From: Ondřej Surý
Date: Fri, 24 Sep 2021 07:35:11 +0000 (+0200)
Subject: Disable lame-ttl cache
X-Git-Tag: v9.11.36~2^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=201f887065e34949fc9f72d5d41ae293cd299800;p=thirdparty%2Fbind9.git

Disable lame-ttl cache

The lame-ttl cache is implemented in ADB as a per-server locked linked-list "indexed" with . This list has to be walked every time there's a new query or a new record added into the lame cache. A determined attacker can use this to degrade the performance of the resolver.

Resolver testing has shown that disabling the lame cache has little impact on the resolver performance and it's a minimal viable defense against this kind of attack.
---
diff --git a/bin/named/config.c b/bin/named/config.c index fbd2f2126c1..d24e4f8a26e 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -175,7 +175,7 @@ options {\n\ #if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2) " geoip-use-ecs yes;\n" #endif -" lame-ttl 600;\n" +" lame-ttl 0;\n" #ifdef HAVE_LMDB " lmdb-mapsize 32M;\n" #endif diff --git a/bin/named/server.c b/bin/named/server.c index 6ff95e3bcc4..9826588e6dd 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -3987,8 +3987,12 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, result = ns_config_get(maps, "lame-ttl", &obj); INSIST(result == ISC_R_SUCCESS); lame_ttl = cfg_obj_asuint32(obj); - if (lame_ttl > 1800) - lame_ttl = 1800; + if (lame_ttl > 0) { + cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING, + "disabling lame cache despite lame-ttl > 0 as it " + "may cause performance issues"); + lame_ttl = 0; + } dns_resolver_setlamettl(view->resolver, lame_ttl); /* diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index abf1d0f382d..29d8aa59956 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml
@@ -8929,12 +8929,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; lame-ttl - This sets the number of seconds to cache a - lame server indication. 0 disables caching. (This is - NOT recommended.) - The default is 600 (10 minutes) and the - maximum value is - 1800 (30 minutes). + This is always set to 0. More information is available + in the security advisory for CVE-2021-25219.
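Review bot: in the bin/named/config.c hunk the built-in default now reads `lame-ttl 0;`, which matches the value configure_view() forces in the server.c hunk, so a stock configuration will not log the new warning on every view; since this default string is where readers will look for the option's meaning, add a short comment beside the line saying the option is kept only for backward compatibility and that any non-zero value is overridden at configure time.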
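Review bot: in the bin/named/server.c hunk the new `if (lame_ttl > 0)` block logs at ISC_LOG_WARNING on every configure_view() call for every view that carries an explicit non-zero lame-ttl, so a named.conf that spells out the old default `lame-ttl 600;` will emit one warning per view on every start and reload; that is acceptable, but the message text "may cause performance issues" understates why the value is ignored. Suggest naming the real reason and the advisory the ARM hunk already cites, e.g. `"lame-ttl is ignored and the lame cache is disabled (CVE-2021-25219)"`, so operators searching the log find the advisory. Separately, the old clamp `if (lame_ttl > 1800) lame_ttl = 1800;` is gone and the only value ever passed is 0, so the defense rests entirely on dns_resolver_setlamettl(view->resolver, 0) being honoured by the resolver and ADB code, which is not part of this patch; confirm that a zero TTL both suppresses insertions into the per-server list and skips the walk on lookups, otherwise the list-walk cost the commit message describes remains.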
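Review bot: in the doc/arm/Bv9ARM-book.xml hunk the replacement text "This is always set to 0." drops the information an operator needs when upgrading: that the option is still accepted by the parser, that any non-zero value is ignored, and that named logs a warning when it sees one (the behaviour added in the server.c hunk of this same commit). Suggest wording such as "The lame cache is disabled and this option is ignored; a non-zero value is still accepted for backward compatibility but produces a warning at startup. See the security advisory for CVE-2021-25219." The removed sentence "0 disables caching. (This is NOT recommended.)" gave the opposite advice, so the reversal also deserves an entry in CHANGES or the release notes, which this patch does not touch.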
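To make the cost described in the commit message concrete, here is an added example (not BIND's code and not from the commit author): a Python model of a per-server lame cache whose list is walked on every insertion and on every lookup, run once with a 600-second TTL and once with lame-ttl 0. The class, the server address, the names and the node counter are constructed for illustration; how ADB actually stores and walks its lame entries is not shown on this page, only that the per-server list is walked each time.

```python
# Added example (not BIND's code): a small model of the per-server lame-server
# cache the commit message describes, to show why a per-server list that is
# walked on every lookup lets an attacker who can grow that list degrade
# resolver performance, and why lame-ttl 0 (no insertions, no walk) removes
# the cost. Names, the sample address and the cost counter are assumptions.


class LameCache:
    """Per-server list of (qname, qtype, expire) 'lame' markers.

    The list is walked linearly on every insertion (to avoid duplicates) and
    on every lookup, which is the behaviour the commit message complains about.
    """

    def __init__(self, lame_ttl):
        self.lame_ttl = lame_ttl      # seconds; 0 disables the cache entirely
        self.lists = {}               # server address -> list of entries
        self.nodes_walked = 0         # cumulative cost counter (list nodes visited)

    def _walk(self, server, qname, qtype, now):
        """Return True if a live matching entry exists; count every node visited."""
        for name, qt, expire in self.lists.get(server, ()):
            self.nodes_walked += 1
            if expire > now and name == qname and qt == qtype:
                return True
        return False

    def mark_lame(self, server, qname, qtype, now):
        """Record that `server` is lame for (qname, qtype); no-op when disabled."""
        if self.lame_ttl == 0:
            return False
        if self._walk(server, qname, qtype, now):
            return False              # already present, nothing to add
        self.lists.setdefault(server, []).append((qname, qtype, now + self.lame_ttl))
        return True

    def is_lame(self, server, qname, qtype, now):
        """Check made before sending a query; this walk is the amplified cost."""
        if self.lame_ttl == 0:
            return False
        return self._walk(server, qname, qtype, now)


def run_scenario(lame_ttl, n_entries):
    """One server is marked lame for n distinct (constructed) names, then a
    single unrelated lookup is made against that server.

    Returns (nodes walked during insertion, nodes walked by the one lookup,
    final list length for the server)."""
    cache = LameCache(lame_ttl)
    server = "192.0.2.53"             # constructed sample address (TEST-NET-1)
    for i in range(n_entries):
        # each name is distinct, so the dedup walk never matches and the list grows
        cache.mark_lame(server, f"n{i}.attacker.example.", "A", now=0)
    insert_walks = cache.nodes_walked
    cache.nodes_walked = 0
    cache.is_lame(server, "www.victim.example.", "A", now=1)
    lookup_walks = cache.nodes_walked
    return insert_walks, lookup_walks, len(cache.lists.get(server, []))


if __name__ == "__main__":
    for ttl in (600, 0):
        for n in (100, 1000):
            ins, look, size = run_scenario(ttl, n)
            print(f"lame-ttl {ttl:>3}: {n:>5} entries -> {ins:>7} nodes walked "
                  f"while inserting, {look:>5} walked for one lookup, "
                  f"list length {size}")
```

With the cache enabled the insertion cost grows quadratically and every later lookup against that server pays a walk proportional to the number of entries the attacker managed to plant; with lame-ttl 0 nothing is stored and nothing is walked, which is the trade the commit makes.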