Do not keep stale records by default

By default set max-stale-ttl to 0, unless stale-answer-enable yes. This
were enabled by mistake when backporting fix for CVE-2023-2828. It
causes increased cache usage on servers not wanting to serve stale
records. Fix that by setting smart defaults based on stale answers
enabled with possible manual tuning.

Resolves: RHEL-11785
This commit is contained in:
Petr Menšík 2023-10-09 19:11:01 +02:00
parent 018fc22e5f
commit d6d7d52c10
2 changed files with 72 additions and 1 deletions

View File

@ -0,0 +1,65 @@
From 8a7bff93037432fcfe8532752e89f150ea3030a4 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 9 Oct 2023 19:00:12 +0200
Subject: [PATCH] Do not keep stale records by default
By default set max-stale-ttl to 0, unless stale-answer-enable yes. This
were enabled by mistake when backporting fix for CVE-2023-2828. It
causes increased cache usage on servers not wanting to serve stale
records. Fix that by setting smart defaults based on stale answers
enabled with possible manual tuning.
---
bin/named/server.c | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 7af90d0..afdc4fa 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -3295,7 +3295,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
size_t max_acache_size;
size_t max_adb_size;
uint32_t lame_ttl, fail_ttl;
- uint32_t max_stale_ttl;
+ uint32_t max_stale_ttl = 0;
dns_tsig_keyring_t *ring = NULL;
dns_view_t *pview = NULL; /* Production view */
isc_mem_t *cmctx = NULL, *hmctx = NULL;
@@ -3739,16 +3739,29 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
if (view->maxncachettl > 7 * 24 * 3600)
view->maxncachettl = 7 * 24 * 3600;
- obj = NULL;
- result = ns_config_get(maps, "max-stale-ttl", &obj);
- INSIST(result == ISC_R_SUCCESS);
- max_stale_ttl = cfg_obj_asuint32(obj);
-
obj = NULL;
result = ns_config_get(maps, "stale-answer-enable", &obj);
INSIST(result == ISC_R_SUCCESS);
view->staleanswersenable = cfg_obj_asboolean(obj);
+ // RHEL-11785 -- set the stale-ttl to non-zero value only if enabled
+ obj = NULL;
+ if (view->staleanswersenable) {
+ result = ns_config_get(maps, "max-stale-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ max_stale_ttl = cfg_obj_asuint32(obj);
+ /*
+ * If 'stale-answer-enable' is false, max_stale_ttl is set
+ * to 0, meaning keeping stale RRsets in cache is disabled.
+ */
+ } else {
+ /* Do not use default value if stale is disabled,
+ * but allow manual overriding, like 'stale-cache-enable' */
+ result = ns_config_get(optionmaps, "max-stale-ttl", &obj);
+ if (result == ISC_R_SUCCESS)
+ max_stale_ttl = cfg_obj_asuint32(obj);
+ }
+
result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
view->rdclass, &pview);
if (result == ISC_R_SUCCESS) {
--
2.41.0

View File

@ -68,7 +68,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: MPLv2.0
Version: 9.11.36
Release: 11%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Release: 12%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@ -175,6 +175,8 @@ Patch196: bind-9.16-CVE-2022-3094-test.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/f1d9e9ee3859976f403914d20ad2a10855343702
Patch197: bind-9.11-CVE-2023-2828.patch
Patch198: bind-9.16-CVE-2023-3341.patch
# https://issues.redhat.com/browse/RHEL-11785, downstream
Patch199: bind-9.11-stale-cache.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@ -583,6 +585,7 @@ are used for building ISC DHCP.
%patch196 -p1 -b .CVE-2022-3094-test
%patch197 -p1 -b .CVE-2023-2828
%patch198 -p1 -b .CVE-2023-3341
%patch199 -p1 -b .RHEL-11785
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@ -1635,6 +1638,9 @@ rm -rf ${RPM_BUILD_ROOT}
%endif
%changelog
* Mon Oct 09 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-12
- Disable caching of stale records by default (RHEL-11785)
* Tue Sep 19 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-11
- Prevent exahustion of memory from control channel (CVE-2023-3341)