- Updated to 1.3.0

- Added unbound-python sub package. disabled for now
- Patch from svn to fix DLV lookups
- Patches from svn to detect wrong truncated response from BIND 9.6.1 with
    minimal-responses
- Added Default-Start and Default-Stop to unbound.init
- Re-enabled --enable-sha2
- Re-enabled glob.patch
This commit is contained in:
Paul Wouters 2009-06-21 04:14:54 +00:00
parent 6d861d8304
commit 41fa06700a
6 changed files with 231 additions and 12 deletions

View File

@ -1,3 +1,4 @@
unbound-1.1.1.tar.gz
unbound-1.2.0.tar.gz
unbound-1.2.1.tar.gz
unbound-1.3.0.tar.gz

View File

@ -1 +1 @@
5437f2a1e698d8aa73ba19a60662a654 unbound-1.2.1.tar.gz
783325c26ae1a47be0e496c94f3e1cca unbound-1.3.0.tar.gz

66
unbound-r1657.patch Normal file
View File

@ -0,0 +1,66 @@
Index: validator/validator.c
===================================================================
--- validator/validator.c (revision 1656)
+++ validator/validator.c (revision 1657)
@@ -251,9 +251,8 @@
/**
* Check to see if a given response needs to go through the validation
* process. Typical reasons for this routine to return false are: CD bit was
- * on in the original request, the response was already validated, or the
- * response is a kind of message that is unvalidatable (i.e., SERVFAIL,
- * REFUSED, etc.)
+ * on in the original request, or the response is a kind of message that
+ * is unvalidatable (i.e., SERVFAIL, REFUSED, etc.)
*
* @param qstate: query state.
* @param ret_rc: rcode for this message (if noerror - examine ret_msg).
@@ -292,14 +291,25 @@
verbose(VERB_ALGO, "cannot validate RRSIG, no sigs on sigs.");
return 0;
}
+ return 1;
+}
+/**
+ * Check to see if the response has already been validated.
+ * @param ret_msg: return msg, can be NULL
+ * @return true if the response has already been validated
+ */
+static int
+already_validated(struct dns_msg* ret_msg)
+{
/* validate unchecked, and re-validate bogus messages */
if (ret_msg && ret_msg->rep->security > sec_status_bogus)
{
- verbose(VERB_ALGO, "response has already been validated");
- return 0;
+ verbose(VERB_ALGO, "response has already been validated: %s",
+ sec_status_to_string(ret_msg->rep->security));
+ return 1;
}
- return 1;
+ return 0;
}
/**
@@ -1937,6 +1947,10 @@
qstate->ext_state[id] = module_finished;
return;
}
+ if(already_validated(qstate->return_msg)) {
+ qstate->ext_state[id] = module_finished;
+ return;
+ }
/* create state to start validation */
qstate->ext_state[id] = module_error; /* override this */
if(!vq) {
@@ -2397,7 +2411,8 @@
}
if(msg->rep->security != sec_status_secure) {
vq->dlv_status = dlv_error;
- verbose(VERB_ALGO, "response is not secure");
+ verbose(VERB_ALGO, "response is not secure, %s",
+ sec_status_to_string(msg->rep->security));
return;
}
/* was the lookup a success? validated DLV? */

77
unbound-r1670.patch Normal file
View File

@ -0,0 +1,77 @@
Index: validator/validator.c
===================================================================
--- validator/validator.c (revision 1669)
+++ validator/validator.c (revision 1670)
@@ -479,6 +479,36 @@
}
/**
+ * Detect wrong truncated response, by a bad recursor out there.
+ * The positive response has a mangled authority section.
+ * Remove that authority section.
+ * @param rep: reply
+ * @return true if a wrongly truncated response.
+ */
+static int
+detect_wrongly_truncated(struct reply_info* rep)
+{
+ size_t i;
+ /* no additional, only NS in authority, and it is bogus */
+ if(rep->ar_numrrsets != 0 || rep->ns_numrrsets != 1 ||
+ rep->an_numrrsets == 0)
+ return 0;
+ if(ntohs(rep->rrsets[ rep->an_numrrsets ]->rk.type) != LDNS_RR_TYPE_NS)
+ return 0;
+ if(((struct packed_rrset_data*)rep->rrsets[ rep->an_numrrsets ]
+ ->entry.data)->security != sec_status_bogus)
+ return 0;
+ /* answer section is present and secure */
+ for(i=0; i<rep->an_numrrsets; i++) {
+ if(((struct packed_rrset_data*)rep->rrsets[ i ]
+ ->entry.data)->security != sec_status_secure)
+ return 0;
+ }
+ return 1;
+}
+
+
+/**
* Given a "positive" response -- a response that contains an answer to the
* question, and no CNAME chain, validate this response.
*
@@ -1449,17 +1479,31 @@
vq->chase_reply->security = sec_status_bogus;
return 1;
}
+ subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
+ &vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
/* check signatures in the message;
* answer and authority must be valid, additional is only checked. */
if(!validate_msg_signatures(qstate->env, ve, &vq->qchase,
vq->chase_reply, vq->key_entry)) {
- verbose(VERB_DETAIL, "Validate: message contains bad rrsets");
- return 1;
+ /* workaround bad recursor out there that truncates (even
+ * with EDNS4k) to 512 by removing RRSIG from auth section
+ * for positive replies*/
+ if(subtype == VAL_CLASS_POSITIVE &&
+ detect_wrongly_truncated(vq->orig_msg->rep)) {
+ /* truncate the message some more */
+ vq->orig_msg->rep->ns_numrrsets = 0;
+ vq->orig_msg->rep->rrset_count--;
+ vq->chase_reply->ns_numrrsets = 0;
+ vq->chase_reply->rrset_count--;
+ }
+ else {
+ verbose(VERB_DETAIL, "Validate: message contains "
+ "bad rrsets");
+ return 1;
+ }
}
- subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
- &vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
switch(subtype) {
case VAL_CLASS_POSITIVE:
verbose(VERB_ALGO, "Validating a positive response");

33
unbound-r1677.patch Normal file
View File

@ -0,0 +1,33 @@
Index: validator/validator.c
===================================================================
--- validator/validator.c (revision 1677)
+++ validator/validator.c (working copy)
@@ -479,7 +479,7 @@
}
/**
- * Detect wrong truncated response, by a bad recursor out there.
+ * Detect wrong truncated response (from BIND 9.6.1 with minimal-responses).
* The positive response has a mangled authority section.
* Remove that authority section.
* @param rep: reply
Index: iterator/iterator.c
===================================================================
--- iterator/iterator.c (revision 1677)
+++ iterator/iterator.c (working copy)
@@ -1513,9 +1513,14 @@
/* we know that all other NS rrsets are scrubbed
* away, thus on referral only one is left.
* see if that equals the query name... */
- && reply_find_rrset_section_ns(iq->response->rep,
+ && ( /* auth section, but sometimes in answer section*/
+ reply_find_rrset_section_ns(iq->response->rep,
qstate->qinfo.qname, qstate->qinfo.qname_len,
LDNS_RR_TYPE_NS, qstate->qinfo.qclass)
+ || reply_find_rrset_section_an(iq->response->rep,
+ qstate->qinfo.qname, qstate->qinfo.qname_len,
+ LDNS_RR_TYPE_NS, qstate->qinfo.qclass)
+ )
)) {
/* Store the referral under the current query */
if(!iter_dns_store(qstate->env, &iq->response->qinfo,

View File

@ -1,19 +1,32 @@
%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
# not ready yet
%{?!with_python: %define with_python 0}
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.2.1
Release: 7%{?dist}
Version: 1.3.0
Release: 1%{?dist}
License: BSD
Url: http://www.nlnetlabs.nl/unbound/
Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
Source1: unbound.init
Source2: unbound.conf
Source3: unbound.munin
Patch0: unbound-iterator.patch
Patch1: unbound-initgroups-r1453.patch
# See the unbound svn repository for further documentation on these
Patch1: unbound-r1657.patch
Patch2: unbound-r1670.patch
Patch3: unbound-r1677.patch
Patch4: unbound-1.2-glob.patch
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: flex, openssl-devel >= 0.9.8g-12, ldns-devel >= 1.5.0,
BuildRequires: libevent-devel >= 1.4.5
BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0,
BuildRequires: libevent-devel
%if %{with_python}
BuildRequires: python-devel
%endif
Requires(post): chkconfig
Requires(preun): chkconfig
Requires(preun): initscripts
@ -21,8 +34,6 @@ Requires(postun): initscripts
Requires: ldns >= 1.5.0, dnssec-conf >= 1.19
Requires(pre): shadow-utils
Requires: dnssec-conf
# Is this obsolete?
#Provides: caching-nameserver
%description
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@ -62,16 +73,32 @@ Requires: openssl >= 0.9.8g-12
%description libs
Contains libraries used by the unbound server and client applications
%if %{with_python}
%package python
Summary: Python modules and extensions for unbound
Group: Applications/System
Requires: %{name}-libs = %{version}-%{release}
%description python
Python modules and extensions for unbound
%endif
%prep
%setup -q
%patch0
%patch1 -p1
%patch1
%patch2
%patch3
%patch4 -p1
%build
%configure --with-ldns= --with-libevent --with-pthreads --with-ssl \
--disable-rpath --enable-debug --disable-static \
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
--with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid
--with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \
%if %{with_python}
--with-pythonmodule --with-pyunbound \
%endif
--enable-sha2
%{__make} CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE" QUIET=no %{?_smp_mflags}
%install
@ -107,6 +134,11 @@ rm -rf ${RPM_BUILD_ROOT}
%{_sbindir}/*
%{_mandir}/*/*
%if %{with_python}
%files python
%{python_sitelib}/*
%endif
%files munin
%defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
@ -158,6 +190,16 @@ fi
%postun libs -p /sbin/ldconfig
%changelog
* Sat Jun 20 2009 Paul Wouters <paul@xelerance.com> - 1.3.0-1
- Updated to 1.3.0
- Added unbound-python sub package. disabled for now
- Patch from svn to fix DLV lookups
- Patches from svn to detect wrong truncated response from BIND 9.6.1 with
minimal-responses)
- Added Default-Start and Default-Stop to unbound.init
- Re-enabled --enable-sha2
- Re-enabled glob.patch
* Wed May 20 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-7
- unbound-iterator.patch was not commited