- Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes

qname minimisation with a forwarder when connectivity has issues from rejecting responses. Resolves: rhbz#1633874
2018-10-01 19:23:54 +02:00 · 2018-10-01 19:23:54 +02:00 · b3942245cb
commit b3942245cb
parent 787382dfd5
2 changed files with 47 additions and 1 deletions
--- a/unbound-1.8.0-rh1633874.patch
+++ b/unbound-1.8.0-rh1633874.patch
@ -0,0 +1,39 @@
+From 9be04e6fac3f4ee8fa08d3671dac41d2156d2ced Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards <wouter@nlnetlabs.nl>
+Date: Thu, 27 Sep 2018 08:19:29 +0000
+Subject: [PATCH] - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL,
+ fixes   qname minimisation with a forwarder when connectivity has issues  
+ from rejecting responses.
+
+git-svn-id: file:///svn/unbound/trunk@4916 be551aaa-1e26-0410-a405-d3ace91eadb9
+---
+ iterator/iterator.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/iterator/iterator.c b/iterator/iterator.c
+index 7baf92b7..2f26bd33 100644
+--- a/iterator/iterator.c
+++ b/iterator/iterator.c
+@@ -2174,7 +2174,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+ 		return 0;
+ 	}
+ 
+-	if(iq->minimisation_state == INIT_MINIMISE_STATE) {
+	if(iq->minimisation_state == INIT_MINIMISE_STATE
+		&& !(iq->chase_flags & BIT_RD)) {
+ 		/* (Re)set qinfo_out to (new) delegation point, except when
+ 		 * qinfo_out is already a subdomain of dp. This happens when
+ 		 * increasing by more than one label at once (QNAMEs with more
+@@ -2715,7 +2716,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+ 			sock_list_insert(&qstate->reply_origin, 
+ 				&qstate->reply->addr, qstate->reply->addrlen, 
+ 				qstate->region);
+-		if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
+		if(iq->minimisation_state != DONOT_MINIMISE_STATE
+			&& !(iq->chase_flags & BIT_RD)) {
+ 			if(FLAGS_GET_RCODE(iq->response->rep->flags) != 
+ 				LDNS_RCODE_NOERROR) {
+ 				if(qstate->env->cfg->qname_minimisation_strict)
+-- 
+2.14.4
+
--- a/unbound.spec
+++ b/unbound.spec
@ -34,7 +34,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.8.0
-Release: 1%{?extra_version:.%{extra_version}}%{?dist}
+Release: 2%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://www.unbound.net/
 Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@ -55,6 +55,8 @@ Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service

+Patch1: unbound-1.8.0-rh1633874.patch
+
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
 BuildRequires: libevent-devel expat-devel
@ -150,6 +152,8 @@ Python 3 modules and extensions for unbound

 pushd %{pkgname}

+%patch1 -p1 -b .rh1633874
+
 # only for snapshots
 # autoreconf -iv

@ -420,6 +424,9 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key

 %changelog
+* Mon Oct 01 2018 Petr Menšík <pemensik@redhat.com> - 1.8.0-2
+- Skip ipv6 forwarders without ipv6 support (#1633874)
+
 * Wed Sep 19 2018 Petr Menšík <pemensik@redhat.com> - 1.8.0-1
 - Rebase to 1.8.0