From: Wouter Wijngaards Date: Tue, 28 Aug 2007 11:53:27 +0000 (+0000) Subject: permissive mode feature. X-Git-Tag: release-0.5~85 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=60470b186ed964c87dff99516b3cef887a52eaba;p=thirdparty%2Funbound.git permissive mode feature. git-svn-id: file:///svn/unbound/trunk@556 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index 32409cb22..c4955dc35 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -7,6 +7,8 @@ rrsets are encountered, there are then validated. - enforce that signing is done by a parent domain (or same domain). - adjust TTL downwards if rrset TTL bigger than signature allows. + - permissive mode feature, sets AD bit for secure, but bogus does + not give servfail (bogus is changed into indeterminate). 27 August 2007: Wouter - do not garble the edns if a cache answer fails. diff --git a/doc/example.conf b/doc/example.conf index f81118d2e..37ec62cd2 100644 --- a/doc/example.conf +++ b/doc/example.conf @@ -177,6 +177,13 @@ server: # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. # val-clean-additional: yes + + # Turn permissive mode on to permit bogus messages. Thus, messages + # for which security checks failed will be returned to clients, + # instead of SERVFAIL. It still performs the security checks, which + # result in interesting log files and possibly the AD bit in + # replies if the message is found secure. The default is off. + # val-permissive-mode: no # Stub zones. # Create entries like below, to make all queries for 'example.com' and diff --git a/doc/unbound.conf.5 b/doc/unbound.conf.5 index ab17058d2..728e2899d 100644 --- a/doc/unbound.conf.5 +++ b/doc/unbound.conf.5 @@ -215,6 +215,13 @@ messages that are not signed properly. Messages that are insecure, bogus, indeterminate or unchecked are not affected. Default is yes. Use this setting to protect the users that rely on this validator for authentication from protentially bad data in the additional section. +.It \fBval-permissive-mode:\fR +Instruct the validator to mark bogus messages as indeterminate. The security +checks are performed, but if the result is bogus (failed security), the +reply is not withheld from the client with SERVFAIL as usual. The client +receives the bogus data. For messages that are found to be secure the AD bit +is set in replies. Also logging is performed as for full validation. +The default value is "no". .El .Ss Stub Zone Options diff --git a/util/config_file.c b/util/config_file.c index 07d13300f..42df33d05 100644 --- a/util/config_file.c +++ b/util/config_file.c @@ -89,7 +89,6 @@ config_create() cfg->infra_cache_slabs = 4; cfg->infra_cache_numhosts = 10000; cfg->infra_cache_numlame = 1000; - cfg->val_clean_additional = 1; if(!(cfg->username = strdup(""))) goto error_exit; if(!(cfg->chrootdir = strdup(""))) goto error_exit; if(!(cfg->directory = strdup("/etc/unbound"))) goto error_exit; @@ -116,6 +115,8 @@ config_create() cfg->trust_anchor_file_list = NULL; cfg->trust_anchor_list = NULL; cfg->val_date_override = 0; + cfg->val_clean_additional = 1; + cfg->val_permissive_mode = 0; if(!(cfg->module_conf = strdup("iterator"))) goto error_exit; return cfg; error_exit: diff --git a/util/config_file.h b/util/config_file.h index d5cdea70f..bedc74689 100644 --- a/util/config_file.h +++ b/util/config_file.h @@ -150,6 +150,8 @@ struct config_file { int bogus_ttl; /** should validator clean additional section for secure msgs */ int val_clean_additional; + /** should validator allow bogus messages to go through */ + int val_permissive_mode; /** daemonize, i.e. fork into the background. */ int do_daemonize; diff --git a/util/configlexer.lex b/util/configlexer.lex index 8c3e5438a..c77800855 100644 --- a/util/configlexer.lex +++ b/util/configlexer.lex @@ -147,6 +147,7 @@ trust-anchor{COLON} { YDOUT; return VAR_TRUST_ANCHOR;} val-override-date{COLON} { YDOUT; return VAR_VAL_OVERRIDE_DATE;} val-bogus-ttl{COLON} { YDOUT; return VAR_BOGUS_TTL;} val-clean-additional{COLON} { YDOUT; return VAR_VAL_CLEAN_ADDITIONAL;} +val-permissive-mode{COLON} { YDOUT; return VAR_VAL_PERMISSIVE_MODE;} {NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++;} /* Quoted strings. Strip leading and ending quotes */ diff --git a/util/configparser.y b/util/configparser.y index d17bb229b..525e6c546 100644 --- a/util/configparser.y +++ b/util/configparser.y @@ -81,7 +81,7 @@ extern struct config_parser_state* cfg_parser; %token VAR_DO_NOT_QUERY_ADDRESS VAR_HIDE_IDENTITY VAR_HIDE_VERSION %token VAR_IDENTITY VAR_VERSION VAR_HARDEN_GLUE VAR_MODULE_CONF %token VAR_TRUST_ANCHOR_FILE VAR_TRUST_ANCHOR VAR_VAL_OVERRIDE_DATE -%token VAR_BOGUS_TTL VAR_VAL_CLEAN_ADDITIONAL +%token VAR_BOGUS_TTL VAR_VAL_CLEAN_ADDITIONAL VAR_VAL_PERMISSIVE_MODE %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; @@ -116,7 +116,7 @@ content_server: server_num_threads | server_verbosity | server_port | server_hide_version | server_identity | server_version | server_harden_glue | server_module_conf | server_trust_anchor_file | server_trust_anchor | server_val_override_date | server_bogus_ttl | - server_val_clean_additional + server_val_clean_additional | server_val_permissive_mode ; stubstart: VAR_STUB_ZONE { @@ -525,7 +525,16 @@ server_val_clean_additional: VAR_VAL_CLEAN_ADDITIONAL STRING free($2); } ; - +server_val_permissive_mode: VAR_VAL_PERMISSIVE_MODE STRING + { + OUTYY(("P(server_val_permissive_mode:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->val_permissive_mode = + (strcmp($2, "yes")==0); + free($2); + } + ; stub_name: VAR_NAME STRING { OUTYY(("P(name:%s)\n", $2)); diff --git a/validator/validator.c b/validator/validator.c index 6277b23f6..89eec213c 100644 --- a/validator/validator.c +++ b/validator/validator.c @@ -60,6 +60,7 @@ val_apply_cfg(struct val_env* val_env, struct config_file* cfg) { val_env->bogus_ttl = (uint32_t)cfg->bogus_ttl; val_env->clean_additional = cfg->val_clean_additional; + val_env->permissive_mode = cfg->val_permissive_mode; if(!val_env->anchors) val_env->anchors = anchors_create(); if(!val_env->anchors) { @@ -85,13 +86,14 @@ static int val_init(struct module_env* env, int id) { struct val_env* val_env = (struct val_env*)calloc(1, - sizeof(struct val_env)); + sizeof(struct val_env)); if(!val_env) { log_err("malloc failure"); return 0; } env->modinfo[id] = (void*)val_env; env->need_to_validate = 1; + val_env->permissive_mode = 0; if(!val_apply_cfg(val_env, env->cfg)) { log_err("validator: could not apply configuration settings."); return 0; @@ -1253,6 +1255,9 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq, * endless bogus revalidation */ if(vq->orig_msg->rep->security == sec_status_bogus) { vq->orig_msg->rep->ttl = time(0) + ve->bogus_ttl; + /* If we are in permissive mode, bogus gets indeterminate */ + if(ve->permissive_mode) + vq->orig_msg->rep->security = sec_status_indeterminate; } /* store results in cache */ diff --git a/validator/validator.h b/validator/validator.h index 2861621b4..1fd08d4aa 100644 --- a/validator/validator.h +++ b/validator/validator.h @@ -79,6 +79,14 @@ struct val_env { * secure messages. */ int clean_additional; + + /** + * If set, the validator will not make messages bogus, instead + * indeterminate is issued, so that no clients receive SERVFAIL. + * This allows an operator to run validation 'shadow' without + * hurting responses to clients. + */ + int permissive_mode; }; /**