From eefdbb341f19fe17d91bd5ded73357c1f33e395b Mon Sep 17 00:00:00 2001
From: Yorgos Thessalonikefs
Date: Fri, 22 Nov 2024 15:30:51 +0100
Subject: [PATCH] - Fix #1175: serve-expired does not adhere to secure-by-default principle. The default value of serve-expired-client-timeout is set to 1800 as suggested by RFC8767.
---
 doc/Changelog | 5 +++++
 doc/example.conf.in | 10 +++++-----
 doc/unbound.conf.5.in | 19 +++++++++++--------
 util/config_file.c | 2 +-
 4 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/doc/Changelog b/doc/Changelog
index 53074a9a9..65533799b 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,8 @@
+22 November 2024: Yorgos
+ - Fix #1175: serve-expired does not adhere to secure-by-default
+ principle. The default value of serve-expired-client-timeout
+ is set to 1800 as suggested by RFC8767.
+
 20 November 2024: Yorgos
 - Fix comparison to help static analyzer.
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 55fea6a42..e0ee39ad4 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -731,7 +731,8 @@ server:
 # disable-edns-do: no
 # Serve expired responses from cache, with serve-expired-reply-ttl in
- # the response, and then attempt to fetch the data afresh.
+ # the response. By default it first tries to refresh an expired answer.
+ # Can be configured with serve-expired-client-timeout.
 # serve-expired: no
 #
 # Limit serving of expired responses to configured seconds after 
@@ -749,10 +750,9 @@ server:
 #
 # Time in milliseconds before replying to the client with expired data.
 # This essentially enables the serve-stale behavior as specified in
- # RFC 8767 that first tries to resolve before
- # immediately responding with expired data. 0 disables this behavior.
- # A recommended value is 1800.
- # serve-expired-client-timeout: 0
+ # RFC 8767 that first tries to resolve before immediately responding
+ # with expired data. 0 disables this behavior.
+ # serve-expired-client-timeout: 1800
 # Return the original TTL as received from the upstream name server rather
 # than the decrementing TTL as stored in the cache. Enabling this feature
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 159afc673..cf6f14915 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1402,9 +1402,10 @@ Default is no.
 .TP
 .B serve\-expired: \fI
 If enabled, Unbound attempts to serve old responses from cache with a
-TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the
-actual resolution to finish. The actual resolution answer ends up in the cache
-later on. Default is "no".
+TTL of \fBserve\-expired\-reply\-ttl\fR in the response.
+By default the expired answer will be used after a resolution attempt errored
+out or is taking more than serve\-expired\-client\-timeout to resolve.
+Default is "no".
 .TP
 .B serve\-expired\-ttl: \fI
 Limit serving of expired responses to configured seconds after expiration. 0 
@@ -1424,12 +1425,14 @@ TTL value to use when replying with expired data. If use 30 as the value (RFC 8767). The default is 30. .TP .B serve\-expired\-client\-timeout: \fI -Time in milliseconds before replying to the client with expired data. This -essentially enables the serve-stale behavior as specified in RFC 8767 that first tries to resolve before immediately -responding with expired data. A recommended value per -RFC 8767 is 1800. Setting this to 0 will disable this -behavior. Default is 0. +Time in milliseconds before replying to the client with expired data. +This essentially enables the serve-stale behavior as specified in RFC 8767 that first tries to resolve before immediately +responding with expired data. +Setting this to 0 will disable this behavior and instead serve the expired +record immediately from the cache before attempting to refresh it via +resolution. +Default is 1800. .TP .B serve\-original\-ttl: \fI If enabled, Unbound will always return the original TTL as received from
diff --git a/util/config_file.c b/util/config_file.c
index 247d7c9f4..c1c55c529 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -283,7 +283,7 @@ config_create(void)
 cfg->serve_expired_ttl = 0;
 cfg->serve_expired_ttl_reset = 0;
 cfg->serve_expired_reply_ttl = 30;
- cfg->serve_expired_client_timeout = 0;
+ cfg->serve_expired_client_timeout = 1800;
 cfg->ede_serve_expired = 0;
 cfg->serve_original_ttl = 0;
 cfg->zonemd_permissive_mode = 0;
-- 
2.47.3
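Review bot: The new default on the `+` line is a bare `1800` whose unit and rationale are stated only in the man-page and example.conf hunks of this commit; inside `config_create` it reads as an arbitrary integer, and the same figure is now duplicated across three files with nothing tying them together. A trailing comment would keep the code self-explanatory, e.g. `cfg->serve_expired_client_timeout = 1800; /* ms; resolve-first window before serving stale data, RFC 8767 */`, or a named constant alongside the other serve-expired defaults if the header already has them. Note that this value only takes effect when `serve-expired` itself is enabled (still `no` per the docs hunks), so the secure-by-default gain is that operators who turn on serve-expired now get the resolve-first path unless they explicitly set the timeout to 0; any existing deployment or test scenario that relied on the old immediate-stale default would presumably need an explicit `serve-expired-client-timeout: 0`, which is worth checking before release. `config_create` begins and ends outside the hunk.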