Backport /etc/resolv.conf enhancements to thelp with RHEL-18039 testing

Related: RHEL-18039
2024-07-31 16:02:44 +02:00 · 2024-07-31 16:02:44 +02:00 · 9404e14f4d
commit 9404e14f4d
parent b30ff9539f
3 changed files with 290 additions and 1 deletions
--- a/RHEL-18039-1.patch
+++ b/RHEL-18039-1.patch
@ -0,0 +1,79 @@
+commit 95f61610f3e481d191b6184432342236fd59186d
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Wed Jul 24 12:06:47 2024 +0200
+
+    resolv: Support clearing option flags with a “-” prefix (bug 14799)
+    
+    I think using a “-” prefix is less confusing than introducing
+    double-negation construct (“no-no-tld-query”).
+    
+    Reviewed-by: DJ Delorie <dj@redhat.com>
+
+diff --git a/resolv/res_init.c b/resolv/res_init.c
+index 263263d474721545..243532b3ade338d8 100644
+--- a/resolv/res_init.c
+++ b/resolv/res_init.c
+@@ -682,27 +682,29 @@ res_setoptions (struct resolv_conf_parser *parser, const char *options)
+           {
+             char str[22];
+             uint8_t len;
+-            uint8_t clear;
+             unsigned long int flag;
+           } options[] = {
+ #define STRnLEN(str) str, sizeof (str) - 1
+-            { STRnLEN ("rotate"), 0, RES_ROTATE },
+-            { STRnLEN ("edns0"), 0, RES_USE_EDNS0 },
+-            { STRnLEN ("single-request-reopen"), 0, RES_SNGLKUPREOP },
+-            { STRnLEN ("single-request"), 0, RES_SNGLKUP },
+-            { STRnLEN ("no_tld_query"), 0, RES_NOTLDQUERY },
+-            { STRnLEN ("no-tld-query"), 0, RES_NOTLDQUERY },
+-            { STRnLEN ("no-reload"), 0, RES_NORELOAD },
+-            { STRnLEN ("use-vc"), 0, RES_USEVC },
+-            { STRnLEN ("trust-ad"), 0, RES_TRUSTAD },
+-            { STRnLEN ("no-aaaa"), 0, RES_NOAAAA },
+            { STRnLEN ("rotate"), RES_ROTATE },
+            { STRnLEN ("edns0"),  RES_USE_EDNS0 },
+            { STRnLEN ("single-request-reopen"), RES_SNGLKUPREOP },
+            { STRnLEN ("single-request"), RES_SNGLKUP },
+            { STRnLEN ("no_tld_query"), RES_NOTLDQUERY },
+            { STRnLEN ("no-tld-query"), RES_NOTLDQUERY },
+            { STRnLEN ("no-reload"), RES_NORELOAD },
+            { STRnLEN ("use-vc"),  RES_USEVC },
+            { STRnLEN ("trust-ad"), RES_TRUSTAD },
+            { STRnLEN ("no-aaaa"), RES_NOAAAA },
+           };
+ #define noptions (sizeof (options) / sizeof (options[0]))
+          bool negate_option = *cp == '-';
+          if (negate_option)
+            ++cp;
+           for (int i = 0; i < noptions; ++i)
+             if (strncmp (cp, options[i].str, options[i].len) == 0)
+               {
+-                if (options[i].clear)
+-                  parser->template.options &= options[i].flag;
+                if (negate_option)
+                  parser->template.options &= ~options[i].flag;
+                 else
+                   parser->template.options |= options[i].flag;
+                 break;
+diff --git a/resolv/tst-resolv-res_init-skeleton.c b/resolv/tst-resolv-res_init-skeleton.c
+index 6bef62cde2cbf8cd..d3a19eb305d41467 100644
+--- a/resolv/tst-resolv-res_init-skeleton.c
+++ b/resolv/tst-resolv-res_init-skeleton.c
+@@ -679,6 +679,16 @@ struct test_case test_cases[] =
+      "; nameserver[0]: [192.0.2.1]:53\n",
+      .res_options = "attempts:5 ndots:3 edns0 ",
+     },
+    {.name = "RES_OPTIONS can clear flags",
+     .conf = "options ndots:2 use-vc no-aaaa edns0\n"
+     "nameserver 192.0.2.1\n",
+     .expected = "options ndots:3 use-vc\n"
+     "search example.com\n"
+     "; search[0]: example.com\n"
+     "nameserver 192.0.2.1\n"
+     "; nameserver[0]: [192.0.2.1]:53\n",
+     .res_options = "ndots:3 -edns0 -no-aaaa",
+    },
+     {.name = "many search list entries (bug 19569)",
+      .conf = "nameserver 192.0.2.1\n"
+      "search corp.example.com support.example.com"
--- a/RHEL-18039-2.patch
+++ b/RHEL-18039-2.patch
@ -0,0 +1,204 @@
+commit 765325951ac5c7d072278c9424930b29657e9758
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Wed Jul 24 12:06:47 2024 +0200
+
+    resolv: Implement strict-error stub resolver option (bug 27929)
+    
+    For now, do not enable this mode by default due to the potential
+    impact on compatibility with existing deployments.
+    
+    Reviewed-by: DJ Delorie <dj@redhat.com>
+
+diff --git a/resolv/res_init.c b/resolv/res_init.c
+index 243532b3ade338d8..b838dc70642e1935 100644
+--- a/resolv/res_init.c
+++ b/resolv/res_init.c
+@@ -695,6 +695,7 @@ res_setoptions (struct resolv_conf_parser *parser, const char *options)
+             { STRnLEN ("use-vc"),  RES_USEVC },
+             { STRnLEN ("trust-ad"), RES_TRUSTAD },
+             { STRnLEN ("no-aaaa"), RES_NOAAAA },
+            { STRnLEN ("strict-error"), RES_STRICTERR },
+           };
+ #define noptions (sizeof (options) / sizeof (options[0]))
+           bool negate_option = *cp == '-';
+diff --git a/resolv/res_send.c b/resolv/res_send.c
+index 9c77613f374e5469..9a284ed44aa8cc2e 100644
+--- a/resolv/res_send.c
+++ b/resolv/res_send.c
+@@ -1234,21 +1234,38 @@ send_dg(res_state statp,
+ 
+ 		if (thisansp_error) {
+ 		next_ns:
+-			if (recvresp1 || (buf2 != NULL && recvresp2)) {
+-			  *resplen2 = 0;
+-			  return resplen;
+-			}
+-			if (buf2 != NULL && !single_request)
+		        /* Outside of strict-error mode, use the first
+			   response even if the second response is an
+			   error.  This allows parallel resolution to
+			   succeed even if the recursive resolver
+			   always answers with SERVFAIL for AAAA
+			   queries (which still happens in practice
+			   unfortunately).
+
+			   In strict-error mode, always switch to the
+			   next server and try to get a response from
+			   there.  */
+			if ((statp->options & RES_STRICTERR) == 0)
+ 			  {
+-			    /* No data from the first reply.  */
+-			    resplen = 0;
+-			    /* We are waiting for a possible second reply.  */
+-			    if (matching_query == 1)
+-			      recvresp1 = 1;
+-			    else
+-			      recvresp2 = 1;
+-
+-			    goto wait;
+			    if (recvresp1 || (buf2 != NULL && recvresp2))
+			      {
+				*resplen2 = 0;
+				return resplen;
+			      }
+
+			    if (buf2 != NULL && !single_request)
+			      {
+				/* No data from the first reply.  */
+				resplen = 0;
+				/* We are waiting for a possible
+				   second reply.  */
+				if (matching_query == 1)
+				  recvresp1 = 1;
+				else
+				  recvresp2 = 1;
+
+				goto wait;
+			      }
+ 			  }
+ 
+ 			/* don't retry if called from dig */
+diff --git a/resolv/resolv.h b/resolv/resolv.h
+index f40d6c58cee0f585..b8a0f66a5fd50e22 100644
+--- a/resolv/resolv.h
+++ b/resolv/resolv.h
+@@ -133,6 +133,7 @@ struct res_sym {
+ #define RES_NORELOAD    0x02000000 /* No automatic configuration reload.  */
+ #define RES_TRUSTAD     0x04000000 /* Request AD bit, keep it in responses.  */
+ #define RES_NOAAAA      0x08000000 /* Suppress AAAA queries.  */
+#define RES_STRICTERR   0x10000000 /* Report more DNS errors as errors.  */
+ 
+ #define RES_DEFAULT	(RES_RECURSE|RES_DEFNAMES|RES_DNSRCH)
+ 
+diff --git a/resolv/tst-resolv-res_init-skeleton.c b/resolv/tst-resolv-res_init-skeleton.c
+index d3a19eb305d41467..e41bcebd9d9a8024 100644
+--- a/resolv/tst-resolv-res_init-skeleton.c
+++ b/resolv/tst-resolv-res_init-skeleton.c
+@@ -129,6 +129,7 @@ print_resp (FILE *fp, res_state resp)
+         print_option_flag (fp, &options, RES_NORELOAD, "no-reload");
+         print_option_flag (fp, &options, RES_TRUSTAD, "trust-ad");
+         print_option_flag (fp, &options, RES_NOAAAA, "no-aaaa");
+        print_option_flag (fp, &options, RES_STRICTERR, "strict-error");
+         fputc ('\n', fp);
+         if (options != 0)
+           fprintf (fp, "; error: unresolved option bits: 0x%x\n", options);
+@@ -741,6 +742,15 @@ struct test_case test_cases[] =
+      "nameserver 192.0.2.1\n"
+      "; nameserver[0]: [192.0.2.1]:53\n"
+     },
+    {.name = "strict-error flag",
+     .conf = "options strict-error\n"
+     "nameserver 192.0.2.1\n",
+     .expected = "options strict-error\n"
+     "search example.com\n"
+     "; search[0]: example.com\n"
+     "nameserver 192.0.2.1\n"
+     "; nameserver[0]: [192.0.2.1]:53\n"
+    },
+     { NULL }
+   };
+ 
+diff --git a/resolv/tst-resolv-semi-failure.c b/resolv/tst-resolv-semi-failure.c
+index aa9798b5a7dfaa88..b7681210f450bb5a 100644
+--- a/resolv/tst-resolv-semi-failure.c
+++ b/resolv/tst-resolv-semi-failure.c
+@@ -67,6 +67,9 @@ response (const struct resolv_response_context *ctx,
+   resolv_response_close_record (b);
+ }
+ 
+/* Set to 1 if strict error checking is enabled.  */
+static int do_strict_error;
+
+ static void
+ check_one (void)
+ {
+@@ -83,7 +86,10 @@ check_one (void)
+       struct addrinfo *ai;
+       int ret = getaddrinfo ("www.example", "80", &hints, &ai);
+       const char *expected;
+-      if (ret == 0 && ai->ai_next != NULL)
+      /* In strict-error mode, a switch to the second name server
+         happens, and both responses are received, so a single
+         response is a bug.  */
+      if (do_strict_error || (ret == 0 && ai->ai_next != NULL))
+         expected = ("address: STREAM/TCP 192.0.2.17 80\n"
+                     "address: STREAM/TCP 2001:db8::1 80\n");
+       else
+@@ -99,33 +105,36 @@ check_one (void)
+ static int
+ do_test (void)
+ {
+-  for (int do_single_lookup = 0; do_single_lookup < 2; ++do_single_lookup)
+-    {
+-      struct resolv_test *aux = resolv_test_start
+-        ((struct resolv_redirect_config)
+-         {
+-           .response_callback = response,
+-         });
+  for (do_strict_error = 0; do_strict_error < 2; ++do_strict_error)
+    for (int do_single_lookup = 0; do_single_lookup < 2; ++do_single_lookup)
+      {
+        struct resolv_test *aux = resolv_test_start
+          ((struct resolv_redirect_config)
+           {
+             .response_callback = response,
+           });
+ 
+-      if (do_single_lookup)
+-        _res.options |= RES_SNGLKUP;
+        if (do_strict_error)
+          _res.options |= RES_STRICTERR;
+        if (do_single_lookup)
+          _res.options |= RES_SNGLKUP;
+ 
+-      for (int do_fail_aaaa = 0; do_fail_aaaa < 2; ++do_fail_aaaa)
+-        {
+-          fail_aaaa = do_fail_aaaa;
+        for (int do_fail_aaaa = 0; do_fail_aaaa < 2; ++do_fail_aaaa)
+          {
+            fail_aaaa = do_fail_aaaa;
+ 
+-          rcode = 2; /* SERVFAIL.  */
+-          check_one ();
+            rcode = 2; /* SERVFAIL.  */
+            check_one ();
+ 
+-          rcode = 4; /* NOTIMP.  */
+-          check_one ();
+            rcode = 4; /* NOTIMP.  */
+            check_one ();
+ 
+-          rcode = 5; /* REFUSED.  */
+-          check_one ();
+-        }
+            rcode = 5; /* REFUSED.  */
+            check_one ();
+          }
+ 
+-      resolv_test_end (aux);
+-    }
+        resolv_test_end (aux);
+      }
+ 
+   return 0;
+ }
--- a/glibc.spec
+++ b/glibc.spec
@ -170,7 +170,7 @@ Version: %{glibcversion}
 # - It allows using the Release number without the %%dist tag in the dependency
 #   generator to make the generated requires interchangeable between Rawhide
 #   and ELN (.elnYY < .fcXX).
-%global baserelease 21
+%global baserelease 22
 Release: %{baserelease}%{?dist}

 # Licenses:
@ -429,6 +429,8 @@ Patch116: glibc-upstream-2.39-91.patch
 Patch117: glibc-upstream-2.39-92.patch
 Patch118: glibc-upstream-2.39-93.patch
 Patch119: glibc-upstream-2.39-94.patch
+Patch120: RHEL-18039-1.patch
+Patch121: RHEL-18039-2.patch

 ##############################################################################
 # Continued list of core "glibc" package information:
@ -2659,6 +2661,10 @@ update_gconv_modules_cache ()
 %endif

 %changelog
+* Wed Jul 31 2024 Florian Weimer <fweimer@redhat.com> - 2.39-22
+- Support clearing options in /etc/resolv.conf, RES_OPTIONS with a - prefix
+- Introduce the strict-error/RES_STRICTERR stub resolver option (RHEL-18039)
+
 * Wed Jul 31 2024 Arjun Shankar <arjun@redhat.com> - 2.39-21
 - Sync with upstream branch release/2.39/master,
  commit 4bdcc1963bc2b5ba5f8e319e402d9eb2cb6096c1: