authorhe <he@pkgsrc.org>2016-07-16 19:49:07 +0000
committerhe <he@pkgsrc.org>2016-07-16 19:49:07 +0000
commit7e7ca83e816898868210eb19d05b1ffeb558cffe (patch)
treedfcf4c5972fd29bda4ffa8554641763a0b9d6eb8 /security/opendnssec
parent313a1d1f2a7260207c8a5de1021e4cc3b61e85bd (diff)
downloadpkgsrc-7e7ca83e816898868210eb19d05b1ffeb558cffe.tar.gz
Add a couple of patches I have been using with opendnssec in our
installation: * Log the zone before triggering the "part->soamin" assert. We've seen this fire with older versions, but it's a while since I saw it happen. This is to provide more debugging info should it fire. * If an .ixfr journal file is detected as "corrupted", rename it to <zone>.ixfr-bad instead of unlinking it, which would leave no trace of OpenDNSSEC's own wrongdoing. * If the signer is exposed, avoid a potential DoS vector with a crafted message. Bump PKGREVISION.
Diffstat (limited to 'security/opendnssec')
-rw-r--r--security/opendnssec/Makefile3
-rw-r--r--security/opendnssec/distinfo5
-rw-r--r--security/opendnssec/patches/patch-signer_src_signer_ixfr.c17
-rw-r--r--security/opendnssec/patches/patch-signer_src_signer_zone.c30
-rw-r--r--security/opendnssec/patches/patch-signer_src_wire_query.c18
5 files changed, 71 insertions, 2 deletions
diff --git a/security/opendnssec/Makefile b/security/opendnssec/Makefile
index 8c7a0fbd268..cf5a8c48ab5 100644
--- a/security/opendnssec/Makefile
+++ b/security/opendnssec/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.57 2016/06/08 08:35:10 he Exp $
+# $NetBSD: Makefile,v 1.58 2016/07/16 19:49:07 he Exp $
#
DISTNAME= opendnssec-1.4.10
+PKGREVISION= 1
CATEGORIES= security net
MASTER_SITES= http://www.opendnssec.org/files/source/
diff --git a/security/opendnssec/distinfo b/security/opendnssec/distinfo
index 58cd5ce805d..49da17a7f8a 100644
--- a/security/opendnssec/distinfo
+++ b/security/opendnssec/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.33 2016/06/08 08:35:10 he Exp $
+$NetBSD: distinfo,v 1.34 2016/07/16 19:49:07 he Exp $
SHA1 (opendnssec-1.4.10.tar.gz) = c83c452b9951df8dd784d7c39aae90363f1a1213
RMD160 (opendnssec-1.4.10.tar.gz) = 0ee7e1b282da6839be919b18faf9fbe567bfc130
@@ -7,3 +7,6 @@ Size (opendnssec-1.4.10.tar.gz) = 1036069 bytes
SHA1 (patch-aa) = 104e077af6c368cbb5fc3034d58b2f2249fcf991
SHA1 (patch-enforcer_utils_Makefile.am) = 80915dee723535e5854e62bc18f00ba2d5d7496c
SHA1 (patch-enforcer_utils_Makefile.in) = 6c1b4ad25956bfcc8b410a8ca22f2581e64198d1
+SHA1 (patch-signer_src_signer_ixfr.c) = 74c2c320080e585a6126e146c453998f44c164f7
+SHA1 (patch-signer_src_signer_zone.c) = 0330236f11ccab7ed83b73bc83d851f932124318
+SHA1 (patch-signer_src_wire_query.c) = ab60e229687be910be9acd0a43d47987498de070
diff --git a/security/opendnssec/patches/patch-signer_src_signer_ixfr.c b/security/opendnssec/patches/patch-signer_src_signer_ixfr.c
new file mode 100644
index 00000000000..09da29945e3
--- /dev/null
+++ b/security/opendnssec/patches/patch-signer_src_signer_ixfr.c
@@ -0,0 +1,17 @@
+$NetBSD: patch-signer_src_signer_ixfr.c,v 1.1 2016/07/16 19:49:07 he Exp $
+
+The part->soamin assertion seems to trigger.
+Be helpful and log the zone name before the assert.
+
+--- signer/src/signer/ixfr.c.orig 2016-01-21 14:31:54.000000000 +0000
++++ signer/src/signer/ixfr.c
+@@ -227,6 +227,9 @@ part_print(FILE* fd, ixfr_type* ixfr, si
+ }
+ ods_log_assert(part->min);
+ ods_log_assert(part->plus);
++ if (!part->soamin) {
++ ods_log_error("[%s] zone %s no part->soamin", ixfr_str, zone->name);
++ }
+ ods_log_assert(part->soamin);
+ ods_log_assert(part->soaplus);
+ if (util_rr_print(fd, part->soamin) != ODS_STATUS_OK) {
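Review bot: The new log line dereferences `zone->name`, but the hunk does not show where `zone` is defined in part_print; if it is derived from `ixfr->zone` and can itself be NULL, the diagnostic faults before the assertion it is meant to explain, so a guard such as `zone ? zone->name : "(null)"` keeps the message safe in the very situation it targets. The third parameter of part_print is truncated in the hunk header; if it is the part index, including it (`"[%s] zone %s part %zu has no soamin"`, with the index cast to size_t if it is not one already) pins which journal part is inconsistent, which is the information a post-mortem of this assert needs. part_print begins and ends outside the hunk.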
diff --git a/security/opendnssec/patches/patch-signer_src_signer_zone.c b/security/opendnssec/patches/patch-signer_src_signer_zone.c
new file mode 100644
index 00000000000..dea806123a3
--- /dev/null
+++ b/security/opendnssec/patches/patch-signer_src_signer_zone.c
@@ -0,0 +1,30 @@
+$NetBSD: patch-signer_src_signer_zone.c,v 1.1 2016/07/16 19:49:07 he Exp $
+
+For debugging, save any corrupted ixfr journal files as <zone>.ixfr-bad.
+
+--- signer/src/signer/zone.c.orig 2016-05-02 10:40:02.000000000 +0000
++++ signer/src/signer/zone.c
+@@ -1028,12 +1028,22 @@ zone_recover2(zone_type* zone)
+ fd = ods_fopen(filename, NULL, "r");
+ }
+ if (fd) {
++ char *badfn = NULL;
++
+ status = backup_read_ixfr(fd, zone);
+ if (status != ODS_STATUS_OK) {
+ ods_log_warning("[%s] corrupted journal file zone %s, "
+ "skipping (%s)", zone_str, zone->name,
+ ods_status2str(status));
+- (void)unlink(filename);
++ badfn = ods_build_path(zone->name, ".ixfr-bad", 0, 1);
++ if (badfn) {
++ (void)rename(filename, badfn);
++ ods_log_warning("[%s] corrupted journal for zone %s "
++ "saved as %s", zone_str, zone->name, badfn);
++ free(badfn);
++ } else {
++ (void)unlink(filename);
++ }
+ ixfr_cleanup(zone->ixfr);
+ zone->ixfr = ixfr_create((void*)zone);
+ }
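Review bot: The result of `(void)rename(filename, badfn)` is discarded, so when the rename fails (permissions, a read-only journal directory, or a different filesystem if ods_build_path does not place the file beside the original) the corrupted journal stays under its original name and is re-read and re-rejected on every later recovery, while the log still claims it was saved. Check the return value and fall back to the pre-patch unlink on failure, logging the reason; the rewrite below assumes zone.c already includes <errno.h> and <string.h>, which the hunk does not show. A second corruption also overwrites the previous `.ixfr-bad` silently, which is acceptable for a debugging aid but deserves a one-line comment. zone_recover2 begins and ends outside the hunk.
```c
badfn = ods_build_path(zone->name, ".ixfr-bad", 0, 1);
if (badfn && rename(filename, badfn) == 0) {
    /* keep only the most recent bad journal; earlier ones are overwritten */
    ods_log_warning("[%s] corrupted journal for zone %s "
        "saved as %s", zone_str, zone->name, badfn);
} else {
    if (badfn) {
        ods_log_warning("[%s] unable to save corrupted journal for "
            "zone %s as %s (%s), removing it", zone_str, zone->name,
            badfn, strerror(errno));
    }
    (void)unlink(filename);
}
free(badfn);
/* … unchanged: ixfr_cleanup / ixfr_create … */
```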
diff --git a/security/opendnssec/patches/patch-signer_src_wire_query.c b/security/opendnssec/patches/patch-signer_src_wire_query.c
new file mode 100644
index 00000000000..328e45c1a0e
--- /dev/null
+++ b/security/opendnssec/patches/patch-signer_src_wire_query.c
@@ -0,0 +1,18 @@
+$NetBSD: patch-signer_src_wire_query.c,v 1.1 2016/07/16 19:49:07 he Exp $
+
+Add a check for whether we have an RRset in the query,
+to side-step DoS via crafted packet.
+
+--- signer/src/wire/query.c.orig 2016-05-02 10:40:02.000000000 +0000
++++ signer/src/wire/query.c
+@@ -869,6 +869,10 @@ query_process(query_type* q, void* engin
+ return query_formerr(q);
+ }
+ rr = ldns_rr_list_rr(ldns_pkt_question(pkt), 0);
++ if (rr == NULL) {
++ ods_log_debug("[%s] no RRset in query, ignoring", query_str);
++ return QUERY_DISCARDED; /* no RRset in query */
++ }
+ lock_basic_lock(&e->zonelist->zl_lock);
+ /* we can just lookup the zone, because we will only handle SOA queries,
+ zone transfers, updates and notifies */
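Review bot: The new early return at `return QUERY_DISCARDED;` leaves query_process after `pkt` has been parsed but before whatever releases it; the hunk shows neither where `pkt` is freed nor whether the preceding `return query_formerr(q)` path frees it, so if the release happens later in the function, each question-less packet now leaks one parsed ldns packet and the crash this patch closes becomes a slow memory exhaustion instead. Mirror whatever the existing formerr path does with `pkt` before returning here. Separately, a debug-level message means a flood of such packets is invisible in production logs, and the text `no RRset in query` is inaccurate since what is missing is the question entry; `ods_log_debug("[%s] empty question section, discarding", query_str);` with the inline comment `/* no question RR */` is clearer. query_process begins and ends outside the hunk.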