Compare commits
13 Commits
imports/c8
...
c8
Author | SHA1 | Date | |
---|---|---|---|
26550e8f2c | |||
6650d7fa32 | |||
8d35d07b31 | |||
|
12985e724b | ||
a42ecab1d9 | |||
89e6eee714 | |||
|
d6121a1d3f | ||
|
12f00745d8 | ||
|
99a7c922e4 | ||
|
2ce979a606 | ||
|
d8d371d1e8 | ||
|
0f18d3fb97 | ||
|
7ea3346926 |
@ -1,2 +1,2 @@
|
|||||||
14064c865920842e48f444be2bda9dc91770e439 SOURCES/bind-9.11.26.tar.gz
|
4b45d15edc1e3b7902129ce27baec58a50d76b5c SOURCES/bind-9.11.36.tar.gz
|
||||||
a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data
|
a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data
|
||||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
|||||||
SOURCES/bind-9.11.26.tar.gz
|
SOURCES/bind-9.11.36.tar.gz
|
||||||
SOURCES/random.data
|
SOURCES/random.data
|
||||||
|
@ -143,7 +143,7 @@ index 390aa0c..851a008 100644
|
|||||||
CWARNINGS =
|
CWARNINGS =
|
||||||
|
|
||||||
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
|
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
|
||||||
index 3166368..a403941 100644
|
index 277a0f5..52a6375 100644
|
||||||
--- a/bin/named-pkcs11/Makefile.in
|
--- a/bin/named-pkcs11/Makefile.in
|
||||||
+++ b/bin/named-pkcs11/Makefile.in
|
+++ b/bin/named-pkcs11/Makefile.in
|
||||||
@@ -43,27 +43,27 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
|
@@ -43,27 +43,27 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
|
||||||
@ -260,7 +260,7 @@ index 3166368..a403941 100644
|
|||||||
@DLZ_DRIVER_RULES@
|
@DLZ_DRIVER_RULES@
|
||||||
|
|
||||||
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
|
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
|
||||||
index 3166368..890574f 100644
|
index 277a0f5..0e00885 100644
|
||||||
--- a/bin/named/Makefile.in
|
--- a/bin/named/Makefile.in
|
||||||
+++ b/bin/named/Makefile.in
|
+++ b/bin/named/Makefile.in
|
||||||
@@ -48,7 +48,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
|
@@ -48,7 +48,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
|
||||||
@ -294,10 +294,10 @@ index 2c19e7e..8223d5e 100644
|
|||||||
DEPLIBS = ${ISCDEPLIBS}
|
DEPLIBS = ${ISCDEPLIBS}
|
||||||
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
diff --git a/configure.ac b/configure.ac
|
||||||
index c6715b4..8144268 100644
|
index 83cad4a..e1e1a32 100644
|
||||||
--- a/configure.ac
|
--- a/configure.ac
|
||||||
+++ b/configure.ac
|
+++ b/configure.ac
|
||||||
@@ -1176,12 +1176,14 @@ AC_SUBST(USE_GSSAPI)
|
@@ -1178,12 +1178,14 @@ AC_SUBST(USE_GSSAPI)
|
||||||
AC_SUBST(DST_GSSAPI_INC)
|
AC_SUBST(DST_GSSAPI_INC)
|
||||||
AC_SUBST(DNS_GSSAPI_LIBS)
|
AC_SUBST(DNS_GSSAPI_LIBS)
|
||||||
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
|
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
|
||||||
@ -312,7 +312,7 @@ index c6715b4..8144268 100644
|
|||||||
|
|
||||||
#
|
#
|
||||||
# was --with-randomdev specified?
|
# was --with-randomdev specified?
|
||||||
@@ -1554,12 +1556,12 @@ AC_ARG_ENABLE(openssl-hash,
|
@@ -1556,12 +1558,12 @@ AC_ARG_ENABLE(openssl-hash,
|
||||||
AC_MSG_CHECKING(for OpenSSL library)
|
AC_MSG_CHECKING(for OpenSSL library)
|
||||||
OPENSSL_WARNING=
|
OPENSSL_WARNING=
|
||||||
openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw"
|
openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw"
|
||||||
@ -331,7 +331,7 @@ index c6715b4..8144268 100644
|
|||||||
|
|
||||||
if test "auto" = "$use_openssl"
|
if test "auto" = "$use_openssl"
|
||||||
then
|
then
|
||||||
@@ -1572,6 +1574,7 @@ then
|
@@ -1574,6 +1576,7 @@ then
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@ -339,7 +339,7 @@ index c6715b4..8144268 100644
|
|||||||
OPENSSL_ECDSA=""
|
OPENSSL_ECDSA=""
|
||||||
OPENSSL_GOST=""
|
OPENSSL_GOST=""
|
||||||
OPENSSL_ED25519=""
|
OPENSSL_ED25519=""
|
||||||
@@ -1593,11 +1596,10 @@ case "$with_gost" in
|
@@ -1595,11 +1598,10 @@ case "$with_gost" in
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -354,7 +354,7 @@ index c6715b4..8144268 100644
|
|||||||
CRYPTOLIB="pkcs11"
|
CRYPTOLIB="pkcs11"
|
||||||
OPENSSLECDSALINKOBJS=""
|
OPENSSLECDSALINKOBJS=""
|
||||||
OPENSSLECDSALINKSRCS=""
|
OPENSSLECDSALINKSRCS=""
|
||||||
@@ -1607,7 +1609,9 @@ case "$use_openssl" in
|
@@ -1609,7 +1611,9 @@ case "$use_openssl" in
|
||||||
OPENSSLGOSTLINKSRCS=""
|
OPENSSLGOSTLINKSRCS=""
|
||||||
OPENSSLLINKOBJS=""
|
OPENSSLLINKOBJS=""
|
||||||
OPENSSLLINKSRCS=""
|
OPENSSLLINKSRCS=""
|
||||||
@ -365,7 +365,7 @@ index c6715b4..8144268 100644
|
|||||||
no)
|
no)
|
||||||
AC_MSG_RESULT(no)
|
AC_MSG_RESULT(no)
|
||||||
DST_OPENSSL_INC=""
|
DST_OPENSSL_INC=""
|
||||||
@@ -1639,7 +1643,7 @@ case "$use_openssl" in
|
@@ -1641,7 +1645,7 @@ case "$use_openssl" in
|
||||||
If you do not want OpenSSL, use --without-openssl])
|
If you do not want OpenSSL, use --without-openssl])
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
@ -374,7 +374,7 @@ index c6715b4..8144268 100644
|
|||||||
then
|
then
|
||||||
AC_MSG_RESULT()
|
AC_MSG_RESULT()
|
||||||
AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
|
AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
|
||||||
@@ -2067,6 +2071,7 @@ AC_SUBST(OPENSSL_ED25519)
|
@@ -2077,6 +2081,7 @@ AC_SUBST(OPENSSL_ED25519)
|
||||||
AC_SUBST(OPENSSL_GOST)
|
AC_SUBST(OPENSSL_GOST)
|
||||||
|
|
||||||
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
|
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
|
||||||
@ -382,7 +382,7 @@ index c6715b4..8144268 100644
|
|||||||
|
|
||||||
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
|
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
|
||||||
if test "yes" = "$with_aes"
|
if test "yes" = "$with_aes"
|
||||||
@@ -2353,6 +2358,7 @@ esac
|
@@ -2363,6 +2368,7 @@ esac
|
||||||
AC_SUBST(PKCS11LINKOBJS)
|
AC_SUBST(PKCS11LINKOBJS)
|
||||||
AC_SUBST(PKCS11LINKSRCS)
|
AC_SUBST(PKCS11LINKSRCS)
|
||||||
AC_SUBST(CRYPTO)
|
AC_SUBST(CRYPTO)
|
||||||
@ -390,7 +390,7 @@ index c6715b4..8144268 100644
|
|||||||
AC_SUBST(PKCS11_ECDSA)
|
AC_SUBST(PKCS11_ECDSA)
|
||||||
AC_SUBST(PKCS11_GOST)
|
AC_SUBST(PKCS11_GOST)
|
||||||
AC_SUBST(PKCS11_ED25519)
|
AC_SUBST(PKCS11_ED25519)
|
||||||
@@ -5501,8 +5507,11 @@ AC_CONFIG_FILES([
|
@@ -5491,8 +5497,11 @@ AC_CONFIG_FILES([
|
||||||
bin/delv/Makefile
|
bin/delv/Makefile
|
||||||
bin/dig/Makefile
|
bin/dig/Makefile
|
||||||
bin/dnssec/Makefile
|
bin/dnssec/Makefile
|
||||||
@ -402,7 +402,7 @@ index c6715b4..8144268 100644
|
|||||||
bin/nsupdate/Makefile
|
bin/nsupdate/Makefile
|
||||||
bin/pkcs11/Makefile
|
bin/pkcs11/Makefile
|
||||||
bin/python/Makefile
|
bin/python/Makefile
|
||||||
@@ -5575,6 +5584,10 @@ AC_CONFIG_FILES([
|
@@ -5565,6 +5574,10 @@ AC_CONFIG_FILES([
|
||||||
lib/dns/include/dns/Makefile
|
lib/dns/include/dns/Makefile
|
||||||
lib/dns/include/dst/Makefile
|
lib/dns/include/dst/Makefile
|
||||||
lib/dns/tests/Makefile
|
lib/dns/tests/Makefile
|
||||||
@ -413,7 +413,7 @@ index c6715b4..8144268 100644
|
|||||||
lib/irs/Makefile
|
lib/irs/Makefile
|
||||||
lib/irs/include/Makefile
|
lib/irs/include/Makefile
|
||||||
lib/irs/include/irs/Makefile
|
lib/irs/include/irs/Makefile
|
||||||
@@ -5599,6 +5612,24 @@ AC_CONFIG_FILES([
|
@@ -5589,6 +5602,24 @@ AC_CONFIG_FILES([
|
||||||
lib/isc/unix/include/Makefile
|
lib/isc/unix/include/Makefile
|
||||||
lib/isc/unix/include/isc/Makefile
|
lib/isc/unix/include/isc/Makefile
|
||||||
lib/isc/unix/include/pkcs11/Makefile
|
lib/isc/unix/include/pkcs11/Makefile
|
||||||
@ -452,21 +452,21 @@ index f089bea..3ed939b 100644
|
|||||||
|
|
||||||
@BIND9_MAKE_RULES@
|
@BIND9_MAKE_RULES@
|
||||||
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
|
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
|
||||||
index 8fc4e94..5eefb14 100644
|
index 1d0f5df..98c9ba0 100644
|
||||||
--- a/lib/dns-pkcs11/Makefile.in
|
--- a/lib/dns-pkcs11/Makefile.in
|
||||||
+++ b/lib/dns-pkcs11/Makefile.in
|
+++ b/lib/dns-pkcs11/Makefile.in
|
||||||
@@ -26,17 +26,16 @@ VERSION=@BIND9_VERSION@
|
@@ -24,17 +24,17 @@ VERSION=@BIND9_VERSION@
|
||||||
|
|
||||||
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
|
@BIND9_MAKE_INCLUDES@
|
||||||
|
|
||||||
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
|
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
|
||||||
- ${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
|
- ${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
|
||||||
- @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
|
|
||||||
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
|
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
|
||||||
+ ${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
|
+ ${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} \
|
||||||
|
@DST_OPENSSL_INC@ @DST_GSSAPI_INC@
|
||||||
|
|
||||||
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
|
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@
|
||||||
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
|
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@
|
||||||
|
|
||||||
CWARNINGS =
|
CWARNINGS =
|
||||||
|
|
||||||
@ -478,7 +478,7 @@ index 8fc4e94..5eefb14 100644
|
|||||||
|
|
||||||
LIBS = ${MAXMINDDB_LIBS} @LIBS@
|
LIBS = ${MAXMINDDB_LIBS} @LIBS@
|
||||||
|
|
||||||
@@ -150,15 +149,15 @@ version.@O@: version.c
|
@@ -148,15 +148,15 @@ version.@O@: version.c
|
||||||
-DLIBAGE=${LIBAGE} \
|
-DLIBAGE=${LIBAGE} \
|
||||||
-c ${srcdir}/version.c
|
-c ${srcdir}/version.c
|
||||||
|
|
||||||
@ -498,7 +498,7 @@ index 8fc4e94..5eefb14 100644
|
|||||||
|
|
||||||
include: gen
|
include: gen
|
||||||
${MAKE} include/dns/enumtype.h
|
${MAKE} include/dns/enumtype.h
|
||||||
@@ -189,22 +188,22 @@ gen: gen.c
|
@@ -187,22 +187,22 @@ gen: gen.c
|
||||||
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
|
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
|
||||||
${BUILD_LIBS} ${LFS_LIBS}
|
${BUILD_LIBS} ${LFS_LIBS}
|
||||||
|
|
||||||
|
@ -1,27 +0,0 @@
|
|||||||
From 9f331a945071365ccc0cfba24241c4af6919af30 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Petr Mensik <pemensik@redhat.com>
|
|
||||||
Date: Mon, 15 Feb 2021 12:18:14 +0100
|
|
||||||
Subject: [PATCH] CVE-2020-8625
|
|
||||||
|
|
||||||
5562. [security] Fix off-by-one bug in ISC SPNEGO implementation.
|
|
||||||
(CVE-2020-8625) [GL #2354]
|
|
||||||
---
|
|
||||||
lib/dns/spnego.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
|
|
||||||
index dea108b..13cf15d 100644
|
|
||||||
--- a/lib/dns/spnego.c
|
|
||||||
+++ b/lib/dns/spnego.c
|
|
||||||
@@ -877,7 +877,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
|
|
||||||
return (ASN1_OVERRUN);
|
|
||||||
}
|
|
||||||
|
|
||||||
- data->components = malloc(len * sizeof(*data->components));
|
|
||||||
+ data->components = malloc((len + 1) * sizeof(*data->components));
|
|
||||||
if (data->components == NULL) {
|
|
||||||
return (ENOMEM);
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
1171
SOURCES/bind-9.11-CVE-2021-25220-test.patch
Normal file
1171
SOURCES/bind-9.11-CVE-2021-25220-test.patch
Normal file
254
SOURCES/bind-9.11-CVE-2021-25220.patch
Normal file
254
SOURCES/bind-9.11-CVE-2021-25220.patch
Normal file
@ -0,0 +1,254 @@
|
|||||||
|
From 1f5cb247ecd20ba57c472138f94856aa83caf042 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mark Andrews <marka@isc.org>
|
||||||
|
Date: Tue, 1 Mar 2022 09:48:05 +1100
|
||||||
|
Subject: [PATCH] Add additional name checks when using a forwarder
|
||||||
|
|
||||||
|
When using a forwarder, check that the owner name of response
|
||||||
|
records are within the bailiwick of the forwarded name space.
|
||||||
|
|
||||||
|
(cherry picked from commit e8df2802ac62016ea68585893eb4310fc3329028)
|
||||||
|
|
||||||
|
Check that the forward declaration is unchanged and not overridden
|
||||||
|
|
||||||
|
If we are using a fowarder, in addition to checking that names to
|
||||||
|
be cached are subdomains of the forwarded namespace, we must also
|
||||||
|
check that there are no subsidiary forwarded namespaces which would
|
||||||
|
take precedence. To be safe, we don't cache any responses if the
|
||||||
|
forwarding configuration has changed since the query was sent.
|
||||||
|
|
||||||
|
(cherry picked from commit 590f8698fc876d6d72f75cf35359e7546c3af972)
|
||||||
|
|
||||||
|
Check cached names for possible "forward only" clause
|
||||||
|
|
||||||
|
When caching additional and glue data *not* from a forwarder, we must
|
||||||
|
check that there is no "forward only" clause covering the owner name
|
||||||
|
that would take precedence. Such names would normally be allowed by
|
||||||
|
baliwick rules, but a "forward only" zone introduces a new baliwick
|
||||||
|
scope.
|
||||||
|
|
||||||
|
(cherry picked from commit 4a144fae16e70517be894a971cef1d085ee68ebe)
|
||||||
|
|
||||||
|
Look for zones deeper than the current domain or forward name
|
||||||
|
|
||||||
|
When caching glue, we need to ensure that there is no closer
|
||||||
|
source of truth for the name. If the owner name for the glue
|
||||||
|
record would be answered by a locally configured zone, do not
|
||||||
|
cache.
|
||||||
|
|
||||||
|
(cherry picked from commit 42f8c538d3fb9d075b98d82688aeb71621798754)
|
||||||
|
|
||||||
|
Avoid use of compound literals
|
||||||
|
|
||||||
|
Compound literals are not used in BIND 9.11, in order to ensure backward
|
||||||
|
compatibility with ancient compilers. Rework the relevant parts of the
|
||||||
|
BIND 9.11 backport of the CVE-2021-25220 fix so that compound literals
|
||||||
|
are not used.
|
||||||
|
|
||||||
|
(cherry picked from commit d4b1efbcbd4dfb8c6ef303968992440c5bdeed15)
|
||||||
|
---
|
||||||
|
lib/dns/resolver.c | 130 +++++++++++++++++++++++++++++++++++++++++++--
|
||||||
|
1 file changed, 125 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||||
|
index c912f3aea8..2c68973899 100644
|
||||||
|
--- a/lib/dns/resolver.c
|
||||||
|
+++ b/lib/dns/resolver.c
|
||||||
|
@@ -63,6 +63,7 @@
|
||||||
|
#include <dns/stats.h>
|
||||||
|
#include <dns/tsig.h>
|
||||||
|
#include <dns/validator.h>
|
||||||
|
+#include <dns/zone.h>
|
||||||
|
|
||||||
|
#ifdef WANT_QUERYTRACE
|
||||||
|
#define RTRACE(m) isc_log_write(dns_lctx, \
|
||||||
|
@@ -312,6 +313,8 @@ struct fetchctx {
|
||||||
|
bool ns_ttl_ok;
|
||||||
|
uint32_t ns_ttl;
|
||||||
|
isc_counter_t * qc;
|
||||||
|
+ dns_fixedname_t fwdfname;
|
||||||
|
+ dns_name_t *fwdname;
|
||||||
|
|
||||||
|
/*%
|
||||||
|
* The number of events we're waiting for.
|
||||||
|
@@ -3393,6 +3396,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||||
|
if (result == ISC_R_SUCCESS) {
|
||||||
|
fwd = ISC_LIST_HEAD(forwarders->fwdrs);
|
||||||
|
fctx->fwdpolicy = forwarders->fwdpolicy;
|
||||||
|
+ dns_name_copy(domain, fctx->fwdname, NULL);
|
||||||
|
if (fctx->fwdpolicy == dns_fwdpolicy_only &&
|
||||||
|
isstrictsubdomain(domain, &fctx->domain)) {
|
||||||
|
fcount_decr(fctx);
|
||||||
|
@@ -4422,6 +4426,9 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
|
||||||
|
fctx->restarts = 0;
|
||||||
|
fctx->querysent = 0;
|
||||||
|
fctx->referrals = 0;
|
||||||
|
+
|
||||||
|
+ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
|
||||||
|
+
|
||||||
|
TIME_NOW(&fctx->start);
|
||||||
|
fctx->timeouts = 0;
|
||||||
|
fctx->lamecount = 0;
|
||||||
|
@@ -4480,8 +4487,10 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
|
||||||
|
domain = dns_fixedname_initname(&fixed);
|
||||||
|
result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname,
|
||||||
|
domain, &forwarders);
|
||||||
|
- if (result == ISC_R_SUCCESS)
|
||||||
|
+ if (result == ISC_R_SUCCESS) {
|
||||||
|
fctx->fwdpolicy = forwarders->fwdpolicy;
|
||||||
|
+ dns_name_copy(domain, fctx->fwdname, NULL);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (fctx->fwdpolicy != dns_fwdpolicy_only) {
|
||||||
|
/*
|
||||||
|
@@ -6231,6 +6240,112 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
|
||||||
|
rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Returns true if 'name' is external to the namespace for which
|
||||||
|
+ * the server being queried can answer, either because it's not a
|
||||||
|
+ * subdomain or because it's below a forward declaration or a
|
||||||
|
+ * locally served zone.
|
||||||
|
+ */
|
||||||
|
+static inline bool
|
||||||
|
+name_external(dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
|
||||||
|
+ isc_result_t result;
|
||||||
|
+ dns_forwarders_t *forwarders = NULL;
|
||||||
|
+ dns_fixedname_t fixed, zfixed;
|
||||||
|
+ dns_name_t *fname = dns_fixedname_initname(&fixed);
|
||||||
|
+ dns_name_t *zfname = dns_fixedname_initname(&zfixed);
|
||||||
|
+ dns_name_t *apex = NULL;
|
||||||
|
+ dns_name_t suffix;
|
||||||
|
+ dns_zone_t *zone = NULL;
|
||||||
|
+ unsigned int labels;
|
||||||
|
+ dns_namereln_t rel;
|
||||||
|
+ /*
|
||||||
|
+ * The following two variables do not influence code flow; they are
|
||||||
|
+ * only necessary for calling dns_name_fullcompare().
|
||||||
|
+ */
|
||||||
|
+ int _orderp = 0;
|
||||||
|
+ unsigned int _nlabelsp = 0;
|
||||||
|
+
|
||||||
|
+ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * The name is outside the queried namespace.
|
||||||
|
+ */
|
||||||
|
+ rel = dns_name_fullcompare(name, apex, &_orderp, &_nlabelsp);
|
||||||
|
+ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
|
||||||
|
+ return (true);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * If the record lives in the parent zone, adjust the name so we
|
||||||
|
+ * look for the correct zone or forward clause.
|
||||||
|
+ */
|
||||||
|
+ labels = dns_name_countlabels(name);
|
||||||
|
+ if (dns_rdatatype_atparent(type) && labels > 1U) {
|
||||||
|
+ dns_name_init(&suffix, NULL);
|
||||||
|
+ dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
|
||||||
|
+ name = &suffix;
|
||||||
|
+ } else if (rel == dns_namereln_equal) {
|
||||||
|
+ /* If 'name' is 'apex', no further checking is needed. */
|
||||||
|
+ return (false);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * If there is a locally served zone between 'apex' and 'name'
|
||||||
|
+ * then don't cache.
|
||||||
|
+ */
|
||||||
|
+ LOCK(&fctx->res->view->lock);
|
||||||
|
+ if (fctx->res->view->zonetable != NULL) {
|
||||||
|
+ unsigned int options = DNS_ZTFIND_NOEXACT;
|
||||||
|
+ result = dns_zt_find(fctx->res->view->zonetable, name, options,
|
||||||
|
+ zfname, &zone);
|
||||||
|
+ if (zone != NULL) {
|
||||||
|
+ dns_zone_detach(&zone);
|
||||||
|
+ }
|
||||||
|
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
|
||||||
|
+ if (dns_name_fullcompare(zfname, apex, &_orderp,
|
||||||
|
+ &_nlabelsp) ==
|
||||||
|
+ dns_namereln_subdomain)
|
||||||
|
+ {
|
||||||
|
+ UNLOCK(&fctx->res->view->lock);
|
||||||
|
+ return (true);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ UNLOCK(&fctx->res->view->lock);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Look for a forward declaration below 'name'.
|
||||||
|
+ */
|
||||||
|
+ result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, fname,
|
||||||
|
+ &forwarders);
|
||||||
|
+
|
||||||
|
+ if (ISFORWARDER(fctx->addrinfo)) {
|
||||||
|
+ /*
|
||||||
|
+ * See if the forwarder declaration is better.
|
||||||
|
+ */
|
||||||
|
+ if (result == ISC_R_SUCCESS) {
|
||||||
|
+ return (!dns_name_equal(fname, fctx->fwdname));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * If the lookup failed, the configuration must have
|
||||||
|
+ * changed: play it safe and don't cache.
|
||||||
|
+ */
|
||||||
|
+ return (true);
|
||||||
|
+ } else if (result == ISC_R_SUCCESS &&
|
||||||
|
+ forwarders->fwdpolicy == dns_fwdpolicy_only &&
|
||||||
|
+ !ISC_LIST_EMPTY(forwarders->fwdrs))
|
||||||
|
+ {
|
||||||
|
+ /*
|
||||||
|
+ * If 'name' is covered by a 'forward only' clause then we
|
||||||
|
+ * can't cache this repsonse.
|
||||||
|
+ */
|
||||||
|
+ return (true);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return (false);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static isc_result_t
|
||||||
|
check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
|
||||||
|
dns_section_t section)
|
||||||
|
@@ -6259,7 +6374,7 @@ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
|
||||||
|
result = dns_message_findname(rmessage, section, addname,
|
||||||
|
dns_rdatatype_any, 0, &name, NULL);
|
||||||
|
if (result == ISC_R_SUCCESS) {
|
||||||
|
- external = !dns_name_issubdomain(name, &fctx->domain);
|
||||||
|
+ external = name_external(name, type, fctx);
|
||||||
|
if (type == dns_rdatatype_a) {
|
||||||
|
for (rdataset = ISC_LIST_HEAD(name->list);
|
||||||
|
rdataset != NULL;
|
||||||
|
@@ -7141,6 +7256,13 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
|
||||||
|
break;
|
||||||
|
|
||||||
|
case dns_namereln_subdomain:
|
||||||
|
+ /*
|
||||||
|
+ * Don't accept DNAME from parent namespace.
|
||||||
|
+ */
|
||||||
|
+ if (name_external(name, dns_rdatatype_dname, fctx)) {
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* In-scope DNAME records must have at least
|
||||||
|
* as many labels as the domain being queried.
|
||||||
|
@@ -7376,11 +7498,9 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
|
||||||
|
*/
|
||||||
|
result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
|
||||||
|
while (!done && result == ISC_R_SUCCESS) {
|
||||||
|
- bool external;
|
||||||
|
name = NULL;
|
||||||
|
dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
|
||||||
|
- external = !dns_name_issubdomain(name, &fctx->domain);
|
||||||
|
- if (!external) {
|
||||||
|
+ if (!name_external(name, dns_rdatatype_ns, fctx)) {
|
||||||
|
/*
|
||||||
|
* We expect to find NS or SIG NS rdatasets, and
|
||||||
|
* nothing else.
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
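Review bot: The header comment on `name_external()` names two reasons for returning true (not a subdomain, or below a forward declaration / locally served zone) but not the third case the body implements: when `ISFORWARDER(fctx->addrinfo)` holds and `dns_fwdtable_find2()` does not return ISC_R_SUCCESS, the function returns true unconditionally under the "configuration must have changed: play it safe" comment. Suggest extending the header comment with `* Also returns true (do not cache) when a forwarder is in use and the forward-table lookup for 'name' no longer succeeds, which is taken to mean the forwarding configuration changed since the query was sent.` so callers in check_section() and answer_response() can see that a conservative "don't cache" is a possible outcome unrelated to bailiwick. The inline comment in the `forward only` branch also misspells "repsonse". The companion file bind-9.11-CVE-2021-25220-test.patch is suppressed on this page, so the test that exercises these branches could not be reviewed here.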
61
SOURCES/bind-9.11-CVE-2022-2795.patch
Normal file
61
SOURCES/bind-9.11-CVE-2022-2795.patch
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
From 05cdbc1006cee6daaa29e5423976d56047d22461 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
|
||||||
|
Date: Thu, 8 Sep 2022 11:11:30 +0200
|
||||||
|
Subject: [PATCH] Bound the amount of work performed for delegations
|
||||||
|
|
||||||
|
Limit the amount of database lookups that can be triggered in
|
||||||
|
fctx_getaddresses() (i.e. when determining the name server addresses to
|
||||||
|
query next) by setting a hard limit on the number of NS RRs processed
|
||||||
|
for any delegation encountered. Without any limit in place, named can
|
||||||
|
be forced to perform large amounts of database lookups per each query
|
||||||
|
received, which severely impacts resolver performance.
|
||||||
|
|
||||||
|
The limit used (20) is an arbitrary value that is considered to be big
|
||||||
|
enough for any sane DNS delegation.
|
||||||
|
|
||||||
|
(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
|
||||||
|
(cherry picked from commit bf2ea6d8525bfd96a84dad221ba9e004adb710a8)
|
||||||
|
---
|
||||||
|
lib/dns/resolver.c | 12 ++++++++++++
|
||||||
|
1 file changed, 12 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||||
|
index 8ae9a993bb..ac9a9ef5d0 100644
|
||||||
|
--- a/lib/dns/resolver.c
|
||||||
|
+++ b/lib/dns/resolver.c
|
||||||
|
@@ -180,6 +180,12 @@
|
||||||
|
*/
|
||||||
|
#define NS_FAIL_LIMIT 4
|
||||||
|
#define NS_RR_LIMIT 5
|
||||||
|
+/*
|
||||||
|
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
|
||||||
|
+ * any NS RRset encountered, to avoid excessive resource use while processing
|
||||||
|
+ * large delegations.
|
||||||
|
+ */
|
||||||
|
+#define NS_PROCESSING_LIMIT 20
|
||||||
|
|
||||||
|
/* Number of hash buckets for zone counters */
|
||||||
|
#ifndef RES_DOMAIN_BUCKETS
|
||||||
|
@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||||
|
bool need_alternate = false;
|
||||||
|
bool all_spilled = true;
|
||||||
|
unsigned int no_addresses = 0;
|
||||||
|
+ unsigned int ns_processed = 0;
|
||||||
|
|
||||||
|
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
|
||||||
|
|
||||||
|
@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||||
|
|
||||||
|
dns_rdata_reset(&rdata);
|
||||||
|
dns_rdata_freestruct(&ns);
|
||||||
|
+
|
||||||
|
+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
|
||||||
|
+ result = ISC_R_NOMORE;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
if (result != ISC_R_NOMORE) {
|
||||||
|
return (result);
|
||||||
|
--
|
||||||
|
2.37.3
|
||||||
|
|
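Review bot: The `++ns_processed >= NS_PROCESSING_LIMIT` check sits at the very end of the loop body, immediately after `dns_rdata_freestruct(&ns)`, and the loop it belongs to starts outside this hunk; if that body has any `continue` path above the hunk, those NS RRs are not counted against the limit, which is worth confirming against the full function. Hitting the limit sets `result = ISC_R_NOMORE` before `break`, so the following `if (result != ISC_R_NOMORE)` treats truncation exactly like reaching the end of the RRset, with no log line or counter; that is a reasonable choice but is not stated anywhere. Suggest adding to the NS_PROCESSING_LIMIT comment: ` * Reaching the limit is handled like the end of the RRset: the remaining NS RRs are silently skipped for this fetch.`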
46
SOURCES/bind-9.11-CVE-2023-2828-fixup.patch
Normal file
46
SOURCES/bind-9.11-CVE-2023-2828-fixup.patch
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
From 6c26ede8edcb700caca12c501c6c129801989526 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mark Andrews <marka@isc.org>
|
||||||
|
Date: Fri, 23 Feb 2024 10:12:47 +1100
|
||||||
|
Subject: [PATCH] Do not use header_prev in expire_lru_headers
|
||||||
|
|
||||||
|
dns__cacherbt_expireheader can unlink / free header_prev underneath
|
||||||
|
it. Use ISC_LIST_TAIL after calling dns__cacherbt_expireheader
|
||||||
|
instead to get the next pointer to be processed.
|
||||||
|
|
||||||
|
(cherry picked from commit 7ce2e86024f022decb2678963538515ca39ab4ab)
|
||||||
|
(cherry picked from commit f88f21b7d890eb80097f4bd434fedb29c2f9ff63)
|
||||||
|
---
|
||||||
|
lib/dns/rbtdb.c | 8 ++++----
|
||||||
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
|
||||||
|
index cc40eaec60..ee59c1b18b 100644
|
||||||
|
--- a/lib/dns/rbtdb.c
|
||||||
|
+++ b/lib/dns/rbtdb.c
|
||||||
|
@@ -10667,19 +10667,19 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
|
||||||
|
static size_t
|
||||||
|
expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
|
||||||
|
bool tree_locked) {
|
||||||
|
- rdatasetheader_t *header, *header_prev;
|
||||||
|
+ rdatasetheader_t *header;
|
||||||
|
size_t purged = 0;
|
||||||
|
|
||||||
|
for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
|
||||||
|
- header != NULL && purged <= purgesize; header = header_prev)
|
||||||
|
+ header != NULL && purged <= purgesize;
|
||||||
|
+ header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]))
|
||||||
|
{
|
||||||
|
- header_prev = ISC_LIST_PREV(header, link);
|
||||||
|
/*
|
||||||
|
* Unlink the entry at this point to avoid checking it
|
||||||
|
* again even if it's currently used someone else and
|
||||||
|
* cannot be purged at this moment. This entry won't be
|
||||||
|
* referenced any more (so unlinking is safe) since the
|
||||||
|
- * TTL was reset to 0.
|
||||||
|
+ * TTL will be reset to 0.
|
||||||
|
*/
|
||||||
|
ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
|
||||||
|
size_t header_size = rdataset_size(header);
|
||||||
|
--
|
||||||
|
2.43.2
|
||||||
|
|
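Review bot: This fixup rewrites the loop that bind-9.11-CVE-2023-2828.patch introduces in `expire_lru_headers()`, so it only applies cleanly after that patch; the spec changes that wire both files in are not in this view, and the `%patch` ordering should be confirmed. The new loop re-reads `ISC_LIST_TAIL(rbtdb->rdatasets[locknum])` on every iteration, which is correct only because `ISC_LIST_UNLINK` removes `header` before `expire_header()` runs, yet the in-loop comment still only explains the unlink. Suggest a comment above the `for`: `/* Re-read the list tail each iteration rather than saving a prev pointer: expiring a header may unlink or free its neighbours, as described in the commit message. */` so the reason for the changed loop shape is visible in the code itself.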
193
SOURCES/bind-9.11-CVE-2023-2828.patch
Normal file
193
SOURCES/bind-9.11-CVE-2023-2828.patch
Normal file
@ -0,0 +1,193 @@
|
|||||||
|
From f3aa755ba5ae5148dd0567357f8c538072e2eabc Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||||
|
Date: Tue, 30 May 2023 08:46:17 +0200
|
||||||
|
Subject: [PATCH] Improve RBT overmem cache cleaning
|
||||||
|
|
||||||
|
When cache memory usage is over the configured cache size (overmem) and
|
||||||
|
we are cleaning unused entries, it might not be enough to clean just two
|
||||||
|
entries if the entries to be expired are smaller than the newly added
|
||||||
|
rdata. This could be abused by an attacker to cause a remote Denial of
|
||||||
|
Service by possibly running out of the operating system memory.
|
||||||
|
|
||||||
|
Currently, the addrdataset() tries to do a single TTL-based cleaning
|
||||||
|
considering the serve-stale TTL and then optionally moves to overmem
|
||||||
|
cleaning if we are in that condition. Then the overmem_purge() tries to
|
||||||
|
do another single TTL based cleaning from the TTL heap and then continue
|
||||||
|
with LRU-based cleaning up to 2 entries cleaned.
|
||||||
|
|
||||||
|
Squash the TTL-cleaning mechanism into single call from addrdataset(),
|
||||||
|
but ignore the serve-stale TTL if we are currently overmem.
|
||||||
|
|
||||||
|
Then instead of having a fixed number of entries to clean, pass the size
|
||||||
|
of newly added rdatasetheader to the overmem_purge() function and
|
||||||
|
cleanup at least the size of the newly added data. This prevents the
|
||||||
|
cache going over the configured memory limit (`max-cache-size`).
|
||||||
|
|
||||||
|
Additionally, refactor the overmem_purge() function to reduce for-loop
|
||||||
|
nesting for readability.
|
||||||
|
---
|
||||||
|
lib/dns/rbtdb.c | 109 +++++++++++++++++++++++++++++-------------------
|
||||||
|
1 file changed, 67 insertions(+), 42 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
|
||||||
|
index 11203e4..cc40eae 100644
|
||||||
|
--- a/lib/dns/rbtdb.c
|
||||||
|
+++ b/lib/dns/rbtdb.c
|
||||||
|
@@ -834,7 +834,7 @@ static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
|
||||||
|
static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
|
||||||
|
bool tree_locked, expire_t reason);
|
||||||
|
static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
|
||||||
|
- isc_stdtime_t now, bool tree_locked);
|
||||||
|
+ size_t purgesize, bool tree_locked);
|
||||||
|
static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
|
||||||
|
rdatasetheader_t *newheader);
|
||||||
|
static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
|
||||||
|
@@ -6937,6 +6937,16 @@ addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
|
||||||
|
|
||||||
|
static dns_dbmethods_t zone_methods;
|
||||||
|
|
||||||
|
+static size_t
|
||||||
|
+rdataset_size(rdatasetheader_t *header) {
|
||||||
|
+ if (!NONEXISTENT(header)) {
|
||||||
|
+ return (dns_rdataslab_size((unsigned char *)header,
|
||||||
|
+ sizeof(*header)));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return (sizeof(*header));
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static isc_result_t
|
||||||
|
addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
|
||||||
|
isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
|
||||||
|
@@ -7091,7 +7101,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
|
||||||
|
}
|
||||||
|
|
||||||
|
if (cache_is_overmem)
|
||||||
|
- overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
|
||||||
|
+ overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
|
||||||
|
+ tree_locked);
|
||||||
|
|
||||||
|
NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
|
||||||
|
isc_rwlocktype_write);
|
||||||
|
@@ -7106,9 +7117,19 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
|
||||||
|
cleanup_dead_nodes(rbtdb, rbtnode->locknum);
|
||||||
|
|
||||||
|
header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
|
||||||
|
- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL)
|
||||||
|
- expire_header(rbtdb, header, tree_locked,
|
||||||
|
- expire_ttl);
|
||||||
|
+ if (header != NULL) {
|
||||||
|
+ dns_ttl_t rdh_ttl = header->rdh_ttl;
|
||||||
|
+
|
||||||
|
+ /* Only account for stale TTL if cache is not overmem */
|
||||||
|
+ if (!cache_is_overmem) {
|
||||||
|
+ rdh_ttl += rbtdb->serve_stale_ttl;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (rdh_ttl < now - RBTDB_VIRTUAL) {
|
||||||
|
+ expire_header(rbtdb, header, tree_locked,
|
||||||
|
+ expire_ttl);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If we've been holding a write lock on the tree just for
|
||||||
|
@@ -10643,54 +10664,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
|
||||||
|
ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static size_t
|
||||||
|
+expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
|
||||||
|
+ bool tree_locked) {
|
||||||
|
+ rdatasetheader_t *header, *header_prev;
|
||||||
|
+ size_t purged = 0;
|
||||||
|
+
|
||||||
|
+ for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
|
||||||
|
+ header != NULL && purged <= purgesize; header = header_prev)
|
||||||
|
+ {
|
||||||
|
+ header_prev = ISC_LIST_PREV(header, link);
|
||||||
|
+ /*
|
||||||
|
+ * Unlink the entry at this point to avoid checking it
|
||||||
|
+ * again even if it's currently used someone else and
|
||||||
|
+ * cannot be purged at this moment. This entry won't be
|
||||||
|
+ * referenced any more (so unlinking is safe) since the
|
||||||
|
+ * TTL was reset to 0.
|
||||||
|
+ */
|
||||||
|
+ ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
|
||||||
|
+ size_t header_size = rdataset_size(header);
|
||||||
|
+ expire_header(rbtdb, header, tree_locked, expire_lru);
|
||||||
|
+ purged += header_size;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return (purged);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*%
|
||||||
|
- * Purge some expired and/or stale (i.e. unused for some period) cache entries
|
||||||
|
- * under an overmem condition. To recover from this condition quickly, up to
|
||||||
|
- * 2 entries will be purged. This process is triggered while adding a new
|
||||||
|
- * entry, and we specifically avoid purging entries in the same LRU bucket as
|
||||||
|
- * the one to which the new entry will belong. Otherwise, we might purge
|
||||||
|
- * entries of the same name of different RR types while adding RRsets from a
|
||||||
|
- * single response (consider the case where we're adding A and AAAA glue records
|
||||||
|
- * of the same NS name).
|
||||||
|
+ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache
|
||||||
|
+ * entries under the overmem condition. To recover from this condition quickly,
|
||||||
|
+ * we cleanup entries up to the size of newly added rdata (passed as purgesize).
|
||||||
|
+ *
|
||||||
|
+ * This process is triggered while adding a new entry, and we specifically avoid
|
||||||
|
+ * purging entries in the same LRU bucket as the one to which the new entry will
|
||||||
|
+ * belong. Otherwise, we might purge entries of the same name of different RR
|
||||||
|
+ * types while adding RRsets from a single response (consider the case where
|
||||||
|
+ * we're adding A and AAAA glue records of the same NS name).
|
||||||
|
*/
|
||||||
|
static void
|
||||||
|
-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
|
||||||
|
- isc_stdtime_t now, bool tree_locked)
|
||||||
|
+overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
|
||||||
|
+ bool tree_locked)
|
||||||
|
{
|
||||||
|
- rdatasetheader_t *header, *header_prev;
|
||||||
|
unsigned int locknum;
|
||||||
|
- int purgecount = 2;
|
||||||
|
+ size_t purged = 0;
|
||||||
|
|
||||||
|
for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
|
||||||
|
- locknum != locknum_start && purgecount > 0;
|
||||||
|
+ locknum != locknum_start && purged <= purgesize;
|
||||||
|
locknum = (locknum + 1) % rbtdb->node_lock_count) {
|
||||||
|
NODE_LOCK(&rbtdb->node_locks[locknum].lock,
|
||||||
|
isc_rwlocktype_write);
|
||||||
|
|
||||||
|
- header = isc_heap_element(rbtdb->heaps[locknum], 1);
|
||||||
|
- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) {
|
||||||
|
- expire_header(rbtdb, header, tree_locked,
|
||||||
|
- expire_ttl);
|
||||||
|
- purgecount--;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
|
||||||
|
- header != NULL && purgecount > 0;
|
||||||
|
- header = header_prev) {
|
||||||
|
- header_prev = ISC_LIST_PREV(header, link);
|
||||||
|
- /*
|
||||||
|
- * Unlink the entry at this point to avoid checking it
|
||||||
|
- * again even if it's currently used someone else and
|
||||||
|
- * cannot be purged at this moment. This entry won't be
|
||||||
|
- * referenced any more (so unlinking is safe) since the
|
||||||
|
- * TTL was reset to 0.
|
||||||
|
- */
|
||||||
|
- ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
|
||||||
|
- link);
|
||||||
|
- expire_header(rbtdb, header, tree_locked,
|
||||||
|
- expire_lru);
|
||||||
|
- purgecount--;
|
||||||
|
- }
|
||||||
|
+ purged += expire_lru_headers(rbtdb, locknum, purgesize - purged,
|
||||||
|
+ tree_locked);
|
||||||
|
|
||||||
|
NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
|
||||||
|
isc_rwlocktype_write);
|
||||||
|
--
|
||||||
|
2.40.1
|
||||||
|
|
3154
SOURCES/bind-9.11-CVE-2023-4408.patch
Normal file
3154
SOURCES/bind-9.11-CVE-2023-4408.patch
Normal file
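--- a/SOURCES/bind-9.11-CVE-2023-50387-fixup.patch
+++ b/SOURCES/bind-9.11-CVE-2023-50387-fixup.patch
@@ -0,0 +1,64 @@
+From f0fc9d7999a94da3d471c4e0a35b1f447f25eea6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Mon, 26 Feb 2024 21:08:42 +0100
+Subject: [PATCH] Add normal task queue also to non-thread version
+
+Non-thread builds are used by us for dhcp package. Make it working
+again.
+
+Related to [GL #4424] and [GL #4459].
+---
+lib/isc/task.c | 14 ++++++++------
+1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/lib/isc/task.c b/lib/isc/task.c
+index cc83269..5315b51 100644
+--- a/lib/isc/task.c
++++ b/lib/isc/task.c
+@@ -1115,7 +1115,7 @@ dispatch(isc__taskmgr_t *manager, isc_taskqueue_t qid) {
+}
+#else /* USE_WORKER_THREADS */
+if (total_dispatch_count >= DEFAULT_TASKMGR_QUANTUM ||
+- empty_readyq(manager))
++ empty_readyq(manager, qid))
+break;
+#endif /* USE_WORKER_THREADS */
+XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TASK,
+@@ -1318,11 +1318,11 @@ dispatch(isc__taskmgr_t *manager, isc_taskqueue_t qid) {
+}
+
+#ifndef USE_WORKER_THREADS
+- ISC_LIST_APPENDLIST(manager->ready_tasks, new_ready_tasks, ready_link);
+- ISC_LIST_APPENDLIST(manager->ready_priority_tasks, new_priority_tasks,
++ ISC_LIST_APPENDLIST(manager->ready_tasks[qid], new_ready_tasks, ready_link);
++ ISC_LIST_APPENDLIST(manager->ready_priority_tasks[qid], new_priority_tasks,
+ready_priority_link);
+manager->tasks_ready += tasks_ready;
+- if (empty_readyq(manager))
++ if (empty_readyq(manager, qid))
+manager->mode = isc_taskmgrmode_normal;
+#endif
+
+@@ -1713,7 +1713,8 @@ isc__taskmgr_ready(isc_taskmgr_t *manager0) {
+return (false);
+
+LOCK(&manager->lock);
+- is_ready = !empty_readyq(manager);
++ is_ready = !empty_readyq(manager, isc_taskqueue_normal) ||
++ !empty_readyq(manager, isc_taskqueue_slow);
+UNLOCK(&manager->lock);
+
+return (is_ready);
+@@ -1730,7 +1731,8 @@ isc__taskmgr_dispatch(isc_taskmgr_t *manager0) {
+if (manager == NULL)
+return (ISC_R_NOTFOUND);
+
+- dispatch(manager);
++ dispatch(manager, isc_taskqueue_normal);
++ dispatch(manager, isc_taskqueue_slow);
+
+return (ISC_R_SUCCESS);
+}
+--
+2.43.2
+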
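Review bot: In the `@@ -1318` hunk the non-threaded path drops privileged mode as soon as the queue currently being dispatched is empty, `if (empty_readyq(manager, qid))`, whereas the threaded path in the main CVE-2023-50387 patch only resets `manager->mode` once both queues are empty (`empty_readyq(manager, isc_taskqueue_normal) && empty_readyq(manager, isc_taskqueue_slow)`). Since `isc__taskmgr_dispatch` now calls `dispatch()` for the normal queue first, an empty normal queue appears to reset the mode while privileged tasks may still be waiting on the slow queue; if that is not intended, the check should mirror the threaded one, `if (empty_readyq(manager, isc_taskqueue_normal) && empty_readyq(manager, isc_taskqueue_slow))`. The enclosing `dispatch()` starts and ends outside the hunk. The `@@ -1730` hunk also deserves a comment stating that the two `dispatch()` calls run back to back on the single thread, so in non-threaded builds the slow queue does not isolate long-running validation work from normal tasks the way the separate worker threads do, and one `isc__taskmgr_dispatch` call may now consume up to `DEFAULT_TASKMGR_QUANTUM` events from each queue.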
737
SOURCES/bind-9.11-CVE-2023-50387.patch
Normal file
737
SOURCES/bind-9.11-CVE-2023-50387.patch
Normal file
@ -0,0 +1,737 @@
|
|||||||
|
From 4c20ab54ec503f65d8ee0b863cbf41103d95130a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mark Andrews <marka@isc.org>
|
||||||
|
Date: Wed, 22 Nov 2023 16:59:03 +1100
|
||||||
|
Subject: [PATCH] Fail the DNSSEC validation on the first failure
|
||||||
|
|
||||||
|
Be more strict when encountering DNSSEC validation failures - fail on
|
||||||
|
the first failure. This will break domains that have DNSSEC signing
|
||||||
|
keys with duplicate key ids, but this is something that's much easier
|
||||||
|
to fix on the authoritative side, so we are just going to be strict
|
||||||
|
on the resolver side where it is causing performance problems.
|
||||||
|
|
||||||
|
(cherry picked from commit 8b7ecba9885e163c07c2dd3e1ceab79b2ba89e34)
|
||||||
|
|
||||||
|
Add normal and slow task queues
|
||||||
|
|
||||||
|
Split the task manager queues into normal and slow task queues, so we
|
||||||
|
can move the tasks that blocks processing for a long time (like DNSSEC
|
||||||
|
validation) into the slow queue which doesn't block fast
|
||||||
|
operations (like responding from the cache). This mitigates the whole
|
||||||
|
class of KeyTrap-like issues.
|
||||||
|
|
||||||
|
(cherry picked from commit db083a21726300916fa0b9fd8a433a796fedf636)
|
||||||
|
|
||||||
|
Don't iterate from start every time we select new signing key
|
||||||
|
|
||||||
|
Improve the selecting of the new signing key by remembering where
|
||||||
|
we stopped the iteration and just continue from that place instead
|
||||||
|
of iterating from the start over and over again each time.
|
||||||
|
|
||||||
|
(cherry picked from commit 75faeefcab47e4f1e12b358525190b4be90f97de)
|
||||||
|
|
||||||
|
Optimize selecting the signing key
|
||||||
|
|
||||||
|
Don't parse the crypto data before parsing and matching the id and the
|
||||||
|
algorithm.
|
||||||
|
|
||||||
|
(cherry picked from commit b38552cca7200a72658e482f8407f57516efc5db)
|
||||||
|
|
||||||
|
6322. [security] Specific DNS answers could cause a denial-of-service
|
||||||
|
condition due to DNS validation taking a long time.
|
||||||
|
(CVE-2023-50387) [GL #4424]
|
||||||
|
|
||||||
|
The same code change also addresses another problem:
|
||||||
|
preparing NSEC3 closest encloser proofs could exhaust
|
||||||
|
available CPU resources. (CVE-2023-50868) [GL #4459]
|
||||||
|
---
|
||||||
|
lib/dns/dst_api.c | 25 ++++--
|
||||||
|
lib/dns/include/dns/validator.h | 1 +
|
||||||
|
lib/dns/include/dst/dst.h | 4 +
|
||||||
|
lib/dns/resolver.c | 2 +-
|
||||||
|
lib/dns/validator.c | 97 +++++++++-----------
|
||||||
|
lib/dns/win32/libdns.def.in | 1 +
|
||||||
|
lib/isc/include/isc/task.h | 11 ++-
|
||||||
|
lib/isc/task.c | 153 ++++++++++++++++++++++----------
|
||||||
|
8 files changed, 186 insertions(+), 108 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
|
||||||
|
index 2156384ec1..6bcd99796c 100644
|
||||||
|
--- a/lib/dns/dst_api.c
|
||||||
|
+++ b/lib/dns/dst_api.c
|
||||||
|
@@ -105,6 +105,7 @@ static isc_result_t frombuffer(dns_name_t *name,
|
||||||
|
dns_rdataclass_t rdclass,
|
||||||
|
isc_buffer_t *source,
|
||||||
|
isc_mem_t *mctx,
|
||||||
|
+ bool no_rdata,
|
||||||
|
dst_key_t **keyp);
|
||||||
|
|
||||||
|
static isc_result_t algorithm_status(unsigned int alg);
|
||||||
|
@@ -764,6 +765,13 @@ isc_result_t
|
||||||
|
dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
|
||||||
|
isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
|
||||||
|
{
|
||||||
|
+ return (dst_key_fromdns_ex(name, rdclass, source, mctx, false, keyp));
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+isc_result_t
|
||||||
|
+dst_key_fromdns_ex(dns_name_t *name, dns_rdataclass_t rdclass,
|
||||||
|
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
|
||||||
|
+ dst_key_t **keyp) {
|
||||||
|
uint8_t alg, proto;
|
||||||
|
uint32_t flags, extflags;
|
||||||
|
dst_key_t *key = NULL;
|
||||||
|
@@ -792,7 +800,7 @@ dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
|
||||||
|
}
|
||||||
|
|
||||||
|
result = frombuffer(name, alg, flags, proto, rdclass, source,
|
||||||
|
- mctx, &key);
|
||||||
|
+ mctx, no_rdata, &key);
|
||||||
|
if (result != ISC_R_SUCCESS)
|
||||||
|
return (result);
|
||||||
|
key->key_id = id;
|
||||||
|
@@ -814,7 +822,7 @@ dst_key_frombuffer(dns_name_t *name, unsigned int alg,
|
||||||
|
REQUIRE(dst_initialized);
|
||||||
|
|
||||||
|
result = frombuffer(name, alg, flags, protocol, rdclass, source,
|
||||||
|
- mctx, &key);
|
||||||
|
+ mctx, false, &key);
|
||||||
|
if (result != ISC_R_SUCCESS)
|
||||||
|
return (result);
|
||||||
|
|
||||||
|
@@ -1915,7 +1923,8 @@ computeid(dst_key_t *key) {
|
||||||
|
static isc_result_t
|
||||||
|
frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags,
|
||||||
|
unsigned int protocol, dns_rdataclass_t rdclass,
|
||||||
|
- isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
|
||||||
|
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
|
||||||
|
+ dst_key_t **keyp)
|
||||||
|
{
|
||||||
|
dst_key_t *key;
|
||||||
|
isc_result_t ret;
|
||||||
|
@@ -1940,10 +1949,12 @@ frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags,
|
||||||
|
return (DST_R_UNSUPPORTEDALG);
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = key->func->fromdns(key, source);
|
||||||
|
- if (ret != ISC_R_SUCCESS) {
|
||||||
|
- dst_key_free(&key);
|
||||||
|
- return (ret);
|
||||||
|
+ if (!no_rdata) {
|
||||||
|
+ ret = key->func->fromdns(key, source);
|
||||||
|
+ if (ret != ISC_R_SUCCESS) {
|
||||||
|
+ dst_key_free(&key);
|
||||||
|
+ return (ret);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
|
||||||
|
index cc4478d6d4..b4bf8f29db 100644
|
||||||
|
--- a/lib/dns/include/dns/validator.h
|
||||||
|
+++ b/lib/dns/include/dns/validator.h
|
||||||
|
@@ -160,6 +160,7 @@ struct dns_validator {
|
||||||
|
unsigned int depth;
|
||||||
|
unsigned int authcount;
|
||||||
|
unsigned int authfail;
|
||||||
|
+ bool failed;
|
||||||
|
isc_stdtime_t start;
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
|
||||||
|
index 180c841307..a8be2daf67 100644
|
||||||
|
--- a/lib/dns/include/dst/dst.h
|
||||||
|
+++ b/lib/dns/include/dst/dst.h
|
||||||
|
@@ -435,6 +435,10 @@ dst_key_tofile(const dst_key_t *key, int type, const char *directory);
|
||||||
|
*/
|
||||||
|
|
||||||
|
isc_result_t
|
||||||
|
+dst_key_fromdns_ex(dns_name_t *name, dns_rdataclass_t rdclass,
|
||||||
|
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
|
||||||
|
+ dst_key_t **keyp);
|
||||||
|
+isc_result_t
|
||||||
|
dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
|
||||||
|
isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
|
||||||
|
/*%<
|
||||||
|
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||||
|
index 4f71f48039..487107614c 100644
|
||||||
|
--- a/lib/dns/resolver.c
|
||||||
|
+++ b/lib/dns/resolver.c
|
||||||
|
@@ -9267,7 +9267,7 @@ dns_resolver_create(dns_view_t *view,
|
||||||
|
if (result != ISC_R_SUCCESS)
|
||||||
|
goto cleanup_buckets;
|
||||||
|
res->buckets[i].task = NULL;
|
||||||
|
- result = isc_task_create(taskmgr, 0, &res->buckets[i].task);
|
||||||
|
+ result = isc_task_create(taskmgr, ISC_TASK_QUANTUM_SLOW, &res->buckets[i].task);
|
||||||
|
if (result != ISC_R_SUCCESS) {
|
||||||
|
DESTROYLOCK(&res->buckets[i].lock);
|
||||||
|
goto cleanup_buckets;
|
||||||
|
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
|
||||||
|
index 2a5c3caa6a..0b257fe874 100644
|
||||||
|
--- a/lib/dns/validator.c
|
||||||
|
+++ b/lib/dns/validator.c
|
||||||
|
@@ -1207,6 +1207,12 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
|
||||||
|
* val->key at it.
|
||||||
|
*
|
||||||
|
* If val->key is non-NULL, this returns the next matching key.
|
||||||
|
+ * If val->key is already non-NULL, start searching from the next position in
|
||||||
|
+ * 'rdataset' to find the *next* key that could have signed 'siginfo', then
|
||||||
|
+ * set val->key to that.
|
||||||
|
+ *
|
||||||
|
+ * Returns ISC_R_SUCCESS if a possible matching key has been found,
|
||||||
|
+ * ISC_R_NOTFOUND if not. Any other value indicates error.
|
||||||
|
*/
|
||||||
|
static isc_result_t
|
||||||
|
get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
|
||||||
|
@@ -1216,54 +1222,59 @@ get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
|
||||||
|
isc_buffer_t b;
|
||||||
|
dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||||
|
dst_key_t *oldkey = val->key;
|
||||||
|
- bool foundold;
|
||||||
|
+ bool no_rdata = false;
|
||||||
|
|
||||||
|
- if (oldkey == NULL)
|
||||||
|
- foundold = true;
|
||||||
|
- else {
|
||||||
|
- foundold = false;
|
||||||
|
+ if (oldkey == NULL) {
|
||||||
|
+ result = dns_rdataset_first(rdataset);
|
||||||
|
+ } else {
|
||||||
|
+ dst_key_free(&oldkey);
|
||||||
|
val->key = NULL;
|
||||||
|
+ result = dns_rdataset_next(rdataset);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (result != ISC_R_SUCCESS) {
|
||||||
|
+ goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- result = dns_rdataset_first(rdataset);
|
||||||
|
- if (result != ISC_R_SUCCESS)
|
||||||
|
- goto failure;
|
||||||
|
do {
|
||||||
|
dns_rdataset_current(rdataset, &rdata);
|
||||||
|
|
||||||
|
isc_buffer_init(&b, rdata.data, rdata.length);
|
||||||
|
isc_buffer_add(&b, rdata.length);
|
||||||
|
INSIST(val->key == NULL);
|
||||||
|
- result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
|
||||||
|
- val->view->mctx, &val->key);
|
||||||
|
+ result = dst_key_fromdns_ex(&siginfo->signer, rdata.rdclass, &b,
|
||||||
|
+ val->view->mctx, no_rdata,
|
||||||
|
+ &val->key);
|
||||||
|
if (result == ISC_R_SUCCESS) {
|
||||||
|
if (siginfo->algorithm ==
|
||||||
|
(dns_secalg_t)dst_key_alg(val->key) &&
|
||||||
|
siginfo->keyid ==
|
||||||
|
(dns_keytag_t)dst_key_id(val->key) &&
|
||||||
|
+ (dst_key_flags(val->key) & DNS_KEYFLAG_REVOKE) ==
|
||||||
|
+ 0 &&
|
||||||
|
dst_key_iszonekey(val->key))
|
||||||
|
{
|
||||||
|
- if (foundold) {
|
||||||
|
- /*
|
||||||
|
- * This is the key we're looking for.
|
||||||
|
- */
|
||||||
|
- return (ISC_R_SUCCESS);
|
||||||
|
- } else if (dst_key_compare(oldkey, val->key)) {
|
||||||
|
- foundold = true;
|
||||||
|
- dst_key_free(&oldkey);
|
||||||
|
+ if (no_rdata) {
|
||||||
|
+ /* Retry with full key */
|
||||||
|
+ dns_rdata_reset(&rdata);
|
||||||
|
+ dst_key_free(&val->key);
|
||||||
|
+ no_rdata = false;
|
||||||
|
+ continue;
|
||||||
|
}
|
||||||
|
+ /* This is the key we're looking for. */
|
||||||
|
+ goto done;
|
||||||
|
}
|
||||||
|
dst_key_free(&val->key);
|
||||||
|
}
|
||||||
|
dns_rdata_reset(&rdata);
|
||||||
|
result = dns_rdataset_next(rdataset);
|
||||||
|
+ no_rdata = true;
|
||||||
|
} while (result == ISC_R_SUCCESS);
|
||||||
|
- if (result == ISC_R_NOMORE)
|
||||||
|
- result = ISC_R_NOTFOUND;
|
||||||
|
|
||||||
|
- failure:
|
||||||
|
- if (oldkey != NULL)
|
||||||
|
- dst_key_free(&oldkey);
|
||||||
|
+done:
|
||||||
|
+ if (result == ISC_R_NOMORE) {
|
||||||
|
+ result = ISC_R_NOTFOUND;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
return (result);
|
||||||
|
}
|
||||||
|
@@ -1633,37 +1644,13 @@ validate(dns_validator_t *val, bool resume) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
- do {
|
||||||
|
- vresult = verify(val, val->key, &rdata,
|
||||||
|
- val->siginfo->keyid);
|
||||||
|
- if (vresult == ISC_R_SUCCESS)
|
||||||
|
- break;
|
||||||
|
- if (val->keynode != NULL) {
|
||||||
|
- dns_keynode_t *nextnode = NULL;
|
||||||
|
- result = dns_keytable_findnextkeynode(
|
||||||
|
- val->keytable,
|
||||||
|
- val->keynode,
|
||||||
|
- &nextnode);
|
||||||
|
- dns_keytable_detachkeynode(val->keytable,
|
||||||
|
- &val->keynode);
|
||||||
|
- val->keynode = nextnode;
|
||||||
|
- if (result != ISC_R_SUCCESS) {
|
||||||
|
- val->key = NULL;
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
- val->key = dns_keynode_key(val->keynode);
|
||||||
|
- if (val->key == NULL)
|
||||||
|
- break;
|
||||||
|
- } else {
|
||||||
|
- if (get_dst_key(val, val->siginfo, val->keyset)
|
||||||
|
- != ISC_R_SUCCESS)
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
- } while (1);
|
||||||
|
- if (vresult != ISC_R_SUCCESS)
|
||||||
|
+ vresult = verify(val, val->key, &rdata,
|
||||||
|
+ val->siginfo->keyid);
|
||||||
|
+ if (vresult != ISC_R_SUCCESS) {
|
||||||
|
+ val->failed = true;
|
||||||
|
validator_log(val, ISC_LOG_DEBUG(3),
|
||||||
|
"failed to verify rdataset");
|
||||||
|
- else {
|
||||||
|
+ } else {
|
||||||
|
dns_rdataset_trimttl(event->rdataset,
|
||||||
|
event->sigrdataset,
|
||||||
|
val->siginfo, val->start,
|
||||||
|
@@ -1700,9 +1687,13 @@ validate(dns_validator_t *val, bool resume) {
|
||||||
|
} else {
|
||||||
|
validator_log(val, ISC_LOG_DEBUG(3),
|
||||||
|
"verify failure: %s",
|
||||||
|
- isc_result_totext(result));
|
||||||
|
+ isc_result_totext(vresult));
|
||||||
|
resume = false;
|
||||||
|
}
|
||||||
|
+ if (val->failed) {
|
||||||
|
+ result = ISC_R_NOMORE;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
if (result != ISC_R_NOMORE) {
|
||||||
|
validator_log(val, ISC_LOG_DEBUG(3),
|
||||||
|
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
|
||||||
|
index f597049493..7320653439 100644
|
||||||
|
--- a/lib/dns/win32/libdns.def.in
|
||||||
|
+++ b/lib/dns/win32/libdns.def.in
|
||||||
|
@@ -1439,6 +1439,7 @@ dst_key_format
|
||||||
|
dst_key_free
|
||||||
|
dst_key_frombuffer
|
||||||
|
dst_key_fromdns
|
||||||
|
+dst_key_fromdns_ex
|
||||||
|
dst_key_fromfile
|
||||||
|
dst_key_fromgssapi
|
||||||
|
dst_key_fromlabel
|
||||||
|
diff --git a/lib/isc/include/isc/task.h b/lib/isc/include/isc/task.h
|
||||||
|
index 28e5e25fc6..42f7763869 100644
|
||||||
|
--- a/lib/isc/include/isc/task.h
|
||||||
|
+++ b/lib/isc/include/isc/task.h
|
||||||
|
@@ -98,8 +98,15 @@ ISC_LANG_BEGINDECLS
|
||||||
|
***/
|
||||||
|
|
||||||
|
typedef enum {
|
||||||
|
- isc_taskmgrmode_normal = 0,
|
||||||
|
- isc_taskmgrmode_privileged
|
||||||
|
+ isc_taskqueue_normal = 0,
|
||||||
|
+ isc_taskqueue_slow = 1,
|
||||||
|
+} isc_taskqueue_t;
|
||||||
|
+
|
||||||
|
+#define ISC_TASK_QUANTUM_SLOW 1024
|
||||||
|
+
|
||||||
|
+typedef enum {
|
||||||
|
+ isc_taskmgrmode_normal = 0,
|
||||||
|
+ isc_taskmgrmode_privileged
|
||||||
|
} isc_taskmgrmode_t;
|
||||||
|
|
||||||
|
/*% Task and task manager methods */
|
||||||
|
diff --git a/lib/isc/task.c b/lib/isc/task.c
|
||||||
|
index 048639350b..cc83269df2 100644
|
||||||
|
--- a/lib/isc/task.c
|
||||||
|
+++ b/lib/isc/task.c
|
||||||
|
@@ -107,6 +107,7 @@ struct isc__task {
|
||||||
|
isc_eventlist_t on_shutdown;
|
||||||
|
unsigned int nevents;
|
||||||
|
unsigned int quantum;
|
||||||
|
+ unsigned int qid;
|
||||||
|
unsigned int flags;
|
||||||
|
isc_stdtime_t now;
|
||||||
|
isc_time_t tnow;
|
||||||
|
@@ -141,11 +142,11 @@ struct isc__taskmgr {
|
||||||
|
/* Locked by task manager lock. */
|
||||||
|
unsigned int default_quantum;
|
||||||
|
LIST(isc__task_t) tasks;
|
||||||
|
- isc__tasklist_t ready_tasks;
|
||||||
|
- isc__tasklist_t ready_priority_tasks;
|
||||||
|
+ isc__tasklist_t ready_tasks[2];
|
||||||
|
+ isc__tasklist_t ready_priority_tasks[2];
|
||||||
|
isc_taskmgrmode_t mode;
|
||||||
|
#ifdef ISC_PLATFORM_USETHREADS
|
||||||
|
- isc_condition_t work_available;
|
||||||
|
+ isc_condition_t work_available[2];
|
||||||
|
isc_condition_t exclusive_granted;
|
||||||
|
isc_condition_t paused;
|
||||||
|
#endif /* ISC_PLATFORM_USETHREADS */
|
||||||
|
@@ -247,13 +248,13 @@ isc_taskmgrmode_t
|
||||||
|
isc__taskmgr_mode(isc_taskmgr_t *manager0);
|
||||||
|
|
||||||
|
static inline bool
|
||||||
|
-empty_readyq(isc__taskmgr_t *manager);
|
||||||
|
+empty_readyq(isc__taskmgr_t *manager, isc_taskqueue_t qid);
|
||||||
|
|
||||||
|
static inline isc__task_t *
|
||||||
|
-pop_readyq(isc__taskmgr_t *manager);
|
||||||
|
+pop_readyq(isc__taskmgr_t *manager, isc_taskqueue_t qid);
|
||||||
|
|
||||||
|
static inline void
|
||||||
|
-push_readyq(isc__taskmgr_t *manager, isc__task_t *task);
|
||||||
|
+push_readyq(isc__taskmgr_t *manager, isc__task_t *task, isc_taskqueue_t qid);
|
||||||
|
|
||||||
|
static struct isc__taskmethods {
|
||||||
|
isc_taskmethods_t methods;
|
||||||
|
@@ -324,7 +325,8 @@ task_finished(isc__task_t *task) {
|
||||||
|
* any idle worker threads so they
|
||||||
|
* can exit.
|
||||||
|
*/
|
||||||
|
- BROADCAST(&manager->work_available);
|
||||||
|
+ BROADCAST(&manager->work_available[isc_taskqueue_normal]);
|
||||||
|
+ BROADCAST(&manager->work_available[isc_taskqueue_slow]);
|
||||||
|
}
|
||||||
|
#endif /* USE_WORKER_THREADS */
|
||||||
|
UNLOCK(&manager->lock);
|
||||||
|
@@ -364,7 +366,13 @@ isc__task_create(isc_taskmgr_t *manager0, unsigned int quantum,
|
||||||
|
INIT_LIST(task->events);
|
||||||
|
INIT_LIST(task->on_shutdown);
|
||||||
|
task->nevents = 0;
|
||||||
|
- task->quantum = quantum;
|
||||||
|
+ if (quantum >= ISC_TASK_QUANTUM_SLOW) {
|
||||||
|
+ task->qid = isc_taskqueue_slow;
|
||||||
|
+ task->quantum = quantum - ISC_TASK_QUANTUM_SLOW;
|
||||||
|
+ } else {
|
||||||
|
+ task->qid = isc_taskqueue_normal;
|
||||||
|
+ task->quantum = quantum;
|
||||||
|
+ }
|
||||||
|
task->flags = 0;
|
||||||
|
task->now = 0;
|
||||||
|
isc_time_settoepoch(&task->tnow);
|
||||||
|
@@ -476,11 +484,11 @@ task_ready(isc__task_t *task) {
|
||||||
|
|
||||||
|
LOCK(&manager->lock);
|
||||||
|
LOCK(&task->lock);
|
||||||
|
- push_readyq(manager, task);
|
||||||
|
+ push_readyq(manager, task, task->qid);
|
||||||
|
UNLOCK(&task->lock);
|
||||||
|
#ifdef USE_WORKER_THREADS
|
||||||
|
if (manager->mode == isc_taskmgrmode_normal || has_privilege)
|
||||||
|
- SIGNAL(&manager->work_available);
|
||||||
|
+ SIGNAL(&manager->work_available[task->qid]);
|
||||||
|
#endif /* USE_WORKER_THREADS */
|
||||||
|
UNLOCK(&manager->lock);
|
||||||
|
}
|
||||||
|
@@ -961,13 +969,13 @@ isc__task_getcurrenttimex(isc_task_t *task0, isc_time_t *t) {
|
||||||
|
* Caller must hold the task manager lock.
|
||||||
|
*/
|
||||||
|
static inline bool
|
||||||
|
-empty_readyq(isc__taskmgr_t *manager) {
|
||||||
|
+empty_readyq(isc__taskmgr_t *manager, isc_taskqueue_t qid) {
|
||||||
|
isc__tasklist_t queue;
|
||||||
|
|
||||||
|
if (manager->mode == isc_taskmgrmode_normal)
|
||||||
|
- queue = manager->ready_tasks;
|
||||||
|
+ queue = manager->ready_tasks[qid];
|
||||||
|
else
|
||||||
|
- queue = manager->ready_priority_tasks;
|
||||||
|
+ queue = manager->ready_priority_tasks[qid];
|
||||||
|
|
||||||
|
return (EMPTY(queue));
|
||||||
|
}
|
||||||
|
@@ -981,18 +989,18 @@ empty_readyq(isc__taskmgr_t *manager) {
|
||||||
|
* Caller must hold the task manager lock.
|
||||||
|
*/
|
||||||
|
static inline isc__task_t *
|
||||||
|
-pop_readyq(isc__taskmgr_t *manager) {
|
||||||
|
+pop_readyq(isc__taskmgr_t *manager, isc_taskqueue_t qid) {
|
||||||
|
isc__task_t *task;
|
||||||
|
|
||||||
|
if (manager->mode == isc_taskmgrmode_normal)
|
||||||
|
- task = HEAD(manager->ready_tasks);
|
||||||
|
+ task = HEAD(manager->ready_tasks[qid]);
|
||||||
|
else
|
||||||
|
- task = HEAD(manager->ready_priority_tasks);
|
||||||
|
+ task = HEAD(manager->ready_priority_tasks[qid]);
|
||||||
|
|
||||||
|
if (task != NULL) {
|
||||||
|
- DEQUEUE(manager->ready_tasks, task, ready_link);
|
||||||
|
+ DEQUEUE(manager->ready_tasks[qid], task, ready_link);
|
||||||
|
if (ISC_LINK_LINKED(task, ready_priority_link))
|
||||||
|
- DEQUEUE(manager->ready_priority_tasks, task,
|
||||||
|
+ DEQUEUE(manager->ready_priority_tasks[qid], task,
|
||||||
|
ready_priority_link);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1006,16 +1014,16 @@ pop_readyq(isc__taskmgr_t *manager) {
|
||||||
|
* Caller must hold the task manager lock.
|
||||||
|
*/
|
||||||
|
static inline void
|
||||||
|
-push_readyq(isc__taskmgr_t *manager, isc__task_t *task) {
|
||||||
|
- ENQUEUE(manager->ready_tasks, task, ready_link);
|
||||||
|
+push_readyq(isc__taskmgr_t *manager, isc__task_t *task, isc_taskqueue_t qid) {
|
||||||
|
+ ENQUEUE(manager->ready_tasks[qid], task, ready_link);
|
||||||
|
if ((task->flags & TASK_F_PRIVILEGED) != 0)
|
||||||
|
- ENQUEUE(manager->ready_priority_tasks, task,
|
||||||
|
+ ENQUEUE(manager->ready_priority_tasks[qid], task,
|
||||||
|
ready_priority_link);
|
||||||
|
manager->tasks_ready++;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
-dispatch(isc__taskmgr_t *manager) {
|
||||||
|
+dispatch(isc__taskmgr_t *manager, isc_taskqueue_t qid) {
|
||||||
|
isc__task_t *task;
|
||||||
|
#ifndef USE_WORKER_THREADS
|
||||||
|
unsigned int total_dispatch_count = 0;
|
||||||
|
@@ -1094,13 +1102,13 @@ dispatch(isc__taskmgr_t *manager) {
|
||||||
|
* If a pause has been requested, don't do any work
|
||||||
|
* until it's been released.
|
||||||
|
*/
|
||||||
|
- while ((empty_readyq(manager) || manager->pause_requested ||
|
||||||
|
+ while ((empty_readyq(manager, qid) || manager->pause_requested ||
|
||||||
|
manager->exclusive_requested) && !FINISHED(manager))
|
||||||
|
{
|
||||||
|
XTHREADTRACE(isc_msgcat_get(isc_msgcat,
|
||||||
|
ISC_MSGSET_GENERAL,
|
||||||
|
ISC_MSG_WAIT, "wait"));
|
||||||
|
- WAIT(&manager->work_available, &manager->lock);
|
||||||
|
+ WAIT(&manager->work_available[qid], &manager->lock);
|
||||||
|
XTHREADTRACE(isc_msgcat_get(isc_msgcat,
|
||||||
|
ISC_MSGSET_TASK,
|
||||||
|
ISC_MSG_AWAKE, "awake"));
|
||||||
|
@@ -1113,7 +1121,7 @@ dispatch(isc__taskmgr_t *manager) {
|
||||||
|
XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TASK,
|
||||||
|
ISC_MSG_WORKING, "working"));
|
||||||
|
|
||||||
|
- task = pop_readyq(manager);
|
||||||
|
+ task = pop_readyq(manager, qid);
|
||||||
|
if (task != NULL) {
|
||||||
|
unsigned int dispatch_count = 0;
|
||||||
|
bool done = false;
|
||||||
|
@@ -1278,7 +1286,7 @@ dispatch(isc__taskmgr_t *manager) {
|
||||||
|
*/
|
||||||
|
#ifdef USE_WORKER_THREADS
|
||||||
|
LOCK(&task->lock);
|
||||||
|
- push_readyq(manager, task);
|
||||||
|
+ push_readyq(manager, task, qid);
|
||||||
|
UNLOCK(&task->lock);
|
||||||
|
#else
|
||||||
|
ENQUEUE(new_ready_tasks, task, ready_link);
|
||||||
|
@@ -1297,10 +1305,14 @@ dispatch(isc__taskmgr_t *manager) {
|
||||||
|
* we're stuck. Automatically drop privileges at that
|
||||||
|
* point and continue with the regular ready queue.
|
||||||
|
*/
|
||||||
|
- if (manager->tasks_running == 0 && empty_readyq(manager)) {
|
||||||
|
+ if (manager->tasks_running == 0 && empty_readyq(manager, isc_taskqueue_normal) && empty_readyq(manager, isc_taskqueue_slow)) {
|
||||||
|
manager->mode = isc_taskmgrmode_normal;
|
||||||
|
- if (!empty_readyq(manager))
|
||||||
|
- BROADCAST(&manager->work_available);
|
||||||
|
+ if (!empty_readyq(manager, isc_taskqueue_normal)) {
|
||||||
|
+ BROADCAST(&manager->work_available[isc_taskqueue_normal]);
|
||||||
|
+ }
|
||||||
|
+ if (!empty_readyq(manager, isc_taskqueue_slow)) {
|
||||||
|
+ BROADCAST(&manager->work_available[isc_taskqueue_slow]);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
@@ -1322,13 +1334,37 @@ static isc_threadresult_t
|
||||||
|
#ifdef _WIN32
|
||||||
|
WINAPI
|
||||||
|
#endif
|
||||||
|
-run(void *uap) {
|
||||||
|
+run_normal(void *uap) {
|
||||||
|
isc__taskmgr_t *manager = uap;
|
||||||
|
|
||||||
|
XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
|
||||||
|
ISC_MSG_STARTING, "starting"));
|
||||||
|
|
||||||
|
- dispatch(manager);
|
||||||
|
+ dispatch(manager, isc_taskqueue_normal);
|
||||||
|
+
|
||||||
|
+ XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
|
||||||
|
+ ISC_MSG_EXITING, "exiting"));
|
||||||
|
+
|
||||||
|
+#ifdef OPENSSL_LEAKS
|
||||||
|
+ ERR_remove_state(0);
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ return ((isc_threadresult_t)0);
|
||||||
|
+}
|
||||||
|
+#endif /* USE_WORKER_THREADS */
|
||||||
|
+
|
||||||
|
+#ifdef USE_WORKER_THREADS
|
||||||
|
+static isc_threadresult_t
|
||||||
|
+#ifdef _WIN32
|
||||||
|
+WINAPI
|
||||||
|
+#endif
|
||||||
|
+run_slow(void *uap) {
|
||||||
|
+ isc__taskmgr_t *manager = uap;
|
||||||
|
+
|
||||||
|
+ XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
|
||||||
|
+ ISC_MSG_STARTING, "starting"));
|
||||||
|
+
|
||||||
|
+ dispatch(manager, isc_taskqueue_slow);
|
||||||
|
|
||||||
|
XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
|
||||||
|
ISC_MSG_EXITING, "exiting"));
|
||||||
|
@@ -1347,7 +1383,8 @@ manager_free(isc__taskmgr_t *manager) {
|
||||||
|
|
||||||
|
#ifdef USE_WORKER_THREADS
|
||||||
|
(void)isc_condition_destroy(&manager->exclusive_granted);
|
||||||
|
- (void)isc_condition_destroy(&manager->work_available);
|
||||||
|
+ (void)isc_condition_destroy(&manager->work_available[isc_taskqueue_normal]);
|
||||||
|
+ (void)isc_condition_destroy(&manager->work_available[isc_taskqueue_slow]);
|
||||||
|
(void)isc_condition_destroy(&manager->paused);
|
||||||
|
isc_mem_free(manager->mctx, manager->threads);
|
||||||
|
#endif /* USE_WORKER_THREADS */
|
||||||
|
@@ -1414,12 +1451,20 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
|
||||||
|
#ifdef USE_WORKER_THREADS
|
||||||
|
manager->workers = 0;
|
||||||
|
manager->threads = isc_mem_allocate(mctx,
|
||||||
|
- workers * sizeof(isc_thread_t));
|
||||||
|
+ 2 * workers * sizeof(isc_thread_t));
|
||||||
|
if (manager->threads == NULL) {
|
||||||
|
result = ISC_R_NOMEMORY;
|
||||||
|
goto cleanup_lock;
|
||||||
|
}
|
||||||
|
- if (isc_condition_init(&manager->work_available) != ISC_R_SUCCESS) {
|
||||||
|
+ if (isc_condition_init(&manager->work_available[isc_taskqueue_normal]) != ISC_R_SUCCESS) {
|
||||||
|
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
|
||||||
|
+ "isc_condition_init() %s",
|
||||||
|
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
|
||||||
|
+ ISC_MSG_FAILED, "failed"));
|
||||||
|
+ result = ISC_R_UNEXPECTED;
|
||||||
|
+ goto cleanup_threads;
|
||||||
|
+ }
|
||||||
|
+ if (isc_condition_init(&manager->work_available[isc_taskqueue_slow]) != ISC_R_SUCCESS) {
|
||||||
|
UNEXPECTED_ERROR(__FILE__, __LINE__,
|
||||||
|
"isc_condition_init() %s",
|
||||||
|
isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
|
||||||
|
@@ -1448,8 +1493,10 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
|
||||||
|
default_quantum = DEFAULT_DEFAULT_QUANTUM;
|
||||||
|
manager->default_quantum = default_quantum;
|
||||||
|
INIT_LIST(manager->tasks);
|
||||||
|
- INIT_LIST(manager->ready_tasks);
|
||||||
|
- INIT_LIST(manager->ready_priority_tasks);
|
||||||
|
+ INIT_LIST(manager->ready_tasks[isc_taskqueue_normal]);
|
||||||
|
+ INIT_LIST(manager->ready_tasks[isc_taskqueue_slow]);
|
||||||
|
+ INIT_LIST(manager->ready_priority_tasks[isc_taskqueue_normal]);
|
||||||
|
+ INIT_LIST(manager->ready_priority_tasks[isc_taskqueue_slow]);
|
||||||
|
manager->tasks_running = 0;
|
||||||
|
manager->tasks_ready = 0;
|
||||||
|
manager->exclusive_requested = false;
|
||||||
|
@@ -1465,7 +1512,19 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
|
||||||
|
* Start workers.
|
||||||
|
*/
|
||||||
|
for (i = 0; i < workers; i++) {
|
||||||
|
- if (isc_thread_create(run, manager,
|
||||||
|
+ if (isc_thread_create(run_normal, manager,
|
||||||
|
+ &manager->threads[manager->workers]) ==
|
||||||
|
+ ISC_R_SUCCESS) {
|
||||||
|
+ char name[21]; /* thread name limit on Linux */
|
||||||
|
+ snprintf(name, sizeof(name), "isc-worker%04u", i);
|
||||||
|
+ isc_thread_setname(manager->threads[manager->workers],
|
||||||
|
+ name);
|
||||||
|
+ manager->workers++;
|
||||||
|
+ started++;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ for (; i < workers * 2; i++) {
|
||||||
|
+ if (isc_thread_create(run_slow, manager,
|
||||||
|
&manager->threads[manager->workers]) ==
|
||||||
|
ISC_R_SUCCESS) {
|
||||||
|
char name[21]; /* thread name limit on Linux */
|
||||||
|
@@ -1482,7 +1541,7 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
|
||||||
|
manager_free(manager);
|
||||||
|
return (ISC_R_NOTHREADS);
|
||||||
|
}
|
||||||
|
- isc_thread_setconcurrency(workers);
|
||||||
|
+ isc_thread_setconcurrency(workers * 2);
|
||||||
|
#endif /* USE_WORKER_THREADS */
|
||||||
|
#ifdef USE_SHARED_MANAGER
|
||||||
|
manager->refs = 1;
|
||||||
|
@@ -1497,7 +1556,8 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
|
||||||
|
cleanup_exclusivegranted:
|
||||||
|
(void)isc_condition_destroy(&manager->exclusive_granted);
|
||||||
|
cleanup_workavailable:
|
||||||
|
- (void)isc_condition_destroy(&manager->work_available);
|
||||||
|
+ (void)isc_condition_destroy(&manager->work_available[isc_taskqueue_slow]);
|
||||||
|
+ (void)isc_condition_destroy(&manager->work_available[isc_taskqueue_normal]);
|
||||||
|
cleanup_threads:
|
||||||
|
isc_mem_free(mctx, manager->threads);
|
||||||
|
cleanup_lock:
|
||||||
|
@@ -1582,7 +1642,7 @@ isc__taskmgr_destroy(isc_taskmgr_t **managerp) {
|
||||||
|
task = NEXT(task, link)) {
|
||||||
|
LOCK(&task->lock);
|
||||||
|
if (task_shutdown(task))
|
||||||
|
- push_readyq(manager, task);
|
||||||
|
+ push_readyq(manager, task, task->qid);
|
||||||
|
UNLOCK(&task->lock);
|
||||||
|
}
|
||||||
|
#ifdef USE_WORKER_THREADS
|
||||||
|
@@ -1591,7 +1651,8 @@ isc__taskmgr_destroy(isc_taskmgr_t **managerp) {
|
||||||
|
* there's work left to do, and if there are already no tasks left
|
||||||
|
* it will cause the workers to see manager->exiting.
|
||||||
|
*/
|
||||||
|
- BROADCAST(&manager->work_available);
|
||||||
|
+ BROADCAST(&manager->work_available[isc_taskqueue_normal]);
|
||||||
|
+ BROADCAST(&manager->work_available[isc_taskqueue_slow]);
|
||||||
|
UNLOCK(&manager->lock);
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -1693,7 +1754,8 @@ isc__taskmgr_resume(isc_taskmgr_t *manager0) {
|
||||||
|
LOCK(&manager->lock);
|
||||||
|
if (manager->pause_requested) {
|
||||||
|
manager->pause_requested = false;
|
||||||
|
- BROADCAST(&manager->work_available);
|
||||||
|
+ BROADCAST(&manager->work_available[isc_taskqueue_normal]);
|
||||||
|
+ BROADCAST(&manager->work_available[isc_taskqueue_slow]);
|
||||||
|
}
|
||||||
|
UNLOCK(&manager->lock);
|
||||||
|
}
|
||||||
|
@@ -1778,7 +1840,8 @@ isc__task_endexclusive(isc_task_t *task0) {
|
||||||
|
LOCK(&manager->lock);
|
||||||
|
REQUIRE(manager->exclusive_requested);
|
||||||
|
manager->exclusive_requested = false;
|
||||||
|
- BROADCAST(&manager->work_available);
|
||||||
|
+ BROADCAST(&manager->work_available[isc_taskqueue_normal]);
|
||||||
|
+ BROADCAST(&manager->work_available[isc_taskqueue_slow]);
|
||||||
|
UNLOCK(&manager->lock);
|
||||||
|
#else
|
||||||
|
UNUSED(task0);
|
||||||
|
@@ -1804,10 +1867,10 @@ isc__task_setprivilege(isc_task_t *task0, bool priv) {
|
||||||
|
|
||||||
|
LOCK(&manager->lock);
|
||||||
|
if (priv && ISC_LINK_LINKED(task, ready_link))
|
||||||
|
- ENQUEUE(manager->ready_priority_tasks, task,
|
||||||
|
+ ENQUEUE(manager->ready_priority_tasks[task->qid], task,
|
||||||
|
ready_priority_link);
|
||||||
|
else if (!priv && ISC_LINK_LINKED(task, ready_priority_link))
|
||||||
|
- DEQUEUE(manager->ready_priority_tasks, task,
|
||||||
|
+ DEQUEUE(manager->ready_priority_tasks[task->qid], task,
|
||||||
|
ready_priority_link);
|
||||||
|
UNLOCK(&manager->lock);
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.43.2
|
||||||
|
|
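--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2024-1737-runtime-env.patch
@@ -0,0 +1,133 @@
+From 0a7909045f9e1bf74c1f0fd561a8ef5f55481e8f Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Mon, 29 Jul 2024 16:20:50 +0200
+Subject: [PATCH] Allow global runtime definition by DNS_RBTDB_MAX_RTYPES
+
+Modify rbtdb to not set it only at runtime, but allow setting that also
+in runtime via environment variable. It is still possible to modify
+default during the build define. In addition to it allows runtime change
+also. Can be positive number to set limit, 0 disabled the check.
+
+Similarly add also DNS_RDATASET_MAX_RECORDS to set maximum number of
+records for a single name. This must be positive number, 0 is no accepted.
+
+These replaces max-records-per-type and max-types-per-name in later
+versions. But can be configured only by environment and can be
+configured only globally, not in each view or zone.
+---
+lib/dns/rbtdb.c | 21 +++++++++++++++++++--
+lib/dns/rdataslab.c | 24 ++++++++++++++++++++++--
+2 files changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index a3cb8dc871..0104c3ee36 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -6320,15 +6320,29 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
+#define DNS_RBTDB_MAX_RTYPES 100
+#endif /* DNS_RBTDB_MAX_RTYPES */
+
++static uint32_t dns_g_rbtdb_max_rtypes = DNS_RBTDB_MAX_RTYPES;
++
++static void
++init_max_rtypes(void) {
++ /* Red Hat change, allow setting different max value by environment. */
++ const char *max = getenv("DNS_RBTDB_MAX_RTYPES");
++ if (max) {
++ char *endp = NULL;
++ long l = strtol(max, &endp, 10);
++ if (max != endp && endp && !*endp && l >= 0)
++ dns_g_rbtdb_max_rtypes = l;
++ }
++}
++
+static bool
+overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
+UNUSED(rbtdb);
+
+- if (DNS_RBTDB_MAX_RTYPES == 0) {
++ if (dns_g_rbtdb_max_rtypes == 0) {
+return (false);
+}
+
+- return (ntypes >= DNS_RBTDB_MAX_RTYPES);
++ return (ntypes >= dns_g_rbtdb_max_rtypes);
+}
+
+static bool
+@@ -8831,6 +8845,8 @@ static dns_dbmethods_t cache_methods = {
+getservestalettl
+};
+
++static isc_once_t once_db = ISC_ONCE_INIT;
++
+isc_result_t
+#ifdef DNS_RBTDB_VERSION64
+dns_rbtdb64_create
+@@ -8850,6 +8866,7 @@ dns_rbtdb_create
+
+/* Keep the compiler happy. */
+UNUSED(driverarg);
++ RUNTIME_CHECK(isc_once_do(&once_db, init_max_rtypes) == ISC_R_SUCCESS);
+
+rbtdb = isc_mem_get(mctx, sizeof(*rbtdb));
+if (rbtdb == NULL)
+diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
+index 347b7d2ce8..9566f79671 100644
+--- a/lib/dns/rdataslab.c
++++ b/lib/dns/rdataslab.c
+@@ -17,6 +17,7 @@
+#include <stdlib.h>
+
+#include <isc/mem.h>
++#include <isc/once.h>
+#include <isc/region.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+@@ -119,6 +120,23 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
+#define DNS_RDATASET_MAX_RECORDS 100
+#endif /* DNS_RDATASET_MAX_RECORDS */
+
++static unsigned int dns_g_rdataset_max_records = DNS_RDATASET_MAX_RECORDS;
++static isc_once_t once = ISC_ONCE_INIT;
++
++static void
++init_max_records(void) {
++ /* Red Hat change, allow setting different max value by environment. */
++ const char *max = getenv("DNS_RDATASET_MAX_RECORDS");
++ if (max) {
++ char *endp = NULL;
++ long l = strtol(max, &endp, 10);
++ if (max != endp && endp && !*endp && l > 0)
++ dns_g_rdataset_max_records = l;
++ }
++}
++
++
++
+isc_result_t
+dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+isc_region_t *region, unsigned int reservelen)
+@@ -165,7 +183,9 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+return (ISC_R_SUCCESS);
+}
+
+- if (nitems > DNS_RDATASET_MAX_RECORDS) {
++ RUNTIME_CHECK(isc_once_do(&once, init_max_records) == ISC_R_SUCCESS);
++
++ if (nitems > dns_g_rdataset_max_records) {
+return (DNS_R_TOOMANYRECORDS);
+}
+
+@@ -662,7 +682,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
+#endif
+INSIST(ocount > 0 && ncount > 0);
+
+- if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
++ if (ocount + ncount > dns_g_rdataset_max_records) {
+return (DNS_R_TOOMANYRECORDS);
+}
+
+--
+2.45.2
+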
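Review bot: The range check in `init_max_rtypes` and `init_max_records` validates the sign of `l` but not its magnitude, so on LP64 hosts a value above UINT32_MAX is silently truncated when assigned to the `uint32_t` / `unsigned int` globals (for example an over-large DNS_RBTDB_MAX_RTYPES can wrap to 0 and disable the type cap the CVE-2024-1737 fix relies on), and an out-of-range string makes strtol saturate at LONG_MAX without `errno` being consulted. Tighten the accept condition to `if (max != endp && endp && !*endp && l >= 0 && l <= UINT32_MAX)` in rbtdb.c and `if (max != endp && endp && !*endp && l > 0 && l <= UINT_MAX)` in rdataslab.c (with `<stdint.h>` / `<limits.h>` as needed), and clear and test `errno` around the strtol call so ERANGE is rejected rather than mapped to the largest representable limit. It would also help to state in the comment above each helper that the environment is read once per process via `isc_once_do`, and that a rejected value falls back to the compile-time default; `dns_rdataslab_merge` reads `dns_g_rdataset_max_records` without the once-guard, which appears safe only because a merge presumably follows an earlier `dns_rdataslab_fromrdataset` — worth a comment confirming that ordering.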
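--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2024-1737.patch
@@ -0,0 +1,317 @@
+From 71df06e2bf3da31c5d542fb33dbda67b21537322 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Fri, 1 Mar 2024 08:26:07 +0100
+Subject: [PATCH] [9.11][CVE-2024-1737] Add a limit to the number of RRs in
+RRSets
+
+Add a limit to the number of RRs in RRSets
+
+Previously, the number of RRs in the RRSets were internally unlimited.
+As the data structure that holds the RRs is just a linked list, and
+there are places where we just walk through all of the RRs, adding an
+RRSet with huge number of RRs inside would slow down processing of said
+RRSets.
+
+The fix for end-of-life branches make the limit compile-time only for
+simplicity and the limit can be changed at the compile time by adding
+following define to CFLAGS:
+
+-DDNS_RDATASET_MAX_RECORDS=<limit>
+
+(cherry picked from commit c5c4d00c38530390c9e1ae4c98b65fbbadfe9e5e)
+(cherry picked from commit 7f705778af729ada7fec36ac4b456c73329bd996)
+(cherry picked from commit b9b5485b22c364fb88c27aa04bad4c8f616da3fa)
+
+Add a limit to the number of RR types for single name
+
+Previously, the number of RR types for a single owner name was limited
+only by the maximum number of the types (64k). As the data structure
+that holds the RR types for the database node is just a linked list, and
+there are places where we just walk through the whole list (again and
+again), adding a large number of RR types for a single owner named with
+would slow down processing of such name (database node).
+
+Add a hard-coded limit (100) to cap the number of the RR types for a single
+owner. The limit can be changed at the compile time by adding following
+define to CFLAGS:
+
+-DDNS_RBTDB_MAX_RTYPES=<limit>
+
+(cherry picked from commit 538b843d84f49ba5125ff545e3d0cf1c8434a8f2)
+(cherry picked from commit 3f10d6eff035702796ba82cd28b9f7cf9836e743)
+
+Optimize the slabheader placement for certain RRTypes
+
+Mark the infrastructure RRTypes as "priority" types and place them at
+the beginning of the rdataslab header data graph. The non-priority
+types either go right after the priority types (if any).
+
+(cherry picked from commit 3ac482be7fd058d284e89873021339579fad0615)
+(cherry picked from commit 23a4652346fb2877d6246b1eebaa967969dbde16)
+
+[9.11][CVE-2024-1737 (part 2)] Be smarter about refusing to add many RR types to the database
+
+Expand the list of the priority types
+
+Add HTTPS, SVCB, SRV, PTR, NAPTR, DNSKEY and TXT records to the list of
+the priority types that are put at the beginning of the slabheader list
+for faster access and to avoid eviction when there are more types than
+the max-types-per-name limit.
+
+(cherry picked from commit b27c6bcce894786a8e082eafd59eccbf6f2731cb)
+(cherry picked from commit 3e0a67e4bdb253dae3a03a45c1aa117239a3313d)
+
+Be smarter about refusing to add many RR types to the database
+
+Instead of outright refusing to add new RR types to the cache, be a bit
+smarter:
+
+1. If the new header type is in our priority list, we always add either
+positive or negative entry at the beginning of the list.
+
+2. If the new header type is negative entry, and we are over the limit,
+we mark it as ancient immediately, so it gets evicted from the cache
+as soon as possible.
+
+3. Otherwise add the new header after the priority headers (or at the
+head of the list).
+
+4. If we are over the limit, evict the last entry on the normal header
+list.
+
+(cherry picked from commit 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120)
+(cherry picked from commit e4d7ce686bb38428eddc7e33b40057d68eca9a6e)
+---
+configure | 2 +-
+configure.ac | 2 +-
+lib/dns/rbtdb.c | 114 +++++++++++++++++++++++++++++++++++++++++++-
+lib/dns/rdataslab.c | 12 +++++
+4 files changed, 126 insertions(+), 4 deletions(-)
+
+diff --git a/configure b/configure
+index e060e9d..6421c9b 100755
+--- a/configure
++++ b/configure
+@@ -12189,7 +12189,7 @@ fi
+XTARGETS=
+case "$enable_developer" in
+yes)
+- STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
++ STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
+test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
+test "${enable_querytrace+set}" = set || enable_querytrace=yes
+test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
+diff --git a/configure.ac b/configure.ac
+index 83cad4a..1c35ce9 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -100,7 +100,7 @@ AC_ARG_ENABLE(developer,
+XTARGETS=
+case "$enable_developer" in
+yes)
+- STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
++ STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
+test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
+test "${enable_querytrace+set}" = set || enable_querytrace=yes
+test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index ee59c1b..a2b2df7 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -1183,6 +1183,44 @@ set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) {
+isc_heap_decreased(heap, header->heap_index);
+}
+
++static bool
++prio_type(rbtdb_rdatatype_t type) {
++ switch (type) {
++ case dns_rdatatype_soa:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
++ case dns_rdatatype_a:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
++ case dns_rdatatype_mx:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_mx):
++ case dns_rdatatype_aaaa:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
++ case dns_rdatatype_nsec:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec):
++ case dns_rdatatype_nsec3:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec3):
++ case dns_rdatatype_ns:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns):
++ case dns_rdatatype_ds:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
++ case dns_rdatatype_cname:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
++ case dns_rdatatype_dname:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname):
++ case dns_rdatatype_dnskey:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dnskey):
++ case dns_rdatatype_srv:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_srv):
++ case dns_rdatatype_txt:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_txt):
++ case dns_rdatatype_ptr:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ptr):
++ case dns_rdatatype_naptr:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_naptr):
++ return (true);
++ }
++ return (false);
++}
++
+/*%
+* These functions allow the heap code to rank the priority of each
+* element. It returns true if v1 happens "sooner" than v2.
+@@ -6278,6 +6316,30 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
+RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
+}
+
++#ifndef DNS_RBTDB_MAX_RTYPES
++#define DNS_RBTDB_MAX_RTYPES 100
++#endif /* DNS_RBTDB_MAX_RTYPES */
++
++static bool
++overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
++ UNUSED(rbtdb);
++
++ if (DNS_RBTDB_MAX_RTYPES == 0) {
++ return (false);
++ }
++
++ return (ntypes >= DNS_RBTDB_MAX_RTYPES);
++}
++
++static bool
++prio_header(rdatasetheader_t *header) {
++ if (NEGATIVE(header) && prio_type(RBTDB_RDATATYPE_EXT(header->type))) {
++ return (true);
++ }
++
++ return (prio_type(header->type));
++}
++
+/*
+* write lock on rbtnode must be held.
+*/
+@@ -6288,6 +6350,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+{
+rbtdb_changed_t *changed = NULL;
+rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
++ rdatasetheader_t *prioheader = NULL, *expireheader = NULL;
+unsigned char *merged;
+isc_result_t result;
+bool header_nx;
+@@ -6297,6 +6360,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+rbtdb_rdatatype_t negtype, sigtype;
+dns_trust_t trust;
+int idx;
++ uint32_t ntypes = 0;
+
+/*
+* Add an rdatasetheader_t to a node.
+@@ -6429,6 +6493,15 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+for (topheader = rbtnode->data;
+topheader != NULL;
+topheader = topheader->next) {
++ if (IS_CACHE(rbtdb) && ACTIVE(topheader, now)) {
++ ++ntypes;
++ expireheader = topheader;
++ } else if (!IS_CACHE(rbtdb)) {
++ ++ntypes;
++ }
++ if (prio_header(topheader)) {
++ prioheader = topheader;
++ }
+if (topheader->type == newheader->type ||
+topheader->type == negtype)
+break;
+@@ -6792,9 +6865,46 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+/*
+* No rdatasets of the given type exist at the node.
+*/
+- newheader->next = rbtnode->data;
++ if (!IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
++ free_rdataset(rbtdb, rbtdb->common.mctx,
++ newheader);
++ return (ISC_R_QUOTA);
++ }
++
+newheader->down = NULL;
+- rbtnode->data = newheader;
++
++ if (prio_header(newheader)) {
++ /* This is a priority type, prepend it */
++ newheader->next = rbtnode->data;
++ rbtnode->data = newheader;
++ } else if (prioheader != NULL) {
++ /* Append after the priority headers */
++ newheader->next = prioheader->next;
++ prioheader->next = newheader;
++ } else {
++ /* There were no priority headers */
++ newheader->next = rbtnode->data;
++ rbtnode->data = newheader;
++ }
++
++ if (IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
++ if (expireheader == NULL) {
++ expireheader = newheader;
++ }
++ if (NEGATIVE(newheader) &&
++ !prio_header(newheader))
++ {
++ /*
++ * Add the new non-priority negative
++ * header to the database only
++ * temporarily.
++ */
++ expireheader = newheader;
++ }
++
++ set_ttl(rbtdb, expireheader, 0);
++ mark_header_ancient(rbtdb, expireheader);
++ }
+}
+}
+
+diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
+index b0f77b1..347b7d2 100644
+--- a/lib/dns/rdataslab.c
++++ b/lib/dns/rdataslab.c
+@@ -115,6 +115,10 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
+}
+#endif
+
++#ifndef DNS_RDATASET_MAX_RECORDS
++#define DNS_RDATASET_MAX_RECORDS 100
++#endif /* DNS_RDATASET_MAX_RECORDS */
++
+isc_result_t
+dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+isc_region_t *region, unsigned int reservelen)
+@@ -161,6 +165,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+return (ISC_R_SUCCESS);
+}
+
++ if (nitems > DNS_RDATASET_MAX_RECORDS) {
++ return (DNS_R_TOOMANYRECORDS);
++ }
++
+if (nitems > 0xffff)
+return (ISC_R_NOSPACE);
+
+@@ -654,6 +662,10 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
+#endif
+INSIST(ocount > 0 && ncount > 0);
+
++ if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
++ return (DNS_R_TOOMANYRECORDS);
++ }
++
+#if DNS_RDATASET_FIXED
+oncount = ncount;
+#endif
+--
+2.45.2
+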
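Review bot: In the cache branch of `add32` (the `@@ -6792,9 +6865,46 @@` hunk), `expireheader` is the last active header seen during the list walk, and nothing guarantees that header is a non-priority one: if every active header on the node is a priority type and a non-priority, non-negative header arrives while over the limit, the eviction falls on a priority header (an RRSIG or NS, say) rather than on the newcomer or another non-priority entry, which is the opposite of what the commit message's step 4 describes. That can only happen when the active header count reaches DNS_RBTDB_MAX_RTYPES with priority types alone, so with the default of 100 it is unlikely, but the limit is a build-time knob here and a companion patch in this series makes it runtime-configurable, so a small value makes it reachable; if I read the walk correctly, tracking the last active *non-priority* header separately (`if (!prio_header(topheader)) expireheader = topheader;` inside the `ACTIVE` branch) and falling back to `newheader` when none exists would keep the eviction on the intended list. Independently, the walk-and-count deserves a comment stating that `ntypes` counts only active headers for cache databases but every header for zone databases, and that the count must run under the node write lock noted above `add32`; `overmaxtype` should also say why it accepts and ignores `rbtdb` (presumably a hook for a per-database limit). The enclosing `add32` starts and ends outside this hunk.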
322
SOURCES/bind-9.11-CVE-2024-1975.patch
Normal file
@ -0,0 +1,322 @@
|
|||||||
|
From 5ff88892e43c049659a8a5aef8dfd56c3712daf0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Mensik <pemensik@redhat.com>
|
||||||
|
Date: Tue, 16 Jul 2024 19:49:09 +0200
|
||||||
|
Subject: [PATCH] Resolve CVE-2024-1975
|
||||||
|
|
||||||
|
6404. [security] Remove SIG(0) support from named as a countermeasure
|
||||||
|
for CVE-2024-1975. [GL #4480]
|
||||||
|
|
||||||
|
Resolves: CVE-2024-1975
|
||||||
|
---
|
||||||
|
bin/named/client.c | 7 +++
|
||||||
|
bin/tests/system/tsiggss/authsock.pl | 5 ++
|
||||||
|
bin/tests/system/tsiggss/tests.sh | 12 ++--
|
||||||
|
bin/tests/system/upforwd/tests.sh | 21 ++++---
|
||||||
|
doc/arm/Bv9ARM-book.xml | 22 +++----
|
||||||
|
lib/dns/message.c | 94 +++-------------------------
|
||||||
|
6 files changed, 49 insertions(+), 112 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/bin/named/client.c b/bin/named/client.c
|
||||||
|
index 368bc94..ea121b3 100644
|
||||||
|
--- a/bin/named/client.c
|
||||||
|
+++ b/bin/named/client.c
|
||||||
|
@@ -3013,6 +3013,13 @@ client_request(isc_task_t *task, isc_event_t *event) {
|
||||||
|
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
|
||||||
|
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
|
||||||
|
"request is signed by a nonauthoritative key");
|
||||||
|
+ } else if (result == DNS_R_NOTVERIFIEDYET &&
|
||||||
|
+ client->message->sig0 != NULL)
|
||||||
|
+ {
|
||||||
|
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
|
||||||
|
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
|
||||||
|
+ "request has a SIG(0) signature but its support "
|
||||||
|
+ "was removed (CVE-2024-1975)");
|
||||||
|
} else {
|
||||||
|
char tsigrcode[64];
|
||||||
|
isc_buffer_t b;
|
||||||
|
diff --git a/bin/tests/system/tsiggss/authsock.pl b/bin/tests/system/tsiggss/authsock.pl
|
||||||
|
index ab3833d..0b231ee 100644
|
||||||
|
--- a/bin/tests/system/tsiggss/authsock.pl
|
||||||
|
+++ b/bin/tests/system/tsiggss/authsock.pl
|
||||||
|
@@ -31,6 +31,10 @@ if (!defined($path)) {
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
+# Enable output autoflush so that it's not lost when the parent sends TERM.
|
||||||
|
+select STDOUT;
|
||||||
|
+$| = 1;
|
||||||
|
+
|
||||||
|
unlink($path);
|
||||||
|
my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or
|
||||||
|
die "unable to create socket $path";
|
||||||
|
@@ -53,6 +57,7 @@ if ($timeout != 0) {
|
||||||
|
}
|
||||||
|
|
||||||
|
while (my $client = $server->accept()) {
|
||||||
|
+ printf("accept()\n");
|
||||||
|
$client->recv(my $buf, 8, 0);
|
||||||
|
my ($version, $req_len) = unpack('N N', $buf);
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh
|
||||||
|
index 456ce61..d0db388 100644
|
||||||
|
--- a/bin/tests/system/tsiggss/tests.sh
|
||||||
|
+++ b/bin/tests/system/tsiggss/tests.sh
|
||||||
|
@@ -116,7 +116,7 @@ status=$((status+ret))
|
||||||
|
|
||||||
|
echo_i "testing external update policy (CNAME) with auth sock ($n)"
|
||||||
|
ret=0
|
||||||
|
-$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 &
|
||||||
|
+$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 >authsock.log 2>&1 &
|
||||||
|
sleep 1
|
||||||
|
test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1
|
||||||
|
n=$((n+1))
|
||||||
|
@@ -130,17 +130,19 @@ n=$((n+1))
|
||||||
|
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
|
||||||
|
status=$((status+ret))
|
||||||
|
|
||||||
|
-echo_i "testing external policy with SIG(0) key ($n)"
|
||||||
|
+echo_i "testing external policy with unsupported SIG(0) key ($n)"
|
||||||
|
ret=0
|
||||||
|
-$NSUPDATE -R $RANDFILE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
|
||||||
|
+$NSUPDATE -R $RANDFILE -k ns1/Kkey.example.nil.*.private <<END >nsupdate.out${n} 2>&1 || true
|
||||||
|
+debug
|
||||||
|
server 10.53.0.1 ${PORT}
|
||||||
|
zone example.nil
|
||||||
|
update add fred.example.nil 120 cname foo.bar.
|
||||||
|
send
|
||||||
|
END
|
||||||
|
+# update must have failed - SIG(0) signer is not supported
|
||||||
|
output=`$DIG $DIGOPTS +short cname fred.example.nil.`
|
||||||
|
-[ -n "$output" ] || ret=1
|
||||||
|
-[ $ret -eq 0 ] || echo_i "failed"
|
||||||
|
+[ -n "$output" ] && ret=1
|
||||||
|
+grep -F "signer=key.example.nil" authsock.log >/dev/null && ret=1
|
||||||
|
n=$((n+1))
|
||||||
|
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
|
||||||
|
status=$((status+ret))
|
||||||
|
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
|
||||||
|
index ebc9ded..f5b89d4 100644
|
||||||
|
--- a/bin/tests/system/upforwd/tests.sh
|
||||||
|
+++ b/bin/tests/system/upforwd/tests.sh
|
||||||
|
@@ -181,19 +181,22 @@ n=`expr $n + 1`
|
||||||
|
|
||||||
|
if test -f keyname
|
||||||
|
then
|
||||||
|
- echo_i "checking update forwarding to with sig0 ($n)"
|
||||||
|
+ echo_i "checking update forwarding to with sig0 (expected to fail) ($n)"
|
||||||
|
ret=0
|
||||||
|
keyname=`cat keyname`
|
||||||
|
- $NSUPDATE -k $keyname.private -- - <<EOF
|
||||||
|
- local 10.53.0.1
|
||||||
|
- server 10.53.0.3 ${PORT}
|
||||||
|
- zone example2
|
||||||
|
- update add unsigned.example2. 600 A 10.10.10.1
|
||||||
|
- update add unsigned.example2. 600 TXT Foo
|
||||||
|
- send
|
||||||
|
+ # SIG(0) is removed, update is expected to fail.
|
||||||
|
+ {
|
||||||
|
+ $NSUPDATE -k $keyname.private -- - <<EOF
|
||||||
|
+ local 10.53.0.1
|
||||||
|
+ server 10.53.0.3 ${PORT}
|
||||||
|
+ zone example2
|
||||||
|
+ update add unsigned.example2. 600 A 10.10.10.1
|
||||||
|
+ update add unsigned.example2. 600 TXT Foo
|
||||||
|
+ send
|
||||||
|
EOF
|
||||||
|
+ } >nsupdate.out.$n 2>&1 && ret=1
|
||||||
|
$DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > dig.out.ns1.test$n
|
||||||
|
- grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
|
||||||
|
+ grep "status: NOERROR" dig.out.ns1.test$n >/dev/null && ret=1
|
||||||
|
if [ $ret != 0 ] ; then echo_i "failed"; fi
|
||||||
|
status=`expr $status + $ret`
|
||||||
|
n=`expr $n + 1`
|
||||||
|
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
|
||||||
|
index acf772b..563dced 100644
|
||||||
|
--- a/doc/arm/Bv9ARM-book.xml
|
||||||
|
+++ b/doc/arm/Bv9ARM-book.xml
|
||||||
|
@@ -2027,7 +2027,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
|
||||||
|
The TKEY process is initiated by a client or server by sending
|
||||||
|
a query of type TKEY to a TKEY-aware server. The query must include
|
||||||
|
an appropriate KEY record in the additional section, and
|
||||||
|
- must be signed using either TSIG or SIG(0) with a previously
|
||||||
|
+ must be signed using TSIG with a previously
|
||||||
|
established key. The server's response, if successful,
|
||||||
|
contains a TKEY record in its answer section. After this transaction,
|
||||||
|
both participants have enough information to calculate a
|
||||||
|
@@ -2050,24 +2050,24 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
|
||||||
|
<section xml:id="sig0"><info><title>SIG(0)</title></info>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
- <acronym>BIND</acronym> partially supports DNSSEC SIG(0)
|
||||||
|
+ <acronym>BIND</acronym> partially supported DNSSEC SIG(0)
|
||||||
|
transaction signatures as specified in RFC 2535 and RFC 2931.
|
||||||
|
SIG(0) uses public/private keys to authenticate messages. Access control
|
||||||
|
- is performed in the same manner as with TSIG keys; privileges can be
|
||||||
|
+ were performed in the same manner as with TSIG keys; privileges can be
|
||||||
|
granted or denied in ACL directives based on the key name.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
- When a SIG(0) signed message is received, it is only
|
||||||
|
+ When a SIG(0) signed message were received, it were only
|
||||||
|
verified if the key is known and trusted by the server. The
|
||||||
|
- server does not attempt to recursively fetch or validate the
|
||||||
|
+ server did not attempt to recursively fetch or validate the
|
||||||
|
key.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
- SIG(0) signing of multiple-message TCP streams is not supported.
|
||||||
|
+ SIG(0) signing of multiple-message TCP streams were not supported.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
- The only tool shipped with <acronym>BIND</acronym> 9 that
|
||||||
|
- generates SIG(0) signed messages is <command>nsupdate</command>.
|
||||||
|
+ Support for SIG(0) message verification was removed
|
||||||
|
+ as part of the mitigation of CVE-2024-1975.
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
@@ -12655,7 +12655,7 @@ example.com. NS ns2.example.net.
|
||||||
|
either grants or denies permission for one or more
|
||||||
|
names in the zone to be updated by one or more
|
||||||
|
identities. Identity is determined by the key that
|
||||||
|
- signed the update request, using either TSIG or SIG(0).
|
||||||
|
+ signed the update request, using TSIG.
|
||||||
|
In most cases, <command>update-policy</command> rules
|
||||||
|
only apply to key-based identities. There is no way
|
||||||
|
to specify update permissions based on client source
|
||||||
|
@@ -12742,7 +12742,7 @@ example.com. NS ns2.example.net.
|
||||||
|
<para>
|
||||||
|
The <command>identity</command> field must be set to
|
||||||
|
a fully qualified domain name. In most cases, this
|
||||||
|
- represents the name of the TSIG or SIG(0) key that must be
|
||||||
|
+ represents the name of the TSIG key that must be
|
||||||
|
used to sign the update request. If the specified name is a
|
||||||
|
wildcard, it is subject to DNS wildcard expansion, and the
|
||||||
|
rule may apply to multiple identities. When a TKEY exchange
|
||||||
|
@@ -15952,7 +15952,7 @@ HOST-127.EXAMPLE. MX 0 .
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
ACLs match clients on the basis of up to three characteristics:
|
||||||
|
- 1) The client's IP address; 2) the TSIG or SIG(0) key that was
|
||||||
|
+ 1) The client's IP address; 2) the TSIG key that was
|
||||||
|
used to sign the request, if any; and 3) an address prefix
|
||||||
|
encoded in an EDNS Client-Subnet option, if any.
|
||||||
|
</para>
|
||||||
|
diff --git a/lib/dns/message.c b/lib/dns/message.c
|
||||||
|
index a44eb2d..9ea2b9e 100644
|
||||||
|
--- a/lib/dns/message.c
|
||||||
|
+++ b/lib/dns/message.c
|
||||||
|
@@ -3373,103 +3373,23 @@ dns_message_dumpsig(dns_message_t *msg, char *txt1) {
|
||||||
|
|
||||||
|
isc_result_t
|
||||||
|
dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
|
||||||
|
- isc_buffer_t b, msgb;
|
||||||
|
+ isc_buffer_t msgb;
|
||||||
|
|
||||||
|
REQUIRE(DNS_MESSAGE_VALID(msg));
|
||||||
|
|
||||||
|
- if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL)
|
||||||
|
+ if (msg->tsigkey == NULL && msg->tsig == NULL)
|
||||||
|
return (ISC_R_SUCCESS);
|
||||||
|
|
||||||
|
INSIST(msg->saved.base != NULL);
|
||||||
|
isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
|
||||||
|
isc_buffer_add(&msgb, msg->saved.length);
|
||||||
|
- if (msg->tsigkey != NULL || msg->tsig != NULL) {
|
||||||
|
#ifdef SKAN_MSG_DEBUG
|
||||||
|
- dns_message_dumpsig(msg, "dns_message_checksig#1");
|
||||||
|
+ dns_message_dumpsig(msg, "dns_message_checksig#1");
|
||||||
|
#endif
|
||||||
|
- if (view != NULL)
|
||||||
|
- return (dns_view_checksig(view, &msgb, msg));
|
||||||
|
- else
|
||||||
|
- return (dns_tsig_verify(&msgb, msg, NULL, NULL));
|
||||||
|
- } else {
|
||||||
|
- dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||||
|
- dns_rdata_sig_t sig;
|
||||||
|
- dns_rdataset_t keyset;
|
||||||
|
- isc_result_t result;
|
||||||
|
-
|
||||||
|
- result = dns_rdataset_first(msg->sig0);
|
||||||
|
- INSIST(result == ISC_R_SUCCESS);
|
||||||
|
- dns_rdataset_current(msg->sig0, &rdata);
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
- * This can occur when the message is a dynamic update, since
|
||||||
|
- * the rdata length checking is relaxed. This should not
|
||||||
|
- * happen in a well-formed message, since the SIG(0) is only
|
||||||
|
- * looked for in the additional section, and the dynamic update
|
||||||
|
- * meta-records are in the prerequisite and update sections.
|
||||||
|
- */
|
||||||
|
- if (rdata.length == 0)
|
||||||
|
- return (ISC_R_UNEXPECTEDEND);
|
||||||
|
-
|
||||||
|
- result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
|
||||||
|
- if (result != ISC_R_SUCCESS)
|
||||||
|
- return (result);
|
||||||
|
-
|
||||||
|
- dns_rdataset_init(&keyset);
|
||||||
|
- if (view == NULL)
|
||||||
|
- return (DNS_R_KEYUNAUTHORIZED);
|
||||||
|
- result = dns_view_simplefind(view, &sig.signer,
|
||||||
|
- dns_rdatatype_key /* SIG(0) */,
|
||||||
|
- 0, 0, false, &keyset, NULL);
|
||||||
|
-
|
||||||
|
- if (result != ISC_R_SUCCESS) {
|
||||||
|
- /* XXXBEW Should possibly create a fetch here */
|
||||||
|
- result = DNS_R_KEYUNAUTHORIZED;
|
||||||
|
- goto freesig;
|
||||||
|
- } else if (keyset.trust < dns_trust_secure) {
|
||||||
|
- /* XXXBEW Should call a validator here */
|
||||||
|
- result = DNS_R_KEYUNAUTHORIZED;
|
||||||
|
- goto freesig;
|
||||||
|
- }
|
||||||
|
- result = dns_rdataset_first(&keyset);
|
||||||
|
- INSIST(result == ISC_R_SUCCESS);
|
||||||
|
- for (;
|
||||||
|
- result == ISC_R_SUCCESS;
|
||||||
|
- result = dns_rdataset_next(&keyset))
|
||||||
|
- {
|
||||||
|
- dst_key_t *key = NULL;
|
||||||
|
-
|
||||||
|
- dns_rdata_reset(&rdata);
|
||||||
|
- dns_rdataset_current(&keyset, &rdata);
|
||||||
|
- isc_buffer_init(&b, rdata.data, rdata.length);
|
||||||
|
- isc_buffer_add(&b, rdata.length);
|
||||||
|
-
|
||||||
|
- result = dst_key_fromdns(&sig.signer, rdata.rdclass,
|
||||||
|
- &b, view->mctx, &key);
|
||||||
|
- if (result != ISC_R_SUCCESS)
|
||||||
|
- continue;
|
||||||
|
- if (dst_key_alg(key) != sig.algorithm ||
|
||||||
|
- dst_key_id(key) != sig.keyid ||
|
||||||
|
- !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
|
||||||
|
- dst_key_proto(key) == DNS_KEYPROTO_ANY))
|
||||||
|
- {
|
||||||
|
- dst_key_free(&key);
|
||||||
|
- continue;
|
||||||
|
- }
|
||||||
|
- result = dns_dnssec_verifymessage(&msgb, msg, key);
|
||||||
|
- dst_key_free(&key);
|
||||||
|
- if (result == ISC_R_SUCCESS)
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
- if (result == ISC_R_NOMORE)
|
||||||
|
- result = DNS_R_KEYUNAUTHORIZED;
|
||||||
|
-
|
||||||
|
- freesig:
|
||||||
|
- if (dns_rdataset_isassociated(&keyset))
|
||||||
|
- dns_rdataset_disassociate(&keyset);
|
||||||
|
- dns_rdata_freestruct(&sig);
|
||||||
|
- return (result);
|
||||||
|
- }
|
||||||
|
+ if (view != NULL)
|
||||||
|
+ return (dns_view_checksig(view, &msgb, msg));
|
||||||
|
+ else
|
||||||
|
+ return (dns_tsig_verify(&msgb, msg, NULL, NULL));
|
||||||
|
}
|
||||||
|
|
||||||
|
#define INDENT(sp) \
|
||||||
|
--
|
||||||
|
2.45.2
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 14ad3e0b42bc999072d30268396412bec158a22d Mon Sep 17 00:00:00 2001
|
From 1dc81c51cd5c70b783aab8b6156aec4cfedd6fe3 Mon Sep 17 00:00:00 2001
|
||||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||||
Date: Thu, 2 Aug 2018 23:46:45 +0200
|
Date: Thu, 2 Aug 2018 23:46:45 +0200
|
||||||
Subject: [PATCH] FIPS tests changes
|
Subject: [PATCH] FIPS tests changes
|
||||||
@ -96,12 +96,14 @@ Date: Wed Mar 7 10:44:23 2018 +0100
|
|||||||
bin/tests/system/rndc/setup.sh | 2 +-
|
bin/tests/system/rndc/setup.sh | 2 +-
|
||||||
bin/tests/system/rndc/tests.sh | 23 ++++---
|
bin/tests/system/rndc/tests.sh | 23 ++++---
|
||||||
bin/tests/system/tsig/ns1/named.conf.in | 10 +--
|
bin/tests/system/tsig/ns1/named.conf.in | 10 +--
|
||||||
|
bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
|
||||||
bin/tests/system/tsig/setup.sh | 5 ++
|
bin/tests/system/tsig/setup.sh | 5 ++
|
||||||
bin/tests/system/tsig/tests.sh | 65 +++++++++++-------
|
bin/tests/system/tsig/tests.sh | 65 +++++++++++-------
|
||||||
bin/tests/system/tsiggss/setup.sh | 2 +-
|
bin/tests/system/tsiggss/setup.sh | 2 +-
|
||||||
bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
|
bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
|
||||||
bin/tests/system/upforwd/tests.sh | 2 +-
|
bin/tests/system/upforwd/tests.sh | 2 +-
|
||||||
43 files changed, 220 insertions(+), 170 deletions(-)
|
44 files changed, 230 insertions(+), 170 deletions(-)
|
||||||
|
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||||
|
|
||||||
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
|
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
|
||||||
index 9999ada..e3f8d0e 100644
|
index 9999ada..e3f8d0e 100644
|
||||||
@ -598,10 +600,10 @@ index b66207a..359b220 100644
|
|||||||
; TTL of 3 weeks
|
; TTL of 3 weeks
|
||||||
weeks 1814400 A 10.53.0.2
|
weeks 1814400 A 10.53.0.2
|
||||||
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
|
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
|
||||||
index 2109001..ded5557 100644
|
index a3ebc31..0d9b9b8 100644
|
||||||
--- a/bin/tests/system/digdelv/tests.sh
|
--- a/bin/tests/system/digdelv/tests.sh
|
||||||
+++ b/bin/tests/system/digdelv/tests.sh
|
+++ b/bin/tests/system/digdelv/tests.sh
|
||||||
@@ -155,7 +155,7 @@ if [ -x "$DIG" ] ; then
|
@@ -173,7 +173,7 @@ if [ -x "$DIG" ] ; then
|
||||||
echo_i "checking dig +rrcomments works for DNSKEY($n)"
|
echo_i "checking dig +rrcomments works for DNSKEY($n)"
|
||||||
ret=0
|
ret=0
|
||||||
$DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
$DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||||
@ -610,7 +612,7 @@ index 2109001..ded5557 100644
|
|||||||
check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
|
check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
|
||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=`expr $status + $ret`
|
status=`expr $status + $ret`
|
||||||
@@ -164,7 +164,7 @@ if [ -x "$DIG" ] ; then
|
@@ -182,7 +182,7 @@ if [ -x "$DIG" ] ; then
|
||||||
echo_i "checking dig +short +rrcomments works for DNSKEY ($n)"
|
echo_i "checking dig +short +rrcomments works for DNSKEY ($n)"
|
||||||
ret=0
|
ret=0
|
||||||
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||||
@ -619,7 +621,7 @@ index 2109001..ded5557 100644
|
|||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=`expr $status + $ret`
|
status=`expr $status + $ret`
|
||||||
|
|
||||||
@@ -172,7 +172,7 @@ if [ -x "$DIG" ] ; then
|
@@ -190,7 +190,7 @@ if [ -x "$DIG" ] ; then
|
||||||
echo_i "checking dig +short +nosplit works($n)"
|
echo_i "checking dig +short +nosplit works($n)"
|
||||||
ret=0
|
ret=0
|
||||||
$DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1
|
$DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||||
@ -628,7 +630,7 @@ index 2109001..ded5557 100644
|
|||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=`expr $status + $ret`
|
status=`expr $status + $ret`
|
||||||
|
|
||||||
@@ -180,7 +180,7 @@ if [ -x "$DIG" ] ; then
|
@@ -198,7 +198,7 @@ if [ -x "$DIG" ] ; then
|
||||||
echo_i "checking dig +short +rrcomments works($n)"
|
echo_i "checking dig +short +rrcomments works($n)"
|
||||||
ret=0
|
ret=0
|
||||||
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||||
@ -637,7 +639,7 @@ index 2109001..ded5557 100644
|
|||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=`expr $status + $ret`
|
status=`expr $status + $ret`
|
||||||
|
|
||||||
@@ -197,7 +197,7 @@ if [ -x "$DIG" ] ; then
|
@@ -215,7 +215,7 @@ if [ -x "$DIG" ] ; then
|
||||||
echo_i "checking dig +short +rrcomments works($n)"
|
echo_i "checking dig +short +rrcomments works($n)"
|
||||||
ret=0
|
ret=0
|
||||||
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||||
@ -646,7 +648,7 @@ index 2109001..ded5557 100644
|
|||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=`expr $status + $ret`
|
status=`expr $status + $ret`
|
||||||
|
|
||||||
@@ -827,7 +827,7 @@ if [ -x ${DELV} ] ; then
|
@@ -846,7 +846,7 @@ if [ -x ${DELV} ] ; then
|
||||||
echo_i "checking delv +rrcomments works for DNSKEY($n)"
|
echo_i "checking delv +rrcomments works for DNSKEY($n)"
|
||||||
ret=0
|
ret=0
|
||||||
$DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
$DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||||
@ -655,7 +657,7 @@ index 2109001..ded5557 100644
|
|||||||
check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
|
check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
|
||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=`expr $status + $ret`
|
status=`expr $status + $ret`
|
||||||
@@ -836,7 +836,7 @@ if [ -x ${DELV} ] ; then
|
@@ -855,7 +855,7 @@ if [ -x ${DELV} ] ; then
|
||||||
echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
|
echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
|
||||||
ret=0
|
ret=0
|
||||||
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||||
@ -664,7 +666,7 @@ index 2109001..ded5557 100644
|
|||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=`expr $status + $ret`
|
status=`expr $status + $ret`
|
||||||
|
|
||||||
@@ -844,7 +844,7 @@ if [ -x ${DELV} ] ; then
|
@@ -863,7 +863,7 @@ if [ -x ${DELV} ] ; then
|
||||||
echo_i "checking delv +short +rrcomments works ($n)"
|
echo_i "checking delv +short +rrcomments works ($n)"
|
||||||
ret=0
|
ret=0
|
||||||
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||||
@ -673,7 +675,7 @@ index 2109001..ded5557 100644
|
|||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=`expr $status + $ret`
|
status=`expr $status + $ret`
|
||||||
|
|
||||||
@@ -852,7 +852,7 @@ if [ -x ${DELV} ] ; then
|
@@ -871,7 +871,7 @@ if [ -x ${DELV} ] ; then
|
||||||
echo_i "checking delv +short +nosplit works ($n)"
|
echo_i "checking delv +short +nosplit works ($n)"
|
||||||
ret=0
|
ret=0
|
||||||
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1
|
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||||
@ -682,7 +684,7 @@ index 2109001..ded5557 100644
|
|||||||
if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
|
if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
|
||||||
f=`awk '{print NF}' < delv.out.test$n`
|
f=`awk '{print NF}' < delv.out.test$n`
|
||||||
test "${f:-0}" -eq 14 || ret=1
|
test "${f:-0}" -eq 14 || ret=1
|
||||||
@@ -863,7 +863,7 @@ if [ -x ${DELV} ] ; then
|
@@ -882,7 +882,7 @@ if [ -x ${DELV} ] ; then
|
||||||
echo_i "checking delv +short +nosplit +norrcomments works ($n)"
|
echo_i "checking delv +short +nosplit +norrcomments works ($n)"
|
||||||
ret=0
|
ret=0
|
||||||
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||||
@ -909,7 +911,7 @@ index ba39f90..f20a2dd 100755
|
|||||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||||
|
|
||||||
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
|
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
|
||||||
index e28b3f1..29c169b 100644
|
index d401823..139c7ad 100644
|
||||||
--- a/bin/tests/system/dnssec/ns2/sign.sh
|
--- a/bin/tests/system/dnssec/ns2/sign.sh
|
||||||
+++ b/bin/tests/system/dnssec/ns2/sign.sh
|
+++ b/bin/tests/system/dnssec/ns2/sign.sh
|
||||||
@@ -126,8 +126,8 @@ zone=in-addr.arpa.
|
@@ -126,8 +126,8 @@ zone=in-addr.arpa.
|
||||||
@ -953,10 +955,10 @@ index 75cf699..b4d848c 100644
|
|||||||
+ "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV";
|
+ "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV";
|
||||||
};
|
};
|
||||||
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
|
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
|
||||||
index 3e8e4d5..da692f9 100644
|
index 30f7fc5..2f34b6d 100644
|
||||||
--- a/bin/tests/system/dnssec/tests.sh
|
--- a/bin/tests/system/dnssec/tests.sh
|
||||||
+++ b/bin/tests/system/dnssec/tests.sh
|
+++ b/bin/tests/system/dnssec/tests.sh
|
||||||
@@ -3257,8 +3257,8 @@ do
|
@@ -3281,8 +3281,8 @@ do
|
||||||
alg=`expr $alg + 1`
|
alg=`expr $alg + 1`
|
||||||
continue;;
|
continue;;
|
||||||
3) size="-b 512";;
|
3) size="-b 512";;
|
||||||
@ -1112,10 +1114,10 @@ index e6e2382..b0a94e0 100644
|
|||||||
};
|
};
|
||||||
|
|
||||||
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
|
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
|
||||||
index 6fbf1d7..a712b17 100644
|
index 2b3b154..8240c42 100644
|
||||||
--- a/bin/tests/system/nsupdate/setup.sh
|
--- a/bin/tests/system/nsupdate/setup.sh
|
||||||
+++ b/bin/tests/system/nsupdate/setup.sh
|
+++ b/bin/tests/system/nsupdate/setup.sh
|
||||||
@@ -53,7 +53,12 @@ EOF
|
@@ -68,7 +68,12 @@ EOF
|
||||||
|
|
||||||
$DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
|
$DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
|
||||||
|
|
||||||
@ -1130,10 +1132,10 @@ index 6fbf1d7..a712b17 100644
|
|||||||
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
|
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
|
||||||
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
|
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
|
||||||
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
||||||
index 6b2c8f6..96ad95e 100755
|
index 60cf7ee..f8994ff 100755
|
||||||
--- a/bin/tests/system/nsupdate/tests.sh
|
--- a/bin/tests/system/nsupdate/tests.sh
|
||||||
+++ b/bin/tests/system/nsupdate/tests.sh
|
+++ b/bin/tests/system/nsupdate/tests.sh
|
||||||
@@ -788,7 +788,14 @@ fi
|
@@ -804,7 +804,14 @@ fi
|
||||||
n=`expr $n + 1`
|
n=`expr $n + 1`
|
||||||
ret=0
|
ret=0
|
||||||
echo_i "check TSIG key algorithms ($n)"
|
echo_i "check TSIG key algorithms ($n)"
|
||||||
@ -1149,7 +1151,7 @@ index 6b2c8f6..96ad95e 100755
|
|||||||
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
|
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
|
||||||
server 10.53.0.1 ${PORT}
|
server 10.53.0.1 ${PORT}
|
||||||
update add ${alg}.keytests.nil. 600 A 10.10.10.3
|
update add ${alg}.keytests.nil. 600 A 10.10.10.3
|
||||||
@@ -796,7 +803,7 @@ send
|
@@ -812,7 +819,7 @@ send
|
||||||
END
|
END
|
||||||
done
|
done
|
||||||
sleep 2
|
sleep 2
|
||||||
@ -1233,6 +1235,22 @@ index 4905ffd..958d9fb 100644
|
|||||||
|
|
||||||
key "sha1-trunc" {
|
key "sha1-trunc" {
|
||||||
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
||||||
|
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..0682194
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+# Conditionally included when support for MD5 is available
|
||||||
|
+key "md5" {
|
||||||
|
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||||
|
+ algorithm hmac-md5;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+key "md5-trunc" {
|
||||||
|
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||||
|
+ algorithm hmac-md5-80;
|
||||||
|
+};
|
||||||
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
|
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
|
||||||
index f42aa79..bfcf4a6 100644
|
index f42aa79..bfcf4a6 100644
|
||||||
--- a/bin/tests/system/tsig/setup.sh
|
--- a/bin/tests/system/tsig/setup.sh
|
||||||
@ -1247,7 +1265,7 @@ index f42aa79..bfcf4a6 100644
|
|||||||
+ cat ns1/rndc5.conf.in >> ns1/named.conf
|
+ cat ns1/rndc5.conf.in >> ns1/named.conf
|
||||||
+fi
|
+fi
|
||||||
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
|
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
|
||||||
index ed41e1d..98c542e 100644
|
index e0c2903..327fa50 100644
|
||||||
--- a/bin/tests/system/tsig/tests.sh
|
--- a/bin/tests/system/tsig/tests.sh
|
||||||
+++ b/bin/tests/system/tsig/tests.sh
|
+++ b/bin/tests/system/tsig/tests.sh
|
||||||
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
|
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
|
||||||
@ -1375,5 +1393,5 @@ index 1cf8d3b..f4c3216 100644
|
|||||||
update add updated.example. 600 A 10.10.10.1
|
update add updated.example. 600 A 10.10.10.1
|
||||||
update add updated.example. 600 TXT Foo
|
update add updated.example. 600 TXT Foo
|
||||||
--
|
--
|
||||||
2.26.2
|
2.31.1
|
||||||
|
|
||||||
|
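--- /dev/null
+++ b/SOURCES/bind-9.11-rh1980757.patch
@@ -0,0 +1,32 @@
+From a503519533eb375a5ce1f7566bfc153aac980d87 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Fri, 9 Jul 2021 20:52:21 +0200
+Subject: [PATCH] Use proper entropy to initialize tsig keyname
+
+Random names used on GSS backed nsupdate can conflict in specific
+situations. That might include starting a lot of machines from
+containers, where they took all similar time to start. PID and timestamp
+would be similar and therefore randomness is quite low. Use entropy to
+generate more random identifier and reduce chance of conflict.
+---
+bin/nsupdate/nsupdate.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
+index 458aa76..d9e5a2b 100644
+--- a/bin/nsupdate/nsupdate.c
++++ b/bin/nsupdate/nsupdate.c
+@@ -2941,7 +2941,9 @@ start_gssrequest(dns_name_t *master) {
+
+keyname = dns_fixedname_initname(&fkname);
+
+- isc_random_get(&val);
++ result = isc_entropy_getdata(entropy, &val, sizeof(val), NULL, 0);
++ if (result != ISC_R_SUCCESS)
++ isc_random_get(&val);
+result = isc_string_printf(mykeystr, sizeof(mykeystr), "%u.sig-%s",
+val, namestr);
+if (result != ISC_R_SUCCESS)
+--
+2.31.1
+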
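Review bot: The fallback `if (result != ISC_R_SUCCESS) isc_random_get(&val);` is silent, so when the entropy source fails nsupdate reverts to exactly the PID/timestamp-quality key name that this commit says causes conflicts, and nothing in the output shows that it happened. A message on that path through the file's existing debug helper (outside this hunk) would make the degraded case diagnosable, e.g. `if (result != ISC_R_SUCCESS) { debug("entropy unavailable, falling back to isc_random_get"); isc_random_get(&val); }`. The hunk also does not show whether `entropy` is guaranteed non-NULL at this point or what a `flags` value of 0 means for the quality of the bytes returned — both are worth confirming against the entropy setup code, since a partial or pseudo-random fill would defeat the purpose of the change. `start_gssrequest` begins and ends outside the hunk.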
232
SOURCES/bind-9.11-rh2101712.patch
Normal file
@ -0,0 +1,232 @@
|
|||||||
|
From fff2960981a3294ac641968a17558c8d7eecf74d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mark Andrews <marka@isc.org>
|
||||||
|
Date: Wed, 24 Aug 2022 12:21:50 +1000
|
||||||
|
Subject: [PATCH] Have dns_zt_apply lock the zone table
|
||||||
|
|
||||||
|
There where a number of places where the zone table should have
|
||||||
|
been locked, but wasn't, when dns_zt_apply was called.
|
||||||
|
|
||||||
|
Added a isc_rwlocktype_t type parameter to dns_zt_apply and adjusted
|
||||||
|
all calls to using it. Removed locks in callers.
|
||||||
|
|
||||||
|
Modified upstream commit for v9_11
|
||||||
|
---
|
||||||
|
bin/named/server.c | 11 ++++++-----
|
||||||
|
bin/named/statschannel.c | 8 ++++----
|
||||||
|
lib/dns/include/dns/zt.h | 4 ++--
|
||||||
|
lib/dns/tests/zt_test.c | 3 ++-
|
||||||
|
lib/dns/view.c | 3 ++-
|
||||||
|
lib/dns/zt.c | 34 +++++++++++++++++++---------------
|
||||||
|
6 files changed, 35 insertions(+), 28 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/bin/named/server.c b/bin/named/server.c
|
||||||
|
index 9826588e6d..0b4b309461 100644
|
||||||
|
--- a/bin/named/server.c
|
||||||
|
+++ b/bin/named/server.c
|
||||||
|
@@ -8723,8 +8723,8 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||||
|
strcmp(view->name, "_bind") != 0)
|
||||||
|
{
|
||||||
|
dns_view_setviewrevert(view);
|
||||||
|
- (void)dns_zt_apply(view->zonetable, false,
|
||||||
|
- removed, view);
|
||||||
|
+ (void)dns_zt_apply(view->zonetable, isc_rwlocktype_read,
|
||||||
|
+ false, removed, view);
|
||||||
|
}
|
||||||
|
dns_view_detach(&view);
|
||||||
|
}
|
||||||
|
@@ -10090,8 +10090,8 @@ add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
|
||||||
|
ISC_LIST_INIT(vle->zonelist);
|
||||||
|
ISC_LIST_APPEND(dctx->viewlist, vle, link);
|
||||||
|
if (dctx->dumpzones)
|
||||||
|
- result = dns_zt_apply(view->zonetable, true,
|
||||||
|
- add_zone_tolist, dctx);
|
||||||
|
+ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
|
||||||
|
+ true, add_zone_tolist, dctx);
|
||||||
|
return (result);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -11367,7 +11367,8 @@ ns_server_sync(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
|
||||||
|
for (view = ISC_LIST_HEAD(server->viewlist);
|
||||||
|
view != NULL;
|
||||||
|
view = ISC_LIST_NEXT(view, link)) {
|
||||||
|
- result = dns_zt_apply(view->zonetable, false,
|
||||||
|
+ result = dns_zt_apply(view->zonetable,
|
||||||
|
+ isc_rwlocktype_none, false,
|
||||||
|
synczone, &cleanup);
|
||||||
|
if (result != ISC_R_SUCCESS &&
|
||||||
|
tresult == ISC_R_SUCCESS)
|
||||||
|
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
|
||||||
|
index 12ab048469..9828df0f4e 100644
|
||||||
|
--- a/bin/named/statschannel.c
|
||||||
|
+++ b/bin/named/statschannel.c
|
||||||
|
@@ -1833,8 +1833,8 @@ generatexml(ns_server_t *server, uint32_t flags,
|
||||||
|
if ((flags & STATS_XML_ZONES) != 0) {
|
||||||
|
TRY0(xmlTextWriterStartElement(writer,
|
||||||
|
ISC_XMLCHAR "zones"));
|
||||||
|
- result = dns_zt_apply(view->zonetable, true,
|
||||||
|
- zone_xmlrender, writer);
|
||||||
|
+ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
|
||||||
|
+ true, zone_xmlrender, writer);
|
||||||
|
if (result != ISC_R_SUCCESS)
|
||||||
|
goto error;
|
||||||
|
TRY0(xmlTextWriterEndElement(writer)); /* /zones */
|
||||||
|
@@ -2489,8 +2489,8 @@ generatejson(ns_server_t *server, size_t *msglen,
|
||||||
|
CHECKMEM(za);
|
||||||
|
|
||||||
|
if ((flags & STATS_JSON_ZONES) != 0) {
|
||||||
|
- result = dns_zt_apply(view->zonetable, true,
|
||||||
|
- zone_jsonrender, za);
|
||||||
|
+ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
|
||||||
|
+ true, zone_jsonrender, za);
|
||||||
|
if (result != ISC_R_SUCCESS) {
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
|
||||||
|
index e658e5bb67..94212250da 100644
|
||||||
|
--- a/lib/dns/include/dns/zt.h
|
||||||
|
+++ b/lib/dns/include/dns/zt.h
|
||||||
|
@@ -177,11 +177,11 @@ dns_zt_freezezones(dns_zt_t *zt, bool freeze);
|
||||||
|
*/
|
||||||
|
|
||||||
|
isc_result_t
|
||||||
|
-dns_zt_apply(dns_zt_t *zt, bool stop,
|
||||||
|
+dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
|
||||||
|
isc_result_t (*action)(dns_zone_t *, void *), void *uap);
|
||||||
|
|
||||||
|
isc_result_t
|
||||||
|
-dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
|
||||||
|
+dns_zt_apply2(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub,
|
||||||
|
isc_result_t (*action)(dns_zone_t *, void *), void *uap);
|
||||||
|
/*%<
|
||||||
|
* Apply a given 'action' to all zone zones in the table.
|
||||||
|
diff --git a/lib/dns/tests/zt_test.c b/lib/dns/tests/zt_test.c
|
||||||
|
index 3f1e812d60..ee75303a50 100644
|
||||||
|
--- a/lib/dns/tests/zt_test.c
|
||||||
|
+++ b/lib/dns/tests/zt_test.c
|
||||||
|
@@ -145,7 +145,8 @@ apply(void **state) {
|
||||||
|
assert_non_null(view->zonetable);
|
||||||
|
|
||||||
|
assert_int_equal(nzones, 0);
|
||||||
|
- result = dns_zt_apply(view->zonetable, false, count_zone, &nzones);
|
||||||
|
+ result = dns_zt_apply2(view->zonetable, isc_rwlocktype_read, false, NULL,
|
||||||
|
+ count_zone, &nzones);
|
||||||
|
assert_int_equal(result, ISC_R_SUCCESS);
|
||||||
|
assert_int_equal(nzones, 1);
|
||||||
|
|
||||||
|
diff --git a/lib/dns/view.c b/lib/dns/view.c
|
||||||
|
index f01b4dea0f..bd1ced2863 100644
|
||||||
|
--- a/lib/dns/view.c
|
||||||
|
+++ b/lib/dns/view.c
|
||||||
|
@@ -676,7 +676,8 @@ dns_view_dialup(dns_view_t *view) {
|
||||||
|
REQUIRE(DNS_VIEW_VALID(view));
|
||||||
|
REQUIRE(view->zonetable != NULL);
|
||||||
|
|
||||||
|
- (void)dns_zt_apply(view->zonetable, false, dialup, NULL);
|
||||||
|
+ (void)dns_zt_apply2(view->zonetable, isc_rwlocktype_read, false, NULL,
|
||||||
|
+ dialup, NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
diff --git a/lib/dns/zt.c b/lib/dns/zt.c
|
||||||
|
index 3f12e247e0..af65740325 100644
|
||||||
|
--- a/lib/dns/zt.c
|
||||||
|
+++ b/lib/dns/zt.c
|
||||||
|
@@ -202,7 +202,8 @@ flush(dns_zone_t *zone, void *uap) {
|
||||||
|
static void
|
||||||
|
zt_destroy(dns_zt_t *zt) {
|
||||||
|
if (zt->flush) {
|
||||||
|
- (void)dns_zt_apply(zt, false, flush, NULL);
|
||||||
|
+ (void)dns_zt_apply(zt, isc_rwlocktype_none,
|
||||||
|
+ false, flush, NULL);
|
||||||
|
}
|
||||||
|
isc_refcount_destroy(&zt->references);
|
||||||
|
dns_rbt_destroy(&zt->table);
|
||||||
|
@@ -249,9 +250,7 @@ dns_zt_load(dns_zt_t *zt, bool stop) {
|
||||||
|
|
||||||
|
REQUIRE(VALID_ZT(zt));
|
||||||
|
|
||||||
|
- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
|
||||||
|
- result = dns_zt_apply(zt, stop, load, NULL);
|
||||||
|
- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
|
||||||
|
+ result = dns_zt_apply2(zt, isc_rwlocktype_read, stop, NULL, load, NULL);
|
||||||
|
return (result);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -293,7 +292,7 @@ dns_zt_asyncload2(dns_zt_t *zt, dns_zt_allloaded_t alldone, void *arg,
|
||||||
|
* Prevent loads_pending going to zero while kicking off the loads.
|
||||||
|
*/
|
||||||
|
zt->loads_pending++;
|
||||||
|
- result = dns_zt_apply2(zt, false, NULL, asyncload, ¶ms);
|
||||||
|
+ result = dns_zt_apply2(zt, isc_rwlocktype_none, false, NULL, asyncload, ¶ms);
|
||||||
|
pending = --zt->loads_pending;
|
||||||
|
if (pending != 0) {
|
||||||
|
zt->loaddone = alldone;
|
||||||
|
@@ -342,9 +341,7 @@ dns_zt_loadnew(dns_zt_t *zt, bool stop) {
|
||||||
|
|
||||||
|
REQUIRE(VALID_ZT(zt));
|
||||||
|
|
||||||
|
- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
|
||||||
|
- result = dns_zt_apply(zt, stop, loadnew, NULL);
|
||||||
|
- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
|
||||||
|
+ result = dns_zt_apply(zt, isc_rwlocktype_read, stop, loadnew, NULL);
|
||||||
|
return (result);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -366,9 +363,7 @@ dns_zt_freezezones(dns_zt_t *zt, bool freeze) {
|
||||||
|
|
||||||
|
REQUIRE(VALID_ZT(zt));
|
||||||
|
|
||||||
|
- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
|
||||||
|
- result = dns_zt_apply2(zt, false, &tresult, freezezones, &freeze);
|
||||||
|
- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
|
||||||
|
+ result = dns_zt_apply2(zt, isc_rwlocktype_read, false, &tresult, freezezones, &freeze);
|
||||||
|
if (tresult == ISC_R_NOTFOUND)
|
||||||
|
tresult = ISC_R_SUCCESS;
|
||||||
|
return ((result == ISC_R_SUCCESS) ? tresult : result);
|
||||||
|
@@ -490,14 +485,14 @@ dns_zt_setviewrevert(dns_zt_t *zt) {
|
||||||
|
}
|
||||||
|
|
||||||
|
isc_result_t
|
||||||
|
-dns_zt_apply(dns_zt_t *zt, bool stop,
|
||||||
|
+dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
|
||||||
|
isc_result_t (*action)(dns_zone_t *, void *), void *uap)
|
||||||
|
{
|
||||||
|
- return (dns_zt_apply2(zt, stop, NULL, action, uap));
|
||||||
|
+ return (dns_zt_apply2(zt, lock, stop, NULL, action, uap));
|
||||||
|
}
|
||||||
|
|
||||||
|
isc_result_t
|
||||||
|
-dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
|
||||||
|
+dns_zt_apply2(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub,
|
||||||
|
isc_result_t (*action)(dns_zone_t *, void *), void *uap)
|
||||||
|
{
|
||||||
|
dns_rbtnode_t *node;
|
||||||
|
@@ -508,6 +503,10 @@ dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
|
||||||
|
REQUIRE(VALID_ZT(zt));
|
||||||
|
REQUIRE(action != NULL);
|
||||||
|
|
||||||
|
+ if (lock != isc_rwlocktype_none) {
|
||||||
|
+ RWLOCK(&zt->rwlock, lock);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
dns_rbtnodechain_init(&chain, zt->mctx);
|
||||||
|
result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
|
||||||
|
if (result == ISC_R_NOTFOUND) {
|
||||||
|
@@ -538,8 +537,13 @@ dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
dns_rbtnodechain_invalidate(&chain);
|
||||||
|
- if (sub != NULL)
|
||||||
|
+ if (sub != NULL) {
|
||||||
|
*sub = tresult;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (lock != isc_rwlocktype_none) {
|
||||||
|
+ RWUNLOCK(&zt->rwlock, lock);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
return (result);
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.37.2
|
||||||
|
|
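--- a/SOURCES/bind-9.11-rh2133889.patch
+++ b/SOURCES/bind-9.11-rh2133889.patch
@@ -0,0 +1,26 @@
+From c8f5b31f0637315c1c45d0287f05fcad2250f40f Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 13 Oct 2022 15:35:46 +0200
+Subject: [PATCH] Add include to rwlocktype_t to dns/zt.h
+
+It got broken as part of bug #2101712 fix. Introduced new definition,
+which passes during bind build, but breaks bind-dyndb-ldap build.
+---
+ lib/dns/include/dns/zt.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
+index 9421225..64c24d6 100644
+--- a/lib/dns/include/dns/zt.h
++++ b/lib/dns/include/dns/zt.h
+@@ -18,6 +18,7 @@
+#include <stdbool.h>
+
+#include <isc/lang.h>
++#include <isc/rwlock.h>
+
+#include <dns/types.h>
+
+--
+2.37.3
+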
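Review bot: The include makes `dns/zt.h` self-contained again, but the header still does not say what the `lock` argument that required it means: the `/*%<` comment above the `dns_zt_apply2()` prototype (visible in the patch that added `isc_rwlocktype_t lock` to both prototypes) only says the action is applied to all zones. Since this patch already touches that header, it is the place to extend that comment with something like ` * 'lock' is the rwlock mode taken on the zone table for the duration of the walk, so 'action' runs under it; pass isc_rwlocktype_none only when no locking is wanted.` Whether the `isc_rwlocktype_none` callers (ns_server_sync, zt_destroy, dns_zt_asyncload2) rely on already serialising access themselves is my reading and should be confirmed before it is written down. Because `dns_zt_apply2()` now holds `zt->rwlock` from before the walk until after `cleanup:`, an `action` that takes the same lock for writing may deadlock under a read-locked walk, which is worth stating in the same comment. Separately, consider folding this one-line fix into the patch that introduced the parameter, so the series never leaves `dns/zt.h` uncompilable for out-of-tree consumers such as bind-dyndb-ldap between the two patches.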
@ -1,4 +1,4 @@
|
|||||||
From 63d1fe9e1ac0db37f89cf31b40c35d6d22578ded Mon Sep 17 00:00:00 2001
|
From 346683631ae0f83ad4f09a69cfa5e5c6ea49e5d9 Mon Sep 17 00:00:00 2001
|
||||||
From: Evan Hunt <each@isc.org>
|
From: Evan Hunt <each@isc.org>
|
||||||
Date: Tue, 12 Sep 2017 19:05:46 -0700
|
Date: Tue, 12 Sep 2017 19:05:46 -0700
|
||||||
Subject: [PATCH] rebased rt31459c
|
Subject: [PATCH] rebased rt31459c
|
||||||
@ -199,10 +199,10 @@ index f017895..2c568fc 100644
|
|||||||
if (verbose > 10)
|
if (verbose > 10)
|
||||||
isc_mem_stats(mctx, stdout);
|
isc_mem_stats(mctx, stdout);
|
||||||
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
|
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
|
||||||
index dde1b2f..7308fc6 100644
|
index a097ac8..6567421 100644
|
||||||
--- a/bin/dnssec/dnssec-signzone.c
|
--- a/bin/dnssec/dnssec-signzone.c
|
||||||
+++ b/bin/dnssec/dnssec-signzone.c
|
+++ b/bin/dnssec/dnssec-signzone.c
|
||||||
@@ -3465,14 +3465,15 @@ main(int argc, char *argv[]) {
|
@@ -3472,14 +3472,15 @@ main(int argc, char *argv[]) {
|
||||||
if (!pseudorandom)
|
if (!pseudorandom)
|
||||||
eflags |= ISC_ENTROPY_GOODONLY;
|
eflags |= ISC_ENTROPY_GOODONLY;
|
||||||
|
|
||||||
@ -222,7 +222,7 @@ index dde1b2f..7308fc6 100644
|
|||||||
isc_stdtime_get(&now);
|
isc_stdtime_get(&now);
|
||||||
|
|
||||||
if (startstr != NULL) {
|
if (startstr != NULL) {
|
||||||
@@ -3884,8 +3885,8 @@ main(int argc, char *argv[]) {
|
@@ -3896,8 +3897,8 @@ main(int argc, char *argv[]) {
|
||||||
dns_master_styledestroy(&dsstyle, mctx);
|
dns_master_styledestroy(&dsstyle, mctx);
|
||||||
|
|
||||||
cleanup_logging(&log);
|
cleanup_logging(&log);
|
||||||
@ -293,7 +293,7 @@ index 7f045e8..2a0f9c6 100644
|
|||||||
usekeyboard);
|
usekeyboard);
|
||||||
|
|
||||||
diff --git a/bin/named/server.c b/bin/named/server.c
|
diff --git a/bin/named/server.c b/bin/named/server.c
|
||||||
index 30d38be..b2ae57c 100644
|
index 9826588..b3e3fc3 100644
|
||||||
--- a/bin/named/server.c
|
--- a/bin/named/server.c
|
||||||
+++ b/bin/named/server.c
|
+++ b/bin/named/server.c
|
||||||
@@ -36,6 +36,7 @@
|
@@ -36,6 +36,7 @@
|
||||||
@ -304,7 +304,7 @@ index 30d38be..b2ae57c 100644
|
|||||||
#include <isc/portset.h>
|
#include <isc/portset.h>
|
||||||
#include <isc/print.h>
|
#include <isc/print.h>
|
||||||
#include <isc/random.h>
|
#include <isc/random.h>
|
||||||
@@ -8286,6 +8287,10 @@ load_configuration(const char *filename, ns_server_t *server,
|
@@ -8291,6 +8292,10 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||||
"no source of entropy found");
|
"no source of entropy found");
|
||||||
} else {
|
} else {
|
||||||
const char *randomdev = cfg_obj_asstring(obj);
|
const char *randomdev = cfg_obj_asstring(obj);
|
||||||
@ -315,7 +315,7 @@ index 30d38be..b2ae57c 100644
|
|||||||
int level = ISC_LOG_ERROR;
|
int level = ISC_LOG_ERROR;
|
||||||
result = isc_entropy_createfilesource(ns_g_entropy,
|
result = isc_entropy_createfilesource(ns_g_entropy,
|
||||||
randomdev);
|
randomdev);
|
||||||
@@ -8320,6 +8325,7 @@ load_configuration(const char *filename, ns_server_t *server,
|
@@ -8325,6 +8330,7 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||||
}
|
}
|
||||||
isc_entropy_detach(&ns_g_fallbackentropy);
|
isc_entropy_detach(&ns_g_fallbackentropy);
|
||||||
}
|
}
|
||||||
@ -324,10 +324,10 @@ index 30d38be..b2ae57c 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
|
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
|
||||||
index 5a2c660..7f15cbc 100644
|
index 52b0274..23b69c9 100644
|
||||||
--- a/bin/nsupdate/nsupdate.c
|
--- a/bin/nsupdate/nsupdate.c
|
||||||
+++ b/bin/nsupdate/nsupdate.c
|
+++ b/bin/nsupdate/nsupdate.c
|
||||||
@@ -278,7 +278,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
@@ -279,7 +279,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
||||||
if (*ectx == NULL) {
|
if (*ectx == NULL) {
|
||||||
result = isc_entropy_create(mctx, ectx);
|
result = isc_entropy_create(mctx, ectx);
|
||||||
if (result != ISC_R_SUCCESS)
|
if (result != ISC_R_SUCCESS)
|
||||||
@ -337,7 +337,7 @@ index 5a2c660..7f15cbc 100644
|
|||||||
ISC_LIST_INIT(sources);
|
ISC_LIST_INIT(sources);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -287,6 +288,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
@@ -288,6 +289,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
||||||
randomfile = NULL;
|
randomfile = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -351,7 +351,7 @@ index 5a2c660..7f15cbc 100644
|
|||||||
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
|
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
|
||||||
usekeyboard);
|
usekeyboard);
|
||||||
|
|
||||||
@@ -989,11 +997,11 @@ setup_system(void) {
|
@@ -990,11 +998,11 @@ setup_system(void) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -561,10 +561,10 @@ index 34360aa..3236968 100644
|
|||||||
|
|
||||||
isc_mem_destroy(&mctx);
|
isc_mem_destroy(&mctx);
|
||||||
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
|
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
|
||||||
index 4b5b901..43fb6b0 100644
|
index a3dd450..350723f 100644
|
||||||
--- a/bin/tests/system/tkey/keydelete.c
|
--- a/bin/tests/system/tkey/keydelete.c
|
||||||
+++ b/bin/tests/system/tkey/keydelete.c
|
+++ b/bin/tests/system/tkey/keydelete.c
|
||||||
@@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
|
@@ -137,6 +137,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
|
||||||
int
|
int
|
||||||
main(int argc, char **argv) {
|
main(int argc, char **argv) {
|
||||||
char *keyname;
|
char *keyname;
|
||||||
@ -572,7 +572,7 @@ index 4b5b901..43fb6b0 100644
|
|||||||
isc_taskmgr_t *taskmgr;
|
isc_taskmgr_t *taskmgr;
|
||||||
isc_timermgr_t *timermgr;
|
isc_timermgr_t *timermgr;
|
||||||
isc_socketmgr_t *socketmgr;
|
isc_socketmgr_t *socketmgr;
|
||||||
@@ -156,10 +157,21 @@ main(int argc, char **argv) {
|
@@ -157,10 +158,21 @@ main(int argc, char **argv) {
|
||||||
|
|
||||||
RUNCHECK(isc_app_start());
|
RUNCHECK(isc_app_start());
|
||||||
|
|
||||||
@ -594,7 +594,7 @@ index 4b5b901..43fb6b0 100644
|
|||||||
keyname = argv[1];
|
keyname = argv[1];
|
||||||
|
|
||||||
dns_result_register();
|
dns_result_register();
|
||||||
@@ -169,14 +181,22 @@ main(int argc, char **argv) {
|
@@ -170,14 +182,22 @@ main(int argc, char **argv) {
|
||||||
|
|
||||||
ectx = NULL;
|
ectx = NULL;
|
||||||
RUNCHECK(isc_entropy_create(mctx, &ectx));
|
RUNCHECK(isc_entropy_create(mctx, &ectx));
|
||||||
@ -619,7 +619,7 @@ index 4b5b901..43fb6b0 100644
|
|||||||
|
|
||||||
taskmgr = NULL;
|
taskmgr = NULL;
|
||||||
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
|
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
|
||||||
@@ -264,8 +284,8 @@ main(int argc, char **argv) {
|
@@ -265,8 +285,8 @@ main(int argc, char **argv) {
|
||||||
|
|
||||||
isc_log_destroy(&log);
|
isc_log_destroy(&log);
|
||||||
|
|
||||||
@ -688,7 +688,7 @@ index 26fa609..fb34aa0 100644
|
|||||||
parse_args(false, argc, argv);
|
parse_args(false, argc, argv);
|
||||||
if (server == NULL)
|
if (server == NULL)
|
||||||
diff --git a/configure b/configure
|
diff --git a/configure b/configure
|
||||||
index 0faca65..d5ffc87 100755
|
index 368112f..e060e9d 100755
|
||||||
--- a/configure
|
--- a/configure
|
||||||
+++ b/configure
|
+++ b/configure
|
||||||
@@ -640,6 +640,7 @@ ac_includes_default="\
|
@@ -640,6 +640,7 @@ ac_includes_default="\
|
||||||
@ -699,7 +699,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
BUILD_LIBS
|
BUILD_LIBS
|
||||||
BUILD_LDFLAGS
|
BUILD_LDFLAGS
|
||||||
BUILD_CPPFLAGS
|
BUILD_CPPFLAGS
|
||||||
@@ -823,6 +824,7 @@ LIBXML2_CFLAGS
|
@@ -822,6 +823,7 @@ LIBXML2_CFLAGS
|
||||||
NZDTARGETS
|
NZDTARGETS
|
||||||
NZDSRCS
|
NZDSRCS
|
||||||
NZD_TOOLS
|
NZD_TOOLS
|
||||||
@ -707,7 +707,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
PKCS11_TEST
|
PKCS11_TEST
|
||||||
PKCS11_ED25519
|
PKCS11_ED25519
|
||||||
PKCS11_GOST
|
PKCS11_GOST
|
||||||
@@ -1047,6 +1049,7 @@ with_eddsa
|
@@ -1046,6 +1048,7 @@ with_eddsa
|
||||||
with_aes
|
with_aes
|
||||||
enable_openssl_hash
|
enable_openssl_hash
|
||||||
with_cc_alg
|
with_cc_alg
|
||||||
@ -715,7 +715,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
with_lmdb
|
with_lmdb
|
||||||
with_libxml2
|
with_libxml2
|
||||||
with_libjson
|
with_libjson
|
||||||
@@ -1749,6 +1752,7 @@ Optional Features:
|
@@ -1747,6 +1750,7 @@ Optional Features:
|
||||||
--enable-threads enable multithreading
|
--enable-threads enable multithreading
|
||||||
--enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
|
--enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
|
||||||
--enable-openssl-hash use OpenSSL for hash functions [default=no]
|
--enable-openssl-hash use OpenSSL for hash functions [default=no]
|
||||||
@ -723,7 +723,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
--enable-largefile 64-bit file support
|
--enable-largefile 64-bit file support
|
||||||
--enable-backtrace log stack backtrace on abort [default=yes]
|
--enable-backtrace log stack backtrace on abort [default=yes]
|
||||||
--enable-symtable use internal symbol table for backtrace
|
--enable-symtable use internal symbol table for backtrace
|
||||||
@@ -17205,6 +17209,7 @@ case "$use_openssl" in
|
@@ -17204,6 +17208,7 @@ case "$use_openssl" in
|
||||||
$as_echo "disabled because of native PKCS11" >&6; }
|
$as_echo "disabled because of native PKCS11" >&6; }
|
||||||
DST_OPENSSL_INC=""
|
DST_OPENSSL_INC=""
|
||||||
CRYPTO="-DPKCS11CRYPTO"
|
CRYPTO="-DPKCS11CRYPTO"
|
||||||
@ -731,7 +731,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
OPENSSLECDSALINKOBJS=""
|
OPENSSLECDSALINKOBJS=""
|
||||||
OPENSSLECDSALINKSRCS=""
|
OPENSSLECDSALINKSRCS=""
|
||||||
OPENSSLEDDSALINKOBJS=""
|
OPENSSLEDDSALINKOBJS=""
|
||||||
@@ -17219,6 +17224,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
|
@@ -17218,6 +17223,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
|
||||||
$as_echo "no" >&6; }
|
$as_echo "no" >&6; }
|
||||||
DST_OPENSSL_INC=""
|
DST_OPENSSL_INC=""
|
||||||
CRYPTO=""
|
CRYPTO=""
|
||||||
@ -739,7 +739,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
OPENSSLECDSALINKOBJS=""
|
OPENSSLECDSALINKOBJS=""
|
||||||
OPENSSLECDSALINKSRCS=""
|
OPENSSLECDSALINKSRCS=""
|
||||||
OPENSSLEDDSALINKOBJS=""
|
OPENSSLEDDSALINKOBJS=""
|
||||||
@@ -17231,6 +17237,7 @@ $as_echo "no" >&6; }
|
@@ -17230,6 +17236,7 @@ $as_echo "no" >&6; }
|
||||||
auto)
|
auto)
|
||||||
DST_OPENSSL_INC=""
|
DST_OPENSSL_INC=""
|
||||||
CRYPTO=""
|
CRYPTO=""
|
||||||
@ -747,7 +747,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
OPENSSLECDSALINKOBJS=""
|
OPENSSLECDSALINKOBJS=""
|
||||||
OPENSSLECDSALINKSRCS=""
|
OPENSSLECDSALINKSRCS=""
|
||||||
OPENSSLEDDSALINKOBJS=""
|
OPENSSLEDDSALINKOBJS=""
|
||||||
@@ -17240,7 +17247,7 @@ $as_echo "no" >&6; }
|
@@ -17239,7 +17246,7 @@ $as_echo "no" >&6; }
|
||||||
OPENSSLLINKOBJS=""
|
OPENSSLLINKOBJS=""
|
||||||
OPENSSLLINKSRCS=""
|
OPENSSLLINKSRCS=""
|
||||||
as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
|
as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
|
||||||
@ -756,7 +756,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if test "yes" = "$want_native_pkcs11"
|
if test "yes" = "$want_native_pkcs11"
|
||||||
@@ -17271,6 +17278,7 @@ $as_echo "not found" >&6; }
|
@@ -17270,6 +17277,7 @@ $as_echo "not found" >&6; }
|
||||||
as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
|
as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
|
||||||
fi
|
fi
|
||||||
CRYPTO='-DOPENSSL'
|
CRYPTO='-DOPENSSL'
|
||||||
@ -764,7 +764,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
if test "/usr" = "$use_openssl"
|
if test "/usr" = "$use_openssl"
|
||||||
then
|
then
|
||||||
DST_OPENSSL_INC=""
|
DST_OPENSSL_INC=""
|
||||||
@@ -17897,8 +17905,6 @@ fi
|
@@ -17904,8 +17912,6 @@ fi
|
||||||
# Use OpenSSL for hash functions
|
# Use OpenSSL for hash functions
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -773,7 +773,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
|
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
|
||||||
case $want_openssl_hash in
|
case $want_openssl_hash in
|
||||||
yes)
|
yes)
|
||||||
@@ -18273,6 +18279,86 @@ if test "rt" = "$have_clock_gt"; then
|
@@ -18280,6 +18286,86 @@ if test "rt" = "$have_clock_gt"; then
|
||||||
LIBS="-lrt $LIBS"
|
LIBS="-lrt $LIBS"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -860,7 +860,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
#
|
#
|
||||||
# was --with-lmdb specified?
|
# was --with-lmdb specified?
|
||||||
#
|
#
|
||||||
@@ -20549,9 +20635,12 @@ _ACEOF
|
@@ -20556,9 +20642,12 @@ _ACEOF
|
||||||
if ac_fn_c_try_compile "$LINENO"; then :
|
if ac_fn_c_try_compile "$LINENO"; then :
|
||||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5
|
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5
|
||||||
$as_echo "size_t for buflen; int for flags" >&6; }
|
$as_echo "size_t for buflen; int for flags" >&6; }
|
||||||
@ -875,7 +875,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
|
|
||||||
$as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
|
$as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
|
||||||
|
|
||||||
@@ -21877,12 +21966,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
|
@@ -21856,12 +21945,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
|
||||||
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
|
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
|
||||||
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
|
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
|
||||||
if test "yes" = "$use_atomic"; then
|
if test "yes" = "$use_atomic"; then
|
||||||
@ -889,7 +889,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
|
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
|
||||||
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
|
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
|
||||||
# This bug is HP SR number 8606223364.
|
# This bug is HP SR number 8606223364.
|
||||||
@@ -21915,6 +21999,11 @@ cat >>confdefs.h <<_ACEOF
|
@@ -21894,6 +21978,11 @@ cat >>confdefs.h <<_ACEOF
|
||||||
_ACEOF
|
_ACEOF
|
||||||
|
|
||||||
|
|
||||||
@ -901,7 +901,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
if test $ac_cv_sizeof_void_p = 8; then
|
if test $ac_cv_sizeof_void_p = 8; then
|
||||||
arch=x86_64
|
arch=x86_64
|
||||||
have_xaddq=yes
|
have_xaddq=yes
|
||||||
@@ -21923,39 +22012,6 @@ _ACEOF
|
@@ -21902,39 +21991,6 @@ _ACEOF
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
x86_64-*|amd64-*)
|
x86_64-*|amd64-*)
|
||||||
@ -941,7 +941,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
if test $ac_cv_sizeof_void_p = 8; then
|
if test $ac_cv_sizeof_void_p = 8; then
|
||||||
arch=x86_64
|
arch=x86_64
|
||||||
have_xaddq=yes
|
have_xaddq=yes
|
||||||
@@ -21986,6 +22042,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
|
@@ -21965,6 +22021,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
|
||||||
$as_echo "$arch" >&6; }
|
$as_echo "$arch" >&6; }
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -952,7 +952,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
if test "yes" = "$have_atomic"; then
|
if test "yes" = "$have_atomic"; then
|
||||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5
|
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5
|
||||||
$as_echo_n "checking compiler support for inline assembly code... " >&6; }
|
$as_echo_n "checking compiler support for inline assembly code... " >&6; }
|
||||||
@@ -24567,6 +24627,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
|
@@ -24547,6 +24607,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
|
||||||
#
|
#
|
||||||
dlzdir='${DLZ_DRIVER_DIR}'
|
dlzdir='${DLZ_DRIVER_DIR}'
|
||||||
|
|
||||||
@ -983,7 +983,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
#
|
#
|
||||||
# Private autoconf macro to simplify configuring drivers:
|
# Private autoconf macro to simplify configuring drivers:
|
||||||
#
|
#
|
||||||
@@ -24897,11 +24981,11 @@ $as_echo "no" >&6; }
|
@@ -24877,11 +24961,11 @@ $as_echo "no" >&6; }
|
||||||
$as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; }
|
$as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; }
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
@ -998,7 +998,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
|
CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
|
||||||
@@ -24986,7 +25070,7 @@ $as_echo "" >&6; }
|
@@ -24966,7 +25050,7 @@ $as_echo "" >&6; }
|
||||||
# Check other locations for includes.
|
# Check other locations for includes.
|
||||||
# Order is important (sigh).
|
# Order is important (sigh).
|
||||||
|
|
||||||
@ -1007,7 +1007,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
# include a blank element first
|
# include a blank element first
|
||||||
for d in "" $bdb_incdirs
|
for d in "" $bdb_incdirs
|
||||||
do
|
do
|
||||||
@@ -25011,57 +25095,9 @@ $as_echo "" >&6; }
|
@@ -24991,57 +25075,9 @@ $as_echo "" >&6; }
|
||||||
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
|
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
|
||||||
for d in $bdb_libnames
|
for d in $bdb_libnames
|
||||||
do
|
do
|
||||||
@ -1067,7 +1067,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
@@ -25220,10 +25256,10 @@ $as_echo "no" >&6; }
|
@@ -25200,10 +25236,10 @@ $as_echo "no" >&6; }
|
||||||
DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
|
DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
|
||||||
DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
|
DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
|
||||||
fi
|
fi
|
||||||
@ -1081,7 +1081,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
@@ -25309,11 +25345,11 @@ fi
|
@@ -25289,11 +25325,11 @@ fi
|
||||||
odbcdirs="/usr /usr/local /usr/pkg"
|
odbcdirs="/usr /usr/local /usr/pkg"
|
||||||
for d in $odbcdirs
|
for d in $odbcdirs
|
||||||
do
|
do
|
||||||
@ -1095,7 +1095,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
@@ -25588,6 +25624,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
|
@@ -25568,6 +25604,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -1104,7 +1104,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
#
|
#
|
||||||
# Commands to run at the end of config.status.
|
# Commands to run at the end of config.status.
|
||||||
# Don't just put these into configure, it won't work right if somebody
|
# Don't just put these into configure, it won't work right if somebody
|
||||||
@@ -27966,6 +28004,8 @@ report() {
|
@@ -27946,6 +27984,8 @@ report() {
|
||||||
echo " IPv6 support (--enable-ipv6)"
|
echo " IPv6 support (--enable-ipv6)"
|
||||||
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
|
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
|
||||||
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
|
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
|
||||||
@ -1113,7 +1113,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
|
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
|
||||||
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
|
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
|
||||||
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
|
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
|
||||||
@@ -28006,6 +28046,8 @@ report() {
|
@@ -27986,6 +28026,8 @@ report() {
|
||||||
echo " Very verbose query trace logging (--enable-querytrace)"
|
echo " Very verbose query trace logging (--enable-querytrace)"
|
||||||
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
|
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
|
||||||
|
|
||||||
@ -1122,7 +1122,7 @@ index 0faca65..d5ffc87 100755
|
|||||||
echo " Dynamically loadable zone (DLZ) drivers:"
|
echo " Dynamically loadable zone (DLZ) drivers:"
|
||||||
test "no" = "$use_dlz_bdb" || \
|
test "no" = "$use_dlz_bdb" || \
|
||||||
echo " Berkeley DB (--with-dlz-bdb)"
|
echo " Berkeley DB (--with-dlz-bdb)"
|
||||||
@@ -28053,6 +28095,8 @@ report() {
|
@@ -28033,6 +28075,8 @@ report() {
|
||||||
echo " ECDSA algorithm support (--with-ecdsa)"
|
echo " ECDSA algorithm support (--with-ecdsa)"
|
||||||
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
|
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
|
||||||
echo " EDDSA algorithm support (--with-eddsa)"
|
echo " EDDSA algorithm support (--with-eddsa)"
|
||||||
@ -1132,10 +1132,10 @@ index 0faca65..d5ffc87 100755
|
|||||||
test "yes" = "$enable_seccomp" || \
|
test "yes" = "$enable_seccomp" || \
|
||||||
echo " Use libseccomp system call filtering (--enable-seccomp)"
|
echo " Use libseccomp system call filtering (--enable-seccomp)"
|
||||||
diff --git a/configure.ac b/configure.ac
|
diff --git a/configure.ac b/configure.ac
|
||||||
index 78535bd..faef2e8 100644
|
index 11f41e8..fdcfc62 100644
|
||||||
--- a/configure.ac
|
--- a/configure.ac
|
||||||
+++ b/configure.ac
|
+++ b/configure.ac
|
||||||
@@ -1598,6 +1598,7 @@ case "$use_openssl" in
|
@@ -1600,6 +1600,7 @@ case "$use_openssl" in
|
||||||
AC_MSG_RESULT(disabled because of native PKCS11)
|
AC_MSG_RESULT(disabled because of native PKCS11)
|
||||||
DST_OPENSSL_INC=""
|
DST_OPENSSL_INC=""
|
||||||
CRYPTO="-DPKCS11CRYPTO"
|
CRYPTO="-DPKCS11CRYPTO"
|
||||||
@ -1143,7 +1143,7 @@ index 78535bd..faef2e8 100644
|
|||||||
OPENSSLECDSALINKOBJS=""
|
OPENSSLECDSALINKOBJS=""
|
||||||
OPENSSLECDSALINKSRCS=""
|
OPENSSLECDSALINKSRCS=""
|
||||||
OPENSSLEDDSALINKOBJS=""
|
OPENSSLEDDSALINKOBJS=""
|
||||||
@@ -1611,6 +1612,7 @@ case "$use_openssl" in
|
@@ -1613,6 +1614,7 @@ case "$use_openssl" in
|
||||||
AC_MSG_RESULT(no)
|
AC_MSG_RESULT(no)
|
||||||
DST_OPENSSL_INC=""
|
DST_OPENSSL_INC=""
|
||||||
CRYPTO=""
|
CRYPTO=""
|
||||||
@ -1151,7 +1151,7 @@ index 78535bd..faef2e8 100644
|
|||||||
OPENSSLECDSALINKOBJS=""
|
OPENSSLECDSALINKOBJS=""
|
||||||
OPENSSLECDSALINKSRCS=""
|
OPENSSLECDSALINKSRCS=""
|
||||||
OPENSSLEDDSALINKOBJS=""
|
OPENSSLEDDSALINKOBJS=""
|
||||||
@@ -1623,6 +1625,7 @@ case "$use_openssl" in
|
@@ -1625,6 +1627,7 @@ case "$use_openssl" in
|
||||||
auto)
|
auto)
|
||||||
DST_OPENSSL_INC=""
|
DST_OPENSSL_INC=""
|
||||||
CRYPTO=""
|
CRYPTO=""
|
||||||
@ -1159,7 +1159,7 @@ index 78535bd..faef2e8 100644
|
|||||||
OPENSSLECDSALINKOBJS=""
|
OPENSSLECDSALINKOBJS=""
|
||||||
OPENSSLECDSALINKSRCS=""
|
OPENSSLECDSALINKSRCS=""
|
||||||
OPENSSLEDDSALINKOBJS=""
|
OPENSSLEDDSALINKOBJS=""
|
||||||
@@ -1633,7 +1636,7 @@ case "$use_openssl" in
|
@@ -1635,7 +1638,7 @@ case "$use_openssl" in
|
||||||
OPENSSLLINKSRCS=""
|
OPENSSLLINKSRCS=""
|
||||||
AC_MSG_ERROR(
|
AC_MSG_ERROR(
|
||||||
[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
|
[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
|
||||||
@ -1168,7 +1168,7 @@ index 78535bd..faef2e8 100644
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if test "yes" = "$want_native_pkcs11"
|
if test "yes" = "$want_native_pkcs11"
|
||||||
@@ -1663,6 +1666,7 @@ If you don't want OpenSSL, use --without-openssl])
|
@@ -1665,6 +1668,7 @@ If you don't want OpenSSL, use --without-openssl])
|
||||||
AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
|
AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
|
||||||
fi
|
fi
|
||||||
CRYPTO='-DOPENSSL'
|
CRYPTO='-DOPENSSL'
|
||||||
@ -1176,7 +1176,7 @@ index 78535bd..faef2e8 100644
|
|||||||
if test "/usr" = "$use_openssl"
|
if test "/usr" = "$use_openssl"
|
||||||
then
|
then
|
||||||
DST_OPENSSL_INC=""
|
DST_OPENSSL_INC=""
|
||||||
@@ -2099,7 +2103,6 @@ fi
|
@@ -2109,7 +2113,6 @@ fi
|
||||||
# Use OpenSSL for hash functions
|
# Use OpenSSL for hash functions
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -1184,7 +1184,7 @@ index 78535bd..faef2e8 100644
|
|||||||
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
|
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
|
||||||
case $want_openssl_hash in
|
case $want_openssl_hash in
|
||||||
yes)
|
yes)
|
||||||
@@ -2371,6 +2374,67 @@ if test "rt" = "$have_clock_gt"; then
|
@@ -2381,6 +2384,67 @@ if test "rt" = "$have_clock_gt"; then
|
||||||
LIBS="-lrt $LIBS"
|
LIBS="-lrt $LIBS"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -1252,7 +1252,7 @@ index 78535bd..faef2e8 100644
|
|||||||
#
|
#
|
||||||
# was --with-lmdb specified?
|
# was --with-lmdb specified?
|
||||||
#
|
#
|
||||||
@@ -4188,12 +4252,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
|
@@ -4174,12 +4238,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
|
||||||
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
|
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
|
||||||
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
|
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
|
||||||
if test "yes" = "$use_atomic"; then
|
if test "yes" = "$use_atomic"; then
|
||||||
@ -1266,7 +1266,7 @@ index 78535bd..faef2e8 100644
|
|||||||
if test $ac_cv_sizeof_void_p = 8; then
|
if test $ac_cv_sizeof_void_p = 8; then
|
||||||
arch=x86_64
|
arch=x86_64
|
||||||
have_xaddq=yes
|
have_xaddq=yes
|
||||||
@@ -4202,7 +4266,6 @@ if test "yes" = "$use_atomic"; then
|
@@ -4188,7 +4252,6 @@ if test "yes" = "$use_atomic"; then
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
x86_64-*|amd64-*)
|
x86_64-*|amd64-*)
|
||||||
@ -1274,7 +1274,7 @@ index 78535bd..faef2e8 100644
|
|||||||
if test $ac_cv_sizeof_void_p = 8; then
|
if test $ac_cv_sizeof_void_p = 8; then
|
||||||
arch=x86_64
|
arch=x86_64
|
||||||
have_xaddq=yes
|
have_xaddq=yes
|
||||||
@@ -5635,6 +5698,8 @@ report() {
|
@@ -5622,6 +5685,8 @@ report() {
|
||||||
echo " IPv6 support (--enable-ipv6)"
|
echo " IPv6 support (--enable-ipv6)"
|
||||||
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
|
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
|
||||||
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
|
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
|
||||||
@ -1283,7 +1283,7 @@ index 78535bd..faef2e8 100644
|
|||||||
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
|
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
|
||||||
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
|
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
|
||||||
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
|
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
|
||||||
@@ -5675,6 +5740,8 @@ report() {
|
@@ -5662,6 +5727,8 @@ report() {
|
||||||
echo " Very verbose query trace logging (--enable-querytrace)"
|
echo " Very verbose query trace logging (--enable-querytrace)"
|
||||||
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
|
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
|
||||||
|
|
||||||
@ -1292,7 +1292,7 @@ index 78535bd..faef2e8 100644
|
|||||||
echo " Dynamically loadable zone (DLZ) drivers:"
|
echo " Dynamically loadable zone (DLZ) drivers:"
|
||||||
test "no" = "$use_dlz_bdb" || \
|
test "no" = "$use_dlz_bdb" || \
|
||||||
echo " Berkeley DB (--with-dlz-bdb)"
|
echo " Berkeley DB (--with-dlz-bdb)"
|
||||||
@@ -5722,6 +5789,8 @@ report() {
|
@@ -5709,6 +5776,8 @@ report() {
|
||||||
echo " ECDSA algorithm support (--with-ecdsa)"
|
echo " ECDSA algorithm support (--with-ecdsa)"
|
||||||
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
|
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
|
||||||
echo " EDDSA algorithm support (--with-eddsa)"
|
echo " EDDSA algorithm support (--with-eddsa)"
|
||||||
@ -2015,7 +2015,7 @@ index 1f785e0..f9051c3 100644
|
|||||||
* Define if the hash functions must be provided by OpenSSL.
|
* Define if the hash functions must be provided by OpenSSL.
|
||||||
*/
|
*/
|
||||||
diff --git a/win32utils/Configure b/win32utils/Configure
|
diff --git a/win32utils/Configure b/win32utils/Configure
|
||||||
index 5f66a82..ff39910 100644
|
index 7ac30fb..55b6c23 100644
|
||||||
--- a/win32utils/Configure
|
--- a/win32utils/Configure
|
||||||
+++ b/win32utils/Configure
|
+++ b/win32utils/Configure
|
||||||
@@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
|
@@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
|
||||||
@ -2026,7 +2026,7 @@ index 5f66a82..ff39910 100644
|
|||||||
"ISC_PLATFORM_HAVEATOMICSTORE",
|
"ISC_PLATFORM_HAVEATOMICSTORE",
|
||||||
"ISC_PLATFORM_HAVEATOMICSTOREQ",
|
"ISC_PLATFORM_HAVEATOMICSTOREQ",
|
||||||
"ISC_PLATFORM_HAVECMPXCHG",
|
"ISC_PLATFORM_HAVECMPXCHG",
|
||||||
@@ -517,7 +518,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
|
@@ -516,7 +517,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
|
||||||
|
|
||||||
# enable-xxx/disable-xxx
|
# enable-xxx/disable-xxx
|
||||||
|
|
||||||
@ -2035,16 +2035,16 @@ index 5f66a82..ff39910 100644
|
|||||||
+ "developer",
|
+ "developer",
|
||||||
"fixed-rrset",
|
"fixed-rrset",
|
||||||
"intrinsics",
|
"intrinsics",
|
||||||
"isc-spnego",
|
"native-pkcs11",
|
||||||
@@ -580,6 +582,7 @@ my @help = (
|
@@ -578,6 +580,7 @@ my @help = (
|
||||||
"\nOptional Features:\n",
|
"\nOptional Features:\n",
|
||||||
" enable-intrinsics enable intrinsic/atomic functions [default=yes]\n",
|
" enable-intrinsics enable intrinsic/atomic functions [default=yes]\n",
|
||||||
" enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n",
|
" enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n",
|
||||||
+" enable-crypto-rand use crypto provider for random [default=yes]\n",
|
+" enable-crypto-rand use crypto provider for random [default=yes]\n",
|
||||||
" enable-openssl-hash use OpenSSL for hash functions [default=yes]\n",
|
" enable-openssl-hash use OpenSSL for hash functions [default=yes]\n",
|
||||||
" enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n",
|
|
||||||
" enable-filter-aaaa enable filtering of AAAA records [default=yes]\n",
|
" enable-filter-aaaa enable filtering of AAAA records [default=yes]\n",
|
||||||
@@ -628,7 +631,9 @@ my $want_clean = "no";
|
" enable-fixed-rrset enable fixed rrset ordering [default=no]\n",
|
||||||
|
@@ -625,7 +628,9 @@ my $want_clean = "no";
|
||||||
my $want_unknown = "no";
|
my $want_unknown = "no";
|
||||||
my $unknown_value;
|
my $unknown_value;
|
||||||
my $enable_intrinsics = "yes";
|
my $enable_intrinsics = "yes";
|
||||||
@ -2053,8 +2053,8 @@ index 5f66a82..ff39910 100644
|
|||||||
+my $enable_crypto_rand = "yes";
|
+my $enable_crypto_rand = "yes";
|
||||||
my $enable_openssl_hash = "auto";
|
my $enable_openssl_hash = "auto";
|
||||||
my $enable_filter_aaaa = "yes";
|
my $enable_filter_aaaa = "yes";
|
||||||
my $enable_isc_spnego = "yes";
|
my $enable_fixed_rrset = "no";
|
||||||
@@ -848,6 +853,10 @@ sub myenable {
|
@@ -844,6 +849,10 @@ sub myenable {
|
||||||
if ($val =~ /^yes$/i) {
|
if ($val =~ /^yes$/i) {
|
||||||
$enable_native_pkcs11 = "yes";
|
$enable_native_pkcs11 = "yes";
|
||||||
}
|
}
|
||||||
@ -2065,7 +2065,7 @@ index 5f66a82..ff39910 100644
|
|||||||
} elsif ($key =~ /^openssl-hash$/i) {
|
} elsif ($key =~ /^openssl-hash$/i) {
|
||||||
if ($val =~ /^yes$/i) {
|
if ($val =~ /^yes$/i) {
|
||||||
$enable_openssl_hash = "yes";
|
$enable_openssl_hash = "yes";
|
||||||
@@ -1154,6 +1163,11 @@ if ($verbose) {
|
@@ -1146,6 +1155,11 @@ if ($verbose) {
|
||||||
} else {
|
} else {
|
||||||
print "native-pkcs11: disabled\n";
|
print "native-pkcs11: disabled\n";
|
||||||
}
|
}
|
||||||
@ -2077,7 +2077,7 @@ index 5f66a82..ff39910 100644
|
|||||||
if ($enable_openssl_hash eq "yes") {
|
if ($enable_openssl_hash eq "yes") {
|
||||||
print "openssl-hash: enabled\n";
|
print "openssl-hash: enabled\n";
|
||||||
} else {
|
} else {
|
||||||
@@ -1511,6 +1525,7 @@ if ($enable_intrinsics eq "yes") {
|
@@ -1498,6 +1512,7 @@ if ($enable_intrinsics eq "yes") {
|
||||||
|
|
||||||
# enable-native-pkcs11
|
# enable-native-pkcs11
|
||||||
if ($enable_native_pkcs11 eq "yes") {
|
if ($enable_native_pkcs11 eq "yes") {
|
||||||
@ -2085,15 +2085,15 @@ index 5f66a82..ff39910 100644
|
|||||||
if ($use_openssl eq "auto") {
|
if ($use_openssl eq "auto") {
|
||||||
$use_openssl = "no";
|
$use_openssl = "no";
|
||||||
}
|
}
|
||||||
@@ -1720,6 +1735,7 @@ if ($use_openssl eq "yes") {
|
@@ -1707,6 +1722,7 @@ if ($use_openssl eq "yes") {
|
||||||
$openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
|
$openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
|
||||||
}
|
}
|
||||||
|
|
||||||
+ $cryptolib = "openssl";
|
+ $cryptolib = "openssl";
|
||||||
$configcond{"OPENSSL"} = 1;
|
$configcond{"OPENSSL"} = 1;
|
||||||
$configdefd{"CRYPTO"} = "OPENSSL";
|
$configdefd{"CRYPTO"} = "OPENSSL";
|
||||||
$configvar{"OPENSSL_PATH"} = "$openssl_path";
|
$configvar{"OPENSSL_PATH"} = "$openssl_path";
|
||||||
@@ -2291,6 +2307,15 @@ if ($use_aes eq "yes") {
|
@@ -2278,6 +2294,15 @@ if ($use_aes eq "yes") {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -2109,7 +2109,7 @@ index 5f66a82..ff39910 100644
|
|||||||
# enable-openssl-hash
|
# enable-openssl-hash
|
||||||
if ($enable_openssl_hash eq "yes") {
|
if ($enable_openssl_hash eq "yes") {
|
||||||
if ($use_openssl eq "no") {
|
if ($use_openssl eq "no") {
|
||||||
@@ -3673,6 +3698,7 @@ exit 0;
|
@@ -3650,6 +3675,7 @@ exit 0;
|
||||||
# --enable-developer partially supported
|
# --enable-developer partially supported
|
||||||
# --enable-newstats (9.9/9.9sub only)
|
# --enable-newstats (9.9/9.9sub only)
|
||||||
# --enable-native-pkcs11 supported
|
# --enable-native-pkcs11 supported
|
||||||
@ -2118,5 +2118,5 @@ index 5f66a82..ff39910 100644
|
|||||||
# --enable-openssl-hash supported
|
# --enable-openssl-hash supported
|
||||||
# --enable-threads included without a way to disable it
|
# --enable-threads included without a way to disable it
|
||||||
--
|
--
|
||||||
2.26.2
|
2.31.1
|
||||||
|
|
||||||
|
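--- a/SOURCES/bind-9.11-stale-cache.patch
+++ b/SOURCES/bind-9.11-stale-cache.patch
@@ -0,0 +1,65 @@
+From 8a7bff93037432fcfe8532752e89f150ea3030a4 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Mon, 9 Oct 2023 19:00:12 +0200
+Subject: [PATCH] Do not keep stale records by default
+
+By default set max-stale-ttl to 0, unless stale-answer-enable yes. This
+were enabled by mistake when backporting fix for CVE-2023-2828. It
+causes increased cache usage on servers not wanting to serve stale
+records. Fix that by setting smart defaults based on stale answers
+enabled with possible manual tuning.
+---
+bin/named/server.c | 25 +++++++++++++++++++------
+1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 7af90d0..afdc4fa 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -3295,7 +3295,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+size_t max_acache_size;
+size_t max_adb_size;
+uint32_t lame_ttl, fail_ttl;
+- uint32_t max_stale_ttl;
++ uint32_t max_stale_ttl = 0;
+dns_tsig_keyring_t *ring = NULL;
+dns_view_t *pview = NULL; /* Production view */
+isc_mem_t *cmctx = NULL, *hmctx = NULL;
+@@ -3739,16 +3739,29 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+if (view->maxncachettl > 7 * 24 * 3600)
+view->maxncachettl = 7 * 24 * 3600;
+
+- obj = NULL;
+- result = ns_config_get(maps, "max-stale-ttl", &obj);
+- INSIST(result == ISC_R_SUCCESS);
+- max_stale_ttl = cfg_obj_asuint32(obj);
+-
+obj = NULL;
+result = ns_config_get(maps, "stale-answer-enable", &obj);
+INSIST(result == ISC_R_SUCCESS);
+view->staleanswersenable = cfg_obj_asboolean(obj);
+
++ // RHEL-11785 -- set the stale-ttl to non-zero value only if enabled
++ obj = NULL;
++ if (view->staleanswersenable) {
++ result = ns_config_get(maps, "max-stale-ttl", &obj);
++ INSIST(result == ISC_R_SUCCESS);
++ max_stale_ttl = cfg_obj_asuint32(obj);
++ /*
++ * If 'stale-answer-enable' is false, max_stale_ttl is set
++ * to 0, meaning keeping stale RRsets in cache is disabled.
++ */
++ } else {
++ /* Do not use default value if stale is disabled,
++ * but allow manual overriding, like 'stale-cache-enable' */
++ result = ns_config_get(optionmaps, "max-stale-ttl", &obj);
++ if (result == ISC_R_SUCCESS)
++ max_stale_ttl = cfg_obj_asuint32(obj);
++ }
++
+result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
+view->rdclass, &pview);
+if (result == ISC_R_SUCCESS) {
+--
+2.41.0
+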
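Review bot: The comment block `/* If 'stale-answer-enable' is false, max_stale_ttl is set to 0 ... */` is placed inside the `if (view->staleanswersenable)` branch after the assignment it does not describe; it explains the `= 0` initializer and the `else` path, so it belongs just above `if (view->staleanswersenable) {`. The `// RHEL-11785 ...` line is a C++-style comment in a hunk whose other comments use `/* */`, and the patch description's `This were enabled by mistake` should read `This was enabled by mistake`. The `else` branch looks up `max-stale-ttl` through `optionmaps` instead of `maps` so that the built-in default is skipped while an explicit operator setting still bounds stale retention; that only holds if `optionmaps` excludes the defaults map, which is defined outside this hunk and worth confirming. configure_view's body continues outside the hunk.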
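--- a/SOURCES/bind-9.15-resolver-ntasks.patch
+++ b/SOURCES/bind-9.15-resolver-ntasks.patch
@@ -0,0 +1,58 @@
+From 6d6acf236841da5c2511f8afcd3e4a89af4c5658 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= <wpk@isc.org>
+Date: Fri, 14 Feb 2020 09:18:48 +0100
+Subject: [PATCH] Use RESOLVER_NTASKS_PERCPU - 32 for regular tuning, 8 for
+small
+
+Modify original upstream commit 0d80266f7e3, add high limit of used
+tasks. Minimum would be lower on machines with few cpus, but maximum
+would stay unchanged. Should prevent negatives of this change.
+
+Signed-off-by: Petr Mensik <pemensik@redhat.com>
+---
+bin/named/server.c | 12 ++++++++----
+1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 39b1124..94b4daa 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -148,11 +148,13 @@
+#endif
+
+#ifdef TUNE_LARGE
+-#define RESOLVER_NTASKS 523
++#define RESOLVER_NTASKS_MAX 523
++#define RESOLVER_NTASKS_PERCPU 32
+#define UDPBUFFERS 32768
+#define EXCLBUFFERS 32768
+#else
+-#define RESOLVER_NTASKS 31
++#define RESOLVER_NTASKS_MAX 31
++#define RESOLVER_NTASKS_PERCPU 8
+#define UDPBUFFERS 1000
+#define EXCLBUFFERS 4096
+#endif /* TUNE_LARGE */
+@@ -3318,7 +3320,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ns_cache_t *nsc;
+bool zero_no_soattl;
+dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
+- unsigned int query_timeout, ndisp;
++ unsigned int query_timeout, ndisp, ntasks;
+bool old_rpz_ok = false;
+isc_dscp_t dscp4 = -1, dscp6 = -1;
+dns_dyndbctx_t *dctx = NULL;
+@@ -3926,7 +3928,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+dns_view_setresquerystats(view, resquerystats);
+
+ndisp = 4 * ISC_MIN(ns_g_udpdisp, MAX_UDP_DISPATCH);
+- CHECK(dns_view_createresolver(view, ns_g_taskmgr, RESOLVER_NTASKS,
++ ntasks = ISC_MIN(RESOLVER_NTASKS_PERCPU * ns_g_cpus,
++ RESOLVER_NTASKS_MAX);
++ CHECK(dns_view_createresolver(view, ns_g_taskmgr, ntasks,
+ndisp, ns_g_socketmgr, ns_g_timermgr,
+resopts, ns_g_dispatchmgr,
+dispatch4, dispatch6));
+--
+2.34.1
+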
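Review bot: `ntasks = ISC_MIN(RESOLVER_NTASKS_PERCPU * ns_g_cpus, RESOLVER_NTASKS_MAX);` has an upper bound but no lower one, so if `ns_g_cpus` can ever be 0 at this point the resolver is created with zero tasks; where `ns_g_cpus` is set is outside this hunk, so an `INSIST(ns_g_cpus > 0);` before the computation, or wrapping it as `ISC_MAX(..., 1)`, would make the assumption explicit. The new defines carry no explanation of the policy they encode; a one-line comment above them such as `/* resolver tasks: RESOLVER_NTASKS_PERCPU per CPU, capped at RESOLVER_NTASKS_MAX */` would save the next reader a trip to this patch description. configure_view's body continues outside the hunk.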
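--- a/SOURCES/bind-9.16-CVE-2022-3094-1.patch
+++ b/SOURCES/bind-9.16-CVE-2022-3094-1.patch
@@ -0,0 +1,240 @@
+From 128b3b676eb9413b4d25fb29c560895cfbbfa92e Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Thu, 1 Sep 2022 16:05:04 -0700
+Subject: [PATCH] add an update quota
+
+limit the number of simultaneous DNS UPDATE events that can be
+processed by adding a quota for update and update forwarding.
+this quota currently, arbitrarily, defaults to 100.
+
+also add a statistics counter to record when the update quota
+has been exceeded.
+
+(cherry picked from commit 7c47254a140c3e9cf383cda73c7b6a55c4782826)
+---
+bin/named/bind9.xsl | 2 +-
+bin/named/bind9.xsl.h | 8 +++++++-
+bin/named/include/named/server.h | 7 ++++++-
+bin/named/server.c | 3 +++
+bin/named/statschannel.c | 5 +++--
+bin/named/update.c | 34 +++++++++++++++++++++++++++++++-
+doc/arm/Bv9ARM-book.xml | 15 ++++++++++++++
+7 files changed, 68 insertions(+), 6 deletions(-)
+
+diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl
+index 9a1c6ff..85fd4c4 100644
+--- a/bin/named/bind9.xsl
++++ b/bin/named/bind9.xsl
+@@ -12,7 +12,7 @@
+
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" version="1.0">
+<xsl:output method="html" indent="yes" version="4.0"/>
+- <xsl:template match="statistics[@version="3.8"]">
++ <xsl:template match="statistics[@version="3.8.1"]">
+<html>
+<head>
+<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
+diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h
+index 9ce8cd7..5e0a892 100644
+--- a/bin/named/bind9.xsl.h
++++ b/bin/named/bind9.xsl.h
+@@ -17,7 +17,13 @@ static char xslmsg[] =
+"\n"
+"<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" xmlns=\"http://www.w3.org/1999/xhtml\" version=\"1.0\">\n"
+" <xsl:output method=\"html\" indent=\"yes\" version=\"4.0\"/>\n"
+- " <xsl:template match=\"statistics[@version="3.8"]\">\n"
++#if 0
++ " <!-- the version number **below** must match version in "
++ "bin/named/statschannel.c -->\n"
++ " <!-- don't forget to update \"/xml/v<STATS_XML_VERSION_MAJOR>\" in "
++ "the HTTP endpoints listed below -->\n"
++#endif
++ " <xsl:template match=\"statistics[@version="3.8.1"]\">\n"
+" <html>\n"
+" <head>\n"
+" <script type=\"text/javascript\" src=\"https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js\"></script>\n"
+diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
+index 08a02dc..259acc7 100644
+--- a/bin/named/include/named/server.h
++++ b/bin/named/include/named/server.h
+@@ -137,6 +137,9 @@ struct ns_server {
+
+uint16_t transfer_tcp_message_size;
+isc_rng_t * rngctx;
++
++/* CVE-2022-3094 */
++ isc_quota_t updquota;
+};
+
+struct ns_altsecret {
+@@ -230,7 +233,9 @@ enum {
+dns_nsstatscounter_trystale = 59,
+dns_nsstatscounter_usedstale = 60,
+
+- dns_nsstatscounter_max = 61
++ dns_nsstatscounter_updatequota = 61,
++
++ dns_nsstatscounter_max = 62
+};
+
+/*%
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 2d2fa0e..f09b895 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -9143,6 +9143,8 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
+RUNTIME_CHECK(result == ISC_R_SUCCESS);
+result = isc_quota_init(&server->recursionquota, 100);
+RUNTIME_CHECK(result == ISC_R_SUCCESS);
++ result = isc_quota_init(&server->updquota, 100);
++ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+result = dns_aclenv_init(mctx, &server->aclenv);
+RUNTIME_CHECK(result == ISC_R_SUCCESS);
+@@ -9410,6 +9412,7 @@ ns_server_destroy(ns_server_t **serverp) {
+
+dns_aclenv_destroy(&server->aclenv);
+
++ isc_quota_destroy(&server->updquota);
+isc_quota_destroy(&server->recursionquota);
+isc_quota_destroy(&server->tcpquota);
+isc_quota_destroy(&server->xfroutquota);
+diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
+index 56a9c21..1e8723c 100644
+--- a/bin/named/statschannel.c
++++ b/bin/named/statschannel.c
+@@ -300,6 +300,7 @@ init_desc(void) {
+SET_NSSTATDESC(reclimitdropped,
+"queries dropped due to recursive client limit",
+"RecLimitDropped");
++ SET_NSSTATDESC(updatequota, "Update quota exceeded", "UpdateQuota");
+SET_NSSTATDESC(trystale,
+"attempts to use stale cache data after lookup failure",
+"QryTryStale");
+@@ -1546,7 +1547,7 @@ generatexml(ns_server_t *server, uint32_t flags,
+ISC_XMLCHAR "type=\"text/xsl\" href=\"/bind9.xsl\""));
+TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
+TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
+- ISC_XMLCHAR "3.8"));
++ ISC_XMLCHAR "3.8.1"));
+
+/* Set common fields for statistics dump */
+dumparg.type = isc_statsformat_xml;
+@@ -2303,7 +2304,7 @@ generatejson(ns_server_t *server, size_t *msglen,
+/*
+* These statistics are included no matter which URL we use.
+*/
+- obj = json_object_new_string("1.2");
++ obj = json_object_new_string("1.2.1");
+CHECKMEM(obj);
+json_object_object_add(bindstats, "json-stats-version", obj);
+
+diff --git a/bin/named/update.c b/bin/named/update.c
+index 6ad7d27..dccc543 100644
+--- a/bin/named/update.c
++++ b/bin/named/update.c
+@@ -1526,6 +1526,17 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
+isc_task_t *zonetask = NULL;
+ns_client_t *evclient;
+
++ result = isc_quota_attach(&ns_g_server->updquota,
++ &(isc_quota_t *){ NULL });
++ if (result != ISC_R_SUCCESS) {
++ update_log(client, zone, LOGLEVEL_PROTOCOL,
++ "update failed: too many DNS UPDATEs queued (%s)",
++ isc_result_totext(result));
++ isc_stats_increment(ns_g_server->nsstats,
++ dns_nsstatscounter_updatequota);
++ CHECK(DNS_R_DROP);
++ }
++
+event = (update_event_t *)
+isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
+update_action, NULL, sizeof(*event));
+@@ -1652,7 +1663,12 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
+* We are still in the client task context, so we can
+* simply give an error response without switching tasks.
+*/
+- respond(client, result);
++ if (result == DNS_R_DROP) {
++ ns_client_next(client, result);
++ } else {
++ respond(client, result);
++ }
++
+if (zone != NULL)
+dns_zone_detach(&zone);
+}
+@@ -3385,6 +3401,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
+dns_zone_detach(&uev->zone);
+client->nupdates--;
+respond(client, uev->result);
++ isc_quota_detach(&(isc_quota_t *){ &ns_g_server->updquota });
+isc_event_free(&event);
+ns_client_detach(&client);
+}
+@@ -3402,6 +3419,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) {
+INSIST(client->nupdates > 0);
+client->nupdates--;
+respond(client, DNS_R_SERVFAIL);
++
++ isc_quota_detach(&(isc_quota_t *){ &ns_g_server->updquota });
+isc_event_free(&event);
+ns_client_detach(&client);
+}
+@@ -3439,6 +3458,8 @@ forward_done(isc_task_t *task, isc_event_t *event) {
+client->nupdates--;
+ns_client_sendraw(client, uev->answer);
+dns_message_detach(&uev->answer);
++
++ isc_quota_detach(&(isc_quota_t *){ &ns_g_server->updquota });
+isc_event_free(&event);
+ns_client_detach(&client);
+}
+@@ -3472,6 +3493,17 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
+isc_task_t *zonetask = NULL;
+ns_client_t *evclient;
+
++ result = isc_quota_attach(&ns_g_server->updquota,
++ &(isc_quota_t *){ NULL });
++ if (result != ISC_R_SUCCESS) {
++ update_log(client, zone, LOGLEVEL_PROTOCOL,
++ "update failed: too many DNS UPDATEs queued (%s)",
++ isc_result_totext(result));
++ isc_stats_increment(ns_g_server->nsstats,
++ dns_nsstatscounter_updatequota);
++ return (DNS_R_DROP);
++ }
++
+/*
+* This may take some time so replace this client.
+*/
+diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
+index c17f168..9aca6d7 100644
+--- a/doc/arm/Bv9ARM-book.xml
++++ b/doc/arm/Bv9ARM-book.xml
+@@ -15105,6 +15105,21 @@ HOST-127.EXAMPLE. MX 0 .
+</para>
+</entry>
+</row>
++ <row rowsep="0">
++ <entry colname="1">
++ <para><command>UpdateQuota</command></para>
++ </entry>
++ <entry colname="2">
++ <para><command/></para>
++ </entry>
++ <entry colname="3">
++ <para>
++ This indicates the number of times a dynamic update or update
++ forwarding request was rejected because the number of pending
++ requests exceeded the update quota.
++ </para>
++ </entry>
++ </row>
+<row rowsep="0">
+<entry colname="1">
+<para><command>RateDropped</command></para>
+--
+2.39.2
+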
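Review bot: In the `send_update_event` hunk the quota unit is attached before `isc_event_allocate`, while the only release sites added are `updatedone_action`, `forward_fail` and `forward_done`; if any step between the attach and the successful hand-off to the zone task can fail (the `failure:` label and the rest of the function are outside the hunk, and 9.11's allocator can return NULL), that unit is never detached and each such failure permanently consumes one slot of a 100-unit quota until updates are refused. A detach on the failure path closes that, but it must be skipped for the `CHECK(DNS_R_DROP)` exit, which reaches `failure:` without ever having attached; the same reasoning applies to `send_forward_event`. The two otherwise identical blocks also exit differently (`CHECK(DNS_R_DROP);` versus `return (DNS_R_DROP);`), which is worth unifying so the cleanup contract is the same in both. A short comment on the `updquota` field beyond `/* CVE-2022-3094 */`, e.g. `/* caps concurrent UPDATE/forward events; attached in send_*_event, released in *_done/fail */`, would document where the pairing lives.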
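--- a/SOURCES/bind-9.16-CVE-2022-3094-2.patch
+++ b/SOURCES/bind-9.16-CVE-2022-3094-2.patch
@@ -0,0 +1,136 @@
+From d9a03233c6ea11f20c2fbeca87b763673859f8b2 Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Thu, 1 Sep 2022 16:22:46 -0700
+Subject: [PATCH] add a configuration option for the update quota
+
+add an "update-quota" option to configure the update quota.
+
+(cherry picked from commit f57758a7303ad0034ff2ff08eaaf2ef899630f19)
+---
+bin/named/config.c | 1 +
+bin/named/named.conf.docbook | 2 ++
+bin/named/server.c | 1 +
+bin/tests/system/checkconf/good.conf | 1 +
+doc/arm/Bv9ARM-book.xml | 11 +++++++++++
+doc/arm/options.grammar.xml | 1 +
+doc/misc/options | 1 +
+lib/isccfg/namedconf.c | 1 +
+8 files changed, 19 insertions(+)
+
+diff --git a/bin/named/config.c b/bin/named/config.c
+index 62d1e88..e3731cf 100644
+--- a/bin/named/config.c
++++ b/bin/named/config.c
+@@ -134,6 +134,7 @@ options {\n\
+transfers-per-ns 2;\n\
+# treat-cr-as-space <obsolete>;\n\
+trust-anchor-telemetry yes;\n\
++ update-quota 100;\n\
+# use-id-pool <obsolete>;\n\
+# use-ixfr <obsolete>;\n\
+\n\
+diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
+index 6565fce..5842cb5 100644
+--- a/bin/named/named.conf.docbook
++++ b/bin/named/named.conf.docbook
+@@ -455,6 +455,7 @@ options {
+trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
+try-tcp-refresh <replaceable>boolean</replaceable>;
+update-check-ksk <replaceable>boolean</replaceable>;
++ update-quota <replaceable>integer</replaceable>;
+use-alt-transfer-source <replaceable>boolean</replaceable>;
+use-v4-udp-ports { <replaceable>portrange</replaceable>; ... };
+use-v6-udp-ports { <replaceable>portrange</replaceable>; ... };
+@@ -864,6 +865,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
+type ( delegation-only | forward | hint | master | redirect
+| slave | static-stub | stub );
+update-check-ksk <replaceable>boolean</replaceable>;
++ update-quota <replaceable>integer</replaceable>;
+update-policy ( local | { ( deny | grant ) <replaceable>string</replaceable> (
+6to4-self | external | krb5-self | krb5-selfsub |
+krb5-subdomain | ms-self | ms-selfsub | ms-subdomain |
+diff --git a/bin/named/server.c b/bin/named/server.c
+index f09b895..7af90d0 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -7792,6 +7792,7 @@ load_configuration(const char *filename, ns_server_t *server,
+configure_server_quota(maps, "tcp-clients", &server->tcpquota);
+configure_server_quota(maps, "recursive-clients",
+&server->recursionquota);
++ configure_server_quota(maps, "update-quota", &server->updquota);
+
+if (server->recursionquota.max > 1000) {
+int margin = ISC_MAX(100, ns_g_cpus + 1);
+diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
+index 1359cf3..5d9b292 100644
+--- a/bin/tests/system/checkconf/good.conf
++++ b/bin/tests/system/checkconf/good.conf
+@@ -63,6 +63,7 @@ options {
+serial-queries 10;
+serial-query-rate 100;
+server-id none;
++ update-quota 200;
+max-cache-size 20000000000000;
+nta-lifetime 604800;
+nta-recheck 604800;
+diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
+index 9aca6d7..acf772b 100644
+--- a/doc/arm/Bv9ARM-book.xml
++++ b/doc/arm/Bv9ARM-book.xml
+@@ -8599,6 +8599,17 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
+</listitem>
+</varlistentry>
+
++ <varlistentry>
++ <term><command>update-quota</command></term>
++ <listitem>
++ <para>
++ This is the maximum number of simultaneous DNS UPDATE messages that
++ the server will accept for updating local authoritiative zones or
++ forwarding to a primary server. The default is <userinput>100</userinput>.
++ </para>
++ </listitem>
++ </varlistentry>
++
+</variablelist>
+
+</section>
+diff --git a/doc/arm/options.grammar.xml b/doc/arm/options.grammar.xml
+index 793ac0b..1d17ea8 100644
+--- a/doc/arm/options.grammar.xml
++++ b/doc/arm/options.grammar.xml
+@@ -277,6 +277,7 @@
+<command>trust-anchor-telemetry</command> <replaceable>boolean</replaceable>; // experimental
+<command>try-tcp-refresh</command> <replaceable>boolean</replaceable>;
+<command>update-check-ksk</command> <replaceable>boolean</replaceable>;
++ <command>update-quota</command> <replaceable>integer</replaceable>;
+<command>use-alt-transfer-source</command> <replaceable>boolean</replaceable>;
+<command>use-v4-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
+<command>use-v6-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
+diff --git a/doc/misc/options b/doc/misc/options
+index fde93c7..e6d6ba6 100644
+--- a/doc/misc/options
++++ b/doc/misc/options
+@@ -357,6 +357,7 @@ options {
+trust-anchor-telemetry <boolean>; // experimental
+try-tcp-refresh <boolean>;
+update-check-ksk <boolean>;
++ update-quota <integer>;
+use-alt-transfer-source <boolean>;
+use-id-pool <boolean>; // obsolete
+use-ixfr <boolean>; // obsolete
+diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
+index b562f95..667111c 100644
+--- a/lib/isccfg/namedconf.c
++++ b/lib/isccfg/namedconf.c
+@@ -1136,6 +1136,7 @@ options_clauses[] = {
+{ "transfers-out", &cfg_type_uint32, 0 },
+{ "transfers-per-ns", &cfg_type_uint32, 0 },
+{ "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
++ { "update-quota", &cfg_type_uint32, 0 },
+{ "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+{ "use-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+{ "use-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
+--
+2.39.2
+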
553
SOURCES/bind-9.16-CVE-2022-3094-3.patch
@ -0,0 +1,553 @@
|
|||||||
|
From cba333b262b7ee0034a66cc93cf27f6c4918eea2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Evan Hunt <each@isc.org>
|
||||||
|
Date: Tue, 8 Nov 2022 17:32:41 -0800
|
||||||
|
Subject: [PATCH] move update ACL and update-policy checks before quota
|
||||||
|
|
||||||
|
check allow-update, update-policy, and allow-update-forwarding before
|
||||||
|
consuming quota slots, so that unauthorized clients can't fill the
|
||||||
|
quota.
|
||||||
|
|
||||||
|
(this moves the access check before the prerequisite check, which
|
||||||
|
violates the precise wording of RFC 2136. however, RFC co-author Paul
|
||||||
|
Vixie has stated that the RFC is mistaken on this point; it should have
|
||||||
|
said that access checking must happen *no later than* the completion of
|
||||||
|
prerequisite checks, not that it must happen exactly then.)
|
||||||
|
|
||||||
|
(cherry picked from commit 964f559edb5036880b8e463b8f190b9007ee055d)
|
||||||
|
---
|
||||||
|
bin/named/update.c | 440 ++++++++++++++++++++++++++++++---------------
|
||||||
|
1 file changed, 298 insertions(+), 142 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/bin/named/update.c b/bin/named/update.c
|
||||||
|
index 8853ee7..4d1fe78 100644
|
||||||
|
--- a/bin/named/update.c
|
||||||
|
+++ b/bin/named/update.c
|
||||||
|
@@ -251,6 +251,9 @@ static void updatedone_action(isc_task_t *task, isc_event_t *event);
|
||||||
|
static isc_result_t send_forward_event(ns_client_t *client, dns_zone_t *zone);
|
||||||
|
static void forward_done(isc_task_t *task, isc_event_t *event);
|
||||||
|
static isc_result_t add_rr_prepare_action(void *data, rr_t *rr);
|
||||||
|
+static isc_result_t
|
||||||
|
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
|
||||||
|
+ const dns_rdata_t *rdata, bool *flag);
|
||||||
|
|
||||||
|
/**************************************************************************/
|
||||||
|
|
||||||
|
@@ -328,23 +331,24 @@ checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
|
||||||
|
{
|
||||||
|
char namebuf[DNS_NAME_FORMATSIZE];
|
||||||
|
char classbuf[DNS_RDATACLASS_FORMATSIZE];
|
||||||
|
- int level;
|
||||||
|
isc_result_t result;
|
||||||
|
+ bool update_possible =
|
||||||
|
+ ((updateacl != NULL && !dns_acl_isnone(updateacl)) ||
|
||||||
|
+ ssutable != NULL);
|
||||||
|
|
||||||
|
result = ns_client_checkaclsilent(client, NULL, queryacl, true);
|
||||||
|
if (result != ISC_R_SUCCESS) {
|
||||||
|
+ int level = update_possible ? ISC_LOG_ERROR : ISC_LOG_INFO;
|
||||||
|
+
|
||||||
|
dns_name_format(zonename, namebuf, sizeof(namebuf));
|
||||||
|
dns_rdataclass_format(client->view->rdclass, classbuf,
|
||||||
|
sizeof(classbuf));
|
||||||
|
|
||||||
|
- level = (updateacl == NULL && ssutable == NULL) ?
|
||||||
|
- ISC_LOG_INFO : ISC_LOG_ERROR;
|
||||||
|
-
|
||||||
|
ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
|
||||||
|
NS_LOGMODULE_UPDATE, level,
|
||||||
|
"update '%s/%s' denied due to allow-query",
|
||||||
|
namebuf, classbuf);
|
||||||
|
- } else if (updateacl == NULL && ssutable == NULL) {
|
||||||
|
+ } else if (!update_possible) {
|
||||||
|
dns_name_format(zonename, namebuf, sizeof(namebuf));
|
||||||
|
dns_rdataclass_format(client->view->rdclass, classbuf,
|
||||||
|
sizeof(classbuf));
|
||||||
|
@@ -1525,6 +1529,277 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
|
||||||
|
update_event_t *event = NULL;
|
||||||
|
isc_task_t *zonetask = NULL;
|
||||||
|
ns_client_t *evclient;
|
||||||
|
+#if 1
|
||||||
|
+ dns_ssutable_t *ssutable = NULL;
|
||||||
|
+ dns_message_t *request = client->message;
|
||||||
|
+ dns_rdataclass_t zoneclass;
|
||||||
|
+ dns_rdatatype_t covers;
|
||||||
|
+ dns_name_t *zonename = NULL;
|
||||||
|
+ dns_db_t *db = NULL;
|
||||||
|
+ dns_dbversion_t *ver = NULL;
|
||||||
|
+
|
||||||
|
+ CHECK(dns_zone_getdb(zone, &db));
|
||||||
|
+ zonename = dns_db_origin(db);
|
||||||
|
+ zoneclass = dns_db_class(db);
|
||||||
|
+ dns_zone_getssutable(zone, &ssutable);
|
||||||
|
+ dns_db_currentversion(db, &ver);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Update message processing can leak record existence information
|
||||||
|
+ * so check that we are allowed to query this zone. Additionally,
|
||||||
|
+ * if we would refuse all updates for this zone, we bail out here.
|
||||||
|
+ */
|
||||||
|
+ CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone),
|
||||||
|
+ dns_zone_getorigin(zone),
|
||||||
|
+ dns_zone_getupdateacl(zone), ssutable));
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Check requestor's permissions.
|
||||||
|
+ */
|
||||||
|
+ if (ssutable == NULL)
|
||||||
|
+ CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
|
||||||
|
+ "update", zonename, false, false));
|
||||||
|
+ else if (client->signer == NULL && !TCPCLIENT(client))
|
||||||
|
+ CHECK(checkupdateacl(client, NULL, "update", zonename,
|
||||||
|
+ false, true));
|
||||||
|
+
|
||||||
|
+ if (dns_zone_getupdatedisabled(zone))
|
||||||
|
+ FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
|
||||||
|
+ "because the zone is frozen. Use "
|
||||||
|
+ "'rndc thaw' to re-enable updates.");
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Perform the Update Section Prescan.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
|
||||||
|
+ result == ISC_R_SUCCESS;
|
||||||
|
+ result = dns_message_nextname(request, DNS_SECTION_UPDATE))
|
||||||
|
+ {
|
||||||
|
+ dns_name_t *name = NULL;
|
||||||
|
+ dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||||
|
+ dns_ttl_t ttl;
|
||||||
|
+ dns_rdataclass_t update_class;
|
||||||
|
+ get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
|
||||||
|
+ &name, &rdata, &covers, &ttl, &update_class);
|
||||||
|
+
|
||||||
|
+ if (! dns_name_issubdomain(name, zonename))
|
||||||
|
+ FAILC(DNS_R_NOTZONE,
|
||||||
|
+ "update RR is outside zone");
|
||||||
|
+ if (update_class == zoneclass) {
|
||||||
|
+ /*
|
||||||
|
+ * Check for meta-RRs. The RFC2136 pseudocode says
|
||||||
|
+ * check for ANY|AXFR|MAILA|MAILB, but the text adds
|
||||||
|
+ * "or any other QUERY metatype"
|
||||||
|
+ */
|
||||||
|
+ if (dns_rdatatype_ismeta(rdata.type)) {
|
||||||
|
+ FAILC(DNS_R_FORMERR,
|
||||||
|
+ "meta-RR in update");
|
||||||
|
+ }
|
||||||
|
+ result = dns_zone_checknames(zone, name, &rdata);
|
||||||
|
+ if (result != ISC_R_SUCCESS)
|
||||||
|
+ FAIL(DNS_R_REFUSED);
|
||||||
|
+ } else if (update_class == dns_rdataclass_any) {
|
||||||
|
+ if (ttl != 0 || rdata.length != 0 ||
|
||||||
|
+ (dns_rdatatype_ismeta(rdata.type) &&
|
||||||
|
+ rdata.type != dns_rdatatype_any))
|
||||||
|
+ FAILC(DNS_R_FORMERR,
|
||||||
|
+ "meta-RR in update");
|
||||||
|
+ } else if (update_class == dns_rdataclass_none) {
|
||||||
|
+ if (ttl != 0 ||
|
||||||
|
+ dns_rdatatype_ismeta(rdata.type))
|
||||||
|
+ FAILC(DNS_R_FORMERR,
|
||||||
|
+ "meta-RR in update");
|
||||||
|
+ } else {
|
||||||
|
+ update_log(client, zone, ISC_LOG_WARNING,
|
||||||
|
+ "update RR has incorrect class %d",
|
||||||
|
+ update_class);
|
||||||
|
+ FAIL(DNS_R_FORMERR);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * draft-ietf-dnsind-simple-secure-update-01 says
|
||||||
|
+ * "Unlike traditional dynamic update, the client
|
||||||
|
+ * is forbidden from updating NSEC records."
|
||||||
|
+ */
|
||||||
|
+ if (rdata.type == dns_rdatatype_nsec3) {
|
||||||
|
+ FAILC(DNS_R_REFUSED,
|
||||||
|
+ "explicit NSEC3 updates are not allowed "
|
||||||
|
+ "in secure zones");
|
||||||
|
+ } else if (rdata.type == dns_rdatatype_nsec) {
|
||||||
|
+ FAILC(DNS_R_REFUSED,
|
||||||
|
+ "explicit NSEC updates are not allowed "
|
||||||
|
+ "in secure zones");
|
||||||
|
+ } else if (rdata.type == dns_rdatatype_rrsig &&
|
||||||
|
+ !dns_name_equal(name, zonename)) {
|
||||||
|
+ FAILC(DNS_R_REFUSED,
|
||||||
|
+ "explicit RRSIG updates are currently "
|
||||||
|
+ "not supported in secure zones except "
|
||||||
|
+ "at the apex");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (ssutable != NULL) {
|
||||||
|
+ isc_netaddr_t netaddr;
|
||||||
|
+ dst_key_t *tsigkey = NULL;
|
||||||
|
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
|
||||||
|
+
|
||||||
|
+ if (client->message->tsigkey != NULL)
|
||||||
|
+ tsigkey = client->message->tsigkey->key;
|
||||||
|
+
|
||||||
|
+ if (rdata.type != dns_rdatatype_any) {
|
||||||
|
+ if (!dns_ssutable_checkrules2
|
||||||
|
+ (ssutable, client->signer, name, &netaddr,
|
||||||
|
+ TCPCLIENT(client),
|
||||||
|
+ &ns_g_server->aclenv,
|
||||||
|
+ rdata.type, tsigkey))
|
||||||
|
+ {
|
||||||
|
+ FAILC(DNS_R_REFUSED,
|
||||||
|
+ "rejected by secure update");
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if (!ssu_checkall(db, ver, name, ssutable,
|
||||||
|
+ client->signer,
|
||||||
|
+ &netaddr,
|
||||||
|
+ TCPCLIENT(client),
|
||||||
|
+ tsigkey))
|
||||||
|
+ {
|
||||||
|
+ FAILC(DNS_R_REFUSED,
|
||||||
|
+ "rejected by secure update");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (result != ISC_R_NOMORE)
|
||||||
|
+ FAIL(result);
|
||||||
|
+
|
||||||
|
+ update_log(client, zone, LOGLEVEL_DEBUG,
|
||||||
|
+ "update section prescan OK");
|
||||||
|
+#if 0
|
||||||
|
+ if (ssutable == NULL) {
|
||||||
|
+ CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
|
||||||
|
+ // zonename
|
||||||
|
+ "update", dns_zone_getorigin(zone), false,
|
||||||
|
+ false));
|
||||||
|
+ } else if (client->signer == NULL && !TCPCLIENT(client)) {
|
||||||
|
+ CHECK(checkupdateacl(client, NULL, "update",
|
||||||
|
+ dns_zone_getorigin(zone), false, true));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (dns_zone_getupdatedisabled(zone)) {
|
||||||
|
+ FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
|
||||||
|
+ "because the zone is frozen. Use "
|
||||||
|
+ "'rndc thaw' to re-enable updates.");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Prescan the update section, checking for updates that
|
||||||
|
+ * are illegal or violate policy.
|
||||||
|
+ */
|
||||||
|
+ for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
|
||||||
|
+ result == ISC_R_SUCCESS;
|
||||||
|
+ result = dns_message_nextname(request, DNS_SECTION_UPDATE))
|
||||||
|
+ {
|
||||||
|
+ dns_name_t *name = NULL;
|
||||||
|
+ dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||||
|
+ dns_ttl_t ttl;
|
||||||
|
+ dns_rdataclass_t update_class;
|
||||||
|
+
|
||||||
|
+ get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
|
||||||
|
+ &rdata, &covers, &ttl, &update_class);
|
||||||
|
+
|
||||||
|
+ if (!dns_name_issubdomain(name, zonename)) {
|
||||||
|
+ FAILC(DNS_R_NOTZONE, "update RR is outside zone");
|
||||||
|
+ }
|
||||||
|
+ if (update_class == zoneclass) {
|
||||||
|
+ /*
|
||||||
|
+ * Check for meta-RRs. The RFC2136 pseudocode says
|
||||||
|
+ * check for ANY|AXFR|MAILA|MAILB, but the text adds
|
||||||
|
+ * "or any other QUERY metatype"
|
||||||
|
+ */
|
||||||
|
+ if (dns_rdatatype_ismeta(rdata.type)) {
|
||||||
|
+ FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||||
|
+ }
|
||||||
|
+ result = dns_zone_checknames(zone, name, &rdata);
|
||||||
|
+ if (result != ISC_R_SUCCESS) {
|
||||||
|
+ FAIL(DNS_R_REFUSED);
|
||||||
|
+ }
|
||||||
|
+ } else if (update_class == dns_rdataclass_any) {
|
||||||
|
+ if (ttl != 0 || rdata.length != 0 ||
|
||||||
|
+ (dns_rdatatype_ismeta(rdata.type) &&
|
||||||
|
+ rdata.type != dns_rdatatype_any))
|
||||||
|
+ {
|
||||||
|
+ FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||||
|
+ }
|
||||||
|
+ } else if (update_class == dns_rdataclass_none) {
|
||||||
|
+ if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
|
||||||
|
+ FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ update_log(client, zone, ISC_LOG_WARNING,
|
||||||
|
+ "update RR has incorrect class %d",
|
||||||
|
+ update_class);
|
||||||
|
+ FAIL(DNS_R_FORMERR);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * draft-ietf-dnsind-simple-secure-update-01 says
|
||||||
|
+ * "Unlike traditional dynamic update, the client
|
||||||
|
+ * is forbidden from updating NSEC records."
|
||||||
|
+ */
|
||||||
|
+ if (rdata.type == dns_rdatatype_nsec3) {
|
||||||
|
+ FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
|
||||||
|
+ "allowed "
|
||||||
|
+ "in secure zones");
|
||||||
|
+ } else if (rdata.type == dns_rdatatype_nsec) {
|
||||||
|
+ FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
|
||||||
|
+ "allowed "
|
||||||
|
+ "in secure zones");
|
||||||
|
+ } else if (rdata.type == dns_rdatatype_rrsig &&
|
||||||
|
+ !dns_name_equal(name, zonename))
|
||||||
|
+ {
|
||||||
|
+ FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
|
||||||
|
+ "currently "
|
||||||
|
+ "not supported in secure zones "
|
||||||
|
+ "except "
|
||||||
|
+ "at the apex");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (ssutable != NULL) {
|
||||||
|
+ isc_netaddr_t netaddr;
|
||||||
|
+ dst_key_t *tsigkey = NULL;
|
||||||
|
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
|
||||||
|
+
|
||||||
|
+ if (client->message->tsigkey != NULL) {
|
||||||
|
+ tsigkey = client->message->tsigkey->key;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (rdata.type != dns_rdatatype_any) {
|
||||||
|
+ if (!dns_ssutable_checkrules(
|
||||||
|
+ ssutable, client->signer, name,
|
||||||
|
+ &netaddr, TCPCLIENT(client), env,
|
||||||
|
+ rdata.type, tsigkey))
|
||||||
|
+ {
|
||||||
|
+ FAILC(DNS_R_REFUSED, "rejected by "
|
||||||
|
+ "secure update");
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if (!ssu_checkall(db, ver, name, ssutable,
|
||||||
|
+ client->signer, &netaddr, env,
|
||||||
|
+ TCPCLIENT(client), tsigkey))
|
||||||
|
+ {
|
||||||
|
+ FAILC(DNS_R_REFUSED, "rejected by "
|
||||||
|
+ "secure update");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (result != ISC_R_NOMORE) {
|
||||||
|
+ FAIL(result);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
|
||||||
|
+#endif
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
result = isc_quota_attach(&ns_g_server->updquota,
|
||||||
|
&(isc_quota_t *){ NULL });
|
||||||
|
@@ -1558,6 +1833,15 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
|
||||||
|
failure:
|
||||||
|
if (event != NULL)
|
||||||
|
isc_event_free(ISC_EVENT_PTR(&event));
|
||||||
|
+ if (db != NULL) {
|
||||||
|
+ dns_db_closeversion(db, &ver, false);
|
||||||
|
+ dns_db_detach(&db);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (ssutable != NULL) {
|
||||||
|
+ dns_ssutable_detach(&ssutable);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return (result);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1644,9 +1928,6 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
|
||||||
|
CHECK(send_update_event(client, zone));
|
||||||
|
break;
|
||||||
|
case dns_zone_slave:
|
||||||
|
- CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
|
||||||
|
- "update forwarding", zonename, true,
|
||||||
|
- false));
|
||||||
|
CHECK(send_forward_event(client, zone));
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
@@ -1656,7 +1937,6 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
|
||||||
|
|
||||||
|
failure:
|
||||||
|
if (result == DNS_R_REFUSED) {
|
||||||
|
- INSIST(dns_zone_gettype(zone) == dns_zone_slave);
|
||||||
|
inc_stats(zone, dns_nsstatscounter_updaterej);
|
||||||
|
}
|
||||||
|
/*
|
||||||
|
@@ -2520,7 +2800,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
|
||||||
|
dns_rdatatype_t covers;
|
||||||
|
dns_message_t *request = client->message;
|
||||||
|
dns_rdataclass_t zoneclass;
|
||||||
|
- dns_name_t *zonename;
|
||||||
|
+ dns_name_t *zonename = NULL;
|
||||||
|
dns_ssutable_t *ssutable = NULL;
|
||||||
|
dns_fixedname_t tmpnamefixed;
|
||||||
|
dns_name_t *tmpname = NULL;
|
||||||
|
@@ -2542,14 +2822,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
|
||||||
|
zonename = dns_db_origin(db);
|
||||||
|
zoneclass = dns_db_class(db);
|
||||||
|
dns_zone_getssutable(zone, &ssutable);
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
- * Update message processing can leak record existence information
|
||||||
|
- * so check that we are allowed to query this zone. Additionally
|
||||||
|
- * if we would refuse all updates for this zone we bail out here.
|
||||||
|
- */
|
||||||
|
- CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
|
||||||
|
- dns_zone_getupdateacl(zone), ssutable));
|
||||||
|
+ options = dns_zone_getoptions(zone);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Get old and new versions now that queryacl has been checked.
|
||||||
|
@@ -2673,134 +2946,10 @@ update_action(isc_task_t *task, isc_event_t *event) {
|
||||||
|
update_log(client, zone, LOGLEVEL_DEBUG,
|
||||||
|
"prerequisites are OK");
|
||||||
|
|
||||||
|
- /*
|
||||||
|
- * Check Requestor's Permissions. It seems a bit silly to do this
|
||||||
|
- * only after prerequisite testing, but that is what RFC2136 says.
|
||||||
|
- */
|
||||||
|
- if (ssutable == NULL)
|
||||||
|
- CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
|
||||||
|
- "update", zonename, false, false));
|
||||||
|
- else if (client->signer == NULL && !TCPCLIENT(client))
|
||||||
|
- CHECK(checkupdateacl(client, NULL, "update", zonename,
|
||||||
|
- false, true));
|
||||||
|
-
|
||||||
|
- if (dns_zone_getupdatedisabled(zone))
|
||||||
|
- FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
|
||||||
|
- "because the zone is frozen. Use "
|
||||||
|
- "'rndc thaw' to re-enable updates.");
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
- * Perform the Update Section Prescan.
|
||||||
|
- */
|
||||||
|
-
|
||||||
|
- for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
|
||||||
|
- result == ISC_R_SUCCESS;
|
||||||
|
- result = dns_message_nextname(request, DNS_SECTION_UPDATE))
|
||||||
|
- {
|
||||||
|
- dns_name_t *name = NULL;
|
||||||
|
- dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||||
|
- dns_ttl_t ttl;
|
||||||
|
- dns_rdataclass_t update_class;
|
||||||
|
- get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
|
||||||
|
- &name, &rdata, &covers, &ttl, &update_class);
|
||||||
|
-
|
||||||
|
- if (! dns_name_issubdomain(name, zonename))
|
||||||
|
- FAILC(DNS_R_NOTZONE,
|
||||||
|
- "update RR is outside zone");
|
||||||
|
- if (update_class == zoneclass) {
|
||||||
|
- /*
|
||||||
|
- * Check for meta-RRs. The RFC2136 pseudocode says
|
||||||
|
- * check for ANY|AXFR|MAILA|MAILB, but the text adds
|
||||||
|
- * "or any other QUERY metatype"
|
||||||
|
- */
|
||||||
|
- if (dns_rdatatype_ismeta(rdata.type)) {
|
||||||
|
- FAILC(DNS_R_FORMERR,
|
||||||
|
- "meta-RR in update");
|
||||||
|
- }
|
||||||
|
- result = dns_zone_checknames(zone, name, &rdata);
|
||||||
|
- if (result != ISC_R_SUCCESS)
|
||||||
|
- FAIL(DNS_R_REFUSED);
|
||||||
|
- } else if (update_class == dns_rdataclass_any) {
|
||||||
|
- if (ttl != 0 || rdata.length != 0 ||
|
||||||
|
- (dns_rdatatype_ismeta(rdata.type) &&
|
||||||
|
- rdata.type != dns_rdatatype_any))
|
||||||
|
- FAILC(DNS_R_FORMERR,
|
||||||
|
- "meta-RR in update");
|
||||||
|
- } else if (update_class == dns_rdataclass_none) {
|
||||||
|
- if (ttl != 0 ||
|
||||||
|
- dns_rdatatype_ismeta(rdata.type))
|
||||||
|
- FAILC(DNS_R_FORMERR,
|
||||||
|
- "meta-RR in update");
|
||||||
|
- } else {
|
||||||
|
- update_log(client, zone, ISC_LOG_WARNING,
|
||||||
|
- "update RR has incorrect class %d",
|
||||||
|
- update_class);
|
||||||
|
- FAIL(DNS_R_FORMERR);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
- * draft-ietf-dnsind-simple-secure-update-01 says
|
||||||
|
- * "Unlike traditional dynamic update, the client
|
||||||
|
- * is forbidden from updating NSEC records."
|
||||||
|
- */
|
||||||
|
- if (rdata.type == dns_rdatatype_nsec3) {
|
||||||
|
- FAILC(DNS_R_REFUSED,
|
||||||
|
- "explicit NSEC3 updates are not allowed "
|
||||||
|
- "in secure zones");
|
||||||
|
- } else if (rdata.type == dns_rdatatype_nsec) {
|
||||||
|
- FAILC(DNS_R_REFUSED,
|
||||||
|
- "explicit NSEC updates are not allowed "
|
||||||
|
- "in secure zones");
|
||||||
|
- } else if (rdata.type == dns_rdatatype_rrsig &&
|
||||||
|
- !dns_name_equal(name, zonename)) {
|
||||||
|
- FAILC(DNS_R_REFUSED,
|
||||||
|
- "explicit RRSIG updates are currently "
|
||||||
|
- "not supported in secure zones except "
|
||||||
|
- "at the apex");
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (ssutable != NULL) {
|
||||||
|
- isc_netaddr_t netaddr;
|
||||||
|
- dst_key_t *tsigkey = NULL;
|
||||||
|
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
|
||||||
|
-
|
||||||
|
- if (client->message->tsigkey != NULL)
|
||||||
|
- tsigkey = client->message->tsigkey->key;
|
||||||
|
-
|
||||||
|
- if (rdata.type != dns_rdatatype_any) {
|
||||||
|
- if (!dns_ssutable_checkrules2
|
||||||
|
- (ssutable, client->signer, name, &netaddr,
|
||||||
|
- TCPCLIENT(client),
|
||||||
|
- &ns_g_server->aclenv,
|
||||||
|
- rdata.type, tsigkey))
|
||||||
|
- {
|
||||||
|
- FAILC(DNS_R_REFUSED,
|
||||||
|
- "rejected by secure update");
|
||||||
|
- }
|
||||||
|
- } else {
|
||||||
|
- if (!ssu_checkall(db, ver, name, ssutable,
|
||||||
|
- client->signer,
|
||||||
|
- &netaddr,
|
||||||
|
- TCPCLIENT(client),
|
||||||
|
- tsigkey))
|
||||||
|
- {
|
||||||
|
- FAILC(DNS_R_REFUSED,
|
||||||
|
- "rejected by secure update");
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- if (result != ISC_R_NOMORE)
|
||||||
|
- FAIL(result);
|
||||||
|
-
|
||||||
|
- update_log(client, zone, LOGLEVEL_DEBUG,
|
||||||
|
- "update section prescan OK");
|
||||||
|
-
|
||||||
|
/*
|
||||||
|
* Process the Update Section.
|
||||||
|
*/
|
||||||
|
|
||||||
|
- options = dns_zone_getoptions(zone);
|
||||||
|
options2 = dns_zone_getoptions2(zone);
|
||||||
|
for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
|
||||||
|
result == ISC_R_SUCCESS;
|
||||||
|
@@ -3494,6 +3643,13 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
|
||||||
|
isc_task_t *zonetask = NULL;
|
||||||
|
ns_client_t *evclient;
|
||||||
|
|
||||||
|
+ result = checkupdateacl(client, dns_zone_getforwardacl(zone),
|
||||||
|
+ "update forwarding", dns_zone_getorigin(zone),
|
||||||
|
+ true, false);
|
||||||
|
+ if (result != ISC_R_SUCCESS) {
|
||||||
|
+ return (result);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
result = isc_quota_attach(&ns_g_server->updquota,
|
||||||
|
&(isc_quota_t *){ NULL });
|
||||||
|
if (result != ISC_R_SUCCESS) {
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
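Review bot: The new send_update_event body wraps the moved access and prescan logic in `#if 1` and then carries a second, fully duplicated copy of the same checks under `#if 0 … #endif` (the block from the second "if (ssutable == NULL)" through the doubled `#endif`); the disabled copy is the 9.16 form and references `env` and `dns_ssutable_checkrules`, neither of which is declared in this 9.11 tree, so it is dead text that breaks the build if anyone flips the conditional. Drop both preprocessor wrappers and keep only the live copy, so the authorization path this CVE fix depends on reads as one block. Separately, the cleanup added at `failure:` closes `ver` and detaches `db` and `ssutable`, but the lines between the quota attach and that label are outside the hunk; confirm the success path also falls through to the label (the pre-existing `isc_event_free` there suggests it does), otherwise every accepted update would leak a db reference and an open version. send_update_event begins in the hunk but its middle is not shown.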
266
SOURCES/bind-9.16-CVE-2022-3094-test.patch
@ -0,0 +1,266 @@
|
|||||||
|
From 3d84c651f823cb90b73fd736d32ad6de57b11610 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Evan Hunt <each@isc.org>
|
||||||
|
Date: Wed, 9 Nov 2022 21:56:16 -0800
|
||||||
|
Subject: [PATCH] test failure conditions
|
||||||
|
|
||||||
|
verify that updates are refused when the client is disallowed by
|
||||||
|
allow-query, and update forwarding is refused when the client is
|
||||||
|
is disallowed by update-forwarding.
|
||||||
|
|
||||||
|
verify that "too many DNS UPDATEs" appears in the log file when too
|
||||||
|
many simultaneous updates are processing.
|
||||||
|
|
||||||
|
(cherry picked from commit b91339b80e5b82a56622c93cc1e3cca2d0c11bc0)
|
||||||
|
---
|
||||||
|
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +
|
||||||
|
bin/tests/system/nsupdate/tests.sh | 28 +++++++++++++
|
||||||
|
bin/tests/system/upforwd/clean.sh | 2 +
|
||||||
|
.../ns3/{named.conf.in => named1.conf.in} | 7 +++-
|
||||||
|
bin/tests/system/upforwd/ns3/named2.conf.in | 41 +++++++++++++++++++
|
||||||
|
bin/tests/system/upforwd/setup.sh | 2 +-
|
||||||
|
bin/tests/system/upforwd/tests.sh | 40 ++++++++++++++++++
|
||||||
|
7 files changed, 120 insertions(+), 2 deletions(-)
|
||||||
|
rename bin/tests/system/upforwd/ns3/{named.conf.in => named1.conf.in} (85%)
|
||||||
|
create mode 100644 bin/tests/system/upforwd/ns3/named2.conf.in
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||||
|
index cb80269..228ad6a 100644
|
||||||
|
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||||
|
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||||
|
@@ -20,6 +20,7 @@ options {
|
||||||
|
listen-on-v6 { none; };
|
||||||
|
recursion no;
|
||||||
|
notify yes;
|
||||||
|
+ update-quota 1;
|
||||||
|
};
|
||||||
|
|
||||||
|
key rndc_key {
|
||||||
|
@@ -76,6 +77,7 @@ zone "other.nil" {
|
||||||
|
check-integrity no;
|
||||||
|
check-mx warn;
|
||||||
|
update-policy local;
|
||||||
|
+ allow-query { !10.53.0.2; any; };
|
||||||
|
allow-query-on { 10.53.0.1; 127.0.0.1; };
|
||||||
|
allow-transfer { any; };
|
||||||
|
};
|
||||||
|
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
||||||
|
index f8994ff..4cabf8d 100755
|
||||||
|
--- a/bin/tests/system/nsupdate/tests.sh
|
||||||
|
+++ b/bin/tests/system/nsupdate/tests.sh
|
||||||
|
@@ -1069,6 +1069,34 @@ END
|
||||||
|
grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
|
||||||
|
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||||
|
|
||||||
|
+n=$((n + 1))
|
||||||
|
+ret=0
|
||||||
|
+echo_i "check that update is rejected if query is not allowed ($n)"
|
||||||
|
+{
|
||||||
|
+ $NSUPDATE -d <<END
|
||||||
|
+ local 10.53.0.2
|
||||||
|
+ server 10.53.0.1 ${PORT}
|
||||||
|
+ update add reject.other.nil 3600 IN TXT Whatever
|
||||||
|
+ send
|
||||||
|
+END
|
||||||
|
+} > nsupdate.out.test$n 2>&1
|
||||||
|
+grep 'status: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
|
||||||
|
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||||
|
+
|
||||||
|
+n=$((n + 1))
|
||||||
|
+ret=0
|
||||||
|
+echo_i "check that update is rejected if quota is exceeded ($n)"
|
||||||
|
+for loop in 1 2 3 4 5 6 7 8 9 10; do
|
||||||
|
+{
|
||||||
|
+ $NSUPDATE -l -p ${PORT} -k ns1/session.key > nsupdate.out.test$n-${loop} 2>&1 <<END
|
||||||
|
+ update add txt-$loop.other.nil 3600 IN TXT Whatever
|
||||||
|
+ send
|
||||||
|
+END
|
||||||
|
+} &
|
||||||
|
+done
|
||||||
|
+wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
|
||||||
|
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||||
|
+
|
||||||
|
if $FEATURETEST --gssapi ; then
|
||||||
|
n=`expr $n + 1`
|
||||||
|
ret=0
|
||||||
|
diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
|
||||||
|
index 15cf423..832c727 100644
|
||||||
|
--- a/bin/tests/system/upforwd/clean.sh
|
||||||
|
+++ b/bin/tests/system/upforwd/clean.sh
|
||||||
|
@@ -24,3 +24,5 @@ rm -f Ksig0.example2.*
|
||||||
|
rm -f keyname
|
||||||
|
rm -f ns*/named.lock
|
||||||
|
rm -f ns1/example2.db
|
||||||
|
+rm -f nsupdate.out.*
|
||||||
|
+rm -f ns*/named.run.prev
|
||||||
|
diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
|
||||||
|
similarity index 85%
|
||||||
|
rename from bin/tests/system/upforwd/ns3/named.conf.in
|
||||||
|
rename to bin/tests/system/upforwd/ns3/named1.conf.in
|
||||||
|
index e81cd1a..83a490f 100644
|
||||||
|
--- a/bin/tests/system/upforwd/ns3/named.conf.in
|
||||||
|
+++ b/bin/tests/system/upforwd/ns3/named1.conf.in
|
||||||
|
@@ -22,10 +22,15 @@ options {
|
||||||
|
notify yes;
|
||||||
|
};
|
||||||
|
|
||||||
|
+include "../../common/rndc.key";
|
||||||
|
+controls {
|
||||||
|
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
zone "example" {
|
||||||
|
type slave;
|
||||||
|
file "example.bk";
|
||||||
|
- allow-update-forwarding { any; };
|
||||||
|
+ allow-update-forwarding { 10.53.0.1; };
|
||||||
|
masters { 10.53.0.1; };
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..992cd69
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/bin/tests/system/upforwd/ns3/named2.conf.in
|
||||||
|
@@ -0,0 +1,41 @@
|
||||||
|
+/*
|
||||||
|
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||||
|
+ *
|
||||||
|
+ * SPDX-License-Identifier: MPL-2.0
|
||||||
|
+ *
|
||||||
|
+ * This Source Code Form is subject to the terms of the Mozilla Public
|
||||||
|
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||||
|
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||||
|
+ *
|
||||||
|
+ * See the COPYRIGHT file distributed with this work for additional
|
||||||
|
+ * information regarding copyright ownership.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+options {
|
||||||
|
+ query-source address 10.53.0.3;
|
||||||
|
+ notify-source 10.53.0.3;
|
||||||
|
+ transfer-source 10.53.0.3;
|
||||||
|
+ port @PORT@;
|
||||||
|
+ pid-file "named.pid";
|
||||||
|
+ listen-on { 10.53.0.3; };
|
||||||
|
+ listen-on-v6 { none; };
|
||||||
|
+ recursion no;
|
||||||
|
+ notify yes;
|
||||||
|
+ update-quota 1;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+key rndc_key {
|
||||||
|
+ secret "1234abcd8765";
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+controls {
|
||||||
|
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+zone "example" {
|
||||||
|
+ type slave;
|
||||||
|
+ file "example.bk";
|
||||||
|
+ allow-update-forwarding { any; };
|
||||||
|
+ masters { 10.53.0.1; };
|
||||||
|
+};
|
||||||
|
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
|
||||||
|
index 74c7ba3..928902b 100644
|
||||||
|
--- a/bin/tests/system/upforwd/setup.sh
|
||||||
|
+++ b/bin/tests/system/upforwd/setup.sh
|
||||||
|
@@ -17,7 +17,7 @@ cp -f ns3/nomaster.db ns3/nomaster1.db
|
||||||
|
|
||||||
|
copy_setports ns1/named.conf.in ns1/named.conf
|
||||||
|
copy_setports ns2/named.conf.in ns2/named.conf
|
||||||
|
-copy_setports ns3/named.conf.in ns3/named.conf
|
||||||
|
+copy_setports ns3/named1.conf.in ns3/named.conf
|
||||||
|
|
||||||
|
#
|
||||||
|
# SIG(0) required cryptographic support which may not be configured.
|
||||||
|
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
|
||||||
|
index f4c3216..ebc9ded 100644
|
||||||
|
--- a/bin/tests/system/upforwd/tests.sh
|
||||||
|
+++ b/bin/tests/system/upforwd/tests.sh
|
||||||
|
@@ -17,6 +17,7 @@ SYSTEMTESTTOP=..
|
||||||
|
. $SYSTEMTESTTOP/conf.sh
|
||||||
|
|
||||||
|
DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
|
||||||
|
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
|
||||||
|
|
||||||
|
status=0
|
||||||
|
n=1
|
||||||
|
@@ -69,6 +70,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
||||||
|
echo_i "updating zone (signed) ($n)"
|
||||||
|
ret=0
|
||||||
|
$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
|
||||||
|
+local 10.53.0.1
|
||||||
|
server 10.53.0.3 ${PORT}
|
||||||
|
update add updated.example. 600 A 10.10.10.1
|
||||||
|
update add updated.example. 600 TXT Foo
|
||||||
|
@@ -116,6 +118,7 @@ n=`expr $n + 1`
|
||||||
|
echo_i "updating zone (unsigned) ($n)"
|
||||||
|
ret=0
|
||||||
|
$NSUPDATE -- - <<EOF || ret=1
|
||||||
|
+local 10.53.0.1
|
||||||
|
server 10.53.0.3 ${PORT}
|
||||||
|
update add unsigned.example. 600 A 10.10.10.1
|
||||||
|
update add unsigned.example. 600 TXT Foo
|
||||||
|
@@ -161,6 +164,7 @@ while [ $count -lt 5 -a $ret -eq 0 ]
|
||||||
|
do
|
||||||
|
(
|
||||||
|
$NSUPDATE -- - <<EOF
|
||||||
|
+local 10.53.0.1
|
||||||
|
server 10.53.0.3 ${PORT}
|
||||||
|
zone nomaster
|
||||||
|
update add unsigned.nomaster. 600 A 10.10.10.1
|
||||||
|
@@ -181,6 +185,7 @@ then
|
||||||
|
ret=0
|
||||||
|
keyname=`cat keyname`
|
||||||
|
$NSUPDATE -k $keyname.private -- - <<EOF
|
||||||
|
+ local 10.53.0.1
|
||||||
|
server 10.53.0.3 ${PORT}
|
||||||
|
zone example2
|
||||||
|
update add unsigned.example2. 600 A 10.10.10.1
|
||||||
|
@@ -194,5 +199,40 @@ EOF
|
||||||
|
n=`expr $n + 1`
|
||||||
|
fi
|
||||||
|
|
||||||
|
+echo_i "attempting an update that should be rejected by ACL ($n)"
|
||||||
|
+ret=0
|
||||||
|
+{
|
||||||
|
+ $NSUPDATE -- - << EOF
|
||||||
|
+ local 10.53.0.2
|
||||||
|
+ server 10.53.0.3 ${PORT}
|
||||||
|
+ update add another.unsigned.example. 600 A 10.10.10.2
|
||||||
|
+ update add another.unsigned.example. 600 TXT Bar
|
||||||
|
+ send
|
||||||
|
+EOF
|
||||||
|
+} > nsupdate.out.$n 2>&1
|
||||||
|
+grep REFUSED nsupdate.out.$n > /dev/null || ret=1
|
||||||
|
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
||||||
|
+n=`expr $n + 1`
|
||||||
|
+
|
||||||
|
+n=$((n + 1))
|
||||||
|
+ret=0
|
||||||
|
+echo_i "attempting updates that should exceed quota ($n)"
|
||||||
|
+# lower the update quota to 1.
|
||||||
|
+copy_setports ns3/named2.conf.in ns3/named.conf
|
||||||
|
+$RNDCCMD 10.53.0.3 reconfig
|
||||||
|
+nextpart ns3/named.run > /dev/null
|
||||||
|
+for loop in 1 2 3 4 5 6 7 8 9 10; do
|
||||||
|
+{
|
||||||
|
+ $NSUPDATE -- - > /dev/null 2>&1 <<END
|
||||||
|
+ local 10.53.0.1
|
||||||
|
+ server 10.53.0.3 ${PORT}
|
||||||
|
+ update add txt-$loop.unsigned.example 300 IN TXT Whatever
|
||||||
|
+ send
|
||||||
|
+END
|
||||||
|
+} &
|
||||||
|
+done
|
||||||
|
+wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
|
||||||
|
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||||
|
+
|
||||||
|
echo_i "exit status: $status"
|
||||||
|
[ $status -eq 0 ] || exit 1
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
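--- /dev/null
+++ b/SOURCES/bind-9.16-CVE-2022-38177.patch
@@ -0,0 +1,27 @@
+From 0095b8a6b09173ab5eb48611dc0233d2a6337dc1 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 20 Sep 2022 11:21:45 +0200
+Subject: [PATCH] Fix CVE-2022-38177
+
+5961. [security] Fix memory leak in ECDSA verify processing.
+(CVE-2022-38177) [GL #3487]
+---
+lib/dns/opensslecdsa_link.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
+index 83b5b51..7576e04 100644
+--- a/lib/dns/opensslecdsa_link.c
++++ b/lib/dns/opensslecdsa_link.c
+@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+siglen = DNS_SIG_ECDSA384SIZE;
+
+if (sig->length != siglen)
+- return (DST_R_VERIFYFAILURE);
++ DST_RET(DST_R_VERIFYFAILURE);
+
+if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+DST_RET (dst__openssl_toresult3(dctx->category,
+--
+2.37.3
+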
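Review bot: The entire fix is routing the signature-length mismatch through `DST_RET` instead of a bare `return`, so it only closes the leak if the cleanup label that `DST_RET` jumps to — which lies outside this three-line hunk — releases what the CHANGES entry says was leaked, and if no other bare `return` remains between that allocation and the label in opensslecdsa_verify(); both conditions should be confirmed against the full function body rather than the hunk. The same one-line change with the same caveat applies to openssleddsa_verify() in SOURCES/bind-9.16-CVE-2022-38178.patch below. The commit body carries only the CHANGES entry; one sentence such as `The length-mismatch exit now goes through the function's cleanup path instead of returning directly, so resources allocated earlier in verify are released.` would tell a reader why a macro swap is a security fix without sending them to upstream.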
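--- /dev/null
+++ b/SOURCES/bind-9.16-CVE-2022-38178.patch
@@ -0,0 +1,27 @@
+From bb68864bf05d29df644427ec841bc3db6a336519 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 20 Sep 2022 11:22:47 +0200
+Subject: [PATCH] Fix CVE-2022-38178
+
+5962. [security] Fix memory leak in EdDSA verify processing.
+(CVE-2022-38178) [GL #3487]
+---
+lib/dns/openssleddsa_link.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
+index 8b115ec..4f3c2a8 100644
+--- a/lib/dns/openssleddsa_link.c
++++ b/lib/dns/openssleddsa_link.c
+@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+siglen = DNS_SIG_ED448SIZE;
+
+if (sig->length != siglen)
+- return (DST_R_VERIFYFAILURE);
++ DST_RET(DST_R_VERIFYFAILURE);
+
+isc_buffer_usedregion(buf, &tbsreg);
+
+--
+2.37.3
+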
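--- /dev/null
+++ b/SOURCES/bind-9.16-CVE-2023-3341.patch
@@ -0,0 +1,166 @@
+From 3883ec072e5feed1237dc864854ab95ded7302d6 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 19 Sep 2023 13:14:52 +0200
+Subject: [PATCH] Backport of CVE-2023-3341 fix
+
+Taken from BIND 9.16.44 change.
+---
+lib/isccc/cc.c | 36 +++++++++++++++++++++++---------
+lib/isccc/include/isccc/result.h | 4 +++-
+lib/isccc/result.c | 4 +++-
+3 files changed, 32 insertions(+), 12 deletions(-)
+
+diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
+index 463a053..a54e60c 100644
+--- a/lib/isccc/cc.c
++++ b/lib/isccc/cc.c
+@@ -53,6 +53,10 @@
+
+#define MAX_TAGS 256
+#define DUP_LIFETIME 900
++#ifndef ISCCC_MAXDEPTH
++#define ISCCC_MAXDEPTH \
++ 10 /* Big enough for rndc which just sends a string each way. */
++#endif
+
+typedef isccc_sexpr_t *sexpr_ptr;
+
+@@ -573,19 +577,23 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
+
+static isc_result_t
+table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+- uint32_t algorithm, isccc_sexpr_t **alistp);
++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
+
+static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
++list_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **listp);
+
+static isc_result_t
+-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
++value_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **valuep) {
+unsigned int msgtype;
+uint32_t len;
+isccc_sexpr_t *value;
+isccc_region_t active;
+isc_result_t result;
+
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++
+if (REGION_SIZE(*source) < 1 + 4)
+return (ISC_R_UNEXPECTEDEND);
+GET8(msgtype, source->rstart);
+@@ -603,9 +611,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+} else
+result = ISC_R_NOMEMORY;
+} else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
+- result = table_fromwire(&active, NULL, 0, valuep);
++ result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
+else if (msgtype == ISCCC_CCMSGTYPE_LIST)
+- result = list_fromwire(&active, valuep);
++ result = list_fromwire(&active, depth + 1, valuep);
+else
+result = ISCCC_R_SYNTAX;
+
+@@ -614,7 +622,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+
+static isc_result_t
+table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+- uint32_t algorithm, isccc_sexpr_t **alistp)
++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp)
+{
+char key[256];
+uint32_t len;
+@@ -625,6 +633,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+
+REQUIRE(alistp != NULL && *alistp == NULL);
+
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++
+checksum_rstart = NULL;
+first_tag = true;
+alist = isccc_alist_create();
+@@ -640,7 +652,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+GET_MEM(key, len, source->rstart);
+key[len] = '\0'; /* Ensure NUL termination. */
+value = NULL;
+- result = value_fromwire(source, &value);
++ result = value_fromwire(source, depth + 1, &value);
+if (result != ISC_R_SUCCESS)
+goto bad;
+if (isccc_alist_define(alist, key, value) == NULL) {
+@@ -673,14 +685,18 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+}
+
+static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
++list_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **listp) {
+isccc_sexpr_t *list, *value;
+isc_result_t result;
+
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++
+list = NULL;
+while (!REGION_EMPTY(*source)) {
+value = NULL;
+- result = value_fromwire(source, &value);
++ result = value_fromwire(source, depth + 1, &value);
+if (result != ISC_R_SUCCESS) {
+isccc_sexpr_free(&list);
+return (result);
+@@ -711,7 +727,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
+if (version != 1)
+return (ISCCC_R_UNKNOWNVERSION);
+
+- return (table_fromwire(source, secret, algorithm, alistp));
++ return (table_fromwire(source, secret, algorithm, 0, alistp));
+}
+
+static isc_result_t
+diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
+index 6c79dd7..b30b08a 100644
+--- a/lib/isccc/include/isccc/result.h
++++ b/lib/isccc/include/isccc/result.h
+@@ -47,8 +47,10 @@
+#define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4)
+/*% Duplicate */
+#define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5)
++/*% Maximum recursion depth */
++#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6)
+
+-#define ISCCC_R_NRESULTS 6 /*%< Number of results */
++#define ISCCC_R_NRESULTS 7 /*%< Number of results */
+
+ISC_LANG_BEGINDECLS
+
+diff --git a/lib/isccc/result.c b/lib/isccc/result.c
+index 8419bbb..a3a3b9a 100644
+--- a/lib/isccc/result.c
++++ b/lib/isccc/result.c
+@@ -40,7 +40,8 @@ static const char *text[ISCCC_R_NRESULTS] = {
+"bad auth", /* 3 */
+"expired", /* 4 */
+"clock skew", /* 5 */
+- "duplicate" /* 6 */
++ "duplicate", /* 6 */
++ "max depth", /* 7 */
+};
+
+static const char *ids[ISCCC_R_NRESULTS] = {
+@@ -50,6 +51,7 @@ static const char *ids[ISCCC_R_NRESULTS] = {
+"ISCCC_R_EXPIRED",
+"ISCCC_R_CLOCKSKEW",
+"ISCCC_R_DUPLICATE",
++ "ISCCC_R_MAXDEPTH"
+};
+
+#define ISCCC_RESULT_RESULTSET 2
+--
+2.41.0
+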
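Review bot: The guard `if (depth > ISCCC_MAXDEPTH)` accepts depth values 0 through 10, i.e. eleven nesting levels, while the comment on `ISCCC_MAXDEPTH` only says 10 is "big enough for rndc"; because the identical check is repeated in value_fromwire(), table_fromwire() and list_fromwire(), a reader has to derive the inclusive bound three times. Rather than change the operator in a backport, make the macro comment state it: `/* Deepest nesting accepted; a depth above this is rejected with ISCCC_R_MAXDEPTH. */`. The three guards sit before any allocation in each function (the `isccc_alist_create()` call and the `list = NULL` initialisation follow them), so the early returns do not introduce a new leak, which is worth a sentence in the commit body since that is exactly what a depth limit on attacker-controlled control-channel input must get right. Separately, the new `ids[]` entry is added as `+ "ISCCC_R_MAXDEPTH"` without a trailing comma while the `text[]` array was given one on `"duplicate",`; `+ "ISCCC_R_MAXDEPTH",` keeps both arrays in the same style so the next result code does not touch this line again.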
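--- /dev/null
+++ b/SOURCES/bind-9.16-update-b.root-servers.net.patch
@@ -0,0 +1,31 @@
+From 4e595a6b961e73af43350833109ccba0950119f9 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 12 Oct 2023 10:19:38 +1100
+Subject: [PATCH] Update b.root-servers.net IP addresses
+
+This covers both root hints and the default primaries for the root
+zone mirror. The official change date is Nov 27, 2023.
+
+(cherry picked from commit 2ca2f7e9852a3d6e93f065c01ea4679f723688f7)
+---
+lib/dns/rootns.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/dns/rootns.c b/lib/dns/rootns.c
+index 9653f3b..d6ff76e 100644
+--- a/lib/dns/rootns.c
++++ b/lib/dns/rootns.c
+@@ -56,8 +56,8 @@ static char root_ns[] =
+". 518400 IN NS M.ROOT-SERVERS.NET.\n"
+"A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4\n"
+"A.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:BA3E::2:30\n"
+-"B.ROOT-SERVERS.NET. 3600000 IN A 199.9.14.201\n"
+-"B.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:200::b\n"
++"B.ROOT-SERVERS.NET. 3600000 IN A 170.247.170.2\n"
++"B.ROOT-SERVERS.NET. 3600000 IN AAAA 2801:1b8:10::b\n"
+"C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12\n"
+"C.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:2::c\n"
+"D.ROOT-SERVERS.NET. 3600000 IN A 199.7.91.13\n"
+--
+2.43.0
+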
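Review bot: The cherry-picked message says the change covers "both root hints and the default primaries for the root zone mirror", but the diffstat lists only lib/dns/rootns.c with two lines each way, so a reader will go looking for a second hunk that is not there; presumably the 9.11 tree has no mirror-zone primaries to update, and a backport line under the cherry-pick trailer such as `Backport note: only the compiled-in root hints exist in 9.11; no mirror-zone primaries to update.` would close that gap. The new B addresses here match the b.root-servers.net entries in the updated dig-output hints file further down the page, so the two copies of the hint data stay consistent; naming that second file in the same note would let the next root-server change be applied to both in one pass.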
0
SOURCES/generate-rndc-key.sh
Executable file → Normal file
0
SOURCES/generate-rndc-key.sh
Executable file → Normal file
@ -18,6 +18,7 @@
|
|||||||
/usr/lib/bind
|
/usr/lib/bind
|
||||||
/usr/share/GeoIP
|
/usr/share/GeoIP
|
||||||
/run/named
|
/run/named
|
||||||
|
/proc/sys/net/ipv4/ip_local_port_range
|
||||||
# Warning: the order is important
|
# Warning: the order is important
|
||||||
# If a directory containing $ROOTDIR is listed here,
|
# If a directory containing $ROOTDIR is listed here,
|
||||||
# it MUST be listed last. (/var/named contains /var/named/chroot)
|
# it MUST be listed last. (/var/named contains /var/named/chroot)
|
||||||
|
@ -1,13 +1,13 @@
|
|||||||
|
|
||||||
; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
|
; <<>> DiG 9.18.20 <<>> -4 +tcp +norec +nostats @d.root-servers.net
|
||||||
; (2 servers found)
|
; (1 server found)
|
||||||
;; global options: +cmd
|
;; global options: +cmd
|
||||||
;; Got answer:
|
;; Got answer:
|
||||||
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
|
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47286
|
||||||
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
|
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
|
||||||
|
|
||||||
;; OPT PSEUDOSECTION:
|
;; OPT PSEUDOSECTION:
|
||||||
; EDNS: version: 0, flags:; udp: 1472
|
; EDNS: version: 0, flags:; udp: 1450
|
||||||
;; QUESTION SECTION:
|
;; QUESTION SECTION:
|
||||||
;. IN NS
|
;. IN NS
|
||||||
|
|
||||||
@ -28,7 +28,7 @@
|
|||||||
|
|
||||||
;; ADDITIONAL SECTION:
|
;; ADDITIONAL SECTION:
|
||||||
a.root-servers.net. 518400 IN A 198.41.0.4
|
a.root-servers.net. 518400 IN A 198.41.0.4
|
||||||
b.root-servers.net. 518400 IN A 199.9.14.201
|
b.root-servers.net. 518400 IN A 170.247.170.2
|
||||||
c.root-servers.net. 518400 IN A 192.33.4.12
|
c.root-servers.net. 518400 IN A 192.33.4.12
|
||||||
d.root-servers.net. 518400 IN A 199.7.91.13
|
d.root-servers.net. 518400 IN A 199.7.91.13
|
||||||
e.root-servers.net. 518400 IN A 192.203.230.10
|
e.root-servers.net. 518400 IN A 192.203.230.10
|
||||||
@ -41,7 +41,7 @@ k.root-servers.net. 518400 IN A 193.0.14.129
|
|||||||
l.root-servers.net. 518400 IN A 199.7.83.42
|
l.root-servers.net. 518400 IN A 199.7.83.42
|
||||||
m.root-servers.net. 518400 IN A 202.12.27.33
|
m.root-servers.net. 518400 IN A 202.12.27.33
|
||||||
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
|
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
|
||||||
b.root-servers.net. 518400 IN AAAA 2001:500:200::b
|
b.root-servers.net. 518400 IN AAAA 2801:1b8:10::b
|
||||||
c.root-servers.net. 518400 IN AAAA 2001:500:2::c
|
c.root-servers.net. 518400 IN AAAA 2001:500:2::c
|
||||||
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
|
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
|
||||||
e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
|
e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
|
||||||
@ -54,8 +54,3 @@ k.root-servers.net. 518400 IN AAAA 2001:7fd::1
|
|||||||
l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
|
l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
|
||||||
m.root-servers.net. 518400 IN AAAA 2001:dc3::35
|
m.root-servers.net. 518400 IN AAAA 2001:dc3::35
|
||||||
|
|
||||||
;; Query time: 24 msec
|
|
||||||
;; SERVER: 198.41.0.4#53(198.41.0.4)
|
|
||||||
;; WHEN: Thu Apr 05 15:57:34 CEST 2018
|
|
||||||
;; MSG SIZE rcvd: 811
|
|
||||||
|
|
||||||
|
0
SOURCES/setup-named-chroot.sh
Executable file → Normal file
0
SOURCES/setup-named-chroot.sh
Executable file → Normal file
0
SOURCES/setup-named-softhsm.sh
Executable file → Normal file
0
SOURCES/setup-named-softhsm.sh
Executable file → Normal file
178
SPECS/bind.spec
178
SPECS/bind.spec
@ -47,7 +47,7 @@
|
|||||||
%endif
|
%endif
|
||||||
%global chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\
|
%global chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\
|
||||||
%{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,named} \\\
|
%{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,named} \\\
|
||||||
%{_libdir}/bind %{_datadir}/GeoIP
|
%{_libdir}/bind %{_datadir}/GeoIP %{_datadir}/GeoIP /proc/sys/net/ipv4
|
||||||
|
|
||||||
## The order of libs is important. See lib/Makefile.in for details
|
## The order of libs is important. See lib/Makefile.in for details
|
||||||
%define bind_export_libs isc dns isccfg irs
|
%define bind_export_libs isc dns isccfg irs
|
||||||
@ -59,7 +59,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
# lib*.so.X versions of selected libraries
|
# lib*.so.X versions of selected libraries
|
||||||
%global sover_dns 1112
|
%global sover_dns 1115
|
||||||
%global sover_isc 1107
|
%global sover_isc 1107
|
||||||
%global sover_irs 161
|
%global sover_irs 161
|
||||||
%global sover_isccfg 163
|
%global sover_isccfg 163
|
||||||
@ -67,12 +67,12 @@
|
|||||||
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
|
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
|
||||||
Name: bind
|
Name: bind
|
||||||
License: MPLv2.0
|
License: MPLv2.0
|
||||||
Version: 9.11.26
|
Version: 9.11.36
|
||||||
Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
|
Release: 16%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.2
|
||||||
Epoch: 32
|
Epoch: 32
|
||||||
Url: https://www.isc.org/downloads/bind/
|
Url: https://www.isc.org/downloads/bind/
|
||||||
#
|
#
|
||||||
Source: https://ftp.isc.org/isc/bind9/%{BINDVERSION}/bind-%{BINDVERSION}.tar.gz
|
Source: https://downloads.isc.org/isc/bind9/%{BINDVERSION}/bind-%{BINDVERSION}.tar.gz
|
||||||
Source1: named.sysconfig
|
Source1: named.sysconfig
|
||||||
Source3: named.logrotate
|
Source3: named.logrotate
|
||||||
Source7: bind-9.3.1rc1-sdb_tools-Makefile.in
|
Source7: bind-9.3.1rc1-sdb_tools-Makefile.in
|
||||||
@ -154,7 +154,49 @@ Patch174:bind-9.11-fips-disable.patch
|
|||||||
Patch175:bind-9.11-json-c.patch
|
Patch175:bind-9.11-json-c.patch
|
||||||
Patch177:bind-9.11-serve-stale.patch
|
Patch177:bind-9.11-serve-stale.patch
|
||||||
Patch178:bind-9.11-dhcp-time-monotonic.patch
|
Patch178:bind-9.11-dhcp-time-monotonic.patch
|
||||||
Patch179:bind-9.11-CVE-2020-8625.patch
|
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5253
|
||||||
|
Patch183:bind-9.11-rh1980757.patch
|
||||||
|
# modified, https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/3067
|
||||||
|
Patch184: bind-9.15-resolver-ntasks.patch
|
||||||
|
Patch185: bind-9.11-CVE-2021-25220.patch
|
||||||
|
Patch186: bind-9.11-CVE-2021-25220-test.patch
|
||||||
|
Patch188: bind-9.16-CVE-2022-38177.patch
|
||||||
|
Patch189: bind-9.16-CVE-2022-38178.patch
|
||||||
|
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6695
|
||||||
|
Patch190: bind-9.11-rh2101712.patch
|
||||||
|
Patch191: bind-9.11-CVE-2022-2795.patch
|
||||||
|
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7376
|
||||||
|
Patch192: bind-9.11-rh2133889.patch
|
||||||
|
# https://gitlab.isc.org/isc-projects/bind9/commit/82185f4f80d2fa39a4569f6740cb360ffff8f5c4
|
||||||
|
Patch193: bind-9.16-CVE-2022-3094-1.patch
|
||||||
|
Patch194: bind-9.16-CVE-2022-3094-2.patch
|
||||||
|
Patch195: bind-9.16-CVE-2022-3094-3.patch
|
||||||
|
Patch196: bind-9.16-CVE-2022-3094-test.patch
|
||||||
|
# https://gitlab.isc.org/isc-projects/bind9/commit/f1d9e9ee3859976f403914d20ad2a10855343702
|
||||||
|
Patch197: bind-9.11-CVE-2023-2828.patch
|
||||||
|
Patch198: bind-9.16-CVE-2023-3341.patch
|
||||||
|
# https://issues.redhat.com/browse/RHEL-11785, downstream
|
||||||
|
Patch199: bind-9.11-stale-cache.patch
|
||||||
|
# https://gitlab.isc.org/isc-projects/bind9/commit/8924adca613ca9daea63786563cce6fdbd742c56
|
||||||
|
Patch200: bind-9.16-update-b.root-servers.net.patch
|
||||||
|
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8768
|
||||||
|
Patch201: bind-9.11-CVE-2023-4408.patch
|
||||||
|
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8769
|
||||||
|
Patch202: bind-9.11-CVE-2023-50387.patch
|
||||||
|
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8778
|
||||||
|
Patch203: bind-9.11-CVE-2023-2828-fixup.patch
|
||||||
|
# addition to patch 200
|
||||||
|
Patch204: bind-9.11-CVE-2023-50387-fixup.patch
|
||||||
|
# https://gitlab.isc.org/isc-projects/bind9/commit/225f2861920b8f8d42a0ea6c34dd1faa93aa8726
|
||||||
|
Patch205: bind-9.11-CVE-2024-1975.patch
|
||||||
|
# https://gitlab.isc.org/isc-projects/bind9/commit/3e0a67e4bdb253dae3a03a45c1aa117239a3313d
|
||||||
|
# https://gitlab.isc.org/isc-projects/bind9/commit/e4d7ce686bb38428eddc7e33b40057d68eca9a6e
|
||||||
|
# https://gitlab.isc.org/isc-projects/bind9/commit/b9b5485b22c364fb88c27aa04bad4c8f616da3fa
|
||||||
|
# https://gitlab.isc.org/isc-projects/bind9/commit/3f10d6eff035702796ba82cd28b9f7cf9836e743
|
||||||
|
# https://gitlab.isc.org/isc-projects/bind9/commit/23a4652346fb2877d6246b1eebaa967969dbde16
|
||||||
|
Patch206: bind-9.11-CVE-2024-1737.patch
|
||||||
|
# RH downstream, allow changing by environment
|
||||||
|
Patch208: bind-9.11-CVE-2024-1737-runtime-env.patch
|
||||||
|
|
||||||
# SDB patches
|
# SDB patches
|
||||||
Patch11: bind-9.3.2b2-sdbsrc.patch
|
Patch11: bind-9.3.2b2-sdbsrc.patch
|
||||||
@ -180,6 +222,12 @@ Obsoletes: caching-nameserver < 31:9.4.1-7.fc8
|
|||||||
Provides: caching-nameserver = 31:9.4.1-7.fc8
|
Provides: caching-nameserver = 31:9.4.1-7.fc8
|
||||||
Obsoletes: dnssec-conf < 1.27-2
|
Obsoletes: dnssec-conf < 1.27-2
|
||||||
Provides: dnssec-conf = 1.27-2
|
Provides: dnssec-conf = 1.27-2
|
||||||
|
# Fixes of CVE-2023-50387 and CVE-2023-50868 caused ABI change
|
||||||
|
# Enforce updated rebuild is accepted only
|
||||||
|
Conflicts: bind-dyndb-ldap < 11.6-5
|
||||||
|
Conflicts: dhcp-client < 12:4.3.6-50
|
||||||
|
Conflicts: dhcp-server < 12:4.3.6-50
|
||||||
|
Conflicts: dhcp-relay < 12:4.3.6-50
|
||||||
BuildRequires: gcc, make
|
BuildRequires: gcc, make
|
||||||
BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
|
BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
|
||||||
BuildRequires: libidn2-devel, libxml2-devel
|
BuildRequires: libidn2-devel, libxml2-devel
|
||||||
@ -198,7 +246,7 @@ BuildRequires: libdb-devel
|
|||||||
# make unit dependencies
|
# make unit dependencies
|
||||||
BuildRequires: libcmocka-devel kyua
|
BuildRequires: libcmocka-devel kyua
|
||||||
%endif
|
%endif
|
||||||
%if %{with PKCS11}
|
%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
|
||||||
BuildRequires: softhsm
|
BuildRequires: softhsm
|
||||||
%endif
|
%endif
|
||||||
%if %{with SYSTEMTEST}
|
%if %{with SYSTEMTEST}
|
||||||
@ -246,7 +294,6 @@ Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
|
|||||||
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||||
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
|
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
|
||||||
Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||||
Recommends: softhsm
|
|
||||||
|
|
||||||
%description pkcs11
|
%description pkcs11
|
||||||
This is a version of BIND server built with native PKCS#11 functionality.
|
This is a version of BIND server built with native PKCS#11 functionality.
|
||||||
@ -549,7 +596,30 @@ are used for building ISC DHCP.
|
|||||||
%patch175 -p1 -b .json-c
|
%patch175 -p1 -b .json-c
|
||||||
%patch177 -p1 -b .serve-stale
|
%patch177 -p1 -b .serve-stale
|
||||||
%patch178 -p1 -b .time-monotonic
|
%patch178 -p1 -b .time-monotonic
|
||||||
%patch179 -p1 -b .CVE-2020-8625
|
%patch183 -p1 -b .rh1980757
|
||||||
|
%patch184 -p1 -b .rh2030239
|
||||||
|
%patch185 -p1 -b .CVE-2021-25220
|
||||||
|
%patch186 -p1 -b .CVE-2021-25220-test
|
||||||
|
%patch188 -p1 -b .CVE-2022-38177
|
||||||
|
%patch189 -p1 -b .CVE-2022-38178
|
||||||
|
%patch190 -p1 -b .rh2101712
|
||||||
|
%patch191 -p1 -b .CVE-2022-2795
|
||||||
|
%patch192 -p1 -b .rh2133889
|
||||||
|
%patch193 -p1 -b .CVE-2022-3094
|
||||||
|
%patch194 -p1 -b .CVE-2022-3094
|
||||||
|
%patch195 -p1 -b .CVE-2022-3094
|
||||||
|
%patch196 -p1 -b .CVE-2022-3094-test
|
||||||
|
%patch197 -p1 -b .CVE-2023-2828
|
||||||
|
%patch198 -p1 -b .CVE-2023-3341
|
||||||
|
%patch199 -p1 -b .RHEL-11785
|
||||||
|
%patch200 -p1 -b .b.root-servers.net
|
||||||
|
%patch201 -p1 -b .CVE-2023-4408
|
||||||
|
%patch202 -p1 -b .CVE-2023-50387+50868
|
||||||
|
%patch203 -p1 -b .CVE-2023-2828-fixup
|
||||||
|
%patch204 -p1 -b .CVE-2023-50387-fixup
|
||||||
|
%patch205 -p1 -b .CVE-2024-1975
|
||||||
|
%patch206 -p1 -b .CVE-2024-1737
|
||||||
|
%patch208 -p1 -b .CVE-2024-1737-env
|
||||||
|
|
||||||
mkdir lib/dns/tests/testdata/dstrandom
|
mkdir lib/dns/tests/testdata/dstrandom
|
||||||
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
|
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
|
||||||
@ -565,13 +635,13 @@ find bin lib/lwres/man -name '*.docbook' -exec \
|
|||||||
-i '{}' ';'
|
-i '{}' ';'
|
||||||
|
|
||||||
%if %{with PKCS11}
|
%if %{with PKCS11}
|
||||||
|
%patch150 -p1 -b .engine-pkcs11
|
||||||
cp -r bin/named{,-pkcs11}
|
cp -r bin/named{,-pkcs11}
|
||||||
cp -r bin/dnssec{,-pkcs11}
|
cp -r bin/dnssec{,-pkcs11}
|
||||||
cp -r lib/isc{,-pkcs11}
|
cp -r lib/isc{,-pkcs11}
|
||||||
cp -r lib/dns{,-pkcs11}
|
cp -r lib/dns{,-pkcs11}
|
||||||
%patch136 -p1 -b .dist_pkcs11
|
%patch136 -p1 -b .dist_pkcs11
|
||||||
%patch149 -p1 -b .kyua-pkcs11
|
%patch149 -p1 -b .kyua-pkcs11
|
||||||
%patch150 -p1 -b .engine-pkcs11
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with SDB}
|
%if %{with SDB}
|
||||||
@ -838,7 +908,7 @@ sed -e "/^\s*include(/ d" -e 's/^-- use //' \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%check
|
%check
|
||||||
%if %{with PKCS11}
|
%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
|
||||||
# Tests require initialization of pkcs11 token
|
# Tests require initialization of pkcs11 token
|
||||||
export SOFTHSM2_CONF="`pwd`/softhsm2.conf"
|
export SOFTHSM2_CONF="`pwd`/softhsm2.conf"
|
||||||
sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens"
|
sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens"
|
||||||
@ -1161,7 +1231,7 @@ fi
|
|||||||
%triggerin -- selinux-policy < 3.14.1-44
|
%triggerin -- selinux-policy < 3.14.1-44
|
||||||
# Failsafe for upgrades, set to new default
|
# Failsafe for upgrades, set to new default
|
||||||
if [ -x "%{_sbindir}/selinuxenabled" -a -x "%{_sbindir}/setsebool" ] && %{_sbindir}/selinuxenabled; then
|
if [ -x "%{_sbindir}/selinuxenabled" -a -x "%{_sbindir}/setsebool" ] && %{_sbindir}/selinuxenabled; then
|
||||||
"%{_sbindir}/setsebool" -P named_write_master_zones=1
|
"%{_sbindir}/setsebool" -P named_write_master_zones=1
|
||||||
fi
|
fi
|
||||||
%end
|
%end
|
||||||
|
|
||||||
@ -1448,6 +1518,7 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||||||
%dir %{chroot_prefix}/%{_libdir}
|
%dir %{chroot_prefix}/%{_libdir}
|
||||||
%dir %{chroot_prefix}/%{_libdir}/bind
|
%dir %{chroot_prefix}/%{_libdir}/bind
|
||||||
%dir %{chroot_prefix}/%{_datadir}/GeoIP
|
%dir %{chroot_prefix}/%{_datadir}/GeoIP
|
||||||
|
%{chroot_prefix}/proc
|
||||||
%defattr(0660,root,named,01770)
|
%defattr(0660,root,named,01770)
|
||||||
%dir %{chroot_prefix}%{_localstatedir}/named
|
%dir %{chroot_prefix}%{_localstatedir}/named
|
||||||
%defattr(0660,named,named,0770)
|
%defattr(0660,named,named,0770)
|
||||||
@ -1601,6 +1672,89 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 06 2024 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-16.2
|
||||||
|
- Rebuild after CI change
|
||||||
|
|
||||||
|
* Thu Jul 18 2024 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-16.1
|
||||||
|
- Resolve CVE-2024-1975
|
||||||
|
- Resolve CVE-2024-1737
|
||||||
|
- Add ability to change runtime limits for max types and records per name
|
||||||
|
|
||||||
|
* Mon Apr 15 2024 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-16
|
||||||
|
- Ensure incompatible dhcp is not accepted
|
||||||
|
|
||||||
|
* Fri Apr 12 2024 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-15
|
||||||
|
- Ensure incompatible bind-dyndb-ldap is not accepted
|
||||||
|
|
||||||
|
* Mon Feb 26 2024 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-14
|
||||||
|
- Speed up parsing of DNS messages with many different names (CVE-2023-4408)
|
||||||
|
- Prevent increased CPU consumption in DNSSEC validator (CVE-2023-50387 CVE-2023-50868)
|
||||||
|
- Do not use header_prev in expire_lru_headers
|
||||||
|
|
||||||
|
* Thu Dec 07 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-13
|
||||||
|
- Update addresses of b.root-servers.net (RHEL-18449)
|
||||||
|
|
||||||
|
* Mon Oct 09 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-12
|
||||||
|
- Disable caching of stale records by default (RHEL-11785)
|
||||||
|
|
||||||
|
* Tue Sep 19 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-11
|
||||||
|
- Prevent exahustion of memory from control channel (CVE-2023-3341)
|
||||||
|
|
||||||
|
* Thu Jun 22 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-10
|
||||||
|
- Prevent the cache going over the configured limit (CVE-2023-2828)
|
||||||
|
|
||||||
|
* Wed Feb 08 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-9
|
||||||
|
- Prevent flooding with UPDATE requests (CVE-2022-3094)
|
||||||
|
- include upstream test for that change
|
||||||
|
|
||||||
|
* Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-8
|
||||||
|
- Correct regression preventing bind-dyndb-ldap build (#2133889)
|
||||||
|
|
||||||
|
* Thu Sep 29 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-7
|
||||||
|
- Prevent excessive resource use while processing large delegations.
|
||||||
|
(CVE-2022-2795)
|
||||||
|
|
||||||
|
* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-6
|
||||||
|
- Prevent freeing zone during statistics rendering (#2101712)
|
||||||
|
|
||||||
|
* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-5
|
||||||
|
- Fix memory leak in ECDSA verify processing (CVE-2022-38177)
|
||||||
|
- Fix memory leak in EdDSA verify processing (CVE-2022-38178)
|
||||||
|
|
||||||
|
* Wed Apr 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-4
|
||||||
|
- Tighten cache protection against record from forwarders (CVE-2021-25220)
|
||||||
|
- Include test of forwarders
|
||||||
|
|
||||||
|
* Thu Feb 10 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-2
|
||||||
|
- Reduce memory used per-view on machine with few processors (#2030239)
|
||||||
|
|
||||||
|
* Tue Dec 21 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-2
|
||||||
|
- Rebuilt on a new side-tag (#2013993)
|
||||||
|
|
||||||
|
* Mon Nov 01 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-1
|
||||||
|
- Update to 9.11.36
|
||||||
|
|
||||||
|
* Mon Nov 01 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-9
|
||||||
|
- Correct tsig system test
|
||||||
|
|
||||||
|
* Wed Oct 13 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-8
|
||||||
|
- Propagate ephemeral port ranges to chroot (#1950714)
|
||||||
|
|
||||||
|
* Tue Aug 24 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-7
|
||||||
|
- Do not request softhsm from bind-pkcs11, it is only in modular build
|
||||||
|
(#1934035)
|
||||||
|
|
||||||
|
* Fri Jul 09 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-6
|
||||||
|
- Use random entropy to generate unique TKEY identifiers (#1980916)
|
||||||
|
|
||||||
|
* Fri May 07 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-5
|
||||||
|
- Fix possible assertion failure isc_refcount_current == 0 in free_rbtdb
|
||||||
|
(#1953056)
|
||||||
|
|
||||||
|
* Tue Apr 27 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-4
|
||||||
|
- Possible assertion failure on DNAME processing (CVE-2021-25215)
|
||||||
|
- Insufficient IXFR checks could lead to assertion failure (CVE-2021-25214)
|
||||||
|
|
||||||
* Mon Feb 15 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-3
|
* Mon Feb 15 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-3
|
||||||
- Fix off-by-one bug in ISC SPNEGO implementation (CVE-2020-8625)
|
- Fix off-by-one bug in ISC SPNEGO implementation (CVE-2020-8625)
|
||||||
|
|
||||||
|