diff options
author | dougb <dougb@FreeBSD.org> | 2008-07-12 09:38:35 +0000 |
---|---|---|
committer | dougb <dougb@FreeBSD.org> | 2008-07-12 09:38:35 +0000 |
commit | 4afe5943d6e4967f6989ddb9929901afd4ceaa0d (patch) | |
tree | e51bbcd208ed81b4eecedb53a8d30ab814336c91 /contrib/bind9/bin | |
parent | 3be39aaa2321c7819460930d0f8e796520705114 (diff) | |
download | FreeBSD-src-4afe5943d6e4967f6989ddb9929901afd4ceaa0d.zip FreeBSD-src-4afe5943d6e4967f6989ddb9929901afd4ceaa0d.tar.gz |
Merge from vendor/bind9/dist as of the 9.4.2-P1 import, including
the patch from ISC for lib/bind9/check.c and deletion of unused
files in lib/bind.
This version will by default randomize the UDP query source port
(and sequence number of course) for every query.
In order to take advantage of this randomization users MUST have an
appropriate firewall configuration to allow UDP queries to be sent and
answers to be received on random ports; and users MUST NOT specify a
port number using the query-source[-v6] options.
The avoid-v[46]-udp-ports options exist for users who wish to eliminate
certain port numbers from being chosen by named for this purpose. See
the ARM Chatper 6 for more information.
Also please note, this issue applies only to UDP query ports. A random
ephemeral port is always chosen for TCP queries.
This issue applies primarily to name servers whose main purpose is to
resolve random queries (sometimes referred to as "caching" servers, or
more properly as "resolving" servers), although even an "authoritative"
name server will make some queries, primarily at startup time.
All users of BIND are strongly encouraged to upgrade to the latest
version, and to utilize the source port randomization feature.
This update addresses issues raised in:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113
http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience
Diffstat (limited to 'contrib/bind9/bin')
-rw-r--r-- | contrib/bind9/bin/named/client.c | 10 | ||||
-rw-r--r-- | contrib/bind9/bin/named/server.c | 34 |
2 files changed, 28 insertions, 16 deletions
diff --git a/contrib/bind9/bin/named/client.c b/contrib/bind9/bin/named/client.c index b0e9cdd..87dbdb8 100644 --- a/contrib/bind9/bin/named/client.c +++ b/contrib/bind9/bin/named/client.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.219.18.28 2007/08/28 07:20:00 tbox Exp $ */ +/* $Id: client.c,v 1.219.18.28.10.1 2008/05/22 21:28:04 each Exp $ */ #include <config.h> @@ -1440,14 +1440,6 @@ client_request(isc_task_t *task, isc_event_t *event) { } /* - * Hash the incoming request here as it is after - * dns_dispatch_importrecv(). - */ - dns_dispatch_hash(&client->now, sizeof(client->now)); - dns_dispatch_hash(isc_buffer_base(buffer), - isc_buffer_usedlength(buffer)); - - /* * It's a request. Parse it. */ result = dns_message_parse(client->message, buffer, 0); diff --git a/contrib/bind9/bin/named/server.c b/contrib/bind9/bin/named/server.c index cd8bff1..8e0c66c 100644 --- a/contrib/bind9/bin/named/server.c +++ b/contrib/bind9/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.419.18.57 2007/08/28 07:20:01 tbox Exp $ */ +/* $Id: server.c,v 1.419.18.57.10.1 2008/05/22 21:28:04 each Exp $ */ /*! \file */ @@ -540,6 +540,14 @@ get_view_querysource_dispatch(const cfg_obj_t **maps, attrs |= DNS_DISPATCHATTR_IPV6; break; } + + if (isc_sockaddr_getport(&sa) != 0) { + INSIST(obj != NULL); + cfg_obj_log(obj, ns_g_lctx, ISC_LOG_INFO, + "using specific query-source port suppresses port " + "randomization and can be insecure."); + } + attrmask = 0; attrmask |= DNS_DISPATCHATTR_UDP; attrmask |= DNS_DISPATCHATTR_TCP; @@ -549,7 +557,7 @@ get_view_querysource_dispatch(const cfg_obj_t **maps, disp = NULL; result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr, ns_g_taskmgr, &sa, 4096, - 1000, 32768, 16411, 16433, + 1024, 32768, 16411, 16433, attrs, attrmask, &disp); if (result != ISC_R_SUCCESS) { isc_sockaddr_t any; @@ -2369,7 +2377,9 @@ scan_interfaces(ns_server_t *server, isc_boolean_t verbose) { } static isc_result_t -add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr) { +add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr, + isc_boolean_t wcardport_ok) +{ ns_listenelt_t *lelt = NULL; dns_acl_t *src_acl = NULL; dns_aclelement_t aelt; @@ -2379,7 +2389,8 @@ add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr) { REQUIRE(isc_sockaddr_pf(addr) == AF_INET6); isc_sockaddr_any6(&any_sa6); - if (!isc_sockaddr_equal(&any_sa6, addr)) { + if (!isc_sockaddr_equal(&any_sa6, addr) && + (wcardport_ok || isc_sockaddr_getport(addr) != 0)) { aelt.type = dns_aclelementtype_ipprefix; aelt.negative = ISC_FALSE; aelt.u.ip_prefix.prefixlen = 128; @@ -2438,7 +2449,16 @@ adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) { result = dns_dispatch_getlocaladdress(dispatch6, &addr); if (result != ISC_R_SUCCESS) goto fail; - result = add_listenelt(mctx, list, &addr); + + /* + * We always add non-wildcard address regardless of whether + * the port is 'any' (the fourth arg is TRUE): if the port is + * specific, we need to add it since it may conflict with a + * listening interface; if it's zero, we'll dynamically open + * query ports, and some of them may override an existing + * wildcard IPv6 port. + */ + result = add_listenelt(mctx, list, &addr, ISC_TRUE); if (result != ISC_R_SUCCESS) goto fail; } @@ -2468,12 +2488,12 @@ adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) { continue; addrp = dns_zone_getnotifysrc6(zone); - result = add_listenelt(mctx, list, addrp); + result = add_listenelt(mctx, list, addrp, ISC_FALSE); if (result != ISC_R_SUCCESS) goto fail; addrp = dns_zone_getxfrsource6(zone); - result = add_listenelt(mctx, list, addrp); + result = add_listenelt(mctx, list, addrp, ISC_FALSE); if (result != ISC_R_SUCCESS) goto fail; } |