diff options
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch | 990 | ||||
-rw-r--r-- | meta/recipes-connectivity/bind/bind_9.9.5.bb | 1 |
2 files changed, 991 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch b/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch new file mode 100644 index 0000000000..62142d2313 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch | |||
@@ -0,0 +1,990 @@ | |||
1 | From 603a0e2637b35a2da820bc807f69bcf09c682dce Mon Sep 17 00:00:00 2001 | ||
2 | From: Evan Hunt <each@isc.org> | ||
3 | Date: Mon, 17 Nov 2014 23:49:07 -0800 | ||
4 | Subject: [PATCH] [v9_9] limit recursion depth and iterative queries | ||
5 | |||
6 | 4006. [security] A flaw in delegation handling could be exploited | ||
7 | to put named into an infinite loop. This has | ||
8 | been addressed by placing limits on the number | ||
9 | of levels of recursion named will allow (default 7), | ||
10 | and the number of iterative queries that it will | ||
11 | send (default 50) before terminating a recursive | ||
12 | query (CVE-2014-8500). | ||
13 | |||
14 | The recursion depth limit is configured via the | ||
15 | "max-recursion-depth" option. [RT #35780] | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | |||
19 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
20 | --- | ||
21 | bin/named/config.c | 3 +- | ||
22 | bin/named/include/named/query.h | 2 - | ||
23 | bin/named/query.c | 7 ++- | ||
24 | bin/named/server.c | 5 ++ | ||
25 | bin/tests/system/many/clean.sh | 7 +++ | ||
26 | bin/tests/system/many/ns1/named.conf | 33 +++++++++++++ | ||
27 | bin/tests/system/many/ns2/named.conf | 30 ++++++++++++ | ||
28 | bin/tests/system/many/ns3/named.conf | 32 +++++++++++++ | ||
29 | bin/tests/system/many/ns4/named.conf | 30 ++++++++++++ | ||
30 | bin/tests/system/many/ns5/hints.db | 2 + | ||
31 | bin/tests/system/many/ns5/named.conf | 29 ++++++++++++ | ||
32 | bin/tests/system/many/setup.sh | 75 ++++++++++++++++++++++++++++++ | ||
33 | bin/tests/system/many/tests.sh | 48 +++++++++++++++++++ | ||
34 | doc/arm/Bv9ARM-book.xml | 12 +++++ | ||
35 | lib/dns/adb.c | 58 ++++++++++++++++------- | ||
36 | lib/dns/include/dns/adb.h | 8 ++++ | ||
37 | lib/dns/include/dns/resolver.h | 25 ++++++++++ | ||
38 | lib/dns/resolver.c | 90 ++++++++++++++++++++++++++++++------ | ||
39 | lib/isccfg/namedconf.c | 1 + | ||
40 | 20 files changed, 471 insertions(+), 37 deletions(-) | ||
41 | create mode 100644 bin/tests/system/many/clean.sh | ||
42 | create mode 100644 bin/tests/system/many/ns1/named.conf | ||
43 | create mode 100644 bin/tests/system/many/ns2/named.conf | ||
44 | create mode 100644 bin/tests/system/many/ns3/named.conf | ||
45 | create mode 100644 bin/tests/system/many/ns4/named.conf | ||
46 | create mode 100644 bin/tests/system/many/ns5/hints.db | ||
47 | create mode 100644 bin/tests/system/many/ns5/named.conf | ||
48 | create mode 100644 bin/tests/system/many/setup.sh | ||
49 | create mode 100644 bin/tests/system/many/tests.sh | ||
50 | |||
51 | diff --git a/bin/named/config.c b/bin/named/config.c | ||
52 | index 2782720..5ee8c4e 100644 | ||
53 | --- a/bin/named/config.c | ||
54 | +++ b/bin/named/config.c | ||
55 | @@ -15,8 +15,6 @@ | ||
56 | * PERFORMANCE OF THIS SOFTWARE. | ||
57 | */ | ||
58 | |||
59 | -/* $Id: config.c,v 1.123 2012/01/06 23:46:41 tbox Exp $ */ | ||
60 | - | ||
61 | /*! \file */ | ||
62 | |||
63 | #include <config.h> | ||
64 | @@ -160,6 +158,7 @@ options {\n\ | ||
65 | dnssec-accept-expired no;\n\ | ||
66 | clients-per-query 10;\n\ | ||
67 | max-clients-per-query 100;\n\ | ||
68 | + max-recursion-depth 7;\n\ | ||
69 | zero-no-soa-ttl-cache no;\n\ | ||
70 | nsec3-test-zone no;\n\ | ||
71 | allow-new-zones no;\n\ | ||
72 | diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h | ||
73 | index 3beabb8..b5e3900 100644 | ||
74 | --- a/bin/named/include/named/query.h | ||
75 | +++ b/bin/named/include/named/query.h | ||
76 | @@ -15,8 +15,6 @@ | ||
77 | * PERFORMANCE OF THIS SOFTWARE. | ||
78 | */ | ||
79 | |||
80 | -/* $Id: query.h,v 1.45 2011/01/13 04:59:24 tbox Exp $ */ | ||
81 | - | ||
82 | #ifndef NAMED_QUERY_H | ||
83 | #define NAMED_QUERY_H 1 | ||
84 | |||
85 | diff --git a/bin/named/query.c b/bin/named/query.c | ||
86 | index 982f76d..47bfc6a 100644 | ||
87 | --- a/bin/named/query.c | ||
88 | +++ b/bin/named/query.c | ||
89 | @@ -3877,12 +3877,11 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, | ||
90 | peeraddr = &client->peeraddr; | ||
91 | else | ||
92 | peeraddr = NULL; | ||
93 | - result = dns_resolver_createfetch2(client->view->resolver, | ||
94 | + result = dns_resolver_createfetch3(client->view->resolver, | ||
95 | qname, qtype, qdomain, nameservers, | ||
96 | NULL, peeraddr, client->message->id, | ||
97 | - client->query.fetchoptions, | ||
98 | - client->task, | ||
99 | - query_resume, client, | ||
100 | + client->query.fetchoptions, 0, | ||
101 | + client->task, query_resume, client, | ||
102 | rdataset, sigrdataset, | ||
103 | &client->query.fetch); | ||
104 | |||
105 | diff --git a/bin/named/server.c b/bin/named/server.c | ||
106 | index ac015a4..0559977 100644 | ||
107 | --- a/bin/named/server.c | ||
108 | +++ b/bin/named/server.c | ||
109 | @@ -3161,6 +3161,11 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, | ||
110 | cfg_obj_asuint32(obj), | ||
111 | max_clients_per_query); | ||
112 | |||
113 | + obj = NULL; | ||
114 | + result = ns_config_get(maps, "max-recursion-depth", &obj); | ||
115 | + INSIST(result == ISC_R_SUCCESS); | ||
116 | + dns_resolver_setmaxdepth(view->resolver, cfg_obj_asuint32(obj)); | ||
117 | + | ||
118 | #ifdef ALLOW_FILTER_AAAA_ON_V4 | ||
119 | obj = NULL; | ||
120 | result = ns_config_get(maps, "filter-aaaa-on-v4", &obj); | ||
121 | diff --git a/bin/tests/system/many/clean.sh b/bin/tests/system/many/clean.sh | ||
122 | new file mode 100644 | ||
123 | index 0000000..119b1f5 | ||
124 | --- /dev/null | ||
125 | +++ b/bin/tests/system/many/clean.sh | ||
126 | @@ -0,0 +1,7 @@ | ||
127 | +rm -f ns1/[1-9]*example.tld?.db | ||
128 | +rm -f ns2/[1-9]*example.tld?.db | ||
129 | +rm -f ns1/zones.conf | ||
130 | +rm -f ns2/zones.conf | ||
131 | +rm -f */root.db | ||
132 | +rm -f ns3/tld1.db | ||
133 | +rm -f ns4/tld2.db | ||
134 | diff --git a/bin/tests/system/many/ns1/named.conf b/bin/tests/system/many/ns1/named.conf | ||
135 | new file mode 100644 | ||
136 | index 0000000..abc9dca | ||
137 | --- /dev/null | ||
138 | +++ b/bin/tests/system/many/ns1/named.conf | ||
139 | @@ -0,0 +1,33 @@ | ||
140 | +/* | ||
141 | + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") | ||
142 | + * | ||
143 | + * Permission to use, copy, modify, and/or distribute this software for any | ||
144 | + * purpose with or without fee is hereby granted, provided that the above | ||
145 | + * copyright notice and this permission notice appear in all copies. | ||
146 | + * | ||
147 | + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH | ||
148 | + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY | ||
149 | + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, | ||
150 | + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM | ||
151 | + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE | ||
152 | + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR | ||
153 | + * PERFORMANCE OF THIS SOFTWARE. | ||
154 | + */ | ||
155 | + | ||
156 | +controls { /* empty */ }; | ||
157 | + | ||
158 | +options { | ||
159 | + query-source address 10.53.0.1; | ||
160 | + notify-source 10.53.0.1; | ||
161 | + transfer-source 10.53.0.1; | ||
162 | + port 5300; | ||
163 | + pid-file "named.pid"; | ||
164 | + listen-on { 10.53.0.1; }; | ||
165 | + listen-on-v6 { none; }; | ||
166 | + recursion no; | ||
167 | +}; | ||
168 | + | ||
169 | +include "zones.conf"; | ||
170 | + | ||
171 | +// zone "tld1" { type master; file "tld1.db"; }; | ||
172 | +// zone "tld2" { type master; file "tld2.db"; }; | ||
173 | diff --git a/bin/tests/system/many/ns2/named.conf b/bin/tests/system/many/ns2/named.conf | ||
174 | new file mode 100644 | ||
175 | index 0000000..16266e2 | ||
176 | --- /dev/null | ||
177 | +++ b/bin/tests/system/many/ns2/named.conf | ||
178 | @@ -0,0 +1,30 @@ | ||
179 | +/* | ||
180 | + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") | ||
181 | + * | ||
182 | + * Permission to use, copy, modify, and/or distribute this software for any | ||
183 | + * purpose with or without fee is hereby granted, provided that the above | ||
184 | + * copyright notice and this permission notice appear in all copies. | ||
185 | + * | ||
186 | + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH | ||
187 | + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY | ||
188 | + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, | ||
189 | + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM | ||
190 | + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE | ||
191 | + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR | ||
192 | + * PERFORMANCE OF THIS SOFTWARE. | ||
193 | + */ | ||
194 | + | ||
195 | +controls { /* empty */ }; | ||
196 | + | ||
197 | +options { | ||
198 | + query-source address 10.53.0.2; | ||
199 | + notify-source 10.53.0.2; | ||
200 | + transfer-source 10.53.0.2; | ||
201 | + port 5300; | ||
202 | + pid-file "named.pid"; | ||
203 | + listen-on { 10.53.0.2; }; | ||
204 | + listen-on-v6 { none; }; | ||
205 | + recursion no; | ||
206 | +}; | ||
207 | + | ||
208 | +include "zones.conf"; | ||
209 | diff --git a/bin/tests/system/many/ns3/named.conf b/bin/tests/system/many/ns3/named.conf | ||
210 | new file mode 100644 | ||
211 | index 0000000..b950afe | ||
212 | --- /dev/null | ||
213 | +++ b/bin/tests/system/many/ns3/named.conf | ||
214 | @@ -0,0 +1,32 @@ | ||
215 | +/* | ||
216 | + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") | ||
217 | + * | ||
218 | + * Permission to use, copy, modify, and/or distribute this software for any | ||
219 | + * purpose with or without fee is hereby granted, provided that the above | ||
220 | + * copyright notice and this permission notice appear in all copies. | ||
221 | + * | ||
222 | + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH | ||
223 | + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY | ||
224 | + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, | ||
225 | + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM | ||
226 | + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE | ||
227 | + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR | ||
228 | + * PERFORMANCE OF THIS SOFTWARE. | ||
229 | + */ | ||
230 | + | ||
231 | +controls { /* empty */ }; | ||
232 | + | ||
233 | +options { | ||
234 | + query-source address 10.53.0.3; | ||
235 | + notify-source 10.53.0.3; | ||
236 | + transfer-source 10.53.0.3; | ||
237 | + port 5300; | ||
238 | + pid-file "named.pid"; | ||
239 | + listen-on { 10.53.0.3; }; | ||
240 | + listen-on-v6 { none; }; | ||
241 | + recursion no; | ||
242 | +}; | ||
243 | + | ||
244 | +zone "." { type master; file "root.db"; }; | ||
245 | + | ||
246 | +zone "tld1" { type master; file "tld1.db"; }; | ||
247 | diff --git a/bin/tests/system/many/ns4/named.conf b/bin/tests/system/many/ns4/named.conf | ||
248 | new file mode 100644 | ||
249 | index 0000000..ca9aa6a | ||
250 | --- /dev/null | ||
251 | +++ b/bin/tests/system/many/ns4/named.conf | ||
252 | @@ -0,0 +1,30 @@ | ||
253 | +/* | ||
254 | + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") | ||
255 | + * | ||
256 | + * Permission to use, copy, modify, and/or distribute this software for any | ||
257 | + * purpose with or without fee is hereby granted, provided that the above | ||
258 | + * copyright notice and this permission notice appear in all copies. | ||
259 | + * | ||
260 | + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH | ||
261 | + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY | ||
262 | + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, | ||
263 | + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM | ||
264 | + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE | ||
265 | + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR | ||
266 | + * PERFORMANCE OF THIS SOFTWARE. | ||
267 | + */ | ||
268 | + | ||
269 | +controls { /* empty */ }; | ||
270 | + | ||
271 | +options { | ||
272 | + query-source address 10.53.0.4; | ||
273 | + notify-source 10.53.0.4; | ||
274 | + transfer-source 10.53.0.4; | ||
275 | + port 5300; | ||
276 | + pid-file "named.pid"; | ||
277 | + listen-on { 10.53.0.4; }; | ||
278 | + listen-on-v6 { none; }; | ||
279 | + recursion no; | ||
280 | +}; | ||
281 | + | ||
282 | +zone "tld2" { type master; file "tld2.db"; }; | ||
283 | diff --git a/bin/tests/system/many/ns5/hints.db b/bin/tests/system/many/ns5/hints.db | ||
284 | new file mode 100644 | ||
285 | index 0000000..c05809b | ||
286 | --- /dev/null | ||
287 | +++ b/bin/tests/system/many/ns5/hints.db | ||
288 | @@ -0,0 +1,2 @@ | ||
289 | +. 60 in ns ns.nil. | ||
290 | +ns.nil. 60 in A 10.53.0.3 | ||
291 | diff --git a/bin/tests/system/many/ns5/named.conf b/bin/tests/system/many/ns5/named.conf | ||
292 | new file mode 100644 | ||
293 | index 0000000..fce7d59 | ||
294 | --- /dev/null | ||
295 | +++ b/bin/tests/system/many/ns5/named.conf | ||
296 | @@ -0,0 +1,29 @@ | ||
297 | +/* | ||
298 | + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") | ||
299 | + * | ||
300 | + * Permission to use, copy, modify, and/or distribute this software for any | ||
301 | + * purpose with or without fee is hereby granted, provided that the above | ||
302 | + * copyright notice and this permission notice appear in all copies. | ||
303 | + * | ||
304 | + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH | ||
305 | + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY | ||
306 | + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, | ||
307 | + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM | ||
308 | + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE | ||
309 | + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR | ||
310 | + * PERFORMANCE OF THIS SOFTWARE. | ||
311 | + */ | ||
312 | + | ||
313 | +controls { /* empty */ }; | ||
314 | + | ||
315 | +options { | ||
316 | + query-source address 10.53.0.5; | ||
317 | + notify-source 10.53.0.5; | ||
318 | + transfer-source 10.53.0.5; | ||
319 | + port 5300; | ||
320 | + pid-file "named.pid"; | ||
321 | + listen-on { 10.53.0.5; }; | ||
322 | + listen-on-v6 { none; }; | ||
323 | +}; | ||
324 | + | ||
325 | +zone "." { type hint; file "hints.db"; }; | ||
326 | diff --git a/bin/tests/system/many/setup.sh b/bin/tests/system/many/setup.sh | ||
327 | new file mode 100644 | ||
328 | index 0000000..80695b5 | ||
329 | --- /dev/null | ||
330 | +++ b/bin/tests/system/many/setup.sh | ||
331 | @@ -0,0 +1,75 @@ | ||
332 | +i=1 | ||
333 | + | ||
334 | +cat > ns3/root.db << EOF | ||
335 | +. 60 in soa ns.nil. hostmaster.ns.nil. 1 0 0 0 0 | ||
336 | +. 60 in ns ns.nil. | ||
337 | +ns.nil. 60 in a 10.53.0.3 | ||
338 | +tld1. 60 in ns ns.tld1. | ||
339 | +ns.tld1. 60 in a 10.53.0.3 | ||
340 | +tld2. 60 in ns ns.tld2. | ||
341 | +ns.tld2. 60 in a 10.53.0.4 | ||
342 | +EOF | ||
343 | + | ||
344 | +cat > ns3/tld1.db << EOF | ||
345 | +tld1. 60 in soa ns.tld1. hostmaster.ns.tld1. 1 0 0 0 0 | ||
346 | +tld1. 60 in ns ns.tld1. | ||
347 | +ns.tld1. 60 in a 10.53.0.1 | ||
348 | +EOF | ||
349 | + | ||
350 | +cat > ns4/tld2.db << EOF | ||
351 | +tld2. 60 in soa ns.tld2. hostmaster.ns.tld4. 1 0 0 0 0 | ||
352 | +tld2. 60 in ns ns.tld2. | ||
353 | +ns.tld2. 60 in a 10.53.0.1 | ||
354 | +EOF | ||
355 | + | ||
356 | +: > ns1/zones.conf | ||
357 | +: > ns2/zones.conf | ||
358 | + | ||
359 | +while [ $i -lt 1000 ] | ||
360 | +do | ||
361 | +j=`expr $i + 1` | ||
362 | +s=`expr $j % 2 + 1` | ||
363 | +n=`expr $i % 2 + 1` | ||
364 | +t=`expr $s + 2` | ||
365 | + | ||
366 | +# i=1 j=2 s=1 n=2 | ||
367 | +# i=2 j=3 s=1 n=2 | ||
368 | +# i=3 j=4 s=1 n=2 | ||
369 | + | ||
370 | +cat > ns1/${i}example.tld${s}.db << EOF | ||
371 | +${i}example.tld${s}. 60 in soa ns.${j}example.tld${n}. hostmaster 1 0 0 0 0 | ||
372 | +${i}example.tld${s}. 60 in ns ns.${j}example.tld${n}. | ||
373 | +ns.${i}example.tld${s}. 60 in a 10.53.0.1 | ||
374 | +EOF | ||
375 | + | ||
376 | +cat >> ns1/zones.conf << EOF | ||
377 | +zone "${i}example.tld${s}" { type master; file "${i}example.tld${s}.db"; }; | ||
378 | +EOF | ||
379 | + | ||
380 | +cat >> ns${t}/tld${s}.db << EOF | ||
381 | +${i}example.tld${s}. 60 in ns ns.${j}example.tld${n}. | ||
382 | +EOF | ||
383 | + | ||
384 | +i=$j | ||
385 | + | ||
386 | +done | ||
387 | + | ||
388 | +j=`expr $i + 1` | ||
389 | +s=`expr $j % 2 + 1` | ||
390 | +n=`expr $s % 2 + 1` | ||
391 | +t=`expr $s + 2` | ||
392 | + | ||
393 | +cat > ns1/${i}example.tld${s}.db << EOF | ||
394 | +${i}example.tld${s}. 60 in soa ns.${i}example.tld${s}. hostmaster 1 0 0 0 0 | ||
395 | +${i}example.tld${s}. 60 in ns ns.${i}example.tld${s}. | ||
396 | +ns.${i}example.tld${s}. 60 in a 10.53.0.1 | ||
397 | +EOF | ||
398 | + | ||
399 | +cat >> ns1/zones.conf << EOF | ||
400 | +zone "${i}example.tld${s}" { type master; file "${i}example.tld${s}.db"; }; | ||
401 | +EOF | ||
402 | + | ||
403 | +cat >> ns${t}/tld${s}.db << EOF | ||
404 | +${i}example.tld${s}. 60 in ns ns.${i}example.tld${s}. | ||
405 | +ns.${i}example.tld${s}. 60 in a 10.53.0.1 | ||
406 | +EOF | ||
407 | diff --git a/bin/tests/system/many/tests.sh b/bin/tests/system/many/tests.sh | ||
408 | new file mode 100644 | ||
409 | index 0000000..37964e2 | ||
410 | --- /dev/null | ||
411 | +++ b/bin/tests/system/many/tests.sh | ||
412 | @@ -0,0 +1,48 @@ | ||
413 | +#!/bin/sh | ||
414 | +# | ||
415 | +# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") | ||
416 | +# | ||
417 | +# Permission to use, copy, modify, and/or distribute this software for any | ||
418 | +# purpose with or without fee is hereby granted, provided that the above | ||
419 | +# copyright notice and this permission notice appear in all copies. | ||
420 | +# | ||
421 | +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH | ||
422 | +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY | ||
423 | +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, | ||
424 | +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM | ||
425 | +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE | ||
426 | +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR | ||
427 | +# PERFORMANCE OF THIS SOFTWARE. | ||
428 | + | ||
429 | +SYSTEMTESTTOP=.. | ||
430 | +. $SYSTEMTESTTOP/conf.sh | ||
431 | + | ||
432 | +status=0 | ||
433 | +n=0 | ||
434 | + | ||
435 | +n=`expr $n + 1` | ||
436 | +echo "I: attempt lookup 1example.tld2 soa ($n)" | ||
437 | +ret=0 | ||
438 | +$DIG +tcp 1example.tld1 soa @10.53.0.5 -p 5300 > dig.out.test$n | ||
439 | +grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 | ||
440 | +if [ $ret != 0 ]; then echo "I:failed"; fi | ||
441 | +status=`expr $status + $ret` | ||
442 | + | ||
443 | +n=`expr $n + 1` | ||
444 | +echo "I: attempt lookup 992example.tld2 soa ($n)" | ||
445 | +ret=0 | ||
446 | +$DIG +tcp 992example.tld2 soa @10.53.0.5 -p 5300 > dig.out.test$n | ||
447 | +grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 | ||
448 | +if [ $ret != 0 ]; then echo "I:failed"; fi | ||
449 | +status=`expr $status + $ret` | ||
450 | + | ||
451 | +n=`expr $n + 1` | ||
452 | +echo "I: attempt lookup 993example.tld1 soa ($n)" | ||
453 | +ret=0 | ||
454 | +$DIG +tcp 993example.tld1 soa @10.53.0.5 -p 5300 > dig.out.test$n | ||
455 | +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 | ||
456 | +if [ $ret != 0 ]; then echo "I:failed"; fi | ||
457 | +status=`expr $status + $ret` | ||
458 | + | ||
459 | +echo "I:exit status: $status" | ||
460 | +exit $status | ||
461 | diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml | ||
462 | index 9f7bd38..fff4249 100644 | ||
463 | --- a/doc/arm/Bv9ARM-book.xml | ||
464 | +++ b/doc/arm/Bv9ARM-book.xml | ||
465 | @@ -4861,6 +4861,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] | ||
466 | <optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional> | ||
467 | <optional> clients-per-query <replaceable>number</replaceable> ; </optional> | ||
468 | <optional> max-clients-per-query <replaceable>number</replaceable> ; </optional> | ||
469 | + <optional> max-recursion-depth <replaceable>number</replaceable> ; </optional> | ||
470 | <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional> | ||
471 | <optional> empty-server <replaceable>name</replaceable> ; </optional> | ||
472 | <optional> empty-contact <replaceable>name</replaceable> ; </optional> | ||
473 | @@ -8680,6 +8681,17 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; | ||
474 | </listitem> | ||
475 | </varlistentry> | ||
476 | |||
477 | + <varlistentry id="max-recursion-depth"> | ||
478 | + <term><command>max-recursion-depth</command></term> | ||
479 | + <listitem> | ||
480 | + <para> | ||
481 | + Sets the maximum number of levels of recursion | ||
482 | + permitted at any one time while resolving a name. | ||
483 | + The default is 7. | ||
484 | + </para> | ||
485 | + </listitem> | ||
486 | + </varlistentry> | ||
487 | + | ||
488 | <varlistentry> | ||
489 | <term><command>notify-delay</command></term> | ||
490 | <listitem> | ||
491 | diff --git a/lib/dns/adb.c b/lib/dns/adb.c | ||
492 | index 2ccb51e..fe9b3f7 100644 | ||
493 | --- a/lib/dns/adb.c | ||
494 | +++ b/lib/dns/adb.c | ||
495 | @@ -199,6 +199,7 @@ struct dns_adbfetch { | ||
496 | unsigned int magic; | ||
497 | dns_fetch_t *fetch; | ||
498 | dns_rdataset_t rdataset; | ||
499 | + unsigned int depth; | ||
500 | }; | ||
501 | |||
502 | /*% | ||
503 | @@ -300,7 +301,7 @@ static inline void violate_locking_hierarchy(isc_mutex_t *, isc_mutex_t *); | ||
504 | static isc_boolean_t clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *); | ||
505 | static void clean_target(dns_adb_t *, dns_name_t *); | ||
506 | static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t, | ||
507 | - unsigned int); | ||
508 | + isc_uint32_t, unsigned int); | ||
509 | static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t); | ||
510 | static isc_boolean_t check_expire_entry(dns_adb_t *, dns_adbentry_t **, | ||
511 | isc_stdtime_t); | ||
512 | @@ -308,7 +309,7 @@ static void cancel_fetches_at_name(dns_adbname_t *); | ||
513 | static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t, | ||
514 | dns_rdatatype_t); | ||
515 | static isc_result_t fetch_name(dns_adbname_t *, isc_boolean_t, | ||
516 | - dns_rdatatype_t); | ||
517 | + unsigned int, dns_rdatatype_t); | ||
518 | static inline void check_exit(dns_adb_t *); | ||
519 | static void destroy(dns_adb_t *); | ||
520 | static isc_boolean_t shutdown_names(dns_adb_t *); | ||
521 | @@ -984,7 +985,7 @@ kill_name(dns_adbname_t **n, isc_eventtype_t ev) { | ||
522 | * Clean up the name's various lists. These two are destructive | ||
523 | * in that they will always empty the list. | ||
524 | */ | ||
525 | - clean_finds_at_name(name, ev, DNS_ADBFIND_ADDRESSMASK); | ||
526 | + clean_finds_at_name(name, ev, 0, DNS_ADBFIND_ADDRESSMASK); | ||
527 | result4 = clean_namehooks(adb, &name->v4); | ||
528 | result6 = clean_namehooks(adb, &name->v6); | ||
529 | clean_target(adb, &name->target); | ||
530 | @@ -1409,7 +1410,7 @@ event_free(isc_event_t *event) { | ||
531 | */ | ||
532 | static void | ||
533 | clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype, | ||
534 | - unsigned int addrs) | ||
535 | + isc_uint32_t qtotal, unsigned int addrs) | ||
536 | { | ||
537 | isc_event_t *ev; | ||
538 | isc_task_t *task; | ||
539 | @@ -1469,6 +1470,7 @@ clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype, | ||
540 | ev->ev_sender = find; | ||
541 | find->result_v4 = find_err_map[name->fetch_err]; | ||
542 | find->result_v6 = find_err_map[name->fetch6_err]; | ||
543 | + find->qtotal += qtotal; | ||
544 | ev->ev_type = evtype; | ||
545 | ev->ev_destroy = event_free; | ||
546 | ev->ev_destroy_arg = find; | ||
547 | @@ -1827,6 +1829,7 @@ new_adbfind(dns_adb_t *adb) { | ||
548 | h->flags = 0; | ||
549 | h->result_v4 = ISC_R_UNEXPECTED; | ||
550 | h->result_v6 = ISC_R_UNEXPECTED; | ||
551 | + h->qtotal = 0; | ||
552 | ISC_LINK_INIT(h, publink); | ||
553 | ISC_LINK_INIT(h, plink); | ||
554 | ISC_LIST_INIT(h->list); | ||
555 | @@ -2799,6 +2802,19 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, | ||
556 | isc_stdtime_t now, dns_name_t *target, | ||
557 | in_port_t port, dns_adbfind_t **findp) | ||
558 | { | ||
559 | + return (dns_adb_createfind2(adb, task, action, arg, name, | ||
560 | + qname, qtype, options, now, | ||
561 | + target, port, 0, findp)); | ||
562 | +} | ||
563 | + | ||
564 | +isc_result_t | ||
565 | +dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, | ||
566 | + void *arg, dns_name_t *name, dns_name_t *qname, | ||
567 | + dns_rdatatype_t qtype, unsigned int options, | ||
568 | + isc_stdtime_t now, dns_name_t *target, | ||
569 | + in_port_t port, unsigned int depth, | ||
570 | + dns_adbfind_t **findp) | ||
571 | +{ | ||
572 | dns_adbfind_t *find; | ||
573 | dns_adbname_t *adbname; | ||
574 | int bucket; | ||
575 | @@ -3029,7 +3045,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, | ||
576 | * Start V4. | ||
577 | */ | ||
578 | if (WANT_INET(wanted_fetches) && | ||
579 | - fetch_name(adbname, start_at_zone, | ||
580 | + fetch_name(adbname, start_at_zone, depth, | ||
581 | dns_rdatatype_a) == ISC_R_SUCCESS) { | ||
582 | DP(DEF_LEVEL, | ||
583 | "dns_adb_createfind: started A fetch for name %p", | ||
584 | @@ -3040,7 +3056,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, | ||
585 | * Start V6. | ||
586 | */ | ||
587 | if (WANT_INET6(wanted_fetches) && | ||
588 | - fetch_name(adbname, start_at_zone, | ||
589 | + fetch_name(adbname, start_at_zone, depth, | ||
590 | dns_rdatatype_aaaa) == ISC_R_SUCCESS) { | ||
591 | DP(DEF_LEVEL, | ||
592 | "dns_adb_createfind: " | ||
593 | @@ -3656,6 +3672,7 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) { | ||
594 | isc_result_t result; | ||
595 | unsigned int address_type; | ||
596 | isc_boolean_t want_check_exit = ISC_FALSE; | ||
597 | + isc_uint32_t qtotal = 0; | ||
598 | |||
599 | UNUSED(task); | ||
600 | |||
601 | @@ -3666,6 +3683,8 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) { | ||
602 | adb = name->adb; | ||
603 | INSIST(DNS_ADB_VALID(adb)); | ||
604 | |||
605 | + qtotal = dev->qtotal; | ||
606 | + | ||
607 | bucket = name->lock_bucket; | ||
608 | LOCK(&adb->namelocks[bucket]); | ||
609 | |||
610 | @@ -3783,6 +3802,12 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) { | ||
611 | DP(DEF_LEVEL, "adb: fetch of '%s' %s failed: %s", | ||
612 | buf, address_type == DNS_ADBFIND_INET ? "A" : "AAAA", | ||
613 | dns_result_totext(dev->result)); | ||
614 | + /* | ||
615 | + * Don't record a failure unless this is the initial | ||
616 | + * fetch of a chain. | ||
617 | + */ | ||
618 | + if (fetch->depth > 1) | ||
619 | + goto out; | ||
620 | /* XXXMLG Don't pound on bad servers. */ | ||
621 | if (address_type == DNS_ADBFIND_INET) { | ||
622 | name->expire_v4 = ISC_MIN(name->expire_v4, now + 300); | ||
623 | @@ -3814,15 +3839,14 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) { | ||
624 | free_adbfetch(adb, &fetch); | ||
625 | isc_event_free(&ev); | ||
626 | |||
627 | - clean_finds_at_name(name, ev_status, address_type); | ||
628 | + clean_finds_at_name(name, ev_status, qtotal, address_type); | ||
629 | |||
630 | UNLOCK(&adb->namelocks[bucket]); | ||
631 | } | ||
632 | |||
633 | static isc_result_t | ||
634 | -fetch_name(dns_adbname_t *adbname, | ||
635 | - isc_boolean_t start_at_zone, | ||
636 | - dns_rdatatype_t type) | ||
637 | +fetch_name(dns_adbname_t *adbname, isc_boolean_t start_at_zone, | ||
638 | + unsigned int depth, dns_rdatatype_t type) | ||
639 | { | ||
640 | isc_result_t result; | ||
641 | dns_adbfetch_t *fetch = NULL; | ||
642 | @@ -3867,12 +3891,14 @@ fetch_name(dns_adbname_t *adbname, | ||
643 | result = ISC_R_NOMEMORY; | ||
644 | goto cleanup; | ||
645 | } | ||
646 | - | ||
647 | - result = dns_resolver_createfetch(adb->view->resolver, &adbname->name, | ||
648 | - type, name, nameservers, NULL, | ||
649 | - options, adb->task, fetch_callback, | ||
650 | - adbname, &fetch->rdataset, NULL, | ||
651 | - &fetch->fetch); | ||
652 | + fetch->depth = depth; | ||
653 | + | ||
654 | + result = dns_resolver_createfetch3(adb->view->resolver, &adbname->name, | ||
655 | + type, name, nameservers, NULL, | ||
656 | + NULL, 0, options, depth, adb->task, | ||
657 | + fetch_callback, adbname, | ||
658 | + &fetch->rdataset, NULL, | ||
659 | + &fetch->fetch); | ||
660 | if (result != ISC_R_SUCCESS) | ||
661 | goto cleanup; | ||
662 | |||
663 | diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h | ||
664 | index 35350ff..7501f01 100644 | ||
665 | --- a/lib/dns/include/dns/adb.h | ||
666 | +++ b/lib/dns/include/dns/adb.h | ||
667 | @@ -118,6 +118,8 @@ struct dns_adbfind { | ||
668 | isc_result_t result_v6; /*%< RO: v6 result */ | ||
669 | ISC_LINK(dns_adbfind_t) publink; /*%< RW: client use */ | ||
670 | |||
671 | + isc_uint32_t qtotal; | ||
672 | + | ||
673 | /* Private */ | ||
674 | isc_mutex_t lock; /* locks all below */ | ||
675 | in_port_t port; | ||
676 | @@ -334,6 +336,12 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, | ||
677 | dns_rdatatype_t qtype, unsigned int options, | ||
678 | isc_stdtime_t now, dns_name_t *target, | ||
679 | in_port_t port, dns_adbfind_t **find); | ||
680 | +isc_result_t | ||
681 | +dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, | ||
682 | + void *arg, dns_name_t *name, dns_name_t *qname, | ||
683 | + dns_rdatatype_t qtype, unsigned int options, | ||
684 | + isc_stdtime_t now, dns_name_t *target, in_port_t port, | ||
685 | + unsigned int depth, dns_adbfind_t **find); | ||
686 | /*%< | ||
687 | * Main interface for clients. The adb will look up the name given in | ||
688 | * "name" and will build up a list of found addresses, and perhaps start | ||
689 | diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h | ||
690 | index 4e20eb6..c256049 100644 | ||
691 | --- a/lib/dns/include/dns/resolver.h | ||
692 | +++ b/lib/dns/include/dns/resolver.h | ||
693 | @@ -82,6 +82,7 @@ typedef struct dns_fetchevent { | ||
694 | isc_sockaddr_t * client; | ||
695 | dns_messageid_t id; | ||
696 | isc_result_t vresult; | ||
697 | + isc_uint32_t qtotal; | ||
698 | } dns_fetchevent_t; | ||
699 | |||
700 | /* | ||
701 | @@ -275,6 +276,18 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name, | ||
702 | dns_rdataset_t *rdataset, | ||
703 | dns_rdataset_t *sigrdataset, | ||
704 | dns_fetch_t **fetchp); | ||
705 | +isc_result_t | ||
706 | +dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name, | ||
707 | + dns_rdatatype_t type, | ||
708 | + dns_name_t *domain, dns_rdataset_t *nameservers, | ||
709 | + dns_forwarders_t *forwarders, | ||
710 | + isc_sockaddr_t *client, isc_uint16_t id, | ||
711 | + unsigned int options, unsigned int depth, | ||
712 | + isc_task_t *task, | ||
713 | + isc_taskaction_t action, void *arg, | ||
714 | + dns_rdataset_t *rdataset, | ||
715 | + dns_rdataset_t *sigrdataset, | ||
716 | + dns_fetch_t **fetchp); | ||
717 | /*%< | ||
718 | * Recurse to answer a question. | ||
719 | * | ||
720 | @@ -576,6 +589,18 @@ dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp); | ||
721 | * \li resolver to be valid. | ||
722 | */ | ||
723 | |||
724 | +void | ||
725 | +dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth); | ||
726 | +unsigned int | ||
727 | +dns_resolver_getmaxdepth(dns_resolver_t *resolver); | ||
728 | +/*% | ||
729 | + * Get and set how many NS indirections will be followed when looking for | ||
730 | + * nameserver addresses. | ||
731 | + * | ||
732 | + * Requires: | ||
733 | + * \li resolver to be valid. | ||
734 | + */ | ||
735 | + | ||
736 | ISC_LANG_ENDDECLS | ||
737 | |||
738 | #endif /* DNS_RESOLVER_H */ | ||
739 | diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c | ||
740 | index e517dad..6a635b2 100644 | ||
741 | --- a/lib/dns/resolver.c | ||
742 | +++ b/lib/dns/resolver.c | ||
743 | @@ -131,6 +131,16 @@ | ||
744 | #define MAXIMUM_QUERY_TIMEOUT 30 /* The maximum time in seconds for the whole query to live. */ | ||
745 | #endif | ||
746 | |||
747 | +/* The default maximum number of recursions to follow before giving up. */ | ||
748 | +#ifndef DEFAULT_RECURSION_DEPTH | ||
749 | +#define DEFAULT_RECURSION_DEPTH 7 | ||
750 | +#endif | ||
751 | + | ||
752 | +/* The default maximum number of iterative queries to allow before giving up. */ | ||
753 | +#ifndef DEFAULT_MAX_QUERIES | ||
754 | +#define DEFAULT_MAX_QUERIES 50 | ||
755 | +#endif | ||
756 | + | ||
757 | /*% | ||
758 | * Maximum EDNS0 input packet size. | ||
759 | */ | ||
760 | @@ -297,6 +307,7 @@ struct fetchctx { | ||
761 | isc_uint64_t duration; | ||
762 | isc_boolean_t logged; | ||
763 | unsigned int querysent; | ||
764 | + unsigned int totalqueries; | ||
765 | unsigned int referrals; | ||
766 | unsigned int lamecount; | ||
767 | unsigned int neterr; | ||
768 | @@ -307,6 +318,7 @@ struct fetchctx { | ||
769 | isc_boolean_t timeout; | ||
770 | dns_adbaddrinfo_t *addrinfo; | ||
771 | isc_sockaddr_t *client; | ||
772 | + unsigned int depth; | ||
773 | }; | ||
774 | |||
775 | #define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!') | ||
776 | @@ -419,6 +431,7 @@ struct dns_resolver { | ||
777 | isc_timer_t * spillattimer; | ||
778 | isc_boolean_t zero_no_soa_ttl; | ||
779 | unsigned int query_timeout; | ||
780 | + unsigned int maxdepth; | ||
781 | |||
782 | /* Locked by lock. */ | ||
783 | unsigned int references; | ||
784 | @@ -1097,6 +1110,7 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) { | ||
785 | event->result == DNS_R_NCACHENXRRSET); | ||
786 | } | ||
787 | |||
788 | + event->qtotal = fctx->totalqueries; | ||
789 | isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event)); | ||
790 | count++; | ||
791 | } | ||
792 | @@ -1537,7 +1551,9 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, | ||
793 | if (result != ISC_R_SUCCESS) | ||
794 | goto cleanup_dispatch; | ||
795 | } | ||
796 | + | ||
797 | fctx->querysent++; | ||
798 | + fctx->totalqueries++; | ||
799 | |||
800 | ISC_LIST_APPEND(fctx->queries, query, link); | ||
801 | query->fctx->nqueries++; | ||
802 | @@ -2194,9 +2210,10 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) { | ||
803 | */ | ||
804 | INSIST(!SHUTTINGDOWN(fctx)); | ||
805 | fctx->attributes &= ~FCTX_ATTR_ADDRWAIT; | ||
806 | - if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) | ||
807 | + if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) { | ||
808 | want_try = ISC_TRUE; | ||
809 | - else { | ||
810 | + fctx->totalqueries += find->qtotal; | ||
811 | + } else { | ||
812 | fctx->findfail++; | ||
813 | if (fctx->pending == 0) { | ||
814 | /* | ||
815 | @@ -2479,12 +2496,13 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port, | ||
816 | * See what we know about this address. | ||
817 | */ | ||
818 | find = NULL; | ||
819 | - result = dns_adb_createfind(fctx->adb, | ||
820 | - res->buckets[fctx->bucketnum].task, | ||
821 | - fctx_finddone, fctx, name, | ||
822 | - &fctx->name, fctx->type, | ||
823 | - options, now, NULL, | ||
824 | - res->view->dstport, &find); | ||
825 | + result = dns_adb_createfind2(fctx->adb, | ||
826 | + res->buckets[fctx->bucketnum].task, | ||
827 | + fctx_finddone, fctx, name, | ||
828 | + &fctx->name, fctx->type, | ||
829 | + options, now, NULL, | ||
830 | + res->view->dstport, | ||
831 | + fctx->depth + 1, &find); | ||
832 | if (result != ISC_R_SUCCESS) { | ||
833 | if (result == DNS_R_ALIAS) { | ||
834 | /* | ||
835 | @@ -2592,6 +2610,11 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) { | ||
836 | |||
837 | res = fctx->res; | ||
838 | |||
839 | + if (fctx->depth > res->maxdepth) { | ||
840 | + FCTXTRACE("too much NS indirection"); | ||
841 | + return (DNS_R_SERVFAIL); | ||
842 | + } | ||
843 | + | ||
844 | /* | ||
845 | * Forwarders. | ||
846 | */ | ||
847 | @@ -3030,6 +3053,9 @@ fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) { | ||
848 | |||
849 | REQUIRE(!ADDRWAIT(fctx)); | ||
850 | |||
851 | + if (fctx->totalqueries > DEFAULT_MAX_QUERIES) | ||
852 | + fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); | ||
853 | + | ||
854 | addrinfo = fctx_nextaddress(fctx); | ||
855 | if (addrinfo == NULL) { | ||
856 | /* | ||
857 | @@ -3388,6 +3414,7 @@ fctx_start(isc_task_t *task, isc_event_t *event) { | ||
858 | * Normal fctx startup. | ||
859 | */ | ||
860 | fctx->state = fetchstate_active; | ||
861 | + fctx->totalqueries = 0; | ||
862 | /* | ||
863 | * Reset the control event for later use in shutting down | ||
864 | * the fctx. | ||
865 | @@ -3457,6 +3484,7 @@ fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_sockaddr_t *client, | ||
866 | event->fetch = fetch; | ||
867 | event->client = client; | ||
868 | event->id = id; | ||
869 | + event->qtotal = 0; | ||
870 | dns_fixedname_init(&event->foundname); | ||
871 | |||
872 | /* | ||
873 | @@ -3493,7 +3521,8 @@ log_ns_ttl(fetchctx_t *fctx, const char *where) { | ||
874 | static isc_result_t | ||
875 | fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, | ||
876 | dns_name_t *domain, dns_rdataset_t *nameservers, | ||
877 | - unsigned int options, unsigned int bucketnum, fetchctx_t **fctxp) | ||
878 | + unsigned int options, unsigned int bucketnum, unsigned int depth, | ||
879 | + fetchctx_t **fctxp) | ||
880 | { | ||
881 | fetchctx_t *fctx; | ||
882 | isc_result_t result; | ||
883 | @@ -3545,6 +3574,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, | ||
884 | fctx->state = fetchstate_init; | ||
885 | fctx->want_shutdown = ISC_FALSE; | ||
886 | fctx->cloned = ISC_FALSE; | ||
887 | + fctx->depth = depth; | ||
888 | ISC_LIST_INIT(fctx->queries); | ||
889 | ISC_LIST_INIT(fctx->finds); | ||
890 | ISC_LIST_INIT(fctx->altfinds); | ||
891 | @@ -3563,6 +3593,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, | ||
892 | fctx->pending = 0; | ||
893 | fctx->restarts = 0; | ||
894 | fctx->querysent = 0; | ||
895 | + fctx->totalqueries = 0; | ||
896 | fctx->referrals = 0; | ||
897 | TIME_NOW(&fctx->start); | ||
898 | fctx->timeouts = 0; | ||
899 | @@ -7781,6 +7812,7 @@ dns_resolver_create(dns_view_t *view, | ||
900 | res->spillattimer = NULL; | ||
901 | res->zero_no_soa_ttl = ISC_FALSE; | ||
902 | res->query_timeout = DEFAULT_QUERY_TIMEOUT; | ||
903 | + res->maxdepth = DEFAULT_RECURSION_DEPTH; | ||
904 | res->nbuckets = ntasks; | ||
905 | res->activebuckets = ntasks; | ||
906 | res->buckets = isc_mem_get(view->mctx, | ||
907 | @@ -8219,9 +8251,9 @@ dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name, | ||
908 | dns_rdataset_t *sigrdataset, | ||
909 | dns_fetch_t **fetchp) | ||
910 | { | ||
911 | - return (dns_resolver_createfetch2(res, name, type, domain, | ||
912 | + return (dns_resolver_createfetch3(res, name, type, domain, | ||
913 | nameservers, forwarders, NULL, 0, | ||
914 | - options, task, action, arg, | ||
915 | + options, 0, task, action, arg, | ||
916 | rdataset, sigrdataset, fetchp)); | ||
917 | } | ||
918 | |||
919 | @@ -8237,6 +8269,25 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name, | ||
920 | dns_rdataset_t *sigrdataset, | ||
921 | dns_fetch_t **fetchp) | ||
922 | { | ||
923 | + return (dns_resolver_createfetch3(res, name, type, domain, | ||
924 | + nameservers, forwarders, client, id, | ||
925 | + options, 0, task, action, arg, | ||
926 | + rdataset, sigrdataset, fetchp)); | ||
927 | +} | ||
928 | + | ||
929 | +isc_result_t | ||
930 | +dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name, | ||
931 | + dns_rdatatype_t type, | ||
932 | + dns_name_t *domain, dns_rdataset_t *nameservers, | ||
933 | + dns_forwarders_t *forwarders, | ||
934 | + isc_sockaddr_t *client, dns_messageid_t id, | ||
935 | + unsigned int options, unsigned int depth, | ||
936 | + isc_task_t *task, | ||
937 | + isc_taskaction_t action, void *arg, | ||
938 | + dns_rdataset_t *rdataset, | ||
939 | + dns_rdataset_t *sigrdataset, | ||
940 | + dns_fetch_t **fetchp) | ||
941 | +{ | ||
942 | dns_fetch_t *fetch; | ||
943 | fetchctx_t *fctx = NULL; | ||
944 | isc_result_t result = ISC_R_SUCCESS; | ||
945 | @@ -8325,11 +8376,12 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name, | ||
946 | |||
947 | if (fctx == NULL) { | ||
948 | result = fctx_create(res, name, type, domain, nameservers, | ||
949 | - options, bucketnum, &fctx); | ||
950 | + options, bucketnum, depth, &fctx); | ||
951 | if (result != ISC_R_SUCCESS) | ||
952 | goto unlock; | ||
953 | new_fctx = ISC_TRUE; | ||
954 | - } | ||
955 | + } else if (fctx->depth > depth) | ||
956 | + fctx->depth = depth; | ||
957 | |||
958 | result = fctx_join(fctx, task, client, id, action, arg, | ||
959 | rdataset, sigrdataset, fetch); | ||
960 | @@ -9101,3 +9153,15 @@ dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) { | ||
961 | |||
962 | resolver->query_timeout = seconds; | ||
963 | } | ||
964 | + | ||
965 | +void | ||
966 | +dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth) { | ||
967 | + REQUIRE(VALID_RESOLVER(resolver)); | ||
968 | + resolver->maxdepth = maxdepth; | ||
969 | +} | ||
970 | + | ||
971 | +unsigned int | ||
972 | +dns_resolver_getmaxdepth(dns_resolver_t *resolver) { | ||
973 | + REQUIRE(VALID_RESOLVER(resolver)); | ||
974 | + return (resolver->maxdepth); | ||
975 | +} | ||
976 | diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c | ||
977 | index bfd4bab..5f8b037 100644 | ||
978 | --- a/lib/isccfg/namedconf.c | ||
979 | +++ b/lib/isccfg/namedconf.c | ||
980 | @@ -1393,6 +1393,7 @@ view_clauses[] = { | ||
981 | { "max-cache-ttl", &cfg_type_uint32, 0 }, | ||
982 | { "max-clients-per-query", &cfg_type_uint32, 0 }, | ||
983 | { "max-ncache-ttl", &cfg_type_uint32, 0 }, | ||
984 | + { "max-recursion-depth", &cfg_type_uint32, 0 }, | ||
985 | { "max-udp-size", &cfg_type_uint32, 0 }, | ||
986 | { "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP }, | ||
987 | { "minimal-responses", &cfg_type_boolean, 0 }, | ||
988 | -- | ||
989 | 1.9.1 | ||
990 | |||
diff --git a/meta/recipes-connectivity/bind/bind_9.9.5.bb b/meta/recipes-connectivity/bind/bind_9.9.5.bb index 635d27732b..8e04f8a040 100644 --- a/meta/recipes-connectivity/bind/bind_9.9.5.bb +++ b/meta/recipes-connectivity/bind/bind_9.9.5.bb | |||
@@ -17,6 +17,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ | |||
17 | file://named.service \ | 17 | file://named.service \ |
18 | file://bind9 \ | 18 | file://bind9 \ |
19 | file://init.d-add-support-for-read-only-rootfs.patch \ | 19 | file://init.d-add-support-for-read-only-rootfs.patch \ |
20 | file://bind9_9_5-CVE-2014-8500.patch \ | ||
20 | " | 21 | " |
21 | 22 | ||
22 | SRC_URI[md5sum] = "e676c65cad5234617ee22f48e328c24e" | 23 | SRC_URI[md5sum] = "e676c65cad5234617ee22f48e328c24e" |