Do not keep stale records by default

By default set max-stale-ttl to 0, unless stale-answer-enable yes. This were enabled by mistake when backporting fix for CVE-2023-2828. It causes increased cache usage on servers not wanting to serve stale records. Fix that by setting smart defaults based on stale answers enabled with possible manual tuning. Resolves: RHEL-11785
2023-10-09 19:11:01 +02:00 · 2023-10-09 19:11:01 +02:00 · d6d7d52c10
commit d6d7d52c10
parent 018fc22e5f
2 changed files with 72 additions and 1 deletions
--- a/bind-9.11-stale-cache.patch
+++ b/bind-9.11-stale-cache.patch
@ -0,0 +1,65 @@
+From 8a7bff93037432fcfe8532752e89f150ea3030a4 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Mon, 9 Oct 2023 19:00:12 +0200
+Subject: [PATCH] Do not keep stale records by default
+
+By default set max-stale-ttl to 0, unless stale-answer-enable yes. This
+were enabled by mistake when backporting fix for CVE-2023-2828. It
+causes increased cache usage on servers not wanting to serve stale
+records. Fix that by setting smart defaults based on stale answers
+enabled with possible manual tuning.
+---
+ bin/named/server.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 7af90d0..afdc4fa 100644
+--- a/bin/named/server.c
+++ b/bin/named/server.c
+@@ -3295,7 +3295,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 	size_t max_acache_size;
+ 	size_t max_adb_size;
+ 	uint32_t lame_ttl, fail_ttl;
+-	uint32_t max_stale_ttl;
+	uint32_t max_stale_ttl = 0;
+ 	dns_tsig_keyring_t *ring = NULL;
+ 	dns_view_t *pview = NULL;	/* Production view */
+ 	isc_mem_t *cmctx = NULL, *hmctx = NULL;
+@@ -3739,16 +3739,29 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 	if (view->maxncachettl > 7 * 24 * 3600)
+ 		view->maxncachettl = 7 * 24 * 3600;
+ 
+-	obj = NULL;
+-	result = ns_config_get(maps, "max-stale-ttl", &obj);
+-	INSIST(result == ISC_R_SUCCESS);
+-	max_stale_ttl = cfg_obj_asuint32(obj);
+-
+ 	obj = NULL;
+ 	result = ns_config_get(maps, "stale-answer-enable", &obj);
+ 	INSIST(result == ISC_R_SUCCESS);
+ 	view->staleanswersenable = cfg_obj_asboolean(obj);
+ 
+	// RHEL-11785 -- set the stale-ttl to non-zero value only if enabled
+	obj = NULL;
+	if (view->staleanswersenable) {
+		result = ns_config_get(maps, "max-stale-ttl", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		max_stale_ttl = cfg_obj_asuint32(obj);
+		/*
+		 * If 'stale-answer-enable' is false, max_stale_ttl is set
+		 * to 0, meaning keeping stale RRsets in cache is disabled.
+		 */
+	} else {
+		/* Do not use default value if stale is disabled,
+		 * but allow manual overriding, like 'stale-cache-enable' */
+		result = ns_config_get(optionmaps, "max-stale-ttl", &obj);
+		if (result == ISC_R_SUCCESS)
+			max_stale_ttl = cfg_obj_asuint32(obj);
+	}
+
+ 	result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
+ 				   view->rdclass, &pview);
+ 	if (result == ISC_R_SUCCESS) {
+-- 
+2.41.0
+
--- a/bind.spec
+++ b/bind.spec
@ -68,7 +68,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.11.36
-Release:  11%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release:  12%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -175,6 +175,8 @@ Patch196: bind-9.16-CVE-2022-3094-test.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/f1d9e9ee3859976f403914d20ad2a10855343702
 Patch197: bind-9.11-CVE-2023-2828.patch
 Patch198: bind-9.16-CVE-2023-3341.patch
+# https://issues.redhat.com/browse/RHEL-11785, downstream
+Patch199: bind-9.11-stale-cache.patch

 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@ -583,6 +585,7 @@ are used for building ISC DHCP.
 %patch196 -p1 -b .CVE-2022-3094-test
 %patch197 -p1 -b .CVE-2023-2828
 %patch198 -p1 -b .CVE-2023-3341
+%patch199 -p1 -b .RHEL-11785

 mkdir lib/dns/tests/testdata/dstrandom
 cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@ -1635,6 +1638,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif

 %changelog
+* Mon Oct 09 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-12
+- Disable caching of stale records by default (RHEL-11785)
+
 * Tue Sep 19 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-11
 - Prevent exahustion of memory from control channel (CVE-2023-3341)