- Patch for cmd: unbound-control set_option val-permissive-mode: yes
parent
a57c3b8b64
commit
a1c71a375c
131
unbound-1.6.2-permissive.patch
Normal file
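--- /dev/null
+++ b/unbound-1.6.2-permissive.patch
@@ -0,0 +1,131 @@
+diff --git a/validator/val_utils.c b/validator/val_utils.c
+index e3677e1..e4eff1b 100644
+--- a/validator/val_utils.c
++++ b/validator/val_utils.c
+@@ -54,6 +54,7 @@
+#include "util/net_help.h"
+#include "util/module.h"
+#include "util/regional.h"
++#include "util/config_file.h"
+#include "sldns/wire2str.h"
+#include "sldns/parseutil.h"
+
+@@ -914,7 +915,7 @@ void val_reply_remove_auth(struct reply_info* rep, size_t index)
+}
+
+void
+-val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
++val_check_nonsecure(struct module_env* env, struct reply_info* rep)
+{
+size_t i;
+/* authority */
+@@ -955,7 +956,7 @@ val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
+}
+}
+/* additional */
+- if(!ve->clean_additional)
++ if(!env->cfg->val_clean_additional)
+return;
+for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
+if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
+diff --git a/validator/val_utils.h b/validator/val_utils.h
+index 051824a..649adc2 100644
+--- a/validator/val_utils.h
++++ b/validator/val_utils.h
+@@ -306,10 +306,10 @@ void val_reply_remove_auth(struct reply_info* rep, size_t index);
+* So that unsigned data does not get let through to clients, when we have
+* found the data to be secure.
+*
+- * @param ve: validator environment with cleaning options.
++ * @param env: environment with cleaning options.
+* @param rep: reply to dump all nonsecure stuff out of.
+*/
+-void val_check_nonsecure(struct val_env* ve, struct reply_info* rep);
++void val_check_nonsecure(struct module_env* env, struct reply_info* rep);
+
+/**
+* Mark all unchecked rrset entries not below a trust anchor as indeterminate.
+diff --git a/validator/validator.c b/validator/validator.c
+index e8b6317..5f4a1eb 100644
+--- a/validator/validator.c
++++ b/validator/validator.c
+@@ -113,8 +113,6 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env,
+{
+int c;
+val_env->bogus_ttl = (uint32_t)cfg->bogus_ttl;
+- val_env->clean_additional = cfg->val_clean_additional;
+- val_env->permissive_mode = cfg->val_permissive_mode;
+if(!env->anchors)
+env->anchors = anchors_create();
+if(!env->anchors) {
+@@ -171,7 +169,6 @@ val_init(struct module_env* env, int id)
+}
+env->modinfo[id] = (void*)val_env;
+env->need_to_validate = 1;
+- val_env->permissive_mode = 0;
+lock_basic_init(&val_env->bogus_lock);
+lock_protect(&val_env->bogus_lock, &val_env->num_rrset_bogus,
+sizeof(val_env->num_rrset_bogus));
+@@ -619,9 +616,11 @@ validate_msg_signatures(struct module_qstate* qstate, struct module_env* env,
+}
+}
+
+- /* attempt to validate the ADDITIONAL section rrsets */
+- if(!ve->clean_additional)
++ /* If set, the validator should clean the additional section of
++ * secure messages. */
++ if(!env->cfg->val_clean_additional)
+return 1;
++ /* attempt to validate the ADDITIONAL section rrsets */
+for(i=chase_reply->an_numrrsets+chase_reply->ns_numrrsets;
+i<chase_reply->rrset_count; i++) {
+s = chase_reply->rrsets[i];
+@@ -2129,7 +2128,7 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
+* a different signer name). And drop additional rrsets
+* that are not secure (if clean-additional option is set) */
+/* this may cause the msg to be marked bogus */
+- val_check_nonsecure(ve, vq->orig_msg->rep);
++ val_check_nonsecure(qstate->env, vq->orig_msg->rep);
+if(vq->orig_msg->rep->security == sec_status_secure) {
+log_query_info(VERB_DETAIL, "validation success",
+&qstate->qinfo);
+@@ -2170,8 +2169,14 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
+free(err);
+}
+}
++ /*
++ * If set, the validator will not make messages bogus, instead
++ * indeterminate is issued, so that no clients receive SERVFAIL.
++ * This allows an operator to run validation 'shadow' without
++ * hurting responses to clients.
++ */
+/* If we are in permissive mode, bogus gets indeterminate */
+- if(ve->permissive_mode)
++ if(qstate->env->cfg->val_permissive_mode)
+vq->orig_msg->rep->security = sec_status_indeterminate;
+}
+
+diff --git a/validator/validator.h b/validator/validator.h
+index 23d3072..9a59107 100644
+--- a/validator/validator.h
++++ b/validator/validator.h
+@@ -93,19 +93,6 @@ struct val_env {
+* seconds. */
+uint32_t bogus_ttl;
+
+- /** If set, the validator should clean the additional section of
+- * secure messages.
+- */
+- int clean_additional;
+-
+- /**
+- * If set, the validator will not make messages bogus, instead
+- * indeterminate is issued, so that no clients receive SERVFAIL.
+- * This allows an operator to run validation 'shadow' without
+- * hurting responses to clients.
+- */
+- int permissive_mode;
+-
+/**
+* Number of entries in the NSEC3 maximum iteration count table.
+* Keep this table short, and sorted by size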
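Review bot: `val_check_nonsecure` and the permissive-mode branch in `processFinished` now read `env->cfg->val_clean_additional` and `qstate->env->cfg->val_permissive_mode` on every finished query instead of the copies that `val_apply_cfg` used to cache in `struct val_env`; if that `cfg` object is shared by all worker threads, the `unbound-control set_option` write this patch is meant to honour races with these reads — a plain int read is unlikely to misbehave in practice, but confirm whether the control path updates a per-worker copy or the shared struct, and note that `val_apply_cfg` is no longer the single place where validator options take effect. Because turning `val-permissive-mode` on at runtime downgrades every bogus answer to indeterminate and so silences SERVFAIL for clients, the effective mode should be visible in operations (a log line where the option is changed, outside these hunks). The six-line comment added above `/* If we are in permissive mode, bogus gets indeterminate */` restates the docblock removed from `struct val_env` and the existing one-liner already says the same; keeping only the one-liner, e.g. `/* permissive mode: bogus becomes indeterminate, so clients never get SERVFAIL */`, would read better. In `validate_msg_signatures` and `processFinished` check whether `ve` still has other uses, otherwise the build now warns on an unused variable; both function bodies continue outside the hunks shown.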
10
unbound.spec
10
unbound.spec
@ -21,7 +21,7 @@
|
||||
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
||||
Name: unbound
|
||||
Version: 1.6.2
|
||||
Release: 1%{?extra_version:.%{extra_version}}%{?dist}
|
||||
Release: 2%{?extra_version:.%{extra_version}}%{?dist}
|
||||
License: BSD
|
||||
Url: http://www.nlnetlabs.nl/unbound/
|
||||
Source: http://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
|
||||
@ -43,6 +43,8 @@ Source15: unbound-anchor.timer
|
||||
Source16: unbound-munin.README
|
||||
Source17: unbound-anchor.service
|
||||
|
||||
Patch1: unbound-1.6.2-permissive.patch
|
||||
|
||||
Group: System Environment/Daemons
|
||||
BuildRequires: flex, openssl-devel
|
||||
BuildRequires: libevent-devel expat-devel
|
||||
@ -135,6 +137,9 @@ Python 3 modules and extensions for unbound
|
||||
%prep
|
||||
%{?extra_version:%global pkgname %{name}-%{version}%{extra_version}}%{!?extra_version:%global pkgname %{name}-%{version}}
|
||||
%setup -qcn %{pkgname}
|
||||
pushd %{pkgname}
|
||||
%patch1 -p1
|
||||
popd
|
||||
|
||||
%if 0%{with_python}
|
||||
mv %{pkgname} %{pkgname}_python2
|
||||
@ -439,6 +444,9 @@ popd
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Jun 08 2017 Paul Wouters <pwouters@redhat.com> - 1.6.2-2
|
||||
- Patch for cmd: unbound-control set_option val-permissive-mode: yes
|
||||
|
||||
* Wed Apr 26 2017 Paul Wouters <pwouters@redhat.com> - 1.6.2-1
|
||||
- Update to 1.6.2 (rhbz#1425649)
|
||||
- Updated unbound.conf with new options
|
||||
|