125 Commits

Author SHA1 Message Date
Philip Prindeville
9d751f30fd bind: manual fix for IPv6 server unreachable noise
Until we have a failsafe way of detecting no IPv6 internet
connectivity automatically, allow the users to set it
manually for now.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2025-12-12 18:06:44 -07:00
Philip Prindeville
605a457cac bind: save out served domains on service stop
If named gets stopped, then started again, but isc-dhcpd isn't also
restarted, then we want named to at least have the existing content.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2025-12-06 14:05:05 -07:00
Noah Meyerhans
59465b95b8 bind: bump to 9.20.15
Fixes the following security issues:

- CVE-2025-8677: DNSSEC validation fails if matching but invalid
  DNSKEY is found.
- CVE-2025-40778: Address various spoofing attacks.
- CVE-2025-40780: Cache-poisoning due to weak pseudo-random number
  generator.

The complete list of changes from version 9.20.11 is available in the
upstream changelog at
https://ftp.isc.org/isc/bind9/9.20.15/doc/arm/html/changelog.html

Signed-off-by: Noah Meyerhans <frodo@morgul.net>
2025-10-22 19:12:41 -04:00
David Härdeman
c3a4dc458e bind: don't break IPv6 support
What started in #20183 as an attempt to clean up noise in the logfiles,
turned out to be causing denial-of-service for dual-stack and especially
IPv6-only environments.

Breaking core network functionality cannot possibly be less important
than cosmetic issues, and those affected by log spam can avoid it via
other means (e.g. "query-source-v6 none;" in named.conf).

There's no reliable heuristic for determining whether there's IPv6
connectivity at the time bind is started which will catch any and all
corner cases, as discussed in #26327.

So, remove this logic for now. If a suitable heuristic can be devised,
it can always be added in a subsequent patch, but I have my doubts.

(Also, quote one variable to make shellcheck happy)

Closes: #26327
Closes: #20468

Signed-off-by: David Härdeman <david@hardeman.nu>
2025-09-19 08:35:38 -07:00
David Härdeman
1884225455 bind: fix build and bump PKG_RELEASE
bind9 builds for me on 24.10, but it doesn't build on master with or without my
patches.

The build already dies on the configure stage (without my patches applied),
because the autoconf magic manages to mix up the host gcc and the
cross-compiling gcc.

Removing PKG_FIXUP:=autoreconf from the Makefile fixes that, but compilation chokes later instead on libtool magic:

    make[7]: Entering directory '/home/build/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/bind-9.20.11/bin/rndc'
    ...
    /bin/bash ../../libtool  --tag=CC   --mode=link arm-openwrt-linux-muslgnueabi-gcc ...
    libtool: link: arm-openwrt-linux-muslgnueabi-gcc ...
    .../bin/ld.bfd: warning: libns-9.20.11.so, needed by ../../lib/isccfg/.libs/libisccfg.so, not found (try using -rpath or -rpath-link)
    ...
    collect2: error: ld returned 1 exit status

Which I did a (compile-tested only) quick and dirty fix for.

Also, BUILD_CC isn't defined anywhere in the current bind sources, so I removed
that as well.

Signed-off-by: David Härdeman <david@hardeman.nu>
2025-09-13 13:36:41 -07:00
David Härdeman
dc68b66797 isc-dhcp: create zones using rndc
This changes isc-dhcp's init script to create bind zones using the tools
bind provides for that scenario instead of crafting separate zone
configuration by hand.

At the same time, remove the use of /tmp/bind/named.conf.local and add
permissions for dynamic zone creation to bind.

Signed-off-by: David Härdeman <david@hardeman.nu>
2025-09-13 13:36:41 -07:00
David Härdeman
86b84e6775 bind: update conffiles list
The previous patches removed a number of conffiles that weren't necessary,
meaning we can now assume that any changes or additional files in /etc/bind
are things that the user wants to keep.

Since /var/lib/bind is the standard location for longer-lived zone data
(i.e. not zones that secondary servers have obtained via XFER), we symlink
it to /etc/bind/zones so that it survives a sysupgrade.

Temporary files (such as XFER:ed zones for secondaries) stay in
/var/cache/bind.

Signed-off-by: David Härdeman <david@hardeman.nu>
2025-09-13 13:36:41 -07:00
David Härdeman
7d5e909155 bind: update init script
Simplify the init script, removing some unnecessary subshells, and make sure
that the end result is shellcheck clean.

Signed-off-by: David Härdeman <david@hardeman.nu>
2025-09-13 13:36:41 -07:00
David Härdeman
2a3454aee0 bind: use default rndc control channel
The present logic recreates what is already the default in bind [1], and writes
the rndc key twice to two different files. In addition, the rndc key is
regenerated every time bind is restarted. Simplify this by relying on the
default behaviour instead.

[1] https://bind9.readthedocs.io/en/latest/reference.html#controls-block-definition-and-usage

Signed-off-by: David Härdeman <david@hardeman.nu>
2025-09-13 13:36:41 -07:00
David Härdeman
0fdb6d6029 bind: rename named.conf.example
The file actually gets installed as /etc/bind/named.conf, so rename the file to
clarify that.

Signed-off-by: David Härdeman <david@hardeman.nu>
2025-09-13 13:36:41 -07:00
David Härdeman
3e49e7728c bind: remove bind.keys
First, the file is out-of-date.

Second, and more importantly, bind9 includes a compiled-in version which is
up-to-date (see https://www.isc.org/bind-keys/).

Signed-off-by: David Härdeman <david@hardeman.nu>
2025-09-13 13:36:41 -07:00
David Härdeman
a70bb74683 bind: update db.root
The previous version was quite out of date.

Signed-off-by: David Härdeman <david@hardeman.nu>
2025-09-13 13:36:41 -07:00
David Härdeman
3452949a08 bind: remove obsolete zone files
Bind9 has native support for these zones via the "empty-zones yes" directive,
which is enabled by default.

(cf. bb1cda792b)

Signed-off-by: David Härdeman <david@hardeman.nu>
2025-09-13 13:36:41 -07:00
David Härdeman
8b473c82aa bind: update wording in Config.in
And make it less imperative to match the tone of the rest of the configuration
directives. Also, fix a typo.

Signed-off-by: David Härdeman <david@hardeman.nu>
2025-09-13 13:36:41 -07:00
David Härdeman
3150242347 bind: update named.conf
First, change the "directory" to point to /var/cache/bind, which ensures that
e.g. simple file "something" statements for secondary servers will create files
there (the directory is created by the init script, so we're sure that it
exists). This behaviour matches e.g. what Debian does.

Second, remove the "auth-nxdomain" stanza which is the default in bind since
9.0 was released.

Third, change "master" to "primary" (the wording used in the bind reference
docs).

Signed-off-by: David Härdeman <david@hardeman.nu>
2025-09-13 13:36:41 -07:00
David Härdeman
e8293e59f2 bind: bind-server depends on bind-rndc
rndc-confgen is used in /etc/init.d/named, so make sure that it is available.

Signed-off-by: David Härdeman <david@hardeman.nu>
2025-09-13 13:36:41 -07:00
Liu Yu
283702c29f bind: bump to 9.20.11
Fix a possible assertion failure when stale-answer-client-timeout
is set to 0. (CVE-2025-40777)

Signed-off-by: Liu Yu <f78fk@live.com>
2025-07-20 08:47:12 -04:00
Liu Yu
43681b5420 bind: bump to 9.20.10
New notify-defer configuration option
Removed dependency on libsystemd
Fixed zone deletion issue (GL #5291)
Fixed zone refresh bug (GL #5307)

reset PKG_RELEASE to 1

Signed-off-by: Liu Yu <f78fk@live.com>
Co-authored-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-07-18 08:36:02 -04:00
Philip Prindeville
1724aeda5b bind: enable building against jemalloc library
This provides better instrumentation for finding where memory is
being used, and/or leaked.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2025-06-11 21:13:39 -06:00
Philip Prindeville
b82574b31c named: /var/run/named isn't being created with correct permissions
It needs to be group writable or session.key can't be written once
named drops privileges.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2025-05-27 09:52:49 -04:00
Noah Meyerhans
1fe4146126 bind: bump to 9.20.9
CVE-2025-40775: Prevent assertion when processing TSIG algorithm.  DNS messages
that included a Transaction Signature (TSIG) containing an invalid value in the
algorithm field caused named to crash with an assertion failure. This has been
fixed.

Signed-off-by: Noah Meyerhans <frodo@morgul.net>
2025-05-21 17:02:21 -04:00
Philip Prindeville
77de6687df bind: bump to 9.20.8
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2025-05-18 19:21:49 -04:00
Pascal Ernster
2d66b6c8f2 bind: bump to 9.20.7
Verbatim copy from upstream's release notes:

Notes for BIND 9.20.7

- New Features
  - Implement the min-transfer-rate-in configuration option.
  - A new option min-transfer-rate-in has been added to the view and zone configurations. It can abort incoming zone transfers that run very slowly due to network-related issues, for example. The default value is 10240 bytes in five minutes. [GL #3914]
  - Add HTTPS record query to host command line tool.
  - The host command was extended to also query for the HTTPS RR type by default.
  - Implement sig0key-checks-limit and sig0message-checks-limit.
  - Previously, a hard-coded limitation of a maximum of two key or message verification checks was introduced when checking a message’s SIG(0) signature, to protect against possible DoS attacks. Two as a maximum was chosen so that more than a single key should only be required during key rotations, and in that case two keys are enough. It later became apparent that there are other use cases where even more keys are required; see the related GitLab issue for examples.
  - This change introduces two new configuration options for the views: sig0key-checks-limit and sig0message-checks-limit. They define how many keys can be checked to find a matching key, and how many message verifications are allowed to take place once a matching key has been found. The former provides slightly less “expensive” key parsing operations and defaults to 16. The latter protects against expensive cryptographic operations when there are keys with colliding tags and algorithm numbers; the default is 2. [GL #5050]
- Bug Fixes
  - Fix dual-stack-servers configuration option.
  - The dual-stack-servers configuration option was not working as expected; the specified servers were not being used when they should have been, leading to resolution failures. This has been fixed. [GL #5019]
  - Fix a data race causing a permanent active client increase.
  - Previously, a data race could cause a newly created fetch context for a new client to be used before it had been fully initialized, which would cause the query to become stuck; queries for the same data would be either paused indefinitely or dropped because of the clients-per-query limit. This has been fixed. [GL #5053]
  - Fix deferred validation of unsigned DS and DNSKEY records.
  - When processing a query with the “checking disabled” bit set (CD=1), named stores the invalidated result in the cache, marked “pending”. When the same query is sent with CD=0, the cached data is validated and either accepted as an answer, or ejected from the cache as invalid. This deferred validation was not attempted for DS and DNSKEY records if they had no cached signatures, causing spurious validation failures. The deferred validation is now completed in this scenario.
  - Also, if deferred validation fails, the data is now re-queried to find out whether the zone has been corrected since the invalid data was cached. [GL #5066]
  - Fix RPZ race condition during a reconfiguration.
  - With RPZ in use, named could terminate unexpectedly because of a race condition when a reconfiguration command was received using rndc. This has been fixed. [GL #5146]
  - “CNAME and other data check” not applied to all types.
  - An incorrect optimization caused “CNAME and other data” errors not to be detected if certain types were at the same node as a CNAME. This has been fixed. [GL #5150]
  - Relax private DNSKEY and RRSIG constraints.
  - DNSKEY, KEY, RRSIG, and SIG constraints have been relaxed to allow empty key and signature material after the algorithm identifier for PRIVATEOID and PRIVATEDNS. It is arguable whether this falls within the expected use of these types, as no key material is shared and the signatures are ineffective, but these are private algorithms and they can be totally insecure. [GL #5167]
  - Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
  - Previously, when parsing responses, named incorrectly rejected responses without matching RRSIG records for NSEC/DS/NSEC3 records in the authority section. This rejection, if appropriate, should have been left for the validator to determine and has been fixed. [GL #5185]
  - Fix TTL issue with ANY queries processed through RPZ “passthru”.
  - Answers to an “ANY” query which were processed by the RPZ “passthru” policy had the response-policy’s max-policy-ttl value unexpectedly applied. This has been fixed. [GL #5187]
  - dnssec-signzone needs to check for a NULL key when setting offline.
  - dnssec-signzone could dereference a NULL key pointer when resigning a zone. This has been fixed. [GL #5192]
  - Fix a bug in the statistics channel when querying zone transfer information.
  - When querying zone transfer information from the statistics channel, there was a rare possibility that named could terminate unexpectedly if a zone transfer was in a state when transferring from all the available primary servers had failed earlier. This has been fixed. [GL #5198]
  - Fix assertion failure when dumping recursing clients.
  - Previously, if a new counter was added to the hash table while dumping recursing clients via the rndc recursing command, and fetches-per-zone was enabled, an assertion failure could occur. This has been fixed. [GL #5200]
  - Dump the active resolver fetches from dns_resolver_dumpfetches()
  - Previously, active resolver fetches were only dumped when the fetches-per-zone configuration option was enabled. Now, active resolver fetches are dumped along with the number of clients-per-query counters per resolver fetch.

Notes for BIND 9.20.6

- New Features
  - Adds support for EDE code 1 and 2.
  - Support was added for EDE codes 1 and 2, which might occur during DNSSEC validation in the case of an unsupported RRSIG algorithm or DNSKEY digest. [GL #2715]
  - Add an rndc command to toggle jemalloc profiling.
  - The new command is rndc memprof; the memory profiling status is also reported inside rndc status. The status shows whether named can toggle memory profiling, and whether the server is built with jemalloc. [GL #4759]
  - Add support for multiple extended DNS errors.
  - The Extended DNS Error (EDE) mechanism may raise errors during a DNS resolution. named is now able to add up to three EDE codes in a DNS response. If there are duplicate error codes, only the first one is part of the DNS response. [GL #5085]
  - Print the expiration time of stale records.
  - BIND now prints the expiration time of any stale RRsets in the cache dump.
- Bug Fixes
  - Recently expired records could be returned with a timestamp in future.
  - Under rare circumstances, an RRSet that expired at the time of the query could be returned with a TTL in the future. This has been fixed.
  - As a side effect, the expiration time of expired RRSets is no longer returned in a cache dump. [GL #5094]
  - YAML string not terminated in negative response in delv.
  - [GL #5098]
  - Fix a bug in dnssec-signzone related to keys being offline.
  - When dnssec-signzone was called on an already-signed zone and the private key file was unavailable, a signature that needed to be refreshed was dropped without being able to generate a replacement. This has been fixed. [GL #5126]
  - Apply the memory limit only to ADB database items.
  - Under heavy load, a resolver could exhaust the memory available for storing the information in the Address Database (ADB), effectively discarding previously stored information in the ADB. The memory used to retrieve and provide information from the ADB is no longer subject to the same memory limits that are applied to the Address Database. [GL #5127]
  - Avoid unnecessary locking in the zone/cache database.
  - Lock contention among many worker threads referring to the same database node at the same time is now prevented. This improves zone and cache database performance for any heavily contended database nodes. [GL #5130]
  - Fix reporting of Extended DNS Error 22 (No Reachable Authority).
  - This error code was previously not reported in some applicable situations. This has been fixed. [GL #5137]

Compile tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09
Compile tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09
Compile tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09
Run tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09, booted and used for 7h without issues

Signed-off-by: Pascal Ernster <git@hardfalcon.net>
2025-03-22 19:22:40 -04:00
Noah Meyerhans
55c559347f bind: bump to 9.20.5
Fixes CVEs:
- CVE-2024-12705: DNS-over-HTTPS flooding
- CVE-2024-11187: Limit additional section processing for large RDATA sets

Signed-off-by: Noah Meyerhans <frodo@morgul.net>
2025-01-31 11:56:38 -05:00
Noah Meyerhans
2b48c6d34e bind: bump to 9.20.4
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
2025-01-08 13:41:49 -05:00
Philip Prindeville
04dc151b3e bind: bump to 9.20.0
We no longer use "epoll()", but a new library dependency "liburcu"
(user-space RCU) has been added.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2024-08-05 07:00:50 +02:00
Philip Prindeville
56c0f16e8b bind: bump to 9.18.27
Fixes: https://gitlab.isc.org/isc-projects/bind9/-/issues/4586

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2024-07-17 08:50:04 -07:00
Noah Meyerhans
d277e41e78 bind: bump to 9.18.24
Fixes CVEs:

- CVE-2023-50387: Validating DNS messages containing a lot of DNSSEC signatures
  could cause excessive CPU load, leading to a denial-of-service condition.
- CVE-2023-50868: Preparing an NSEC3 closest encloser proof could cause
  excessive CPU load, leading to a denial-of-service condition.
- CVE-2023-4408: Parsing DNS messages with many different names could cause
  excessive CPU load.
- CVE-2023-5517: Specific queries could cause named to crash with an assertion
  failure when nxdomain-redirect was enabled.
- CVE-2023-5679: A bad interaction between DNS64 and serve-stale could cause
  named to crash with an assertion failure, when both of these features were
  enabled.

Signed-off-by: Noah Meyerhans <frodo@morgul.net>
2024-02-16 07:02:24 -08:00
Noah Meyerhans
835b105151 bind: bump to 9.18.19
Fixes CVEs:

CVE-2023-3341 - Previously, sending a specially crafted message over the
control channel could cause the packet-parsing code to run out of available
stack memory, causing named to terminate unexpectedly.

CVE-2023-4236 - A flaw in the networking code handling DNS-over-TLS queries
could cause named to terminate unexpectedly due to an assertion failure under
significant DNS-over-TLS query load.

Signed-off-by: Noah Meyerhans <frodo@morgul.net>
2023-09-27 16:00:56 -07:00
Josef Schlehofer
6a8d3565f0 bind: update to version 9.18.18
Release notes:
https://downloads.isc.org/isc/bind9/9.18.18/doc/arm/html/notes.html#notes-for-bind-9-18-18
https://downloads.isc.org/isc/bind9/9.18.17/doc/arm/html/notes.html#notes-for-bind-9-18-17

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2023-09-20 06:23:25 -07:00
Noah Meyerhans
9ac79ad469 bind: bump to 9.18.16
Fixes CVEs:

- CVE-2023-2828: The overmem cleaning process has been improved, to
  prevent the cache from significantly exceeding the configured
  max-cache-size limit.
- CVE-2023-2911: A query that prioritizes stale data over lookup
  triggers a fetch to refresh the stale data in cache. If the fetch is
  aborted for exceeding the recursion quota, it was possible for named
  to enter an infinite callback loop and crash due to stack overflow.

The complete list of changes is available in the upstream release
notes at
https://ftp.isc.org/isc/bind9/cur/9.18/doc/arm/html/notes.html#notes-for-bind-9-18-16

Signed-off-by: Noah Meyerhans <frodo@morgul.net>
2023-06-25 21:28:12 -07:00
Andre Heider
565866a472 treewide: refactor to use PKG_BUILD_FLAGS:=no-mips16
See commit 5c545bdb "treewide: replace PKG_USE_MIPS16:=0 with
PKG_BUILD_FLAGS:=no-mips16" on the main repository.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-04-08 08:38:54 +02:00
Noah Meyerhans
f6a9bd935f bind: bump PKG_RELEASE
2023-02-05 09:47:34 -08:00
Stijn Tintel
ca52ebd5bf bind: add option to enable GSSAPI support
Samba4 running as Active Directory Domain Controller with the internal
DNS backend requires the nsupdate binary with GSSAPI support.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2023-02-05 09:46:31 -08:00
Rucke Teg
6cf293dc2e bind: bump release number
Signed-off-by: Rucke Teg <rucketeg@protonmail.com>
2023-02-05 09:05:30 -08:00
Rucke Teg
93b75d0058 bind: Fix ipv6 detection logic
Bug was introduced in a7b770eec4 and
results in bind always starting with the `-4` flag.

Signed-off-by: Rucke Teg <rucketeg@protonmail.com>
2023-02-05 09:05:30 -08:00
Noah Meyerhans
47fcec43ab bind: update to 9.18.11
Fixes CVEs:
- CVE-2022-3924: Fix serve-stale crash when recursive clients
  soft quota is reached.
- CVE-2022-3736: Handle RRSIG lookups when serve-stale is
  active.
- CVE-2022-3094: An UPDATE message flood could cause named to
  exhaust all available memory. This flaw was addressed by adding
  a new "update-quota" statement that controls the number of
  simultaneous UPDATE messages that can be processed or
  forwarded. The default is 100. A stats counter has been added to
  record events when the update quota is exceeded, and the XML and
  JSON statistics version numbers have been updated.

Signed-off-by: Noah Meyerhans <frodo@morgul.net>
2023-01-28 09:47:09 +02:00
Javier Marcet
073ee02500 bind: disable geoip
Signed-off-by: Javier Marcet <javier@marcet.info>
[modified also PKG_RELEASE]
2023-01-09 17:29:47 +02:00
Philip Prindeville
a7b770eec4 bind: start up with -4 if not listening on ipv6 addresses
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2023-01-02 14:15:57 -08:00
Philip Prindeville
07f528b331 bind: update to version 9.18.10
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2022-12-28 10:23:10 -08:00
Noah Meyerhans
ba76684a3d bind: bump to 9.18.7
Fixes multiple security issues:

CVE-2022-38178 - Fix memory leak in EdDSA verify processing

CVE-2022-3080 - Fix serve-stale crash that could happen when
                stale-answer-client-timeout was set to 0 and there was
                a stale CNAME in the cache for an incoming query

CVE-2022-2906 - Fix memory leaks in the DH code when using OpenSSL 3.0.0
                and later versions. The openssldh_compare(),
                openssldh_paramcompare(), and openssldh_todns()
                functions were affected

CVE-2022-2881 - When an HTTP connection was reused to get
                statistics from the stats channel, and zlib
                compression was in use, each successive
                response sent larger and larger blocks of memory,
                potentially reading past the end of the allocated
                buffer

CVE-2022-2795 - Prevent excessive resource use while processing large
                delegations

Signed-off-by: Noah Meyerhans <frodo@morgul.net>
2022-09-22 01:22:39 -07:00
Josef Schlehofer
fd3a6ac709 bind: update to version 9.18.4
Fixes:
- CVE-2022-1183

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2022-06-24 11:57:26 +02:00
Philip Prindeville
ede6c7f020 Merge pull request #18055 from pprindeville/bind-subpackage-ddns-confgen
bind: add subpackaging for ddns-confgen
2022-03-23 18:14:33 -06:00
Noah Meyerhans
4c6ea5379c bind: bump to 9.18.1
Fixes multiple security issues:

 * CVE-2022-0667 -- An assertion could occur in resume_dslookup() if the
                    fetch had been shut down earlier
 * CVE-2022-0635 -- Lookups involving a DNAME could trigger an INSIST when
                    "synth-from-dnssec" was enabled
 * CVE-2022-0396 -- A synchronous call to closehandle_cb() caused
                    isc__nm_process_sock_buffer() to be called recursively,
                    which in turn left TCP connections hanging in the CLOSE_WAIT
                    state blocking indefinitely when out-of-order processing was
                    disabled.
 * CVE-2021-25220 -- The rules for acceptance of records into the cache
                     have been tightened to prevent the possibility of
                     poisoning if forwarders send records outside the
                     configured bailiwick

Signed-off-by: Noah Meyerhans <frodo@morgul.net>
2022-03-18 00:34:43 -07:00
Philip Prindeville
55055f70e4 bind: fix warnings about unknown options
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2022-03-17 08:38:05 -07:00
Philip Prindeville
9e4485b156 named: don't leak mktemp files on reload
Unless we're using "mktemp -u ..." (not recommended), it will
create the temp file as part of its safety checking.  Thus you
should only create the name (file) if you're going to use it,
and always remove it if you have created it.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2022-03-15 15:20:15 -07:00
Philip Prindeville
72d05acff0 bind: add subpackaging for ddns-confgen
ddns-confgen is a useful tool for generating partial zones for
transfer/update in dynamic DNS (ddns) scenarios.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2022-03-13 20:26:06 -06:00
Noah Meyerhans
6a0a55a5ed bind: support compile-time exclusion of DNS-over-HTTPS support
DoH is enabled by default, but disabling it removes the need to link
against libnghttp2, which may be desirable in more constrained
environments.

Signed-off-by: Noah Meyerhans <frodo@morgul.net>
2022-02-07 21:31:54 -08:00
Noah Meyerhans
127ef1207b bind: bump to 9.18.0
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
2022-02-01 09:09:17 -08:00
Noah Meyerhans
249079187d bind: bump to 9.17.20
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
2021-11-22 17:02:35 -08:00