summaryrefslogtreecommitdiffstats
path: root/contrib/bind9/bin
diff options
context:
space:
mode:
authordougb <dougb@FreeBSD.org>2008-07-12 09:38:35 +0000
committerdougb <dougb@FreeBSD.org>2008-07-12 09:38:35 +0000
commit4afe5943d6e4967f6989ddb9929901afd4ceaa0d (patch)
treee51bbcd208ed81b4eecedb53a8d30ab814336c91 /contrib/bind9/bin
parent3be39aaa2321c7819460930d0f8e796520705114 (diff)
downloadFreeBSD-src-4afe5943d6e4967f6989ddb9929901afd4ceaa0d.zip
FreeBSD-src-4afe5943d6e4967f6989ddb9929901afd4ceaa0d.tar.gz
Merge from vendor/bind9/dist as of the 9.4.2-P1 import, including
the patch from ISC for lib/bind9/check.c and deletion of unused files in lib/bind. This version will by default randomize the UDP query source port (and sequence number of course) for every query. In order to take advantage of this randomization users MUST have an appropriate firewall configuration to allow UDP queries to be sent and answers to be received on random ports; and users MUST NOT specify a port number using the query-source[-v6] options. The avoid-v[46]-udp-ports options exist for users who wish to eliminate certain port numbers from being chosen by named for this purpose. See the ARM Chatper 6 for more information. Also please note, this issue applies only to UDP query ports. A random ephemeral port is always chosen for TCP queries. This issue applies primarily to name servers whose main purpose is to resolve random queries (sometimes referred to as "caching" servers, or more properly as "resolving" servers), although even an "authoritative" name server will make some queries, primarily at startup time. All users of BIND are strongly encouraged to upgrade to the latest version, and to utilize the source port randomization feature. This update addresses issues raised in: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 http://www.kb.cert.org/vuls/id/800113 http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience
Diffstat (limited to 'contrib/bind9/bin')
-rw-r--r--contrib/bind9/bin/named/client.c10
-rw-r--r--contrib/bind9/bin/named/server.c34
2 files changed, 28 insertions, 16 deletions
diff --git a/contrib/bind9/bin/named/client.c b/contrib/bind9/bin/named/client.c
index b0e9cdd..87dbdb8 100644
--- a/contrib/bind9/bin/named/client.c
+++ b/contrib/bind9/bin/named/client.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: client.c,v 1.219.18.28 2007/08/28 07:20:00 tbox Exp $ */
+/* $Id: client.c,v 1.219.18.28.10.1 2008/05/22 21:28:04 each Exp $ */
#include <config.h>
@@ -1440,14 +1440,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
}
/*
- * Hash the incoming request here as it is after
- * dns_dispatch_importrecv().
- */
- dns_dispatch_hash(&client->now, sizeof(client->now));
- dns_dispatch_hash(isc_buffer_base(buffer),
- isc_buffer_usedlength(buffer));
-
- /*
* It's a request. Parse it.
*/
result = dns_message_parse(client->message, buffer, 0);
diff --git a/contrib/bind9/bin/named/server.c b/contrib/bind9/bin/named/server.c
index cd8bff1..8e0c66c 100644
--- a/contrib/bind9/bin/named/server.c
+++ b/contrib/bind9/bin/named/server.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.419.18.57 2007/08/28 07:20:01 tbox Exp $ */
+/* $Id: server.c,v 1.419.18.57.10.1 2008/05/22 21:28:04 each Exp $ */
/*! \file */
@@ -540,6 +540,14 @@ get_view_querysource_dispatch(const cfg_obj_t **maps,
attrs |= DNS_DISPATCHATTR_IPV6;
break;
}
+
+ if (isc_sockaddr_getport(&sa) != 0) {
+ INSIST(obj != NULL);
+ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_INFO,
+ "using specific query-source port suppresses port "
+ "randomization and can be insecure.");
+ }
+
attrmask = 0;
attrmask |= DNS_DISPATCHATTR_UDP;
attrmask |= DNS_DISPATCHATTR_TCP;
@@ -549,7 +557,7 @@ get_view_querysource_dispatch(const cfg_obj_t **maps,
disp = NULL;
result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
ns_g_taskmgr, &sa, 4096,
- 1000, 32768, 16411, 16433,
+ 1024, 32768, 16411, 16433,
attrs, attrmask, &disp);
if (result != ISC_R_SUCCESS) {
isc_sockaddr_t any;
@@ -2369,7 +2377,9 @@ scan_interfaces(ns_server_t *server, isc_boolean_t verbose) {
}
static isc_result_t
-add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr) {
+add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr,
+ isc_boolean_t wcardport_ok)
+{
ns_listenelt_t *lelt = NULL;
dns_acl_t *src_acl = NULL;
dns_aclelement_t aelt;
@@ -2379,7 +2389,8 @@ add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr) {
REQUIRE(isc_sockaddr_pf(addr) == AF_INET6);
isc_sockaddr_any6(&any_sa6);
- if (!isc_sockaddr_equal(&any_sa6, addr)) {
+ if (!isc_sockaddr_equal(&any_sa6, addr) &&
+ (wcardport_ok || isc_sockaddr_getport(addr) != 0)) {
aelt.type = dns_aclelementtype_ipprefix;
aelt.negative = ISC_FALSE;
aelt.u.ip_prefix.prefixlen = 128;
@@ -2438,7 +2449,16 @@ adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) {
result = dns_dispatch_getlocaladdress(dispatch6, &addr);
if (result != ISC_R_SUCCESS)
goto fail;
- result = add_listenelt(mctx, list, &addr);
+
+ /*
+ * We always add non-wildcard address regardless of whether
+ * the port is 'any' (the fourth arg is TRUE): if the port is
+ * specific, we need to add it since it may conflict with a
+ * listening interface; if it's zero, we'll dynamically open
+ * query ports, and some of them may override an existing
+ * wildcard IPv6 port.
+ */
+ result = add_listenelt(mctx, list, &addr, ISC_TRUE);
if (result != ISC_R_SUCCESS)
goto fail;
}
@@ -2468,12 +2488,12 @@ adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) {
continue;
addrp = dns_zone_getnotifysrc6(zone);
- result = add_listenelt(mctx, list, addrp);
+ result = add_listenelt(mctx, list, addrp, ISC_FALSE);
if (result != ISC_R_SUCCESS)
goto fail;
addrp = dns_zone_getxfrsource6(zone);
- result = add_listenelt(mctx, list, addrp);
+ result = add_listenelt(mctx, list, addrp, ISC_FALSE);
if (result != ISC_R_SUCCESS)
goto fail;
}
OpenPOWER on IntegriCloud