spec b/bind.spec index 8050f49..6ca9921 100644 --- a/bind.spec +++ b/bind.spec @@ -56,7 +56,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.16.23 -Release: 30%{?dist} +Release: 31%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -186,6 +186,8 @@ Patch217: bind-9.21-resume-qmin-cname.patch # downstream only, extra check for above change, RHEL-30407 Patch218: bind-9.18-query-fname-relative.patch Patch219: bind-9.18-partial-additional-records.patch +# downstream only, RHEL-84006 +Patch220: bind-9.18-configurable-additional-records.patch %{?systemd_ordering} Requires: coreutils @@ -1230,6 +1232,9 @@ fi; %endif %changelog +* Wed Jul 09 2025 Petr Menšík - 32:9.16.23-31 +- Add runtime tunable limit by environment NAMED_MAXADDITIONAL (RHEL-84006) + * Fri Jun 20 2025 Petr Menšík - 32:9.16.23-30 - Change additional NS to be served partially (RHEL-84006)