diff --git a/unbound-1.7.0-aggrnsec.patch b/unbound-1.7.0-aggrnsec.patch new file mode 100644 index 0000000..3368da0 --- /dev/null +++ b/unbound-1.7.0-aggrnsec.patch @@ -0,0 +1,199 @@ +diff --git a/cachedb/cachedb.c b/cachedb/cachedb.c +index 7eb0df43..43abdc1b 100644 +--- a/cachedb/cachedb.c ++++ b/cachedb/cachedb.c +@@ -589,7 +589,8 @@ cachedb_intcache_lookup(struct module_qstate* qstate) + qstate->region, qstate->env->scratch, + 1 /* no partial messages with only a CNAME */ + ); +- if(!msg && qstate->env->neg_cache) { ++ if(!msg && qstate->env->neg_cache && ++ iter_qname_indicates_dnssec(qstate->env, &iq->qchase)) { + /* lookup in negative cache; may result in + * NOERROR/NODATA or NXDOMAIN answers that need validation */ + msg = val_neg_getmsg(qstate->env->neg_cache, &qstate->qinfo, +diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c +index 70cab40f..54844825 100644 +--- a/iterator/iter_utils.c ++++ b/iterator/iter_utils.c +@@ -625,7 +625,7 @@ iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags, + } + + int +-iter_indicates_dnssec_fwd(struct module_env* env, struct query_info *qinfo) ++iter_qname_indicates_dnssec(struct module_env* env, struct query_info *qinfo) + { + struct trust_anchor* a; + if(!env || !env->anchors || !qinfo || !qinfo->qname) +diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h +index 602fa6db..a866d2c1 100644 +--- a/iterator/iter_utils.h ++++ b/iterator/iter_utils.h +@@ -174,15 +174,14 @@ int iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags, + struct delegpt* dp); + + /** +- * See if qname has DNSSEC needs in the forwarding case. This is true if +- * there is a trust anchor above it. Whether there is an insecure delegation +- * to the data is unknown, but CD-retry is needed. ++ * See if qname has DNSSEC needs. This is true if there is a trust anchor above ++ * it. Whether there is an insecure delegation to the data is unknown. + * @param env: environment with anchors. + * @param qinfo: query name and class. + * @return true if trust anchor above qname, false if no anchor or insecure + * point above qname. + */ +-int iter_indicates_dnssec_fwd(struct module_env* env, ++int iter_qname_indicates_dnssec(struct module_env* env, + struct query_info *qinfo); + + /** +diff --git a/iterator/iterator.c b/iterator/iterator.c +index 7f3c6573..57fa839b 100644 +--- a/iterator/iterator.c ++++ b/iterator/iterator.c +@@ -1206,7 +1206,8 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq, + iq->qchase.qname_len, iq->qchase.qtype, + iq->qchase.qclass, qstate->query_flags, + qstate->region, qstate->env->scratch, 0); +- if(!msg && qstate->env->neg_cache) { ++ if(!msg && qstate->env->neg_cache && ++ iter_qname_indicates_dnssec(qstate->env, &iq->qchase)) { + /* lookup in negative cache; may result in + * NOERROR/NODATA or NXDOMAIN answers that need validation */ + msg = val_neg_getmsg(qstate->env->neg_cache, &iq->qchase, +@@ -2366,7 +2367,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, + * (blacklist nonempty) and no trust-anchors are configured + * above the qname or on the first attempt when dnssec is on */ + EDNS_DO| ((iq->chase_to_rd||(iq->chase_flags&BIT_RD)!=0)&& +- !qstate->blacklist&&(!iter_indicates_dnssec_fwd(qstate->env, ++ !qstate->blacklist&&(!iter_qname_indicates_dnssec(qstate->env, + &iq->qinfo_out)||target->attempts==1)?0:BIT_CD), + iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted( + ie, iq), &target->addr, target->addrlen, +diff --git a/testdata/val_negcache_nta.rpl b/testdata/val_negcache_nta.rpl +new file mode 100755 +index 00000000..2331643f +--- /dev/null ++++ b/testdata/val_negcache_nta.rpl +@@ -0,0 +1,120 @@ ++; config options ++; The island of trust is at testzone.nlnetlabs.nl ++server: ++ trust-anchor: "testzone.nlnetlabs.nl. IN DS 2926 8 2 6f8512d1e82eecbd684fc4a76f39f8c5b411af385494873bdead663ddb78a88b" ++ val-override-date: "20180213111425" ++ target-fetch-policy: "0 0 0 0 0" ++ trust-anchor-signaling: no ++ aggressive-nsec: yes ++ domain-insecure: "ant.testzone.nlnetlabs.nl" ++ ++stub-zone: ++ name: "testzone.nlnetlabs.nl" ++ stub-addr: 185.49.140.60 ++stub-zone: ++ name: "ant.testzone.nlnetlabs.nl" ++ stub-addr: 185.49.140.61 ++CONFIG_END ++ ++SCENARIO_BEGIN Test to not do aggressive NSEC for domains under NTA ++ ++; testzone.nlnetlabs.nl nameserver ++RANGE_BEGIN 0 100 ++ ADDRESS 185.49.140.60 ++ ++; response to DNSKEY priming query ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR NOERROR ++SECTION QUESTION ++testzone.nlnetlabs.nl. IN DNSKEY ++SECTION ANSWER ++testzone.nlnetlabs.nl. 3600 IN DNSKEY 256 3 8 AwEAAbrNEg01ByEpUUiip+GNAkNVjUfeX7sl9kPUssR3JQvhCJWVs7aBY0Ae1cNtQWgzCmidGorlXvEY2nNBiMM4l7IXqopJsgyj+Cb3nQPVLi/7yVwUb+AIwSJw1gRFElMYonsMOL9qUrJi8BBCnCR0EqkL+X4slmtkXSJbzQAwvHI7 ++testzone.nlnetlabs.nl. 3600 IN DNSKEY 257 3 8 AwEAAbn0eGV0wqMBQNSVTY//BoiOD7bexC7FcVv0fH9bwjKOA8I+ob377E14vZN2xRLC2b1GG5iBckjeI+N2dB9eC2KRnScU3Gbmtw75BBYfm/y4Hu72zEjEZ0ZGv6gjSZRv/1o87ODAwQaxN8/dQD+5U/5xu12XM39bCJZx2GWTbf5L ++testzone.nlnetlabs.nl. 3600 IN RRSIG DNSKEY 8 3 3600 20180313101254 20180213101254 2926 testzone.nlnetlabs.nl. gSLZb/dSKutRlAKSo8ZCC1R+SkvABMYBRQsms77WPfYCDbt5GbXeuGqwGdadjEN8gGSU+qrYNxBZRhlYY6d2vtl+DGh67qwteHSwOCw0VvU64eVh38maJA1U673U4JtlBALzBOA/UHmXPlCgPPoW3BG0U3T2Qir/mqOmegmpBcw= ++SECTION AUTHORITY ++testzone.nlnetlabs.nl. 3600 IN NS ns.nlnetlabs.nl. ++testzone.nlnetlabs.nl. 3600 IN RRSIG NS 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. Ox0iKc+z3i1qR1wMr8TBPYzuYO5UTaLrBsDagJAd25fvCkGN+h3HPmWlCIW0cBHsS+IaHXr1JhWutjSCc4UBcY+sT7Y7Fw3V1qdZW2KzbSgWUyPkTXoYcIIVLacSUTXEyltW6jj61WEI/RaUGUCJortvwH5iv1Hzee343isxObI= ++SECTION ADDITIONAL ++ENTRY_END ++ ++; response for antelope.testzone.nlnetlabs.nl. ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR NXDOMAIN ++SECTION QUESTION ++antelope.testzone.nlnetlabs.nl. IN TXT ++SECTION ANSWER ++SECTION AUTHORITY ++testzone.nlnetlabs.nl. 3600 IN NSEC alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY ++testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. gTKn6U1nal9oA79IRxLa/7zexl6A0yJZzeEGBbZ5rh5feyAr2X4LTR9bPCgcHeMVggf4FP+kD1L/sxzj/YLwB1ZKGKlwnzsHtPFTlmvDClaqQ76DRZq5Vejr2ZfnclBUb2vtxaXywTRW8oueaaq9flcShEQ/cQ+KRU8sc344qd0= ++alligator.testzone.nlnetlabs.nl. 3600 IN NSEC cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC ++alligator.testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 4 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. QAgQ0AsMoYG02+VPfoOctSPlTHdQOkQt5fFkSkzIbVhUzNOqa+dB/Qkc81AwFeJosA+PvYjt6utcVkIWmK2Djy9eXC49gILtVF79vUe4G7ZrybO5NXjqNa5ANoUGM+yew4wkjeNOMVAsvs+1kvFY7S8RAa/0AIYlZHQ8vNBPNaI= ++testzone.nlnetlabs.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600 ++testzone.nlnetlabs.nl. 3600 IN RRSIG SOA 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. GhmXNFQktZIgaBpGKwj9Q2mfq5+jcbRPK+PPgtRVicUPZga/d/iGEL8PV/8DzGwkaZbM14pamSUMgdJibW4zNhLz/ukjPilbjoj6giH1jtbdZLAQ6iK9pZ/4jKUEq4txviTczZNnDeolgPEEl4xo4NclQmi7zj1XBlQRbjvG0/0= ++SECTION ADDITIONAL ++ENTRY_END ++ ++RANGE_END ++ ++; ant.testzone.nlnetlabs.nl nameserver ++RANGE_BEGIN 0 100 ++ ADDRESS 185.49.140.61 ++ ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR NOERROR ++SECTION QUESTION ++ant.testzone.nlnetlabs.nl. IN TXT ++SECTION ANSWER ++ant.testzone.nlnetlabs.nl. 10 IN TXT "domain under NTA" ++ENTRY_END ++RANGE_END ++ ++STEP 1 QUERY ++ENTRY_BEGIN ++REPLY RD DO ++SECTION QUESTION ++antelope.testzone.nlnetlabs.nl. IN TXT ++ENTRY_END ++ ++; recursion happens here. ++STEP 10 CHECK_ANSWER ++ENTRY_BEGIN ++MATCH all ++REPLY QR RD RA DO AD NXDOMAIN ++SECTION QUESTION ++antelope.testzone.nlnetlabs.nl. IN TXT ++SECTION ANSWER ++SECTION AUTHORITY ++testzone.nlnetlabs.nl. 3600 IN NSEC alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY ++testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. gTKn6U1nal9oA79IRxLa/7zexl6A0yJZzeEGBbZ5rh5feyAr2X4LTR9bPCgcHeMVggf4FP+kD1L/sxzj/YLwB1ZKGKlwnzsHtPFTlmvDClaqQ76DRZq5Vejr2ZfnclBUb2vtxaXywTRW8oueaaq9flcShEQ/cQ+KRU8sc344qd0= ++alligator.testzone.nlnetlabs.nl. 3600 IN NSEC cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC ++alligator.testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 4 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. QAgQ0AsMoYG02+VPfoOctSPlTHdQOkQt5fFkSkzIbVhUzNOqa+dB/Qkc81AwFeJosA+PvYjt6utcVkIWmK2Djy9eXC49gILtVF79vUe4G7ZrybO5NXjqNa5ANoUGM+yew4wkjeNOMVAsvs+1kvFY7S8RAa/0AIYlZHQ8vNBPNaI= ++testzone.nlnetlabs.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600 ++testzone.nlnetlabs.nl. 3600 IN RRSIG SOA 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. GhmXNFQktZIgaBpGKwj9Q2mfq5+jcbRPK+PPgtRVicUPZga/d/iGEL8PV/8DzGwkaZbM14pamSUMgdJibW4zNhLz/ukjPilbjoj6giH1jtbdZLAQ6iK9pZ/4jKUEq4txviTczZNnDeolgPEEl4xo4NclQmi7zj1XBlQRbjvG0/0= ++SECTION ADDITIONAL ++ENTRY_END ++ ++; query for ant.testzone.nlnetlabs.nl, which is below an NTA ++STEP 20 QUERY ++ENTRY_BEGIN ++REPLY RD DO ++SECTION QUESTION ++ant.testzone.nlnetlabs.nl. IN TXT ++ENTRY_END ++ ++STEP 30 CHECK_ANSWER ++ENTRY_BEGIN ++MATCH all ++REPLY QR RD RA DO NOERROR ++SECTION QUESTION ++ant.testzone.nlnetlabs.nl. IN TXT ++SECTION ANSWER ++ant.testzone.nlnetlabs.nl. 10 IN TXT "domain under NTA" ++ENTRY_END ++ ++SCENARIO_END diff --git a/unbound.spec b/unbound.spec index b76e625..7fb070d 100644 --- a/unbound.spec +++ b/unbound.spec @@ -21,7 +21,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.7.0 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Release: 2%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://www.unbound.net/ Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz @@ -42,6 +42,8 @@ Source15: unbound-anchor.timer Source16: unbound-munin.README Source17: unbound-anchor.service +Patch1: unbound-1.7.0-aggrnsec.patch + Group: System Environment/Daemons BuildRequires: flex, openssl-devel BuildRequires: libevent-devel expat-devel @@ -139,8 +141,10 @@ Python 3 modules and extensions for unbound %if 0%{with_python} mv %{pkgname} %{pkgname}_python2 pushd %{pkgname}_python2 +%patch1 -p1 %else pushd %{pkgname} +%patch1 -p1 %endif # with_python # only for snapshots @@ -435,6 +439,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Wed Mar 21 2018 Paul Wouters - 1.7.0-2 +- Patch for broken Aggressive NSEC + stub-zone configuration causing NXDOMAIN at TTL expiry + * Thu Mar 15 2018 Paul Wouters - 1.7.0-1 - Updated to 1.7.0 (aggressive nsec, local root support, bugfixes)