5774. [func] Restore NSEC Aggressive Cache ("synth-from-dnssec")
as active by default. It is limited to NSEC only
and by default ignores NSEC records with next name
- in form \000.domain.
-
- Added 'server <prefix> { broken-nsec yes; };' to
- identify servers from which NSEC records in negative
- responses will not be cached. These records will
- then not be available for synth-from-dnssec to use.
- [GL #1265]
+ in form \000.domain. [GL #1265]
5773. [func] Change the message when accepting TCP connection has
failed to say "Accepting TCP connection failed" and
query-source address *;\n\
query-source-v6 address *;\n\
recursion true;\n\
- reject-000-label yes;\n\
request-expire true;\n\
request-ixfr true;\n\
require-server-cookie no;\n\
recursing-file quoted_string;
recursion boolean;
recursive-clients integer;
- reject-000-label boolean;// deprecated
request-expire boolean;
request-ixfr boolean;
request-nsid boolean;
server netprefix {
bogus boolean;
- broken-nsec boolean;// deprecated
edns boolean;
edns-udp-size integer;
edns-version integer;
window integer;
};
recursion boolean;
- reject-000-label boolean;// deprecated
request-expire boolean;
request-ixfr boolean;
request-nsid boolean;
serial-update-method ( date | increment | unixtime );
server netprefix {
bogus boolean;
- broken-nsec boolean;// deprecated
edns boolean;
edns-udp-size integer;
edns-version integer;
CHECK(dns_peer_setbogus(peer, cfg_obj_asboolean(obj)));
}
- obj = NULL;
- (void)cfg_map_get(cpeer, "broken-nsec", &obj);
- if (obj != NULL) {
- CHECK(dns_peer_setbrokennsec(peer, cfg_obj_asboolean(obj)));
- }
-
obj = NULL;
(void)cfg_map_get(cpeer, "provide-ixfr", &obj);
if (obj != NULL) {
INSIST(result == ISC_R_SUCCESS);
view->acceptexpired = cfg_obj_asboolean(obj);
- obj = NULL;
- result = named_config_get(maps, "reject-000-label", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->reject_000_label = cfg_obj_asboolean(obj);
-
obj = NULL;
/* 'optionmaps', not 'maps': don't check named_g_defaults yet */
(void)named_config_get(optionmaps, "dnssec-validation", &obj);
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-server 10.0.0/24 {
- broken-nsec yes;
-};
server 0.0.0.0 {
bogus no;
- broken-nsec no;
edns no;
edns-udp-size 512;
edns-version 0;
server :: {
bogus no;
- broken-nsec no;
edns no;
edns-udp-size 512;
edns-version 0;
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-// NS2
-
-options {
- query-source address 10.53.0.7;
- notify-source 10.53.0.7;
- transfer-source 10.53.0.7;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.7; };
- listen-on-v6 { none; };
- recursion yes;
- notify no;
- dnssec-validation yes;
-};
-
-server 10.53.0.1 {
- broken-nsec yes;
-};
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm hmac-sha256;
-};
-
-controls {
- inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-statistics-channels {
- inet 10.53.0.7 port @EXTRAPORT1@ allow { any; };
-};
-
-zone "." {
- type hint;
- file "root.hints";
-};
-
-include "../ns1/trusted.conf";
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-. NS ns1
-ns1 A 10.53.0.1
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-// NS2
-
-options {
- query-source address 10.53.0.8;
- notify-source 10.53.0.8;
- transfer-source 10.53.0.8;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.8; };
- listen-on-v6 { none; };
- recursion yes;
- notify no;
- dnssec-validation yes;
- reject-000-label no;
-};
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm hmac-sha256;
-};
-
-controls {
- inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-statistics-channels {
- inet 10.53.0.8 port @EXTRAPORT1@ allow { any; };
-};
-
-zone "." {
- type hint;
- file "root.hints";
-};
-
-include "../ns1/trusted.conf";
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-. NS ns1
-ns1 A 10.53.0.1
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
-copy_setports ns7/named.conf.in ns7/named.conf
-copy_setports ns8/named.conf.in ns8/named.conf
(
cd ns1
status=0
n=1
synth_default=yes
-reject_default=yes
rm -f dig.out.*
return 0
}
-for ns in 2 4 5 6 7 8
+for ns in 2 4 5 6
do
case $ns in
2) ad=yes; description="<default>";;
4) ad=yes; description="no";;
5) ad=yes; description="yes";;
6) ad=no; description="yes; dnssec-validation no";;
- 7) ad=yes; description="yes; server 10.53.0.1 { broken-nsec yes; };";;
- 8) ad=yes; description="yes; reject-000-label no;";;
*) exit 1;;
esac
echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
#
sleep 1
-for ns in 2 4 5 6 7 8
+for ns in 2 4 5 6
do
case $ns in
- 2) ad=yes synth=${synth_default} reject=${reject_default} description="<default>";;
- 4) ad=yes synth=no reject=${reject_default} description="no";;
- 5) ad=yes synth=yes reject=${reject_default} description="yes";;
- 6) ad=no synth=no reject=${reject_default} description="yes; dnssec-validation no";;
- 7) ad=yes synth=no reject=${reject_default} description="yes; server 10.53.0.1 { broken-nsec yes; };";;
- 8) ad=yes synth=yes reject=no description="yes; reject-000-label no;";;
+ 2) ad=yes synth=${synth_default} description="<default>";;
+ 4) ad=yes synth=no description="no";;
+ 5) ad=yes synth=yes description="yes";;
+ 6) ad=no synth=no description="yes; dnssec-validation no";;
*) exit 1;;
esac
echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
- echo_i "check back lie NODATA response (synth-from-dnssec ${description};) ($n)"
+ echo_i "check black lie NODATA response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts black.minimal. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
- if [ ${synth} = yes -a ${reject} = no ]
- then
- check_synth_soa minimal. dig.out.ns${ns}.test$n || ret=1
- nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null && ret=1
- else
- check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
- nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null || ret=1
- fi
+ check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null || ret=1
digcomp black.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
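Review bot: The rewritten NODATA check (`check_nosynth_soa` followed by the grep that requires the upstream `black.minimal/AAAA` query to appear) is now the only regression test for the unconditional `\000` next-name rejection, but nothing in the hunk says so; the removed `reject=no` branch made that intent visible and the new lines do not. I would add a comment above the `dig_with_opts black.minimal.` line: `# black lie: ns1's NSEC for black.minimal presumably carries a \000 next owner name, which the resolver never caches for synthesis (has_000_label), so the query must reach ns1 whatever synth-from-dnssec is set to.` The `has_000_label` reference is taken from the resolver.c hunk in this commit rather than from this file, so confirm the wording against the zone data in ns1. The enclosing for loop begins and ends outside this hunk.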
count=$(grep "cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l)
test $count = 2 || ret=1
zero=$(grep "0 cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l)
- if [ ${ad} = no -o $ns = 7 ]
+ if [ ${ad} = yes ]
then
- test $zero = 2 || ret=1
- else
test $zero = 1 || ret=1
+ else
+ test $zero = 2 || ret=1
fi
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
do
case $synthesized in
NXDOMAIN) count=1;;
- no-data) if [ ${reject} = yes ]; then count=4; else count=5; fi;;
+ no-data) count=4;;
wildcard) count=2;;
esac
echo_i "check 'rndc stats' output for 'synthesized a ${synthesized} response' (synth-from-dnssec ${description};) ($n)"
count=$(echo "$counter" | grep CacheNSECNodes | wc -l)
test $count = 1 || ret=1
zero=$(echo "$counter" | grep ">0<" | wc -l)
- if [ ${ad} = no -o $ns = 7 ]
+ if [ ${ad} = yes ]
then
- test $zero = 1 || ret=1
- else
test $zero = 0 || ret=1
+ else
+ test $zero = 1 || ret=1
fi
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
do
case $synthesized in
SynthNXDOMAIN) count=1;;
- SynthNODATA) if [ $reject = yes ]; then count=4; else count=5; fi;;
+ SynthNODATA) count=4;;
SynthWILDCARD) count=2;;
esac
count=$(grep '"CacheNSECNodes":' $json | wc -l)
test $count = 2 || ret=1
zero=$(grep '"CacheNSECNodes":0' $json | wc -l)
- if [ ${ad} = no -o $ns = 7 ]
+ if [ ${ad} = yes ]
then
- test $zero = 2 || ret=1
- else
test $zero = 1 || ret=1
+ else
+ test $zero = 2 || ret=1
fi
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
do
case $synthesized in
SynthNXDOMAIN) count=1;;
- SynthNODATA) if [ $reject = yes ]; then count=4; else count=5; fi;;
+ SynthNODATA) count=4;;
SynthWILDCARD) count=2;;
esac
default is ``no``. Setting this option to ``yes`` leaves ``named``
vulnerable to replay attacks.
-.. _reject_000_label:
-
-``reject-000-label``
- This controls whether NSEC records whose Next Owner Name field starts
- with a ``\000`` label are cached for use by the ``synth-from-dnssec``
- feature. The default is ``yes``, which means these records are not
- used for negative response synthesis. This is a temporary measure to
- improve interoperability with authoritative servers that generate
- incorrect NSEC records. The default value of this option may change
- in a future release, or it may be removed altogether.
-
``querylog``
Query logging provides a complete log of all incoming queries and all query
errors. This provides more insight into the server's activity, but with a
have been proved to be correct using DNSSEC.
The default is ``yes``.
- The ``reject-000-label`` :ref:`option <reject_000_label>` and the
- ``broken-nsec`` :ref:`server configuration clause
- <server_broken_nsec>` can be used to prevent broken NSEC records from
- causing incorrect negative responses to be synthesized when
- ``synth-from-dnssec`` is set to ``yes``.
-
.. note:: DNSSEC validation must be enabled for this option to be effective.
This initial implementation only covers synthesis of answers from
NSEC records; synthesis from NSEC3 is planned for the future. This
as bogus prevents further queries to it. The default value of
``bogus`` is ``no``.
-.. _server_broken_nsec:
-
-The ``broken-nsec`` clause determines whether the NSEC records found in
-negative responses sent by the remote server are ignored for the purpose
-of synthesizing negative responses or not. The default is ``no``.
-Setting this to ``yes`` can be used to prevent broken NSEC records from
-causing incorrect negative responses to be synthesized when
-``synth-from-dnssec`` is set to ``yes``. This option may be removed in a
-future release.
-
The ``provide-ixfr`` clause determines whether the local server, acting
as primary, responds with an incremental zone transfer when the given
remote server, a secondary, requests it. If set to ``yes``, incremental
recursing\-file quoted_string;
recursion boolean;
recursive\-clients integer;
- reject\-000\-label boolean;// deprecated
request\-expire boolean;
request\-ixfr boolean;
request\-nsid boolean;
.ft C
server netprefix {
bogus boolean;
- broken\-nsec boolean;// deprecated
edns boolean;
edns\-udp\-size integer;
edns\-version integer;
window integer;
};
recursion boolean;
- reject\-000\-label boolean;// deprecated
request\-expire boolean;
request\-ixfr boolean;
request\-nsid boolean;
serial\-update\-method ( date | increment | unixtime );
server netprefix {
bogus boolean;
- broken\-nsec boolean;// deprecated
edns boolean;
edns\-udp\-size integer;
edns\-version integer;
recursing-file <quoted_string>;
recursion <boolean>;
recursive-clients <integer>;
- reject-000-label <boolean>; // deprecated
request-expire <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;
server <netprefix> {
bogus <boolean>;
- broken-nsec <boolean>; // deprecated
edns <boolean>;
edns-udp-size <integer>;
edns-version <integer>;
window <integer>;
};
recursion <boolean>;
- reject-000-label <boolean>; // deprecated
request-expire <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;
serial-update-method ( date | increment | unixtime );
server <netprefix> {
bogus <boolean>;
- broken-nsec <boolean>; // deprecated
edns <boolean>;
edns-udp-size <integer>;
edns-version <integer>;
recursing-file <quoted_string>;
recursion <boolean>;
recursive-clients <integer>;
- reject-000-label <boolean>; // deprecated
request-expire <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;
server <netprefix> {
bogus <boolean>;
- broken-nsec <boolean>; // deprecated
edns <boolean>;
edns-udp-size <integer>;
edns-version <integer>;
window <integer>;
};
recursion <boolean>;
- reject-000-label <boolean>; // deprecated
request-expire <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;
serial-update-method ( date | increment | unixtime );
server <netprefix> {
bogus <boolean>;
- broken-nsec <boolean>; // deprecated
edns <boolean>;
edns-udp-size <integer>;
edns-version <integer>;
recursing-file <quoted_string>;
recursion <boolean>;
recursive-clients <integer>;
- reject-000-label <boolean>; // deprecated
request-expire <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;
server <netprefix> {
bogus <boolean>;
- broken-nsec <boolean>; // deprecated
edns <boolean>;
edns-udp-size <integer>;
edns-version <integer>;
isc_result_t (*set)(dns_peer_t *peer, bool newval);
} bools[] = {
{ "bogus", dns_peer_setbogus },
- { "broken-nsec", dns_peer_setbrokennsec },
{ "edns", dns_peer_setsupportedns },
{ "provide-ixfr", dns_peer_setprovideixfr },
{ "request-expire", dns_peer_setrequestexpire },
void
dns_peer_detach(dns_peer_t **list);
-isc_result_t
-dns_peer_setbrokennsec(dns_peer_t *peer, bool newval);
-
-isc_result_t
-dns_peer_getbrokennsec(dns_peer_t *peer, bool *retval);
-
isc_result_t
dns_peer_setbogus(dns_peer_t *peer, bool newval);
bool synthfromdnssec;
bool trust_anchor_telemetry;
bool root_key_sentinel;
- bool reject_000_label;
dns_transfer_format_t transfer_format;
dns_acl_t *cacheacl;
dns_acl_t *cacheonacl;
bool force_tcp;
bool tcp_keepalive;
bool check_axfr_id;
- bool broken_nsec;
dns_name_t *key;
isc_sockaddr_t *transfer_source;
isc_dscp_t transfer_dscp;
#define FORCE_TCP_BIT 15
#define SERVER_PADDING_BIT 16
#define REQUEST_TCP_KEEPALIVE_BIT 17
-#define BROKEN_NSEC 18
static void
peerlist_delete(dns_peerlist_t **list);
}
}
-isc_result_t
-dns_peer_setbrokennsec(dns_peer_t *peer, bool newval) {
- bool existed;
-
- REQUIRE(DNS_PEER_VALID(peer));
-
- existed = DNS_BIT_CHECK(BROKEN_NSEC, &peer->bitflags);
-
- peer->broken_nsec = newval;
- DNS_BIT_SET(BROKEN_NSEC, &peer->bitflags);
-
- return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_getbrokennsec(dns_peer_t *peer, bool *retval) {
- REQUIRE(DNS_PEER_VALID(peer));
- REQUIRE(retval != NULL);
-
- if (DNS_BIT_CHECK(BROKEN_NSEC, &peer->bitflags)) {
- *retval = peer->broken_nsec;
- return (ISC_R_SUCCESS);
- } else {
- return (ISC_R_NOTFOUND);
- }
-}
-
isc_result_t
dns_peer_settransfers(dns_peer_t *peer, uint32_t newval) {
bool existed;
dns_valarg_t *valarg;
dns_validatorevent_t *vevent;
fetchctx_t *fctx = NULL;
- bool broken_nsec = false;
bool chaining;
bool negative;
bool sentresponse;
dns_fixedname_t fwild;
dns_name_t *wild = NULL;
dns_message_t *message = NULL;
- dns_peer_t *peer = NULL;
- isc_netaddr_t ipaddr;
UNUSED(task); /* for now */
answer_response:
- isc_netaddr_fromsockaddr(&ipaddr, &addrinfo->sockaddr);
- (void)dns_peerlist_peerbyaddr(fctx->res->view->peers, &ipaddr, &peer);
- if (peer != NULL) {
- (void)dns_peer_getbrokennsec(peer, &broken_nsec);
- }
/*
* Cache any SOA/NS/NSEC records that happened to be validated.
*/
continue;
}
- /*
- * If this peer has been marked as emitting broken
- * NSEC records do not cache it.
- */
- if (rdataset->type == dns_rdatatype_nsec && broken_nsec)
- {
- continue;
- }
-
/*
* Don't cache NSEC if missing NSEC or RRSIG types.
*/
* Look for \000 label in next name.
*/
if (rdataset->type == dns_rdatatype_nsec &&
- fctx->res->view->reject_000_label &&
- has_000_label(rdataset))
- {
+ has_000_label(rdataset)) {
continue;
}
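Review bot: With the `fctx->res->view->reject_000_label` test removed, the `\000` next-name check on these lines is now unconditional, yet the comment above it still only says `Look for \000 label in next name`, and the ARM paragraphs that explained the behaviour (`reject-000-label` and the note under `synth-from-dnssec`) are deleted in this same commit, so the reason is no longer written down anywhere. I would expand the comment to: `Never cache an NSEC whose next owner name starts with a \000 label: such records come from authoritative servers that generate incorrect NSEC, and synth-from-dnssec would turn them into incorrect negative responses. There is no longer a configuration knob to override this.` The CHANGES entry for 5774 still says named `by default ignores` these records, which is misleading now that there is no default to override. Minor style point: the removed lines placed `{` on its own line after the multi-line condition, which appears to be what the tree's clang-format does, so `has_000_label(rdataset)) {` is likely to be reflowed on the next format run. The enclosing loop and function begin outside the hunk.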
view->synthfromdnssec = true;
view->trust_anchor_telemetry = true;
view->root_key_sentinel = true;
- view->reject_000_label = true;
view->new_zone_dir = NULL;
view->new_zone_file = NULL;
view->new_zone_db = NULL;
{ "queryport-pool-updateinterval", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "rate-limit", &cfg_type_rrl, 0 },
{ "recursion", &cfg_type_boolean, 0 },
- { "reject-000-label", &cfg_type_boolean, CFG_CLAUSEFLAG_DEPRECATED },
{ "request-nsid", &cfg_type_boolean, 0 },
{ "request-sit", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "require-server-cookie", &cfg_type_boolean, 0 },
*/
static cfg_clausedef_t server_clauses[] = {
{ "bogus", &cfg_type_boolean, 0 },
- { "broken-nsec", &cfg_type_boolean, CFG_CLAUSEFLAG_DEPRECATED },
{ "edns", &cfg_type_boolean, 0 },
{ "edns-udp-size", &cfg_type_uint32, 0 },
{ "edns-version", &cfg_type_uint32, 0 },