Date: Wed, 6 Jan 2010 21:45:31 +0000 (UTC) From: "Simon L. Nielsen" <simon@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r201679 - releng/6.3 releng/6.3/contrib/bind9/bin/named releng/6.3/contrib/bind9/lib/dns releng/6.3/contrib/bind9/lib/dns/include/dns releng/6.3/contrib/ntp/ntpd releng/6.3/sys/conf rel... Message-ID: <201001062145.o06LjVCB048836@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: simon Date: Wed Jan 6 21:45:30 2010 New Revision: 201679 URL: http://svn.freebsd.org/changeset/base/201679 Log: Fix BIND named(8) cache poisoning with DNSSEC validation. [SA-10:01] Fix ntpd mode 7 denial of service. [SA-10:02] Fix ZFS ZIL playback with insecure permissions. [SA-10:03] Various FreeBSD 8.0-RELEASE improvements. [EN-10:01] Security: FreeBSD-SA-10:01.bind Security: FreeBSD-SA-10:02.ntpd Security: FreeBSD-SA-10:03.zfs Errata: FreeBSD-EN-10:01.freebsd Approved by: so (simon) Modified: releng/6.3/UPDATING releng/6.3/contrib/bind9/bin/named/query.c releng/6.3/contrib/bind9/lib/dns/include/dns/types.h releng/6.3/contrib/bind9/lib/dns/masterdump.c releng/6.3/contrib/bind9/lib/dns/rbtdb.c releng/6.3/contrib/bind9/lib/dns/resolver.c releng/6.3/contrib/bind9/lib/dns/validator.c releng/6.3/contrib/ntp/ntpd/ntp_request.c releng/6.3/sys/conf/newvers.sh releng/6.4/UPDATING releng/6.4/contrib/bind9/bin/named/query.c releng/6.4/contrib/bind9/lib/dns/include/dns/types.h releng/6.4/contrib/bind9/lib/dns/masterdump.c releng/6.4/contrib/bind9/lib/dns/rbtdb.c releng/6.4/contrib/bind9/lib/dns/resolver.c releng/6.4/contrib/bind9/lib/dns/validator.c releng/6.4/contrib/ntp/ntpd/ntp_request.c releng/6.4/sys/conf/newvers.sh releng/7.1/UPDATING releng/7.1/contrib/bind9/bin/named/query.c releng/7.1/contrib/bind9/lib/dns/include/dns/types.h releng/7.1/contrib/bind9/lib/dns/masterdump.c releng/7.1/contrib/bind9/lib/dns/rbtdb.c releng/7.1/contrib/bind9/lib/dns/resolver.c releng/7.1/contrib/bind9/lib/dns/validator.c releng/7.1/contrib/ntp/ntpd/ntp_request.c releng/7.1/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c releng/7.1/sys/conf/newvers.sh releng/7.2/UPDATING releng/7.2/contrib/bind9/bin/named/query.c releng/7.2/contrib/bind9/lib/dns/include/dns/types.h releng/7.2/contrib/bind9/lib/dns/masterdump.c releng/7.2/contrib/bind9/lib/dns/rbtdb.c releng/7.2/contrib/bind9/lib/dns/resolver.c releng/7.2/contrib/bind9/lib/dns/validator.c releng/7.2/contrib/ntp/ntpd/ntp_request.c releng/7.2/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c releng/7.2/sys/conf/newvers.sh releng/8.0/UPDATING releng/8.0/contrib/bind9/bin/named/query.c releng/8.0/contrib/bind9/lib/dns/include/dns/types.h releng/8.0/contrib/bind9/lib/dns/masterdump.c releng/8.0/contrib/bind9/lib/dns/rbtdb.c releng/8.0/contrib/bind9/lib/dns/resolver.c releng/8.0/contrib/bind9/lib/dns/validator.c releng/8.0/contrib/ntp/ntpd/ntp_request.c releng/8.0/sys/cddl/compat/opensolaris/sys/vnode.h releng/8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c releng/8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c releng/8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_znode.c releng/8.0/sys/cddl/contrib/opensolaris/uts/common/sys/vnode.h releng/8.0/sys/conf/newvers.sh releng/8.0/sys/kern/vfs_lookup.c releng/8.0/sys/netinet/ip_mroute.c releng/8.0/sys/netinet/raw_ip.c releng/8.0/sys/netinet/sctp_input.c releng/8.0/sys/netinet6/raw_ip6.c releng/8.0/sys/rpc/clnt_vc.c Changes in other areas also in this revision: Modified: stable/6/contrib/bind9/bin/named/query.c stable/6/contrib/bind9/lib/dns/include/dns/types.h stable/6/contrib/bind9/lib/dns/masterdump.c stable/6/contrib/bind9/lib/dns/rbtdb.c stable/6/contrib/bind9/lib/dns/resolver.c stable/6/contrib/bind9/lib/dns/validator.c stable/6/contrib/ntp/ntpd/ntp_request.c stable/7/contrib/ntp/ntpd/ntp_request.c stable/7/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c stable/8/contrib/ntp/ntpd/ntp_request.c Modified: releng/6.3/UPDATING ============================================================================== --- releng/6.3/UPDATING Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.3/UPDATING Wed Jan 6 21:45:30 2010 (r201679) @@ -8,6 +8,12 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20100106: p15 FreeBSD-SA-10:01.bind, FreeBSD-SA-10:02.ntpd + Fix BIND named(8) cache poisoning with DNSSEC validation. + [SA-10:01] + + Fix ntpd mode 7 denial of service. [SA-10:02] + 20091203: p14 FreeBSD-SA-09:15.ssl, FreeBSD-SA-09:17.freebsd-update Disable SSL renegotiation in order to protect against a serious protocol flaw. [09:15] Modified: releng/6.3/contrib/bind9/bin/named/query.c ============================================================================== --- releng/6.3/contrib/bind9/bin/named/query.c Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.3/contrib/bind9/bin/named/query.c Wed Jan 6 21:45:30 2010 (r201679) @@ -92,6 +92,8 @@ #define DNS_GETDB_NOLOG 0x02U #define DNS_GETDB_PARTIAL 0x04U +#define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0) + static void query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype); @@ -1698,14 +1700,14 @@ query_addbestns(ns_client_t *client) { zsigrdataset = NULL; } - if ((client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0 && - (rdataset->trust == dns_trust_pending || - (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending))) + if ((DNS_TRUST_PENDING(rdataset->trust) || + (sigrdataset != NULL && DNS_TRUST_PENDING(sigrdataset->trust))) && + !PENDINGOK(client->query.dboptions)) goto cleanup; - if (WANTDNSSEC(client) && SECURE(client) && - (rdataset->trust == dns_trust_glue || - (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue))) + if ((DNS_TRUST_GLUE(rdataset->trust) || + (sigrdataset != NULL && DNS_TRUST_GLUE(sigrdataset->trust))) && + SECURE(client) && WANTDNSSEC(client)) goto cleanup; query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf, @@ -2364,6 +2366,8 @@ query_find(ns_client_t *client, dns_fetc unsigned int options; isc_boolean_t empty_wild; dns_rdataset_t *noqname; + dns_rdataset_t tmprdataset; + unsigned int dboptions; CTRACE("query_find"); @@ -2563,9 +2567,47 @@ query_find(ns_client_t *client, dns_fetc /* * Now look for an answer in the database. */ + dboptions = client->query.dboptions; + if (sigrdataset == NULL && client->view->enablednssec) { + /* + * If the client doesn't want DNSSEC we still want to + * look for any data pending validation to save a remote + * lookup if possible. + */ + dns_rdataset_init(&tmprdataset); + sigrdataset = &tmprdataset; + dboptions |= DNS_DBFIND_PENDINGOK; + } + refind: result = dns_db_find(db, client->query.qname, version, type, - client->query.dboptions, client->now, - &node, fname, rdataset, sigrdataset); + dboptions, client->now, &node, fname, + rdataset, sigrdataset); + /* + * If we have found pending data try to validate it. + * If the data does not validate as secure and we can't + * use the unvalidated data requery the database with + * pending disabled to prevent infinite looping. + */ + if (result != ISC_R_SUCCESS || !DNS_TRUST_PENDING(rdataset->trust)) + goto validation_done; + if (rdataset->trust != dns_trust_pending_answer || + !PENDINGOK(client->query.dboptions)) { + dns_rdataset_disassociate(rdataset); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); + if (sigrdataset == &tmprdataset) + sigrdataset = NULL; + dns_db_detachnode(db, &node); + dboptions &= ~DNS_DBFIND_PENDINGOK; + goto refind; + } + validation_done: + if (sigrdataset == &tmprdataset) { + if (dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); + sigrdataset = NULL; + } resume: CTRACE("query_find: resume"); Modified: releng/6.3/contrib/bind9/lib/dns/include/dns/types.h ============================================================================== --- releng/6.3/contrib/bind9/lib/dns/include/dns/types.h Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.3/contrib/bind9/lib/dns/include/dns/types.h Wed Jan 6 21:45:30 2010 (r201679) @@ -226,40 +226,51 @@ enum { dns_trust_none = 0, #define dns_trust_none ((dns_trust_t)dns_trust_none) - /* Subject to DNSSEC validation but has not yet been validated */ - dns_trust_pending = 1, -#define dns_trust_pending ((dns_trust_t)dns_trust_pending) + /*% + * Subject to DNSSEC validation but has not yet been validated + * dns_trust_pending_additional (from the additional section). + */ + dns_trust_pending_additional = 1, +#define dns_trust_pending_additional \ + ((dns_trust_t)dns_trust_pending_additional) - /* Received in the additional section of a response. */ - dns_trust_additional = 2, + dns_trust_pending_answer = 2, +#define dns_trust_pending_answer ((dns_trust_t)dns_trust_pending_answer) + + /*% Received in the additional section of a response. */ + dns_trust_additional = 3, #define dns_trust_additional ((dns_trust_t)dns_trust_additional) - /* Received in a referral response. */ - dns_trust_glue = 3, + /* Received in a referral response. */ + dns_trust_glue = 4, #define dns_trust_glue ((dns_trust_t)dns_trust_glue) - /* Answser from a non-authoritative server */ - dns_trust_answer = 4, + /* Answer from a non-authoritative server */ + dns_trust_answer = 5, #define dns_trust_answer ((dns_trust_t)dns_trust_answer) /* Received in the authority section as part of an authoritative response */ - dns_trust_authauthority = 5, + dns_trust_authauthority = 6, #define dns_trust_authauthority ((dns_trust_t)dns_trust_authauthority) - /* Answser from an authoritative server */ - dns_trust_authanswer = 6, + /* Answer from an authoritative server */ + dns_trust_authanswer = 7, #define dns_trust_authanswer ((dns_trust_t)dns_trust_authanswer) - /* Successfully DNSSEC validated */ - dns_trust_secure = 7, + /* Successfully DNSSEC validated */ + dns_trust_secure = 8, #define dns_trust_secure ((dns_trust_t)dns_trust_secure) /* This server is authoritative */ - dns_trust_ultimate = 8 + dns_trust_ultimate = 9 #define dns_trust_ultimate ((dns_trust_t)dns_trust_ultimate) }; +#define DNS_TRUST_PENDING(x) ((x) == dns_trust_pending_answer || \ + (x) == dns_trust_pending_additional) +#define DNS_TRUST_GLUE(x) ((x) == dns_trust_glue) + /* * Name checking severites. */ Modified: releng/6.3/contrib/bind9/lib/dns/masterdump.c ============================================================================== --- releng/6.3/contrib/bind9/lib/dns/masterdump.c Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.3/contrib/bind9/lib/dns/masterdump.c Wed Jan 6 21:45:30 2010 (r201679) @@ -763,7 +763,8 @@ dump_order_compare(const void *a, const static const char *trustnames[] = { "none", - "pending", + "pending-additional", + "pending-answer", "additional", "glue", "answer", Modified: releng/6.3/contrib/bind9/lib/dns/rbtdb.c ============================================================================== --- releng/6.3/contrib/bind9/lib/dns/rbtdb.c Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.3/contrib/bind9/lib/dns/rbtdb.c Wed Jan 6 21:45:30 2010 (r201679) @@ -2652,7 +2652,7 @@ cache_zonecut_callback(dns_rbtnode_t *no } if (dname_header != NULL && - (dname_header->trust != dns_trust_pending || + (!DNS_TRUST_PENDING(dname_header->trust) || (search->options & DNS_DBFIND_PENDINGOK) != 0)) { /* * We increment the reference count on node to ensure that @@ -3113,7 +3113,7 @@ cache_find(dns_db_t *db, dns_name_t *nam if (found == NULL || (found->trust == dns_trust_glue && ((options & DNS_DBFIND_GLUEOK) == 0)) || - (found->trust == dns_trust_pending && + (DNS_TRUST_PENDING(found->trust) && ((options & DNS_DBFIND_PENDINGOK) == 0))) { /* * If there is an NS rdataset at this node, then this is the Modified: releng/6.3/contrib/bind9/lib/dns/resolver.c ============================================================================== --- releng/6.3/contrib/bind9/lib/dns/resolver.c Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.3/contrib/bind9/lib/dns/resolver.c Wed Jan 6 21:45:30 2010 (r201679) @@ -3603,6 +3603,7 @@ cache_name(fetchctx_t *fctx, dns_name_t * for it, unless it is glue. */ if (secure_domain && rdataset->trust != dns_trust_glue) { + dns_trust_t trust; /* * RRSIGs are validated as part of validating the * type they cover. @@ -3639,12 +3640,34 @@ cache_name(fetchctx_t *fctx, dns_name_t } /* + * Reject out of bailiwick additional records + * without RRSIGs as they can't possibly validate + * as "secure" and as we will never never want to + * store these as "answers" after validation. + */ + if (rdataset->trust == dns_trust_additional && + sigrdataset == NULL && EXTERNAL(rdataset)) + continue; + + /* + * XXXMPA: If we store as "answer" after validating + * then we need to do bailiwick processing and + * also need to track whether RRsets are in or + * out of bailiwick. This will require a another + * pending trust level. + * * Cache this rdataset/sigrdataset pair as - * pending data. + * pending data. Track whether it was additional + * or not. */ - rdataset->trust = dns_trust_pending; + if (rdataset->trust == dns_trust_additional) + trust = dns_trust_pending_additional; + else + trust = dns_trust_pending_answer; + + rdataset->trust = trust; if (sigrdataset != NULL) - sigrdataset->trust = dns_trust_pending; + sigrdataset->trust = trust; if (!need_validation) addedrdataset = ardataset; else @@ -3964,7 +3987,7 @@ ncache_message(fetchctx_t *fctx, dns_adb for (trdataset = ISC_LIST_HEAD(tname->list); trdataset != NULL; trdataset = ISC_LIST_NEXT(trdataset, link)) - trdataset->trust = dns_trust_pending; + trdataset->trust = dns_trust_pending_answer; result = dns_message_nextname(fctx->rmessage, DNS_SECTION_AUTHORITY); } Modified: releng/6.3/contrib/bind9/lib/dns/validator.c ============================================================================== --- releng/6.3/contrib/bind9/lib/dns/validator.c Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.3/contrib/bind9/lib/dns/validator.c Wed Jan 6 21:45:30 2010 (r201679) @@ -235,7 +235,7 @@ auth_nonpending(dns_message_t *message) rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { - if (rdataset->trust == dns_trust_pending) + if (DNS_TRUST_PENDING(rdataset->trust)) rdataset->trust = dns_trust_authauthority; } } @@ -1146,7 +1146,7 @@ get_key(dns_validator_t *val, dns_rdata_ * We have an rrset for the given keyname. */ val->keyset = &val->frdataset; - if (val->frdataset.trust == dns_trust_pending && + if (DNS_TRUST_PENDING(val->frdataset.trust) && dns_rdataset_isassociated(&val->fsigrdataset)) { /* @@ -1161,7 +1161,7 @@ get_key(dns_validator_t *val, dns_rdata_ if (result != ISC_R_SUCCESS) return (result); return (DNS_R_WAIT); - } else if (val->frdataset.trust == dns_trust_pending) { + } else if (DNS_TRUST_PENDING(val->frdataset.trust)) { /* * Having a pending key with no signature means that * something is broken. @@ -1723,7 +1723,7 @@ validatezonekey(dns_validator_t *val) { * We have DS records. */ val->dsset = &val->frdataset; - if (val->frdataset.trust == dns_trust_pending && + if (DNS_TRUST_PENDING(val->frdataset.trust) && dns_rdataset_isassociated(&val->fsigrdataset)) { result = create_validator(val, @@ -1736,7 +1736,7 @@ validatezonekey(dns_validator_t *val) { if (result != ISC_R_SUCCESS) return (result); return (DNS_R_WAIT); - } else if (val->frdataset.trust == dns_trust_pending) { + } else if (DNS_TRUST_PENDING(val->frdataset.trust)) { /* * There should never be an unsigned DS. */ Modified: releng/6.3/contrib/ntp/ntpd/ntp_request.c ============================================================================== --- releng/6.3/contrib/ntp/ntpd/ntp_request.c Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.3/contrib/ntp/ntpd/ntp_request.c Wed Jan 6 21:45:30 2010 (r201679) @@ -404,6 +404,7 @@ process_private( int mod_okay ) { + static u_long quiet_until; struct req_pkt *inpkt; struct req_pkt_tail *tailinpkt; struct sockaddr_storage *srcadr; @@ -439,8 +440,14 @@ process_private( || (++ec, INFO_MBZ(inpkt->mbz_itemsize) != 0) || (++ec, rbufp->recv_length < REQ_LEN_HDR) ) { - msyslog(LOG_ERR, "process_private: INFO_ERR_FMT: test %d failed, pkt from %s", ec, stoa(srcadr)); - req_ack(srcadr, inter, inpkt, INFO_ERR_FMT); + NLOG(NLOG_SYSEVENT) + if (current_time >= quiet_until) { + msyslog(LOG_ERR, + "process_private: drop test %d" + " failed, pkt from %s", + ec, stoa(srcadr)); + quiet_until = current_time + 60; + } return; } Modified: releng/6.3/sys/conf/newvers.sh ============================================================================== --- releng/6.3/sys/conf/newvers.sh Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.3/sys/conf/newvers.sh Wed Jan 6 21:45:30 2010 (r201679) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="6.3" -BRANCH="RELEASE-p14" +BRANCH="RELEASE-p15" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/6.4/UPDATING ============================================================================== --- releng/6.4/UPDATING Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.4/UPDATING Wed Jan 6 21:45:30 2010 (r201679) @@ -8,6 +8,12 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20100106: p9 FreeBSD-SA-10:01.bind, FreeBSD-SA-10:02.ntpd + Fix BIND named(8) cache poisoning with DNSSEC validation. + [SA-10:01] + + Fix ntpd mode 7 denial of service. [SA-10:02] + 20091203: p8 FreeBSD-SA-09:15.ssl, FreeBSD-SA-09:17.freebsd-update Disable SSL renegotiation in order to protect against a serious protocol flaw. [09:15] Modified: releng/6.4/contrib/bind9/bin/named/query.c ============================================================================== --- releng/6.4/contrib/bind9/bin/named/query.c Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.4/contrib/bind9/bin/named/query.c Wed Jan 6 21:45:30 2010 (r201679) @@ -92,6 +92,8 @@ #define DNS_GETDB_NOLOG 0x02U #define DNS_GETDB_PARTIAL 0x04U +#define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0) + static void query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype); @@ -1698,14 +1700,14 @@ query_addbestns(ns_client_t *client) { zsigrdataset = NULL; } - if ((client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0 && - (rdataset->trust == dns_trust_pending || - (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending))) + if ((DNS_TRUST_PENDING(rdataset->trust) || + (sigrdataset != NULL && DNS_TRUST_PENDING(sigrdataset->trust))) && + !PENDINGOK(client->query.dboptions)) goto cleanup; - if (WANTDNSSEC(client) && SECURE(client) && - (rdataset->trust == dns_trust_glue || - (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue))) + if ((DNS_TRUST_GLUE(rdataset->trust) || + (sigrdataset != NULL && DNS_TRUST_GLUE(sigrdataset->trust))) && + SECURE(client) && WANTDNSSEC(client)) goto cleanup; query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf, @@ -2367,6 +2369,8 @@ query_find(ns_client_t *client, dns_fetc unsigned int options; isc_boolean_t empty_wild; dns_rdataset_t *noqname; + dns_rdataset_t tmprdataset; + unsigned int dboptions; CTRACE("query_find"); @@ -2566,9 +2570,47 @@ query_find(ns_client_t *client, dns_fetc /* * Now look for an answer in the database. */ + dboptions = client->query.dboptions; + if (sigrdataset == NULL && client->view->enablednssec) { + /* + * If the client doesn't want DNSSEC we still want to + * look for any data pending validation to save a remote + * lookup if possible. + */ + dns_rdataset_init(&tmprdataset); + sigrdataset = &tmprdataset; + dboptions |= DNS_DBFIND_PENDINGOK; + } + refind: result = dns_db_find(db, client->query.qname, version, type, - client->query.dboptions, client->now, - &node, fname, rdataset, sigrdataset); + dboptions, client->now, &node, fname, + rdataset, sigrdataset); + /* + * If we have found pending data try to validate it. + * If the data does not validate as secure and we can't + * use the unvalidated data requery the database with + * pending disabled to prevent infinite looping. + */ + if (result != ISC_R_SUCCESS || !DNS_TRUST_PENDING(rdataset->trust)) + goto validation_done; + if (rdataset->trust != dns_trust_pending_answer || + !PENDINGOK(client->query.dboptions)) { + dns_rdataset_disassociate(rdataset); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); + if (sigrdataset == &tmprdataset) + sigrdataset = NULL; + dns_db_detachnode(db, &node); + dboptions &= ~DNS_DBFIND_PENDINGOK; + goto refind; + } + validation_done: + if (sigrdataset == &tmprdataset) { + if (dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); + sigrdataset = NULL; + } resume: CTRACE("query_find: resume"); Modified: releng/6.4/contrib/bind9/lib/dns/include/dns/types.h ============================================================================== --- releng/6.4/contrib/bind9/lib/dns/include/dns/types.h Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.4/contrib/bind9/lib/dns/include/dns/types.h Wed Jan 6 21:45:30 2010 (r201679) @@ -226,40 +226,51 @@ enum { dns_trust_none = 0, #define dns_trust_none ((dns_trust_t)dns_trust_none) - /* Subject to DNSSEC validation but has not yet been validated */ - dns_trust_pending = 1, -#define dns_trust_pending ((dns_trust_t)dns_trust_pending) + /*% + * Subject to DNSSEC validation but has not yet been validated + * dns_trust_pending_additional (from the additional section). + */ + dns_trust_pending_additional = 1, +#define dns_trust_pending_additional \ + ((dns_trust_t)dns_trust_pending_additional) - /* Received in the additional section of a response. */ - dns_trust_additional = 2, + dns_trust_pending_answer = 2, +#define dns_trust_pending_answer ((dns_trust_t)dns_trust_pending_answer) + + /*% Received in the additional section of a response. */ + dns_trust_additional = 3, #define dns_trust_additional ((dns_trust_t)dns_trust_additional) - /* Received in a referral response. */ - dns_trust_glue = 3, + /* Received in a referral response. */ + dns_trust_glue = 4, #define dns_trust_glue ((dns_trust_t)dns_trust_glue) - /* Answser from a non-authoritative server */ - dns_trust_answer = 4, + /* Answer from a non-authoritative server */ + dns_trust_answer = 5, #define dns_trust_answer ((dns_trust_t)dns_trust_answer) /* Received in the authority section as part of an authoritative response */ - dns_trust_authauthority = 5, + dns_trust_authauthority = 6, #define dns_trust_authauthority ((dns_trust_t)dns_trust_authauthority) - /* Answser from an authoritative server */ - dns_trust_authanswer = 6, + /* Answer from an authoritative server */ + dns_trust_authanswer = 7, #define dns_trust_authanswer ((dns_trust_t)dns_trust_authanswer) - /* Successfully DNSSEC validated */ - dns_trust_secure = 7, + /* Successfully DNSSEC validated */ + dns_trust_secure = 8, #define dns_trust_secure ((dns_trust_t)dns_trust_secure) /* This server is authoritative */ - dns_trust_ultimate = 8 + dns_trust_ultimate = 9 #define dns_trust_ultimate ((dns_trust_t)dns_trust_ultimate) }; +#define DNS_TRUST_PENDING(x) ((x) == dns_trust_pending_answer || \ + (x) == dns_trust_pending_additional) +#define DNS_TRUST_GLUE(x) ((x) == dns_trust_glue) + /* * Name checking severites. */ Modified: releng/6.4/contrib/bind9/lib/dns/masterdump.c ============================================================================== --- releng/6.4/contrib/bind9/lib/dns/masterdump.c Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.4/contrib/bind9/lib/dns/masterdump.c Wed Jan 6 21:45:30 2010 (r201679) @@ -763,7 +763,8 @@ dump_order_compare(const void *a, const static const char *trustnames[] = { "none", - "pending", + "pending-additional", + "pending-answer", "additional", "glue", "answer", Modified: releng/6.4/contrib/bind9/lib/dns/rbtdb.c ============================================================================== --- releng/6.4/contrib/bind9/lib/dns/rbtdb.c Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.4/contrib/bind9/lib/dns/rbtdb.c Wed Jan 6 21:45:30 2010 (r201679) @@ -2667,7 +2667,7 @@ cache_zonecut_callback(dns_rbtnode_t *no } if (dname_header != NULL && - (dname_header->trust != dns_trust_pending || + (!DNS_TRUST_PENDING(dname_header->trust) || (search->options & DNS_DBFIND_PENDINGOK) != 0)) { /* * We increment the reference count on node to ensure that @@ -3129,7 +3129,7 @@ cache_find(dns_db_t *db, dns_name_t *nam if (found == NULL || (found->trust == dns_trust_glue && ((options & DNS_DBFIND_GLUEOK) == 0)) || - (found->trust == dns_trust_pending && + (DNS_TRUST_PENDING(found->trust) && ((options & DNS_DBFIND_PENDINGOK) == 0))) { /* * If there is an NS rdataset at this node, then this is the Modified: releng/6.4/contrib/bind9/lib/dns/resolver.c ============================================================================== --- releng/6.4/contrib/bind9/lib/dns/resolver.c Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.4/contrib/bind9/lib/dns/resolver.c Wed Jan 6 21:45:30 2010 (r201679) @@ -3657,6 +3657,7 @@ cache_name(fetchctx_t *fctx, dns_name_t * for it, unless it is glue. */ if (secure_domain && rdataset->trust != dns_trust_glue) { + dns_trust_t trust; /* * RRSIGs are validated as part of validating the * type they cover. @@ -3693,12 +3694,34 @@ cache_name(fetchctx_t *fctx, dns_name_t } /* + * Reject out of bailiwick additional records + * without RRSIGs as they can't possibly validate + * as "secure" and as we will never never want to + * store these as "answers" after validation. + */ + if (rdataset->trust == dns_trust_additional && + sigrdataset == NULL && EXTERNAL(rdataset)) + continue; + + /* + * XXXMPA: If we store as "answer" after validating + * then we need to do bailiwick processing and + * also need to track whether RRsets are in or + * out of bailiwick. This will require a another + * pending trust level. + * * Cache this rdataset/sigrdataset pair as - * pending data. + * pending data. Track whether it was additional + * or not. */ - rdataset->trust = dns_trust_pending; + if (rdataset->trust == dns_trust_additional) + trust = dns_trust_pending_additional; + else + trust = dns_trust_pending_answer; + + rdataset->trust = trust; if (sigrdataset != NULL) - sigrdataset->trust = dns_trust_pending; + sigrdataset->trust = trust; if (!need_validation) addedrdataset = ardataset; else @@ -4044,7 +4067,7 @@ ncache_message(fetchctx_t *fctx, dns_adb for (trdataset = ISC_LIST_HEAD(tname->list); trdataset != NULL; trdataset = ISC_LIST_NEXT(trdataset, link)) - trdataset->trust = dns_trust_pending; + trdataset->trust = dns_trust_pending_answer; result = dns_message_nextname(fctx->rmessage, DNS_SECTION_AUTHORITY); } Modified: releng/6.4/contrib/bind9/lib/dns/validator.c ============================================================================== --- releng/6.4/contrib/bind9/lib/dns/validator.c Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.4/contrib/bind9/lib/dns/validator.c Wed Jan 6 21:45:30 2010 (r201679) @@ -238,7 +238,7 @@ auth_nonpending(dns_message_t *message) rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { - if (rdataset->trust == dns_trust_pending) + if (DNS_TRUST_PENDING(rdataset->trust)) rdataset->trust = dns_trust_authauthority; } } @@ -1175,7 +1175,7 @@ get_key(dns_validator_t *val, dns_rdata_ * We have an rrset for the given keyname. */ val->keyset = &val->frdataset; - if (val->frdataset.trust == dns_trust_pending && + if (DNS_TRUST_PENDING(val->frdataset.trust) && dns_rdataset_isassociated(&val->fsigrdataset)) { /* @@ -1190,7 +1190,7 @@ get_key(dns_validator_t *val, dns_rdata_ if (result != ISC_R_SUCCESS) return (result); return (DNS_R_WAIT); - } else if (val->frdataset.trust == dns_trust_pending) { + } else if (DNS_TRUST_PENDING(val->frdataset.trust)) { /* * Having a pending key with no signature means that * something is broken. @@ -1758,7 +1758,7 @@ validatezonekey(dns_validator_t *val) { * We have DS records. */ val->dsset = &val->frdataset; - if (val->frdataset.trust == dns_trust_pending && + if (DNS_TRUST_PENDING(val->frdataset.trust) && dns_rdataset_isassociated(&val->fsigrdataset)) { result = create_validator(val, @@ -1771,7 +1771,7 @@ validatezonekey(dns_validator_t *val) { if (result != ISC_R_SUCCESS) return (result); return (DNS_R_WAIT); - } else if (val->frdataset.trust == dns_trust_pending) { + } else if (DNS_TRUST_PENDING(val->frdataset.trust)) { /* * There should never be an unsigned DS. */ @@ -2564,7 +2564,7 @@ proveunsecure(dns_validator_t *val, isc_ * There is no DS. If this is a delegation, * we maybe done. */ - if (val->frdataset.trust == dns_trust_pending) { + if (DNS_TRUST_PENDING(val->frdataset.trust)) { result = create_fetch(val, tname, dns_rdatatype_ds, dsfetched2, Modified: releng/6.4/contrib/ntp/ntpd/ntp_request.c ============================================================================== --- releng/6.4/contrib/ntp/ntpd/ntp_request.c Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.4/contrib/ntp/ntpd/ntp_request.c Wed Jan 6 21:45:30 2010 (r201679) @@ -409,6 +409,7 @@ process_private( int mod_okay ) { + static u_long quiet_until; struct req_pkt *inpkt; struct req_pkt_tail *tailinpkt; struct sockaddr_storage *srcadr; @@ -444,8 +445,14 @@ process_private( || (++ec, INFO_MBZ(inpkt->mbz_itemsize) != 0) || (++ec, rbufp->recv_length < REQ_LEN_HDR) ) { - msyslog(LOG_ERR, "process_private: INFO_ERR_FMT: test %d failed, pkt from %s", ec, stoa(srcadr)); - req_ack(srcadr, inter, inpkt, INFO_ERR_FMT); + NLOG(NLOG_SYSEVENT) + if (current_time >= quiet_until) { + msyslog(LOG_ERR, + "process_private: drop test %d" + " failed, pkt from %s", + ec, stoa(srcadr)); + quiet_until = current_time + 60; + } return; } Modified: releng/6.4/sys/conf/newvers.sh ============================================================================== --- releng/6.4/sys/conf/newvers.sh Wed Jan 6 21:36:33 2010 (r201678) +++ releng/6.4/sys/conf/newvers.sh Wed Jan 6 21:45:30 2010 (r201679) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="6.4" -BRANCH="RELEASE-p8" +BRANCH="RELEASE-p9" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/7.1/UPDATING ============================================================================== --- releng/7.1/UPDATING Wed Jan 6 21:36:33 2010 (r201678) +++ releng/7.1/UPDATING Wed Jan 6 21:45:30 2010 (r201679) @@ -8,6 +8,15 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20100106: p10 FreeBSD-SA-10:01.bind, FreeBSD-SA-10:02.ntpd, + FreeBSD-SA-10:03.zfs + Fix BIND named(8) cache poisoning with DNSSEC validation. + [SA-10:01] + + Fix ntpd mode 7 denial of service. [SA-10:02] + + Fix ZFS ZIL playback with insecure permissions. [SA-10:03] + 20091203: p9 FreeBSD-SA-09:15.ssl, FreeBSD-SA-09:16.rtld, FreeBSD-SA-09:17.freebsd-update Disable SSL renegotiation in order to protect against a serious Modified: releng/7.1/contrib/bind9/bin/named/query.c ============================================================================== --- releng/7.1/contrib/bind9/bin/named/query.c Wed Jan 6 21:36:33 2010 (r201678) +++ releng/7.1/contrib/bind9/bin/named/query.c Wed Jan 6 21:45:30 2010 (r201679) @@ -109,6 +109,8 @@ #define DNS_GETDB_NOLOG 0x02U #define DNS_GETDB_PARTIAL 0x04U +#define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0) + typedef struct client_additionalctx { ns_client_t *client; dns_rdataset_t *rdataset; @@ -1721,8 +1723,8 @@ query_addadditional2(void *arg, dns_name */ if (result == ISC_R_SUCCESS && additionaltype == dns_rdatasetadditional_fromcache && - (rdataset->trust == dns_trust_pending || - rdataset->trust == dns_trust_glue) && + (DNS_TRUST_PENDING(rdataset->trust) || + DNS_TRUST_GLUE(rdataset->trust)) && !validate(client, db, fname, rdataset, sigrdataset)) { dns_rdataset_disassociate(rdataset); if (dns_rdataset_isassociated(sigrdataset)) @@ -1761,8 +1763,8 @@ query_addadditional2(void *arg, dns_name */ if (result == ISC_R_SUCCESS && additionaltype == dns_rdatasetadditional_fromcache && - (rdataset->trust == dns_trust_pending || - rdataset->trust == dns_trust_glue) && + (DNS_TRUST_PENDING(rdataset->trust) || + DNS_TRUST_GLUE(rdataset->trust)) && !validate(client, db, fname, rdataset, sigrdataset)) { dns_rdataset_disassociate(rdataset); if (dns_rdataset_isassociated(sigrdataset)) @@ -2547,14 +2549,14 @@ query_addbestns(ns_client_t *client) { /* * Attempt to validate RRsets that are pending or that are glue. */ - if ((rdataset->trust == dns_trust_pending || - (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending)) + if ((DNS_TRUST_PENDING(rdataset->trust) || + (sigrdataset != NULL && DNS_TRUST_PENDING(sigrdataset->trust))) && !validate(client, db, fname, rdataset, sigrdataset) && - (client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0) + !PENDINGOK(client->query.dboptions)) goto cleanup; - if ((rdataset->trust == dns_trust_glue || - (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue)) && + if ((DNS_TRUST_GLUE(rdataset->trust) || + (sigrdataset != NULL && DNS_TRUST_GLUE(sigrdataset->trust))) && !validate(client, db, fname, rdataset, sigrdataset) && SECURE(client) && WANTDNSSEC(client)) goto cleanup; @@ -3335,6 +3337,8 @@ query_find(ns_client_t *client, dns_fetc unsigned int options; isc_boolean_t empty_wild; dns_rdataset_t *noqname; + dns_rdataset_t tmprdataset; + unsigned int dboptions; CTRACE("query_find"); @@ -3544,9 +3548,49 @@ query_find(ns_client_t *client, dns_fetc /* * Now look for an answer in the database. */ + dboptions = client->query.dboptions; + if (sigrdataset == NULL && client->view->enablednssec) { + /* + * If the client doesn't want DNSSEC we still want to + * look for any data pending validation to save a remote + * lookup if possible. + */ + dns_rdataset_init(&tmprdataset); + sigrdataset = &tmprdataset; + dboptions |= DNS_DBFIND_PENDINGOK; + } + refind: result = dns_db_find(db, client->query.qname, version, type, - client->query.dboptions, client->now, - &node, fname, rdataset, sigrdataset); + dboptions, client->now, &node, fname, + rdataset, sigrdataset); + /* + * If we have found pending data try to validate it. + * If the data does not validate as secure and we can't + * use the unvalidated data requery the database with + * pending disabled to prevent infinite looping. + */ + if (result != ISC_R_SUCCESS || !DNS_TRUST_PENDING(rdataset->trust)) + goto validation_done; + if (validate(client, db, fname, rdataset, sigrdataset)) + goto validation_done; + if (rdataset->trust != dns_trust_pending_answer || + !PENDINGOK(client->query.dboptions)) { + dns_rdataset_disassociate(rdataset); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); + if (sigrdataset == &tmprdataset) + sigrdataset = NULL; + dns_db_detachnode(db, &node); + dboptions &= ~DNS_DBFIND_PENDINGOK; + goto refind; + } + validation_done: + if (sigrdataset == &tmprdataset) { + if (dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); + sigrdataset = NULL; + } resume: CTRACE("query_find: resume"); Modified: releng/7.1/contrib/bind9/lib/dns/include/dns/types.h ============================================================================== --- releng/7.1/contrib/bind9/lib/dns/include/dns/types.h Wed Jan 6 21:36:33 2010 (r201678) +++ releng/7.1/contrib/bind9/lib/dns/include/dns/types.h Wed Jan 6 21:45:30 2010 (r201679) @@ -241,40 +241,52 @@ enum { dns_trust_none = 0, #define dns_trust_none ((dns_trust_t)dns_trust_none) - /*% Subject to DNSSEC validation but has not yet been validated */ - dns_trust_pending = 1, -#define dns_trust_pending ((dns_trust_t)dns_trust_pending) - + /*% + * Subject to DNSSEC validation but has not yet been validated + * dns_trust_pending_additional (from the additional section). + */ + dns_trust_pending_additional = 1, +#define dns_trust_pending_additional \ + ((dns_trust_t)dns_trust_pending_additional) + + dns_trust_pending_answer = 2, +#define dns_trust_pending_answer ((dns_trust_t)dns_trust_pending_answer) + /*% Received in the additional section of a response. */ - dns_trust_additional = 2, + dns_trust_additional = 3, #define dns_trust_additional ((dns_trust_t)dns_trust_additional) - - /* Received in a referral response. */ - dns_trust_glue = 3, + + /* Received in a referral response. */ + dns_trust_glue = 4, #define dns_trust_glue ((dns_trust_t)dns_trust_glue) - - /* Answser from a non-authoritative server */ - dns_trust_answer = 4, + + /* Answer from a non-authoritative server */ + dns_trust_answer = 5, #define dns_trust_answer ((dns_trust_t)dns_trust_answer) - + /* Received in the authority section as part of an authoritative response */ - dns_trust_authauthority = 5, + dns_trust_authauthority = 6, #define dns_trust_authauthority ((dns_trust_t)dns_trust_authauthority) - /* Answser from an authoritative server */ - dns_trust_authanswer = 6, + /* Answer from an authoritative server */ + dns_trust_authanswer = 7, #define dns_trust_authanswer ((dns_trust_t)dns_trust_authanswer) - - /* Successfully DNSSEC validated */ - dns_trust_secure = 7, + + /* Successfully DNSSEC validated */ + dns_trust_secure = 8, #define dns_trust_secure ((dns_trust_t)dns_trust_secure) /* This server is authoritative */ - dns_trust_ultimate = 8 + dns_trust_ultimate = 9 #define dns_trust_ultimate ((dns_trust_t)dns_trust_ultimate) }; +#define DNS_TRUST_PENDING(x) ((x) == dns_trust_pending_answer || \ + (x) == dns_trust_pending_additional) +#define DNS_TRUST_GLUE(x) ((x) == dns_trust_glue) + + /*% * Name checking severites. */ Modified: releng/7.1/contrib/bind9/lib/dns/masterdump.c ============================================================================== --- releng/7.1/contrib/bind9/lib/dns/masterdump.c Wed Jan 6 21:36:33 2010 (r201678) +++ releng/7.1/contrib/bind9/lib/dns/masterdump.c Wed Jan 6 21:45:30 2010 (r201679) @@ -774,7 +774,8 @@ dump_order_compare(const void *a, const static const char *trustnames[] = { "none", - "pending", + "pending-additional", + "pending-answer", "additional", "glue", "answer", Modified: releng/7.1/contrib/bind9/lib/dns/rbtdb.c ============================================================================== --- releng/7.1/contrib/bind9/lib/dns/rbtdb.c Wed Jan 6 21:36:33 2010 (r201678) +++ releng/7.1/contrib/bind9/lib/dns/rbtdb.c Wed Jan 6 21:45:30 2010 (r201679) @@ -3070,7 +3070,7 @@ cache_zonecut_callback(dns_rbtnode_t *no } if (dname_header != NULL && - (dname_header->trust != dns_trust_pending || + (!DNS_TRUST_PENDING(dname_header->trust) || (search->options & DNS_DBFIND_PENDINGOK) != 0)) { /* * We increment the reference count on node to ensure that @@ -3584,7 +3584,7 @@ cache_find(dns_db_t *db, dns_name_t *nam if (found == NULL || (found->trust == dns_trust_glue && ((options & DNS_DBFIND_GLUEOK) == 0)) || - (found->trust == dns_trust_pending && + (DNS_TRUST_PENDING(found->trust) && ((options & DNS_DBFIND_PENDINGOK) == 0))) { /* * If there is an NS rdataset at this node, then this is the Modified: releng/7.1/contrib/bind9/lib/dns/resolver.c ============================================================================== --- releng/7.1/contrib/bind9/lib/dns/resolver.c Wed Jan 6 21:36:33 2010 (r201678) +++ releng/7.1/contrib/bind9/lib/dns/resolver.c Wed Jan 6 21:45:30 2010 (r201679) @@ -3847,6 +3847,7 @@ cache_name(fetchctx_t *fctx, dns_name_t * for it, unless it is glue. */ if (secure_domain && rdataset->trust != dns_trust_glue) { + dns_trust_t trust; /* * RRSIGs are validated as part of validating the * type they cover. @@ -3883,12 +3884,34 @@ cache_name(fetchctx_t *fctx, dns_name_t } /* + * Reject out of bailiwick additional records + * without RRSIGs as they can't possibly validate + * as "secure" and as we will never never want to + * store these as "answers" after validation. + */ + if (rdataset->trust == dns_trust_additional && + sigrdataset == NULL && EXTERNAL(rdataset)) + continue; + + /* + * XXXMPA: If we store as "answer" after validating + * then we need to do bailiwick processing and + * also need to track whether RRsets are in or + * out of bailiwick. This will require a another + * pending trust level. + * * Cache this rdataset/sigrdataset pair as - * pending data. + * pending data. Track whether it was additional + * or not. */ - rdataset->trust = dns_trust_pending; + if (rdataset->trust == dns_trust_additional) + trust = dns_trust_pending_additional; + else + trust = dns_trust_pending_answer; + + rdataset->trust = trust; if (sigrdataset != NULL) - sigrdataset->trust = dns_trust_pending; + sigrdataset->trust = trust; if (!need_validation) addedrdataset = ardataset; else @@ -4236,7 +4259,7 @@ ncache_message(fetchctx_t *fctx, dns_adb for (trdataset = ISC_LIST_HEAD(tname->list); trdataset != NULL; trdataset = ISC_LIST_NEXT(trdataset, link)) - trdataset->trust = dns_trust_pending; + trdataset->trust = dns_trust_pending_answer; result = dns_message_nextname(fctx->rmessage, *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201001062145.o06LjVCB048836>