* Fri Apr 06 2018 Paul Wouters <pwouters@redhat.com> - 1.7.0-3

- Patch for referral with auth-zone: response
Paul Wouters 2018-04-06 17:01:26 +02:00
parent 7760424284
commit bdec72db18
2 changed files with 40 additions and 1 deletions

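--- a/unbound-1.7.0-ref.patch
+++ b/unbound-1.7.0-ref.patch
@@ -0,0 +1,33 @@
+--- a/iterator/iterator.c 2018-04-04 19:03:14.483416675 +0200
++++ b/iteratoriterator.c 2018-04-04 19:05:33.444712537 +0200
+@@ -2161,11 +2161,15 @@
+log_dns_msg("msg from auth zone",
+&iq->response->qinfo, iq->response->rep);
+}
+- iq->num_current_queries++;
+- iq->chase_to_rd = 0;
+- iq->dnssec_lame_query = 0;
+- iq->auth_zone_response = 1;
+- return next_state(iq, QUERY_RESP_STATE);
++ if((iq->chase_flags&BIT_RD) && !(iq->response->rep->flags&BIT_AA)) {
++ verbose(VERB_ALGO, "forwarder, ignoring referral from auth zone");
++ } else {
++ iq->num_current_queries++;
++ iq->chase_to_rd = 0;
++ iq->dnssec_lame_query = 0;
++ iq->auth_zone_response = 1;
++ return next_state(iq, QUERY_RESP_STATE);
++ }
+}
+iq->auth_zone_response = 0;
+if(auth_fallback == 0) {
+@@ -2443,7 +2447,8 @@
+(int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
+iq->response, &iq->qchase, iq->dp);
+iq->chase_to_rd = 0;
+- if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD)) {
++ if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) &&
++ !iq->auth_zone_response) {
+/* When forwarding (RD bit is set), we handle referrals
+* differently. No queries should be sent elsewhere */
+type = RESPONSE_TYPE_ANSWER;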
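Review bot: The `+++` header of the added patch reads `b/iteratoriterator.c`, which lacks the path separator present on the `---` line (`a/iterator/iterator.c`); it should be `+++ b/iterator/iterator.c`. With `%patch2 -p1` the patch presumably still applies only because the applier falls back to the existing file named on the `---` line, so a stricter tool or a later refresh could fail or pick the wrong path. The patch file also carries no header saying where the change comes from; a leading line such as `# Upstream: <upstream commit or bug URL>` (placeholder) would let a packager check this resolver behaviour change against its origin. In the first hunk the new "ignoring referral" branch falls through to `iq->auth_zone_response = 0;` with `iq->response` still holding the auth-zone message, and the rest of the function is outside the hunk, so it is worth confirming that the stale response is not used on the fallback path.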


@ -21,7 +21,7 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.7.0
Release: 2%{?extra_version:.%{extra_version}}%{?dist}
Release: 3%{?extra_version:.%{extra_version}}%{?dist}
License: BSD
Url: https://www.unbound.net/
Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@ -43,6 +43,7 @@ Source16: unbound-munin.README
Source17: unbound-anchor.service
Patch1: unbound-1.7.0-aggrnsec.patch
Patch2: unbound-1.7.0-ref.patch
Group: System Environment/Daemons
BuildRequires: flex, openssl-devel
@ -142,9 +143,11 @@ Python 3 modules and extensions for unbound
mv %{pkgname} %{pkgname}_python2
pushd %{pkgname}_python2
%patch1 -p1
%patch2 -p1
%else
pushd %{pkgname}
%patch1 -p1
%patch2 -p1
%endif # with_python
# only for snapshots
@ -439,6 +442,9 @@ popd
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
%changelog
* Fri Apr 06 2018 Paul Wouters <pwouters@redhat.com> - 1.7.0-3
- Patch for referral with auth-zone: response
* Wed Mar 21 2018 Paul Wouters <pwouters@redhat.com> - 1.7.0-2
- Patch for broken Aggressive NSEC + stub-zone configuration causing NXDOMAIN at TTL expiry