Re: 9.7.0a2 - deny-answer-addresses

2009-08-26 Thread JINMEI Tatuya / 神明達哉
At Tue, 25 Aug 2009 22:08:11 +0200,
clemens fischer  wrote:

> > How about the patch copied below?  With this it would fail like this:
> > 
> > 24-Aug-2009 16:46:41.334
> > /Users/jinmei/src/isc/bind9-current/bin/named/named.conf:22: failed to
> > add dnsbl-1.uceprotect.net for deny-answer-addresses: already exists
> > 24-Aug-2009 16:46:41.334 loading configuration: already exists
> > 24-Aug-2009 16:46:41.334 exiting (due to fatal error)
> > [1]6321 exit 1 ./named -c named.conf -g
> 
> The text itself would have been right on my nose.  I'm not sure about
> the fatal error, though.  If I only get to see a warning when using
> "rndc reload" on a running named(8), this solution is perfect.

If you mean that when you incorrectly edit named.conf with a duplicate name
for deny-answer-* and do rndc reload, named will just reject the
new configuration file with the warning and keep running, then it will
behave that way (it's no different from other "fatal" configuration
errors).

This change will appear in 9.7.0a3.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: 9.7.0a2 - deny-answer-addresses

2009-08-25 Thread clemens fischer
JINMEI Tatuya wrote:

> How about the patch copied below?  With this it would fail like this:
> 
> 24-Aug-2009 16:46:41.334
> /Users/jinmei/src/isc/bind9-current/bin/named/named.conf:22: failed to
> add dnsbl-1.uceprotect.net for deny-answer-addresses: already exists
> 24-Aug-2009 16:46:41.334 loading configuration: already exists
> 24-Aug-2009 16:46:41.334 exiting (due to fatal error)
> [1]6321 exit 1 ./named -c named.conf -g

The text itself would have been right on my nose.  I'm not sure about
the fatal error, though.  If I only get to see a warning when using
"rndc reload" on a running named(8), this solution is perfect.


clemens



Re: 9.7.0a2 - deny-answer-addresses

2009-08-24 Thread JINMEI Tatuya / 神明達哉
At Fri, 21 Aug 2009 10:42:31 -0500 (CDT),
"Jeremy C. Reed"  wrote:

> >   deny-answer-addresses {
> >   127/8; 192.168/16; 10/8; 172.16/12;
> >   } except-from {
> >   "zen.spamhaus.org";
> >   "dnsbl-1.uceprotect.net";
> >   "dnsbl-1.uceprotect.net";
> 
> This is repeated, resulting in "already exists" (via the RBT code).
> 
> Maybe we can improve the configuration failure logging for this.

How about the patch copied below?  With this it would fail like this:

24-Aug-2009 16:46:41.334 
/Users/jinmei/src/isc/bind9-current/bin/named/named.conf:22: failed to add 
dnsbl-1.uceprotect.net for deny-answer-addresses: already exists
24-Aug-2009 16:46:41.334 loading configuration: already exists
24-Aug-2009 16:46:41.334 exiting (due to fatal error)
[1]6321 exit 1 ./named -c named.conf -g

---
JINMEI, Tatuya

Index: server.c
===
RCS file: /proj/cvs/prod/bind9/bin/named/server.c,v
retrieving revision 1.540
diff -u -r1.540 server.c
--- server.c5 Aug 2009 17:35:33 -   1.540
+++ server.c24 Aug 2009 23:47:35 -
@@ -431,7 +431,14 @@
 * for baz.example.com, which is not the expected result.
 * We simply use (void *)1 as the dummy data.
 */
-   CHECK(dns_rbt_addname(*rbtp, name, (void *)1));
+   result = dns_rbt_addname(*rbtp, name, (void *)1);
+   if (result != ISC_R_SUCCESS) {
+   cfg_obj_log(nameobj, ns_g_lctx, ISC_LOG_ERROR,
+   "failed to add %s for %s: %s",
+   str, confname, isc_result_totext(result));
+   goto cleanup;
+   }
+   
}
 
return (result);
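Review bot: the added blank line just before the closing brace (`+   `) carries only trailing whitespace and should be dropped so the hunk does not introduce whitespace noise. Two things the visible context does not show and that should be confirmed: `str` and `confname`, used in the `cfg_obj_log` format arguments, must be in scope in this function, and the `cleanup:` label reached by the new `goto cleanup` must release anything allocated before the `return (result)` at the end of the hunk. Because the `dns_rbt_addname` result is now propagated unchanged, a duplicate except-from name still aborts the whole configuration load with ISC_R_EXISTS; if duplicates are to be tolerated rather than rejected, this is the place to special-case ISC_R_EXISTS with an ISC_LOG_WARNING and continue instead of jumping to cleanup.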


Re: 9.7.0a2 - deny-answer-addresses

2009-08-21 Thread clemens fischer
Jeremy C. Reed wrote:

> Thank you very much for testing the alpha release.

My pleasure!  I had a workaround resulting in dns-rebind protection in
my pdnsd[1] resolver, but pdnsd doesn't support dnssec and a few other
features.

[1] http://www.phys.uu.nl/~rombouts/pdnsd.html

>>   deny-answer-addresses {
>>   127/8; 192.168/16; 10/8; 172.16/12;
>>   } except-from {
>>   "zen.spamhaus.org";
>>   "dnsbl-1.uceprotect.net";
>>   "dnsbl-1.uceprotect.net";
> 
> This is repeated, resulting in "already exists" (via the RBT code).
> 
> Maybe we can improve the configuration failure logging for this.

Now do I believe that!  I must have read these lines dozens of times but
missed the obvious duplication!

> Not supported in a type forward zone.

"deny-answer-addresses" might be helpful in forwarding and maybe even
server zones.


clemens



Re: 9.7.0a2 - deny-answer-addresses

2009-08-21 Thread Jeremy C. Reed
On Fri, 21 Aug 2009, clemens fischer wrote:

> BIND 9.7.0a2 built with '--prefix=/opt/bind/9.7.0a2'
> '--with-openssl=yes' '--disable-linux-caps'
> '--sysconfdir=/usr/local/etc' '--localstatedir=/var' 'CFLAGS=-O'

Thank you very much for testing the alpha release.

>   deny-answer-addresses {
>   127/8; 192.168/16; 10/8; 172.16/12;
>   } except-from {
>   "zen.spamhaus.org";
>   "dnsbl-1.uceprotect.net";
>   "dnsbl-1.uceprotect.net";

This is repeated, resulting in "already exists" (via the RBT code).

Maybe we can improve the configuration failure logging for this.

>   "ix.dnsbl.manitu.net";
>   };
> 
> I get:
> 
>   received SIGHUP signal to reload zones
>   loading configuration from '/usr/local/etc/named.conf'
>   ...
>   reloading configuration failed: already exists
>  
> Putting a suitably modified version of "deny-answer-addresses" into
> a forwarder zone returns:

Not supported in a type forward zone.



9.7.0a2 - deny-answer-addresses

2009-08-21 Thread clemens fischer
'uname -rms'
Linux 2.6.30.4-spott-gecd13d4 i686

'/l/sbin/named -V'
BIND 9.7.0a2 built with '--prefix=/opt/bind/9.7.0a2'
'--with-openssl=yes' '--disable-linux-caps'
'--sysconfdir=/usr/local/etc' '--localstatedir=/var' 'CFLAGS=-O'

I want to disallow rebinding-attacks in a caching resolver.  In the
top-level options I have:

  deny-answer-addresses {
  127/8; 192.168/16; 10/8; 172.16/12;
  } except-from {
  "zen.spamhaus.org";
  "dnsbl-1.uceprotect.net";
  "dnsbl-1.uceprotect.net";
  "ix.dnsbl.manitu.net";
  };

I get:

  received SIGHUP signal to reload zones
  loading configuration from '/usr/local/etc/named.conf'
  ...
  reloading configuration failed: already exists
 
Putting a suitably modified version of "deny-answer-addresses" into
a forwarder zone returns:
 
  received SIGHUP signal to reload zones
  loading configuration from '/usr/local/etc/named.conf'
  /usr/local/etc/named.conf:83: unknown option 'deny-answer-addresses'

I also tried to split "deny-answer-addresses" into several pieces, but
this yields "'deny-answer-addresses' redefined ...".

Countering dns-rebinding in a caching resolver always has to account for
at least two practical problems:  anti-spam RBLs and providers running
split horizon.  To handle the former, it should be possible to specify
a statement, or better several statements, where the denied IP-ranges can be
fitted with a number of exception domains.  Split horizon would require
putting "deny-answer-addresses" into forwarding zones.

IMO the current usage scenario, if I understood the configuration
correctly, is only suited to domain owners running split horizon.

But maybe this is a bug?


clemens
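As an added illustration (not code from the thread or from BIND itself), the following Python pre-reload check extracts a deny-answer-addresses block from a constructed named.conf fragment, reports the duplicated except-from name that made named fail with "already exists", and models the filter decision for a sample answer. It assumes except-from matches the query name and its subdomains; the config text and the query/answer values are constructed for this example.

```python
import re
import ipaddress
# Constructed named.conf fragment reproducing the thread's problem: one
# except-from name listed twice. This is not the poster's actual file.
NAMED_CONF = """
options {
  deny-answer-addresses {
    127/8; 192.168/16; 10/8; 172.16/12;
  } except-from {
    "zen.spamhaus.org";
    "dnsbl-1.uceprotect.net";
    "dnsbl-1.uceprotect.net";
    "ix.dnsbl.manitu.net";
  };
};
"""
BLOCK_RE = re.compile(r"deny-answer-addresses\s*\{(?P<nets>[^}]*)\}"
                      r"(?:\s*except-from\s*\{(?P<names>[^}]*)\})?", re.S)

def _bind_prefix(tok):
    # named accepts abbreviated prefixes such as "127/8"; pad to 4 octets.
    addr, _, plen = tok.partition("/")
    parts = addr.split(".")
    parts += ["0"] * (4 - len(parts))
    return ipaddress.ip_network(".".join(parts) + "/" + (plen or "32"))

def parse_deny_answer(conf):
    """Return (deny_networks, except_names, duplicate_names)."""
    m = BLOCK_RE.search(conf)
    if m is None:
        return [], [], []
    nets = [_bind_prefix(t) for t in re.findall(r"[\d./]+", m.group("nets"))]
    names = [n.lower().rstrip(".")
             for n in re.findall(r'"([^"]+)"', m.group("names") or "")]
    seen, dups = set(), []
    for n in names:
        if n in seen and n not in dups:
            dups.append(n)   # named rejects this with "already exists"
        seen.add(n)
    return nets, names, dups

def answer_denied(qname, answer_ip, nets, names):
    """Model the filter: deny an address answer inside a listed range unless
    the query name is at or below an except-from name (assumed semantics)."""
    q = qname.lower().rstrip(".")
    if any(q == n or q.endswith("." + n) for n in names):
        return False
    ip = ipaddress.ip_address(answer_ip)
    return any(ip in net for net in nets)   # mismatched IP versions never match
```

Running parse_deny_answer over a real named.conf before "rndc reload" surfaces the duplicate that named would otherwise only report as a failed reload.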
