diff --git a/SOURCES/bind-9.11-edns512-tcp-loops.patch b/SOURCES/bind-9.11-edns512-tcp-loops.patch index 7c66164..ce2d478 100644 --- a/SOURCES/bind-9.11-edns512-tcp-loops.patch +++ b/SOURCES/bind-9.11-edns512-tcp-loops.patch @@ -1,4 +1,4 @@ -From b2822c93b89588bceb5213ab7c2e8c30d91e5e6c Mon Sep 17 00:00:00 2001 +From a6331686a8e3a5a2b0d1313de84978cd6d9ef65c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 31 Oct 2019 08:48:35 +0100 Subject: [PATCH] Prevent query loops for misbehaving servers @@ -21,14 +21,13 @@ server gets reduced to 512 bytes and it is impossible to reach it using TCP. (cherry picked from commit 6cd115994e0d10631172c56a7dab1ace83e946b4) -(cherry picked from commit a6331686a8e3a5a2b0d1313de84978cd6d9ef65c) --- bin/tests/system/legacy/tests.sh | 11 +++++++++++ lib/dns/resolver.c | 13 +++++++++++++ 2 files changed, 24 insertions(+) diff --git a/bin/tests/system/legacy/tests.sh b/bin/tests/system/legacy/tests.sh -index c4356f2456..7c30dcbc12 100755 +index c4356f2..7c30dcb 100755 --- a/bin/tests/system/legacy/tests.sh +++ b/bin/tests/system/legacy/tests.sh @@ -142,6 +142,17 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 @@ -50,10 +49,10 @@ index c4356f2456..7c30dcbc12 100755 then $PERL $SYSTEMTESTTOP/stop.pl . ns1 diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index e13d684a4a..93ba77056e 100644 +index 0384b15..36f6b6c 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c -@@ -2744,6 +2744,19 @@ resquery_connected(isc_task_t *task, isc_event_t *event) { +@@ -2744,10 +2744,22 @@ resquery_connected(isc_task_t *task, isc_event_t *event) { * No route to remote. */ isc_socket_detach(&query->tcpsocket); @@ -73,6 +72,7 @@ index e13d684a4a..93ba77056e 100644 fctx_cancelquery(&query, NULL, NULL, ISC_TRUE, ISC_FALSE); retry = ISC_TRUE; break; --- -2.21.3 - +- + default: + FCTXTRACE3("query canceled in connected() due to " + "unexpected event result; responding", diff --git a/SOURCES/bind-9.11-rh1300636.patch b/SOURCES/bind-9.11-rh1300636.patch new file mode 100644 index 0000000..5f0cdf1 --- /dev/null +++ b/SOURCES/bind-9.11-rh1300636.patch @@ -0,0 +1,77 @@ +From cfbb8a96570959a3d7471edbd8df559ea4e73123 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Wed, 14 Nov 2018 15:17:48 +1100 +Subject: [PATCH] free tmpzonename and restart_master + +(cherry picked from commit 50714a9b35ce80bd8839a52106778d65b6d4d7ba) +(cherry picked from commit e409b8c6982a275e3fad960b2e66437890ff08e2) +--- + bin/nsupdate/nsupdate.c | 14 ++++++++++++-- + lib/dns/include/dns/name.h | 5 +++++ + 2 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c +index a0d0278635..7e241c17e9 100644 +--- a/bin/nsupdate/nsupdate.c ++++ b/bin/nsupdate/nsupdate.c +@@ -158,8 +158,8 @@ static dns_fixedname_t fuserzone; + static dns_fixedname_t fzname; + static dns_name_t *userzone = NULL; + static dns_name_t *zname = NULL; +-static dns_name_t tmpzonename; +-static dns_name_t restart_master; ++static dns_name_t tmpzonename = DNS_NAME_INITEMPTY; ++static dns_name_t restart_master = DNS_NAME_INITEMPTY; + static dns_tsig_keyring_t *gssring = NULL; + static dns_tsigkey_t *tsigkey = NULL; + static dst_key_t *sig0key = NULL; +@@ -2415,6 +2415,8 @@ update_completed(isc_task_t *task, isc_event_t *event) { + if (usegsstsig) { + dns_name_free(&tmpzonename, gmctx); + dns_name_free(&restart_master, gmctx); ++ dns_name_init(&tmpzonename, 0); ++ dns_name_init(&restart_master, 0); + } + isc_event_free(&event); + done_update(); +@@ -2830,6 +2832,8 @@ failed_gssrequest() { + + dns_name_free(&tmpzonename, gmctx); + dns_name_free(&restart_master, gmctx); ++ dns_name_init(&tmpzonename, NULL); ++ dns_name_init(&restart_master, NULL); + + done_update(); + } +@@ -3238,6 +3242,12 @@ cleanup(void) { + isc_mem_free(gmctx, realm); + realm = NULL; + } ++ if (dns_name_dynamic(&tmpzonename)) { ++ dns_name_free(&tmpzonename, gmctx); ++ } ++ if (dns_name_dynamic(&restart_master)) { ++ dns_name_free(&restart_master, gmctx); ++ } + #endif + + if (sig0key != NULL) +diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h +index be74667ccb..93ddacd80b 100644 +--- a/lib/dns/include/dns/name.h ++++ b/lib/dns/include/dns/name.h +@@ -181,6 +181,11 @@ LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_wildcardname; + {NULL, NULL} \ + } + ++#define DNS_NAME_INITEMPTY { \ ++ DNS_NAME_MAGIC, NULL, 0, 0, 0, NULL, NULL, \ ++ { (void *)-1, (void *)-1 }, { NULL, NULL } \ ++} ++ + /*% + * Standard size of a wire format name + */ +-- +2.21.1 + diff --git a/SOURCES/bind-9.11-rh1744081.patch b/SOURCES/bind-9.11-rh1744081.patch new file mode 100644 index 0000000..c58911d --- /dev/null +++ b/SOURCES/bind-9.11-rh1744081.patch @@ -0,0 +1,33 @@ +From f6b9f4dfa61038a353f3974ec7683231fa23ed21 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Wed, 11 Mar 2020 17:36:51 +0100 +Subject: [PATCH] Allow conflicting files in zones, warn only + +Change hard error to just annoying warning. Broken configuration is +still error, but it was possible before. Make it possible again. +Would be fixed by using in-view clause properly. +--- + lib/bind9/check.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/bind9/check.c b/lib/bind9/check.c +index 545e3c6..b02a894 100644 +--- a/lib/bind9/check.c ++++ b/lib/bind9/check.c +@@ -2650,11 +2650,11 @@ fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, isc_boolean_t writeable, + if (writeable) { + file = cfg_obj_file(symvalue.as_cpointer); + line = cfg_obj_line(symvalue.as_cpointer); +- cfg_obj_log(obj, logctx, ISC_LOG_ERROR, ++ cfg_obj_log(obj, logctx, ISC_LOG_WARNING, + "writeable file '%s': already in use: " + "%s:%u", cfg_obj_asstring(obj), + file, line); +- return (ISC_R_EXISTS); ++ return (ISC_R_SUCCESS); // Pretend it is ok + } + result = isc_symtab_lookup(symtab, cfg_obj_asstring(obj), 2, + &symvalue); +-- +2.21.1 + diff --git a/SOURCES/bind-9.11-rh1756201.patch b/SOURCES/bind-9.11-rh1756201.patch new file mode 100644 index 0000000..b4d011d --- /dev/null +++ b/SOURCES/bind-9.11-rh1756201.patch @@ -0,0 +1,246 @@ +From bd79638f1c2c8f765e316c30b15dfb3e5d31e1e4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= +Date: Thu, 3 Jan 2019 14:58:05 +0100 +Subject: [PATCH] If possible don't use forwarders when priming the resolver. + +If we try to fetch a record from cache and need to look into +hints database we assume that the resolver is not primed and +start dns_resolver_prime(). Priming query is supposed to return +NSes for "." in ANSWER section and glue records for them in +ADDITIONAL section, so that we can fill that info in 'regular' +cache and not use hints db anymore. +However, if we're using a forwarder the priming query goes through +it, and if it's configured to return minimal answers we won't get +the addresses of root servers in ADDITIONAL section. Since the +only records for root servers we have are in hints database we'll +try to prime the resolver with every single query. + +This patch adds a DNS_FETCHOPT_NOFORWARD flag which avoids using +forwarders if possible (that is if we have forward-first policy). +Using this flag on priming fetch fixes the problem as we get the +proper glue. With forward-only policy the problem is non-existent, +as we'll never ask for root server addresses because we'll never +have a need to query them. + +Also added a test to confirm priming queries are not forwarded. + +(cherry picked from commit b49310ac06ac87733dc2867828e61370a84b2a9a) +(cherry picked from commit f8963ad70e222edad0c1e64f855f7fb41fb13c3c) +(cherry picked from commit aa9866c390a21d6984aa75cdb84d7bc77e114c2f) +--- + bin/tests/system/forward/ns4/named.conf.in | 3 ++ + bin/tests/system/forward/ns7/named.conf.in | 28 +++++++++++++++++ + bin/tests/system/forward/ns7/root.db | 28 +++++++++++++++++ + bin/tests/system/forward/setup.sh | 1 + + bin/tests/system/forward/tests.sh | 12 ++++++++ + lib/dns/include/dns/resolver.h | 36 ++++++++++++---------- + lib/dns/resolver.c | 17 ++++++++-- + 7 files changed, 106 insertions(+), 19 deletions(-) + create mode 100644 bin/tests/system/forward/ns7/named.conf.in + create mode 100644 bin/tests/system/forward/ns7/root.db + +diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in +index 480530b0f2..643e1271b5 100644 +--- a/bin/tests/system/forward/ns4/named.conf.in ++++ b/bin/tests/system/forward/ns4/named.conf.in +@@ -17,6 +17,9 @@ options { + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; ++ recursion yes; ++ dnssec-validation yes; ++ minimal-responses yes; + }; + + zone "." { +diff --git a/bin/tests/system/forward/ns7/named.conf.in b/bin/tests/system/forward/ns7/named.conf.in +new file mode 100644 +index 0000000000..d9f5e8a9db +--- /dev/null ++++ b/bin/tests/system/forward/ns7/named.conf.in +@@ -0,0 +1,28 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.7; ++ notify-source 10.53.0.7; ++ transfer-source 10.53.0.7; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.7; }; ++ listen-on-v6 { none; }; ++ forwarders { 10.53.0.4; }; ++ forward first; ++ dnssec-validation yes; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; +diff --git a/bin/tests/system/forward/ns7/root.db b/bin/tests/system/forward/ns7/root.db +new file mode 100644 +index 0000000000..7346810ba6 +--- /dev/null ++++ b/bin/tests/system/forward/ns7/root.db +@@ -0,0 +1,28 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, You can obtain one at http://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ++. IN SOA gson.nominum.com. a.root.servers.nil. ( ++ 2000042100 ; serial ++ 600 ; refresh ++ 600 ; retry ++ 1200 ; expire ++ 600 ; minimum ++ ) ++. NS a.root-servers.nil. ++a.root-servers.nil. A 10.53.0.1 ++ ++example1 NS ns.example1 ++ns.example1 A 10.53.0.1 ++ ++example2 NS ns.example2 ++ns.example2 A 10.53.0.1 ++ ++example3 NS ns.example3 ++ns.example3 A 10.53.0.1 +diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh +index c63aeb10d2..d64579e590 100644 +--- a/bin/tests/system/forward/setup.sh ++++ b/bin/tests/system/forward/setup.sh +@@ -18,3 +18,4 @@ copy_setports ns2/named.conf.in ns2/named.conf + copy_setports ns3/named.conf.in ns3/named.conf + copy_setports ns4/named.conf.in ns4/named.conf + copy_setports ns5/named.conf.in ns5/named.conf ++copy_setports ns7/named.conf.in ns7/named.conf +diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh +index f23cde1751..8c6496037d 100644 +--- a/bin/tests/system/forward/tests.sh ++++ b/bin/tests/system/forward/tests.sh +@@ -131,5 +131,17 @@ $CHECKCONF ula-notinherited.conf | grep "forward first;" >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + ++echo_i "checking that priming queries are not forwarded" ++ret=0 ++$DIG $DIGOPTS +noadd +noauth txt.example1. txt @10.53.0.7 > dig.out.f7 || ret=1 ++sent=`sed -n '/sending packet to 10.53.0.1/,/^$/p' ns7/named.run | grep ";.*IN.*NS" | wc -l` ++[ $sent -eq 1 ] || ret=1 ++sent=`grep "10.53.0.7#.* (.): query '\./NS/IN' approved" ns4/named.run | wc -l` ++[ $sent -eq 0 ] || ret=1 ++sent=`grep "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run | wc -l` ++[ $sent -eq 1 ] || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=`expr $status + $ret` ++ + echo_i "exit status: $status" + [ $status -eq 0 ] || exit 1 +diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h +index f2f8714d16..e1a10295f3 100644 +--- a/lib/dns/include/dns/resolver.h ++++ b/lib/dns/include/dns/resolver.h +@@ -88,23 +88,25 @@ typedef enum { + /* + * Options that modify how a 'fetch' is done. + */ +-#define DNS_FETCHOPT_TCP 0x0001 /*%< Use TCP. */ +-#define DNS_FETCHOPT_UNSHARED 0x0002 /*%< See below. */ +-#define DNS_FETCHOPT_RECURSIVE 0x0004 /*%< Set RD? */ +-#define DNS_FETCHOPT_NOEDNS0 0x0008 /*%< Do not use EDNS. */ +-#define DNS_FETCHOPT_FORWARDONLY 0x0010 /*%< Only use forwarders. */ +-#define DNS_FETCHOPT_NOVALIDATE 0x0020 /*%< Disable validation. */ +-#define DNS_FETCHOPT_EDNS512 0x0040 /*%< Advertise a 512 byte +- UDP buffer. */ +-#define DNS_FETCHOPT_WANTNSID 0x0080 /*%< Request NSID */ +-#define DNS_FETCHOPT_PREFETCH 0x0100 /*%< Do prefetch */ +-#define DNS_FETCHOPT_NOCDFLAG 0x0200 /*%< Don't set CD flag. */ +-#define DNS_FETCHOPT_NONTA 0x0400 /*%< Ignore NTA table. */ +-/* RESERVED ECS 0x0000 */ +-/* RESERVED ECS 0x1000 */ +-/* RESERVED ECS 0x2000 */ +-/* RESERVED TCPCLIENT 0x4000 */ +-#define DNS_FETCHOPT_NOCACHED 0x8000 /*%< Force cache update. */ ++#define DNS_FETCHOPT_TCP 0x00001 /*%< Use TCP. */ ++#define DNS_FETCHOPT_UNSHARED 0x00002 /*%< See below. */ ++#define DNS_FETCHOPT_RECURSIVE 0x00004 /*%< Set RD? */ ++#define DNS_FETCHOPT_NOEDNS0 0x00008 /*%< Do not use EDNS. */ ++#define DNS_FETCHOPT_FORWARDONLY 0x00010 /*%< Only use forwarders. */ ++#define DNS_FETCHOPT_NOVALIDATE 0x00020 /*%< Disable validation. */ ++#define DNS_FETCHOPT_EDNS512 0x00040 /*%< Advertise a 512 byte ++ 0 UDP buffer. */ ++#define DNS_FETCHOPT_WANTNSID 0x00080 /*%< Request NSID */ ++#define DNS_FETCHOPT_PREFETCH 0x00100 /*%< Do prefetch */ ++#define DNS_FETCHOPT_NOCDFLAG 0x00200 /*%< Don't set CD flag. */ ++#define DNS_FETCHOPT_NONTA 0x00400 /*%< Ignore NTA table. */ ++/* RESERVED ECS 0x00000 */ ++/* RESERVED ECS 0x01000 */ ++/* RESERVED ECS 0x02000 */ ++/* RESERVED TCPCLIENT 0x04000 */ ++#define DNS_FETCHOPT_NOCACHED 0x08000 /*%< Force cache update. */ ++#define DNS_FETCHOPT_NOFORWARD 0x80000 /*%< Do not use forwarders ++ if possible. */ + + /* Reserved in use by adb.c 0x00400000 */ + #define DNS_FETCHOPT_EDNSVERSIONSET 0x00800000 +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 301ad52fe2..f701a09be9 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -3261,6 +3261,18 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) { + INSIST(ISC_LIST_EMPTY(fctx->forwaddrs)); + INSIST(ISC_LIST_EMPTY(fctx->altaddrs)); + ++ /* ++ * If we have DNS_FETCHOPT_NOFORWARD set and forwarding policy ++ * allows us to not forward - skip forwarders and go straight ++ * to NSes. This is currently used to make sure that priming query ++ * gets root servers' IP addresses in ADDITIONAL section. ++ */ ++ if ((fctx->options & DNS_FETCHOPT_NOFORWARD) != 0 && ++ (fctx->fwdpolicy != dns_fwdpolicy_only)) ++ { ++ goto normal_nses; ++ } ++ + /* + * If this fctx has forwarders, use them; otherwise use any + * selective forwarders specified in the view; otherwise use the +@@ -3346,7 +3358,7 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) { + /* + * Normal nameservers. + */ +- ++ normal_nses: + stdoptions = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_EMPTYEVENT; + if (fctx->restarts == 1) { + /* +@@ -9194,7 +9206,8 @@ dns_resolver_prime(dns_resolver_t *res) { + LOCK(&res->primelock); + result = dns_resolver_createfetch(res, dns_rootname, + dns_rdatatype_ns, +- NULL, NULL, NULL, 0, ++ NULL, NULL, NULL, ++ DNS_FETCHOPT_NOFORWARD, + res->buckets[0].task, + prime_done, + res, rdataset, NULL, +-- +2.21.1 + diff --git a/SOURCES/bind-9.11-rh1832812.patch b/SOURCES/bind-9.11-rh1832812.patch new file mode 100644 index 0000000..f20ddce --- /dev/null +++ b/SOURCES/bind-9.11-rh1832812.patch @@ -0,0 +1,129 @@ +diff --git a/bin/tests/system/forward/ns4/malicious.db b/bin/tests/system/forward/ns4/malicious.db +new file mode 100644 +index 0000000000000000000000000000000000000000..b47208c1640eaf40d9c23bfb4598000fd068b814 +--- /dev/null ++++ b/bin/tests/system/forward/ns4/malicious.db +@@ -0,0 +1,22 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, You can obtain one at http://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++@ IN SOA malicious. admin.malicious. ( ++ 1 ; Serial ++ 604800 ; Refresh ++ 86400 ; Retry ++ 2419200 ; Expire ++ 86400 ) ; Negative Cache TTL ++ ++@ IN NS ns ++ ++ns IN A 10.53.0.4 ++ ++target IN CNAME subdomain.rebind. +diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in +index 643e1271b53ae85e91a169413259afe84dfe1fee..fee76b41e5d46d5bfdb9fc10bd6e914436417a2b 100644 +--- a/bin/tests/system/forward/ns4/named.conf.in ++++ b/bin/tests/system/forward/ns4/named.conf.in +@@ -55,3 +55,8 @@ zone "grafted" { + forward only; + forwarders { 10.53.0.2; }; + }; ++ ++zone "malicious." { ++ type master; ++ file "malicious.db"; ++}; +diff --git a/bin/tests/system/forward/ns5/named.conf.in b/bin/tests/system/forward/ns5/named.conf.in +index 0e65985d52634654cf3ebb757cd1f0296e5d9cb6..6742222d4d088807ce1765c1073ef8ba16768d9c 100644 +--- a/bin/tests/system/forward/ns5/named.conf.in ++++ b/bin/tests/system/forward/ns5/named.conf.in +@@ -19,9 +19,16 @@ options { + listen-on-v6 { none; }; + forward only; + forwarders { 10.53.0.4; }; ++ deny-answer-aliases { "rebind"; }; ++ dnssec-validation yes; + }; + + zone "." { + type hint; + file "root.db"; + }; ++ ++zone "rebind" { ++ type master; ++ file "rebind.db"; ++}; +diff --git a/bin/tests/system/forward/ns5/rebind.db b/bin/tests/system/forward/ns5/rebind.db +new file mode 100644 +index 0000000000000000000000000000000000000000..3e71327a4856ab9a164db475423327de0184dd81 +--- /dev/null ++++ b/bin/tests/system/forward/ns5/rebind.db +@@ -0,0 +1,22 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, You can obtain one at http://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++@ IN SOA rebind. admin.rebind. ( ++ 1 ; Serial ++ 604800 ; Refresh ++ 86400 ; Retry ++ 2419200 ; Expire ++ 86400 ) ; Negative Cache TTL ++ ++@ IN NS ns ++ ++ns IN A 10.53.0.5 ++ ++subdomain IN A 10.53.0.1 +diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh +index 8c64960..1da4136 100644 +--- a/bin/tests/system/forward/tests.sh ++++ b/bin/tests/system/forward/tests.sh +@@ -143,5 +143,18 @@ sent=`grep "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run | wc -l` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + ++n=$((n+1)) ++echo_i "checking that rebinding protection works in forward only mode ($n)" ++ret=0 ++# 10.53.0.5 will forward target.malicious. query to 10.53.0.4 ++# which in turn will return a CNAME for subdomain.rebind. ++# to honor the option deny-answer-aliases { "rebind"; }; ++# ns5 should return a SERVFAIL to avoid potential rebinding attacks ++dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1 ++grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=$((status+ret)) ++ ++ + echo_i "exit status: $status" + [ $status -eq 0 ] || exit 1 +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index a8cbb10..39d33e0 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -6413,8 +6413,10 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, + /* + * If the target name is a subdomain of the search domain, allow it. + */ +- if (dns_name_issubdomain(tname, &fctx->domain)) ++ if ((fctx->fwdpolicy == dns_fwdpolicy_none) && ++ dns_name_issubdomain(tname, &fctx->domain)) { + return (ISC_TRUE); ++ } + + /* + * Otherwise, apply filters. diff --git a/SPECS/bind.spec b/SPECS/bind.spec index 9f6f81f..7aad09a 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -64,7 +64,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.4 -Release: 16%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.6 +Release: 26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -163,11 +163,15 @@ Patch176: bind-9.11-rh1753259.patch Patch177: bind-9.11-rh1743572-2.patch Patch178: bind-9.11-rh1781576.patch Patch179: bind-9.11-disab-timer-test.patch -Patch180: bind-9.11.13-CVE-2020-8616.patch -Patch181: bind-9.11.13-CVE-2020-8617.patch +Patch180: bind-9.11-rh1744081.patch +Patch181: bind-9.11-rh1300636.patch +Patch182: bind-9.11-rh1756201.patch +Patch183: bind-9.11.13-CVE-2020-8616.patch +Patch184: bind-9.11.13-CVE-2020-8617.patch Patch185: bind-9.11-CVE-2020-8616-test.patch Patch186: bind-9.11-CVE-2020-8617-test.patch -Patch187: bind-9.11-edns512-tcp-loops.patch +Patch187: bind-9.11-rh1832812.patch +Patch188: bind-9.11-edns512-tcp-loops.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -524,11 +528,15 @@ are used for building ISC DHCP. %patch176 -p1 -b .rh1753259 %patch177 -p1 -b .rh1743572 %patch178 -p1 -b .rh1781576 -%patch180 -p1 -b .CVE-2020-8616 -%patch181 -p1 -b .CVE-2020-8617 +%patch180 -p1 -b .rh1744081 +%patch181 -p1 -b .rh1300636 +%patch182 -p1 -b .rh1756201 +%patch183 -p1 -b .CVE-2020-8616 +%patch184 -p1 -b .CVE-2020-8617 %patch185 -p1 -b .CVE-2020-8616-test %patch186 -p1 -b .CVE-2020-8616-test -%patch187 -p1 -b .edns512-loops +%patch187 -p1 -b .rh1832812 +%patch188 -p1 -b .edns512-loops # Override upstream builtin keys cp -fp %{SOURCE29} bind.keys @@ -1510,24 +1518,37 @@ rm -rf ${RPM_BUILD_ROOT} %changelog -* Wed May 27 2020 Petr Menšík - 32:9.11.4-16.P2.6 +* Fri May 29 2020 Artem Egorenkov - 32:9.11.4-26.P2 - Fix EDNS512 loops on broken servers -* Fri May 22 2020 Petr Menšík - 32:9.11.4-16.P2.5 +* Tue May 26 2020 Artem Egorenkov - 32:9.11.4-25.P2 +- rebinding protection for forwarding DNS server upstream patch (#1832812) + +* Fri May 22 2020 Petr Menšík - 32:9.11.4-24.P2 - Add CVE tests to codebase -* Tue May 19 2020 Petr Menšík - 32:9.11.4-16.P2.4 +* Mon May 18 2020 Petr Menšík - 32:9.11.4-23.P2 - Limit number of queries triggered by a request (CVE-2020-8616) - Fix invalid tsig request (CVE-2020-8617) -* Wed Mar 04 2020 Miroslav Lichvar - 32:9.11.4-16.P2.3 -- Disable atomic operations on ppc64, ppc64le, aarch64, ppc (#1779589) +* Wed Mar 18 2020 Petr Menšík - 32:9.11.4-22.P2 +- Solve often priming queries on some forwarder (#1756201) -* Sat Feb 22 2020 Tomas Korbar - 32:9.11.4-16.P2.2 -- Disable unit test timer_test on ppc64le because of its instability +* Mon Mar 16 2020 Petr Menšík - 32:9.11.4-21.P2 +- Disable atomic operations also on ppc (#1779589) + +* Fri Mar 13 2020 Petr Menšík - 32:9.11.4-20.P2 +- Do not crash when nsupdate with GSS terminated early (#1300636) -* Fri Feb 21 2020 Tomas Korbar - 32:9.11.4-16.P2.1 -- Prevent deadlock on reload (#1805685) +* Wed Mar 11 2020 Petr Menšík - 32:9.11.4-19.P2 +- Allow conflicting zone files with a warning (#1744081) + +* Wed Mar 04 2020 Miroslav Lichvar - 32:9.11.4-18.P2 +- Disable atomic operations on ppc64, ppc64le, aarch64 (#1779589) + +* Fri Feb 21 2020 Tomas Korbar - 32:9.11.4-17.P2 +- Prevent deadlock on reload (#1781576) +- Disable unit test timer_test on ppc64le because of its instability * Thu Dec 12 2019 Petr Menšík - 32:9.11.4-16.P2 - Finish dig query when name is too long (#1743572)