Do not keep stale records by default
By default set max-stale-ttl to 0, unless stale-answer-enable yes. This was enabled by mistake when backporting the fix for CVE-2023-2828. It causes increased cache usage on servers that do not want to serve stale records. Fix that by setting smart defaults based on whether stale answers are enabled, with possible manual tuning. Resolves: RHEL-11785
This commit is contained in:
parent
018fc22e5f
commit
d6d7d52c10
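--- /dev/null
+++ b/bind-9.11-stale-cache.patch
@@ -0,0 +1,65 @@
+From 8a7bff93037432fcfe8532752e89f150ea3030a4 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Mon, 9 Oct 2023 19:00:12 +0200
+Subject: [PATCH] Do not keep stale records by default
+
+By default set max-stale-ttl to 0, unless stale-answer-enable yes. This
+were enabled by mistake when backporting fix for CVE-2023-2828. It
+causes increased cache usage on servers not wanting to serve stale
+records. Fix that by setting smart defaults based on stale answers
+enabled with possible manual tuning.
+---
+bin/named/server.c | 25 +++++++++++++++++++------
+1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 7af90d0..afdc4fa 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -3295,7 +3295,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+size_t max_acache_size;
+size_t max_adb_size;
+uint32_t lame_ttl, fail_ttl;
+- uint32_t max_stale_ttl;
++ uint32_t max_stale_ttl = 0;
+dns_tsig_keyring_t *ring = NULL;
+dns_view_t *pview = NULL; /* Production view */
+isc_mem_t *cmctx = NULL, *hmctx = NULL;
+@@ -3739,16 +3739,29 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+if (view->maxncachettl > 7 * 24 * 3600)
+view->maxncachettl = 7 * 24 * 3600;
+
+- obj = NULL;
+- result = ns_config_get(maps, "max-stale-ttl", &obj);
+- INSIST(result == ISC_R_SUCCESS);
+- max_stale_ttl = cfg_obj_asuint32(obj);
+-
+obj = NULL;
+result = ns_config_get(maps, "stale-answer-enable", &obj);
+INSIST(result == ISC_R_SUCCESS);
+view->staleanswersenable = cfg_obj_asboolean(obj);
+
++ // RHEL-11785 -- set the stale-ttl to non-zero value only if enabled
++ obj = NULL;
++ if (view->staleanswersenable) {
++ result = ns_config_get(maps, "max-stale-ttl", &obj);
++ INSIST(result == ISC_R_SUCCESS);
++ max_stale_ttl = cfg_obj_asuint32(obj);
++ /*
++ * If 'stale-answer-enable' is false, max_stale_ttl is set
++ * to 0, meaning keeping stale RRsets in cache is disabled.
++ */
++ } else {
++ /* Do not use default value if stale is disabled,
++ * but allow manual overriding, like 'stale-cache-enable' */
++ result = ns_config_get(optionmaps, "max-stale-ttl", &obj);
++ if (result == ISC_R_SUCCESS)
++ max_stale_ttl = cfg_obj_asuint32(obj);
++ }
++
+result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
+view->rdclass, &pview);
+if (result == ISC_R_SUCCESS) {
+--
+2.41.0
+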
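Review bot: The comment block `/* If 'stale-answer-enable' is false, max_stale_ttl is set to 0, meaning keeping stale RRsets in cache is disabled. */` is placed inside the `if (view->staleanswersenable)` branch, directly after the value has just been read from `maps`, but it describes the `else` path; it should move above `} else {` or be merged into the comment already in that branch so a reader does not conclude the fetched value is zeroed. Two style points in the same hunk: the `// RHEL-11785 --` line is a C++-style comment in a file that otherwise uses `/* */`, and `if (result == ISC_R_SUCCESS)` in the else branch has no braces while every other control statement in the hunk does. The else branch queries `optionmaps` instead of `maps`, so an explicitly configured `max-stale-ttl` still takes effect while the built-in default is skipped — presumably the intent, but nothing in this commit updates the named.conf documentation shipped with the package, so operators without `stale-answer-enable` will still read the upstream default for this option; a sentence in the man page or the spec changelog would make the downstream divergence visible. configure_view continues outside the hunk, so the point where max_stale_ttl is finally handed to the cache cannot be checked here.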
@ -68,7 +68,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
|
|||||||
Name: bind
|
Name: bind
|
||||||
License: MPLv2.0
|
License: MPLv2.0
|
||||||
Version: 9.11.36
|
Version: 9.11.36
|
||||||
Release: 11%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
|
Release: 12%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
|
||||||
Epoch: 32
|
Epoch: 32
|
||||||
Url: https://www.isc.org/downloads/bind/
|
Url: https://www.isc.org/downloads/bind/
|
||||||
#
|
#
|
||||||
@ -175,6 +175,8 @@ Patch196: bind-9.16-CVE-2022-3094-test.patch
|
|||||||
# https://gitlab.isc.org/isc-projects/bind9/commit/f1d9e9ee3859976f403914d20ad2a10855343702
|
# https://gitlab.isc.org/isc-projects/bind9/commit/f1d9e9ee3859976f403914d20ad2a10855343702
|
||||||
Patch197: bind-9.11-CVE-2023-2828.patch
|
Patch197: bind-9.11-CVE-2023-2828.patch
|
||||||
Patch198: bind-9.16-CVE-2023-3341.patch
|
Patch198: bind-9.16-CVE-2023-3341.patch
|
||||||
|
# https://issues.redhat.com/browse/RHEL-11785, downstream
|
||||||
|
Patch199: bind-9.11-stale-cache.patch
|
||||||
|
|
||||||
# SDB patches
|
# SDB patches
|
||||||
Patch11: bind-9.3.2b2-sdbsrc.patch
|
Patch11: bind-9.3.2b2-sdbsrc.patch
|
||||||
@ -583,6 +585,7 @@ are used for building ISC DHCP.
|
|||||||
%patch196 -p1 -b .CVE-2022-3094-test
|
%patch196 -p1 -b .CVE-2022-3094-test
|
||||||
%patch197 -p1 -b .CVE-2023-2828
|
%patch197 -p1 -b .CVE-2023-2828
|
||||||
%patch198 -p1 -b .CVE-2023-3341
|
%patch198 -p1 -b .CVE-2023-3341
|
||||||
|
%patch199 -p1 -b .RHEL-11785
|
||||||
|
|
||||||
mkdir lib/dns/tests/testdata/dstrandom
|
mkdir lib/dns/tests/testdata/dstrandom
|
||||||
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
|
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
|
||||||
@ -1635,6 +1638,9 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Oct 09 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-12
|
||||||
|
- Disable caching of stale records by default (RHEL-11785)
|
||||||
|
|
||||||
* Tue Sep 19 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-11
|
* Tue Sep 19 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-11
|
||||||
- Prevent exahustion of memory from control channel (CVE-2023-3341)
|
- Prevent exahustion of memory from control channel (CVE-2023-3341)
|
||||||
|
|
||||||
|