Report information
The Basics
Id:
45690
Status:
resolved
Priority:
Medium/Medium
Queue:

People
BugTracker
Version Fixed:
9.12.0, 9.11.3, 9.10.7, 9.9.12
Version Found:
(no value)
Versions Affected:
(no value)
Versions Planned:
(no value)
Priority:
P2 Normal
Severity:
S2 Normal
CVSS Score:
(no value)
CVE ID:
(no value)
Component:
(no value)
Area:
(no value)

Dates
Created: Fri, 04 Aug 2017 09:43:52 -0400
Updated: Fri, 25 Aug 2017 16:34:40 -0400
Closed: Fri, 25 Aug 2017 16:34:30 -0400

To: bind9-bugs@isc.org
From: "Tony Finch" <dot@dotat.at>
Subject: [PATCH] minimal-any for DNSKEY/CDNSKEY, and minimal-responses for CDNSKEY/CDS
Date: Fri, 4 Aug 2017 14:43:46 +0100
CC: "Tony Finch" <dot@dotat.at>
It's possible for minimal-any to accidentally return large responses, if it happens to choose the DNSKEY or CDNSKEY RRset. In those cases the RRset should be at the zone apex, so we can skip it and there will be another RRset to put in the response. Similarly, minimal-responses are turned on for DNSKEY and DS queries, so do the same for CDNSKEY and CDS. --- bin/named/query.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/bin/named/query.c b/bin/named/query.c index 9d7eff6..a31bedb 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -6139,6 +6139,16 @@ query_respond_any(query_ctx_t *qctx) { "minimal-any skip signature"); dns_rdataset_disassociate(qctx->rdataset); } else if (qctx->client->view->minimal_any && + !TCP(qctx->client) && + qctx->qtype == dns_rdatatype_any && + (qctx->rdataset->type == dns_rdatatype_dnskey || + qctx->rdataset->type == dns_rdatatype_cdnskey || + qctx->rdataset->covers == dns_rdatatype_dnskey || + qctx->rdataset->covers == dns_rdatatype_cdnskey)) { + CCTRACE(ISC_LOG_DEBUG(5), "query_respond_any: " + "minimal-any skip (C)DNSKEY"); + dns_rdataset_disassociate(qctx->rdataset); + } else if (qctx->client->view->minimal_any && !TCP(qctx->client) && onetype != 0 && qctx->rdataset->type != onetype && qctx->rdataset->covers != onetype) @@ -9513,9 +9523,10 @@ ns_query_start(ns_client_t *client) { } /* - * Turn on minimal response for DNSKEY and DS queries. + * Turn on minimal response for (C)DNSKEY and (C)DS queries. */ - if (qtype == dns_rdatatype_dnskey || qtype == dns_rdatatype_ds) + if (qtype == dns_rdatatype_dnskey || qtype == dns_rdatatype_ds || + qtype == dns_rdatatype_cdnskey || qtype == dns_rdatatype_cds) client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | NS_QUERYATTR_NOADDITIONAL); -- 2.10.1.445.g3cdd5d1
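Review bot: In the query_respond_any hunk, the new branch drops a DNSKEY/CDNSKEY rdataset (and the RRSIGs covering them) purely on type, trusting the commit message's assumption that another RRset exists at the same name; nothing in the hunk checks that, so a name holding only (C)DNSKEY plus its signatures would produce an empty minimal-any answer over UDP, and a large RRset of any other type is still returned in full. Suggest guarding the skip with a check that another rdataset is available, or selecting on rdataset size (for example against a threshold) rather than on type.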
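Review bot: The ns_query_start hunk extends the NS_QUERYATTR_NOAUTHORITY | NS_QUERYATTR_NOADDITIONAL behaviour to CDNSKEY and CDS queries and updates the code comment accordingly, but the user-facing documentation of which query types get a minimal response regardless of the minimal-responses setting is not touched in this patch; the CHANGES entry and the relevant documentation should mention CDNSKEY and CDS alongside DNSKEY and DS.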
Hi Tony,

On Fri Aug 04 13:43:52 2017, dot@dotat.at wrote:
> It's possible for minimal-any to accidentally return large responses, if
> it happens to choose the DNSKEY or CDNSKEY RRset. In those cases the
> RRset should be at the zone apex, so we can skip it and there will be
> another RRset to put in the response.

It's not guaranteed that a DNSKEY is at a zone apex; someone could configure a zone weirdly. Also, other types than DNSKEY can hold a lot of data, so this isn't a general solution to the problem.

It might be useful to add a dns_rdataset_size() function and prefer the smallest rdataset at a name. Or just have a threshold size, above which you check to see if there's another rdataset when putting together a minimal-any response. But I'm not comfortable with the "skip DNSKEY" method.

> Similarly, minimal-responses are turned on for DNSKEY and DS queries, so
> do the same for CDNSKEY and CDS.

I'm fine with this change and will commit it.
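The selection policies discussed above (the patch's skip-by-type rule and the reply's size-based alternatives) modelled side by side, as an added example that is not BIND code; the RRset sizes, the policy names and the 512-byte threshold are constructed assumptions:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RRset:
    rtype: str
    wire_size: int      # constructed rough size in bytes, not derived from real records
    covers: str = ""    # RRSIG only: the type it signs


SKIPPED_BY_PATCH = {"DNSKEY", "CDNSKEY"}   # types the patch drops under minimal-any


def _with_sig(rrsets, data):
    """A data RRset together with the RRSIG(s) covering it, as they would be sent."""
    return [data] + [r for r in rrsets if r.rtype == "RRSIG" and r.covers == data.rtype]


def response_size(chosen):
    return sum(r.wire_size for r in chosen)


def select_minimal_any(rrsets, policy, threshold=512):
    """Choose the RRset (plus signature) for a UDP minimal-any answer at one name.

    'first'       - the RRset the existing onetype path happens to pick
    'skip_dnskey' - the patch: skip (C)DNSKEY by type, no check that another exists
    'smallest'    - the reply's dns_rdataset_size() idea: prefer the smallest
    'threshold'   - keep the first unless it exceeds threshold, then take the smallest
    Returns [] when the policy leaves nothing to answer with.
    """
    candidates = [_with_sig(rrsets, r) for r in rrsets if r.rtype != "RRSIG"]
    if not candidates:
        return []
    if policy == "first":
        return candidates[0]
    if policy == "skip_dnskey":
        rest = [c for c in candidates if c[0].rtype not in SKIPPED_BY_PATCH]
        return rest[0] if rest else []    # empty answer when only (C)DNSKEY lives here
    smallest = min(candidates, key=response_size)
    if policy == "smallest":
        return smallest
    if policy == "threshold":
        return smallest if response_size(candidates[0]) > threshold else candidates[0]
    raise ValueError(f"unknown policy {policy!r}")


# Constructed apex where the DNSKEY RRset is encountered first (the accident described
# in the patch), and a constructed name holding nothing but a DNSKEY and its signature.
APEX = [RRset("DNSKEY", 1100), RRset("RRSIG", 160, "DNSKEY"),
        RRset("SOA", 80), RRset("RRSIG", 160, "SOA"),
        RRset("NS", 60), RRset("RRSIG", 160, "NS")]
KEY_ONLY = [RRset("DNSKEY", 1100), RRset("RRSIG", 160, "DNSKEY")]
```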
4678. [cleanup] Turn on minimal responses for CDNSKEY and CDS in addition to DNSKEY and DS. Thanks to Tony Finch. [RT #45690] 9.12.0, 9.11.3, 9.10.7, 9.9.12