Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#6937 closed enhancement (fixed)

bind9.10.3 and BIND Utilities-9.10.3

Reported by: Fernando de Oliveira
Owned by: Pierre Labastie
Priority: high
Milestone: 7.8
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

ftp://ftp.isc.org/isc/bind9/9.10.3/bind-9.10.3.tar.gz

ftp://ftp.isc.org/isc/bind9/9.10.3/bind-9.10.3.tar.gz.sha512.asc

ftp://ftp.isc.org/isc/bind9/9.10.3/CHANGES

This is a security update

CVE-2015-5986
CVE-2015-5722
CVE-2015-5477
CVE-2015-4620

ftp://ftp.isc.org/isc/bind9/9.10.3/RELEASE-NOTES.bind-9.10.3.html

Release Notes for BIND Version 9.10.3

Security Fixes

  • An incorrect boundary check in the OPENPGPKEY rdatatype could
    trigger an assertion failure. This flaw is disclosed in
    CVE-2015-5986. [RT #40286]

  • A buffer accounting error could trigger an assertion failure when
    parsing certain malformed DNSSEC keys. This flaw was discovered by
    Hanno Böck of the Fuzzing Project, and is disclosed in
    CVE-2015-5722. [RT #40212]

  • A specially crafted query could trigger an assertion failure in
    message.c. This flaw was discovered by Jonathan Foote, and is
    disclosed in CVE-2015-5477. [RT #40046]

  • On servers configured to perform DNSSEC validation, an assertion
    failure could be triggered on answers from a specially configured
    server. This flaw was discovered by Breno Silveira Soares, and is
    disclosed in CVE-2015-4620. [RT #39795]

New Features

  • New quotas have been added to limit the queries that are sent by
    recursive resolvers to authoritative servers experiencing
    denial-of-service attacks. When configured, these options can both
    reduce the harm done to authoritative servers and also avoid the
    resource exhaustion that can be experienced by recursives when they
    are being used as a vehicle for such an attack.

    NOTE: These options are not available by default; use configure
    --enable-fetchlimit to include them in the build.

      ◦ fetches-per-server limits the number of simultaneous queries
        that can be sent to any single authoritative server. The
        configured value is a starting point; it is automatically
        adjusted downward if the server is partially or completely
        non-responsive. The algorithm used to adjust the quota can be
        configured via the fetch-quota-params option.

      ◦ fetches-per-zone limits the number of simultaneous queries that
        can be sent for names within a single domain. (Note: Unlike
        "fetches-per-server", this value is not self-tuning.)

    Statistics counters have also been added to track the number of
    queries affected by these quotas.

  • dig +ednsflags can now be used to set yet-to-be-defined EDNS flags
    in DNS requests.

  • dig +[no]ednsnegotiation can now be used to enable / disable EDNS
    version negotiation.

  • An --enable-querytrace configure switch is now available to enable
    very verbose query tracelogging. This option can only be set at
    compile time. This option has a negative performance impact and
    should be used only for debugging.

Feature Changes

  • Large inline-signing changes should be less disruptive. Signature
    generation is now done incrementally; the number of signatures to be
    generated in each quantum is controlled by "sig-signing-signatures
    number;". [RT #37927]

  • The experimental SIT extension now uses the EDNS COOKIE option code
    point (10) and is displayed as "COOKIE: <value>". The existing
    named.conf directives; "request-sit", "sit-secret" and
    "nosit-udp-size", are still valid and will be replaced by
    "send-cookie", "cookie-secret" and "nocookie-udp-size" in BIND 9.11.
    The existing dig directive "+sit" is still valid and will be
    replaced with "+cookie" in BIND 9.11.

  • When retrying a query via TCP due to the first answer being
    truncated, dig will now correctly send the COOKIE value returned by
    the server in the prior response. [RT #39047]

  • Retrieving the local port range from net.ipv4.ip_local_port_range on
    Linux is now supported.

  • Active Directory names of the form gc._msdcs.<forest> are now
    accepted as valid hostnames when using the check-names option.
    <forest> is still restricted to letters, digits and hyphens.

  • Names containing rich text are now accepted as valid hostnames in
    PTR records in DNS-SD reverse lookup zones, as specified in RFC
    6763. [RT #37889]

Bug Fixes

  • Asynchronous zone loads were not handled correctly when the zone
    load was already in progress; this could trigger a crash in zt.c.
    [RT #37573]

  • A race during shutdown or reconfiguration could cause an assertion
    failure in mem.c. [RT #38979]

  • Some answer formatting options didn't work correctly with dig
    +short. [RT #39291]

  • Malformed records of some types, including NSAP and UNSPEC, could
    trigger assertion failures when loading text zone files. [RT #40274]
    [RT #40285]

  • Fixed a possible crash in ratelimiter.c caused by NOTIFY messages
    being removed from the wrong rate limiter queue. [RT #40350]

  • The default rrset-order of random was inconsistently applied.
    [RT #40456]

  • BADVERS responses from broken authoritative name servers were not
    handled correctly. [RT #40427]

  • Several bugs have been fixed in the RPZ implementation:

      ◦ Policy zones that did not specifically require recursion could
        be treated as if they did; consequently, setting
        qname-wait-recurse no; was sometimes ineffective. This has been
        corrected. In most configurations, behavioral changes due to
        this fix will not be noticeable. [RT #39229]

      ◦ The server could crash if policy zones were updated (e.g. via
        rndc reload or an incoming zone transfer) while RPZ processing
        was still ongoing for an active query. [RT #39415]

      ◦ On servers with one or more policy zones configured as slaves,
        if a policy zone updated during regular operation (rather than
        at startup) using a full zone reload, such as via AXFR, a bug
        could allow the RPZ summary data to fall out of sync,
        potentially leading to an assertion failure in rpz.c when
        further incremental updates were made to the zone, such as via
        IXFR. [RT #39567]

      ◦ The server could match a shorter prefix than what was available
        in CLIENT-IP policy triggers, and so, an unexpected action could
        be taken. This has been corrected. [RT #39481]

      ◦ The server could crash if a reload of an RPZ zone was initiated
        while another reload of the same zone was already in progress.
        [RT #39649]

      ◦ Query names could match against the wrong policy zone if
        wildcard records were present. [RT #40357]
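Before any of the above is built, the archive and the signed digest named at the top of this ticket should be checked together. The script below is an added example for that step; it is not from the ticket, from BLFS or from ISC. It assumes the .sha512.asc file is a PGP clearsigned text carrying the hex SHA-512 of the tarball (either in sha512sum "<hex>  <file>" layout or in openssl "SHA512(<file>)= <hex>" layout), and that the ISC release-signing key has already been imported and its fingerprint checked against the one ISC publishes.

```shell
#!/bin/sh
# Added example (not from the ticket, BLFS or ISC): check a BIND release
# tarball against the PGP-signed SHA-512 digest ISC publishes beside it.

# Step 1: verify the clearsigned digest file itself. Assumes the ISC
# release-signing key is already in the local keyring; obtain it out of
# band and compare its fingerprint with the one ISC publishes. gpg prints
# "Good signature" even for an untrusted key, so read the warning it adds.
verify_signature() {
    gpg --verify "$1"
}

# Step 2: compare the tarball's SHA-512 with the digest in the signed file.
# The digest is located by shape (128 hex characters), not by layout, so
# both "<hex>  <file>" (sha512sum) and "SHA512(<file>)= <hex>" (openssl
# dgst) work. Only the text above the PGP signature block is searched, so
# the base64 of the signature itself can never be mistaken for a digest.
# Returns 0 on match, 1 on mismatch or when no digest is present.
verify_digest() {
    asc=$1
    tarball=$2
    expected=$(sed '/^-----BEGIN PGP SIGNATURE-----/,$d' "$asc" \
               | grep -o '[0-9A-Fa-f]\{128\}' | head -n 1 | tr 'A-F' 'a-f')
    if [ -z "$expected" ]; then
        echo "no SHA-512 digest found in $asc" >&2
        return 1
    fi
    actual=$(sha512sum "$tarball" | cut -d' ' -f1)
    if [ "$expected" = "$actual" ]; then
        echo "OK: $tarball matches the signed digest"
        return 0
    fi
    echo "MISMATCH: $tarball does not match the digest in $asc" >&2
    return 1
}

# Signature first, then digest: if both files were replaced together the
# digest would still "match", and only the signature check catches that.
verify_release() {
    verify_signature "$1" && verify_digest "$1" "$2"
}

# Usage, with the files named in this ticket:
#   verify_release bind-9.10.3.tar.gz.sha512.asc bind-9.10.3.tar.gz
```

A digest that matches but a signature that does not verify means the mirror, not the tarball, is the problem; do not build from it.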

Attachments (2)

test-bind.log.bz2 (21.1 KB ) - added by Pierre Labastie 9 years ago.
Bind 9.10.3 test results without Net::DNS
bind-9.10.3-make-k-check-2015.09.26-17h02m40s.log.xz (21.7 KB ) - added by Fernando de Oliveira 9 years ago.
Bind 9.10.3 test results with Net::DNS


Change History (19)

comment:1 by Fernando de Oliveira, 9 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: new → assigned

comment:2 by Fernando de Oliveira, 9 years ago

Owner: changed from Fernando de Oliveira to blfs-book@…
Status: assigned → new

Cannot do anything, cannot understand anything that is going on.

comment:3 by Pierre Labastie, 9 years ago

Owner: changed from blfs-book@… to Pierre Labastie
Status: new → assigned

Taking this ticket since I am doing the server chapter tagging. Fernando, please tell me if you want me to give it back to you.

comment:4 by Fernando de Oliveira, 9 years ago

No, thanks.

comment:2 is not applied any more, things were sorted out.

What was preventing me from doing it was: I will build 7.8-rc1 and do it there.

But it is even better having second couple of eyes on it.

Thanks for doing it.

comment:5 by Pierre Labastie, 9 years ago

OK. Doing it currently.

Have a small issue with the patch. They have removed some spaces in the source and replaced with tabs. patch -l works, though. I do not know whether it is acceptable for the book.

comment:6 by Fernando de Oliveira, 9 years ago

What if you apply the patch and diff again, to make a new one?

comment:7 by Pierre Labastie, 9 years ago (in reply to comment:6)

Replying to fo:

> What if you apply the patch and diff again, to make a new one?

Good point, that's the easiest way to go, thanks.

comment:8 by Pierre Labastie, 9 years ago

There is a very good explanation of the new feature --enable-fetchlimit at https://kb.isc.org/article/AA-01304. From that, I think it is not suitable for the instructions, but it may be mentioned in the command explanations. Roughly, it is useful on servers which receive a large number of queries, which is unlikely for BLFS users, but who knows?
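For anyone who does want the feature discussed above, the script below is an added example, not from the ticket, BLFS or BIND. It writes the options the release notes describe and first checks that the installed named was configured with --enable-fetchlimit, because without that the directives do not exist and named-checkconf rejects them as unknown options. The quota numbers are illustrative starting points; the fetch-quota-params line uses BIND's documented defaults. The statistics file path and the "quota" wording of the counters are assumptions.

```shell
#!/bin/sh
# Added example, not from the ticket, BLFS or BIND: the fetch-limit options
# described in the 9.10.3 release notes, plus the check that the build has
# them. Without --enable-fetchlimit the directives do not exist and
# named-checkconf rejects them as unknown options.

# `named -V` lists the configure arguments the binary was built with.
has_fetchlimit() {
    "${NAMED:-named}" -V 2>/dev/null | grep -q -- '--enable-fetchlimit'
}

# Write an options fragment to include from named.conf. The numbers are
# illustrative starting points, not recommendations for a specific server.
write_fetchlimit_options() {
    cat > "$1" <<'EOF'
options {
    // Cap on simultaneous queries outstanding to any one authoritative
    // server. This is only a starting point: named lowers it on its own
    // when that server becomes partially or completely unresponsive.
    fetches-per-server 200;

    // Cap on simultaneous queries outstanding for names under one zone.
    // This one is NOT self-tuning, so size it above your largest
    // legitimate burst to a single domain or you will throttle real users.
    fetches-per-zone 100;

    // How fetches-per-server adapts (BIND's documented defaults):
    // recalculate every 100 fetches; a timeout ratio under 10% lets the
    // quota grow back, a ratio over 30% multiplies it by 0.7.
    fetch-quota-params 100 0.1 0.3 0.7;
};
EOF
}

# Assumption: `rndc stats` dumps the statistics file and the counters the
# release notes mention carry "quota" in their names.
show_quota_counters() {
    rndc stats && grep -i 'quota' "${STATSFILE:-/var/named/named.stats}"
}

if has_fetchlimit; then
    write_fetchlimit_options /tmp/fetchlimit.conf
    named-checkconf /tmp/fetchlimit.conf   # must parse cleanly before use
else
    echo "named is not built with --enable-fetchlimit; these options would be rejected" >&2
fi
```

The fetches-per-zone value is the one to get right: it is not adjusted at runtime, so a value below a resolver's normal peak for a popular domain silently drops legitimate queries.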

comment:9 by Fernando de Oliveira, 9 years ago

That might be interesting for some.

But I'm writing this for another reason.

First, apologies to intrude. Took the day to reply to many things I had not, when I was worried with starting X, and one I was worried about for days was that Net::DNS versus Bind stuff.

I am installing this version in my 7.7, also for security reasons. Not analyzing for update.

This was also motivated by a reply I did to Ken that the tests need Net::DNS. I wanted to be sure about it.

I think this is somewhat important, because Net-DNS is only used in the book for bind tests.

If it is not a useful test for ND, it means we can archive Net-DNS.

Have found many references in the source code:

$ cd bind-9.10.3
$ grep -ril 'net::dns'
bin/tests/system/resolver/ans3/ans.pl
bin/tests/system/resolver/ans2/ans.pl
bin/tests/system/resolver/prereq.sh
bin/tests/system/statistics/prereq.sh
bin/tests/system/statistics/ans4/ans.pl
bin/tests/system/dnssec/tests.sh
bin/tests/system/dnssec/dnssec_update_test.pl
bin/tests/system/dnssec/prereq.sh
bin/tests/system/ixfr/prereq.sh
bin/tests/system/xfer/prereq.sh
bin/tests/system/stress/update.pl
bin/tests/system/stress/prereq.sh
bin/tests/system/upforwd/prereq.sh
bin/tests/system/upforwd/ans4/ans.pl
bin/tests/system/nsupdate/tests.sh
bin/tests/system/nsupdate/prereq.sh
bin/tests/system/nsupdate/update_test.pl
bin/tests/system/reclimit/ans2/ans.pl
bin/tests/system/reclimit/prereq.sh
bin/tests/system/reclimit/ans7/ans.pl
bin/tests/system/reclimit/ans4/ans.pl
bin/tests/system/fetchlimit/prereq.sh
bin/tests/system/fetchlimit/ans4/ans.pl
bin/tests/system/ditch.pl
bin/tests/system/ans.pl
CHANGES

Then, searched a little more on the internet (hard to find useful hits), and finally got one relevant hit with "BIND make check fails net::dns":

https://lists.isc.org/pipermail/bind-users/2015-July/095286.html

make test fails without Net::DNS::Nameserver
Jeremy C. Reed jreed at isc.org
Tue Jul 14 23:56:39 UTC 2015

On Tue, 14 Jul 2015, Maria Iano wrote:

> I don't see this mentioned anywhere else, although I'm suprised by
> that so maybe I'm missing something. When I build bind-9.10.2-P2 I
> find that "make test" fails for reclimit with "Couldn't start server
> ans2" if I don't have Net::DNS::Nameserver installed. After I install
> it the testing is successful.

We recently added a bin/tests/system/reclimit/prereq.sh script to check
for it.

CHANGES entry:

    4113.       [test]          Check for Net::DNS is some system test
                        prerequisites. [RT #39369]

The conclusion seems to be:

1. The tests are a useful test for Net::DNS.

2. We need to include external Net::DNS::Nameserver, with comment for
not having test failures.

3. If we wished, Net::DNS could be removed and become external, with
the same comment.

4. Net::DNS::Nameserver could be added.

I won't interfere in your decisions. Apologies again for the intrusion.

For me what is important is the first conclusion. I was afraid I had given a wrong reply to Ken.

comment:10 by Pierre Labastie, 9 years ago

Thanks Fernando. As a matter of fact, I did not have Net::DNS nor Net::DNS::Nameserver. I get 6 "UNTESTED" results, all of which come from the absence of those libraries. Those are not really test failures. Actually, there are no "FAILED" tests. Seven other tests are "SKIPPED", because some options are missing when configuring. For example, one test needs the --enable-fetchlimit option, discussed above. All in all, I have:

I:System test result summary:
I:      65 PASS
I:       7 SKIPPED
I:       6 UNTESTED

I propose to write: "Test coverage is increased if Net::DNS and Net::DNS::Nameserver are installed. Some tests are skipped nevertheless because not all the configure options are enabled, and some tests are marked untested if you have not installed Net::DNS and Net::DNS::Nameserver." We may postpone the decision to leave or remove the perl packages to after the release.

comment:11 by Pierre Labastie, 9 years ago

Hmm, I think I have been misled by the post above. Net::DNS::Nameserver is included in the Net::DNS package, so no need to have a separate entry.

comment:12 by Pierre Labastie, 9 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r16470

comment:13 by bdubbs@…, 9 years ago

I'm in favor of leaving in the perl modules. However I use the cpan method for most modules.

cpan -i Net::DNS

does everything. It pulls in Net::DNS::Nameserver automatically.

comment:14 by Fernando de Oliveira, 9 years ago

Sorry if my post misled you.

I do have Net::DNS installed, (not yet) book's version.

Net::DNS really installs, here:

/usr/lib/perl5/site_perl/5.20.2/Net/DNS/Nameserver.pm

However, in my update of bind-9.10.2-p4, I did have an error with make check:

I:System test result summary:
I:       2 FAIL
I:      68 PASS
I:       5 SKIPPED

Don't know how to interpret the log. Will update Net::DNS to the book's version, will report back the result, and if I have errors, will send to dev to learn how to interpret. If there is no error, will not come back to this ticket, and will send to dev the log of the bind-9.10.2-p4 tests to ask for help learning how to interpret.

Again, Pierre, I didn't mean to mislead you.

by Pierre Labastie, 9 years ago

Attachment: test-bind.log.bz2 added

Bind 9.10.3 test results without Net::DNS

comment:15 by Pierre Labastie, 9 years ago (in reply to comment:14)

Replying to fo:

> Sorry if my post misled you.

Not your post, but the post you cited!

> I do have Net::DNS installed,[...]
>
> I:System test result summary:
> I:       2 FAIL
> I:      68 PASS
> I:       5 SKIPPED

I see that you have 5 skipped + 2 fail, while I have 7 skipped. Maybe the two failures you have are in tests that were skipped in my case... I attached my log, in case you want to compare.

by Fernando de Oliveira, 9 years ago

Attachment: bind-9.10.3-make-k-check-2015.09.26-17h02m40s.log.xz added

Bind 9.10.3 test results with Net::DNS

comment:16 by Fernando de Oliveira, 9 years ago

Thanks, Pierre.

Making the comparison may have taught me where a failed test starts and ends in Bind.

Result with Net::DNS:

I:System test result summary:
I:       1 FAIL
I:      71 PASS
I:       6 SKIPPED

Failed test:

S:xfer:Sat Sep 26 17:28:14 BRT 2015
T:xfer:1:A
A:System test xfer
I:testing basic zone transfer functionality
I:testing TSIG signed zone transfers
I:reload servers for in preparation for ixfr-from-differences tests
I:ns1 server reload successful
I:ns2 server reload successful
I:ns3 server reload successful
I:ns6 server reload successful
I:ns7 server reload successful
I:updating master zones for ixfr-from-differences tests
I:ns1 server reload successful
I:ns2 server reload successful
I:ns6 server reload successful
I:ns7 server reload successful
I:testing zone is dumped after successful transfer
I:testing ixfr-from-differences yes;
I:testing ixfr-from-differences master; (master zone)
I:testing ixfr-from-differences master; (slave zone)
I:testing ixfr-from-differences slave; (master zone)
I:testing ixfr-from-differences slave; (slave zone)
I:check that a multi-message uncompressable zone transfers
I:testing that incorrectly signed transfers will fail...
I:initial correctly-signed transfer should succeed
I:ns4 server reload successful
I: failed: expected status was not logged
I:failed
I:unsigned transfer
Connection refused at ../send.pl line 33.
I: failed: expected status was not logged
I:bad keydata
Connection refused at ../send.pl line 33.
I: failed: expected status was not logged
I:partially-signed transfer
Connection refused at ../send.pl line 33.
I: failed: expected status was not logged
I:unknown key
Connection refused at ../send.pl line 33.
I: failed: expected status was not logged
I:incorrect key
Connection refused at ../send.pl line 33.
I: failed: expected status was not logged
I:exit status: 1
I:ans5 died before a SIGTERM was sent
R:FAIL
E:xfer:Sat Sep 26 17:28:49 BRT 2015

Tests skipped in Pierre's, but not in Fernando's tests:

I:This test requires the Net::DNS library.
I:Prerequisites for ixfr missing, skipping test.
I:This test requires the Net::DNS::Nameserver library.
I:Prerequisites for reclimit missing, skipping test.
I:This test requires the Net::DNS library.
I:Prerequisites for resolver missing, skipping test.
I:This test requires the Net::DNS library.
I:Prerequisites for statistics missing, skipping test.
I:XML tests require XML::Simple; skipping
I:skipping all tests
A:System test tsiggss
I:gssapi and krb5 not supported - skipping tsiggss test
I:Prerequisites for tsiggss missing, skipping test.
I:This test requires the Net::DNS library.
I:Prerequisites for upforwd missing, skipping test.
I:This test requires the Net::DNS library.
I:Prerequisites for xfer missing, skipping test.

I didn't know that XML::Simple was used by the tests.

Notice: the last skipped test in Pierre's log is the same one that failed in Fernando's log.

Is it better not installing Net::DNS?

I will remove it right away.

Thanks again, Pierre!!!

Last edited 9 years ago by Fernando de Oliveira
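The log pasted in the comment above has a regular shape: each system test runs from an S:<name> line to an E:<name> line, R:<result> carries the verdict (PASS, FAIL, SKIPPED, UNTESTED), I:/A:/T: lines are informational, and lines with no prefix (the Perl "Connection refused" ones) are raw output from the test's helper scripts. The script below is an added example, not from the ticket or from BIND, that reads that shape to list the tests with a given result and to print the whole block for one test, which is the part to read when something fails. The sample log it embeds is constructed to mirror the format shown above, and the systests.output filename in the usage comment is an assumption about where make check leaves the log.

```shell
#!/bin/sh
# Added example, not from the ticket or from BIND: pick apart a BIND
# "make check" system-test log by its line prefixes.
#   S:<name>:<date>  start of one system test     E:<name>:<date>  end
#   R:<result>       PASS / FAIL / SKIPPED / UNTESTED for that test
#   I:, A:, T:       informational lines; unprefixed lines are raw tool output

# Print "<name> <result>" for every test in the log.
test_results() {
    awk -F: '
        /^S:/ { name = $2 }
        /^R:/ { print name, $2 }
    ' "$1"
}

# Names of the tests whose result equals the second argument (default FAIL).
tests_with_result() {
    test_results "$1" | awk -v want="${2:-FAIL}" '$2 == want { print $1 }'
}

# Everything logged between S:<name> and E:<name>, including raw lines such
# as the Perl "Connection refused" messages, which carry no prefix.
test_block() {
    awk -F: -v name="$2" '
        $1 == "S" && $2 == name { inside = 1 }
        inside { print }
        $1 == "E" && $2 == name { inside = 0 }
    ' "$1"
}

# Per-result counts, in the shape of the "System test result summary" lines.
summary() {
    test_results "$1" | awk '{ n[$2]++ } END { for (r in n) print n[r], r }' | sort -k2
}

# Constructed sample (not a real log) in the format the ticket shows.
sample_log() {
    cat <<'EOF'
S:dnssec:Sat Sep 26 17:20:01 BRT 2015
T:dnssec:1:A
A:System test dnssec
I:checking that validation works
R:PASS
E:dnssec:Sat Sep 26 17:20:40 BRT 2015
S:xfer:Sat Sep 26 17:28:14 BRT 2015
T:xfer:1:A
A:System test xfer
I:unsigned transfer
Connection refused at ../send.pl line 33.
I: failed: expected status was not logged
I:exit status: 1
R:FAIL
E:xfer:Sat Sep 26 17:28:49 BRT 2015
S:tsiggss:Sat Sep 26 17:29:00 BRT 2015
I:gssapi and krb5 not supported - skipping tsiggss test
R:SKIPPED
E:tsiggss:Sat Sep 26 17:29:00 BRT 2015
EOF
}

# Usage on a real run (assumption: make check writes this file):
#   tests_with_result bin/tests/system/systests.output
#   test_block bin/tests/system/systests.output xfer
```

Comparing two logs as done above is then one command per side: print tests_with_result for SKIPPED on one and for FAIL on the other, and the xfer coincidence noticed in the comment shows up directly.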

comment:17 by Fernando de Oliveira, 9 years ago

I didn't know that XML::Simple was used by the tests.
