Re: 9.7.0a2 - deny-answer-addresses
At Tue, 25 Aug 2009 22:08:11 +0200,
clemens fischer wrote:

> > How about the patch copied below? With this it would fail like this:
> >
> > 24-Aug-2009 16:46:41.334
> > /Users/jinmei/src/isc/bind9-current/bin/named/named.conf:22: failed to
> > add dnsbl-1.uceprotect.net for deny-answer-addresses: already exists
> > 24-Aug-2009 16:46:41.334 loading configuration: already exists
> > 24-Aug-2009 16:46:41.334 exiting (due to fatal error)
> > [1]6321 exit 1 ./named -c named.conf -g
>
> The text itself would have been right on my nose. I'm not sure about
> the fatal error, though. If I only get to see a warning when using
> "rndc reload" on a running named(8), this solution is perfect.

If you mean when you incorrectly edit named.conf with a duplicate name
for deny-answer-* and do rndc reload then named will just reject the new
configuration file with the warning and keep running, it will behave
that way (it's not different from other "fatal" configuration errors).

This change will appear in 9.7.0a3.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: 9.7.0a2 - deny-answer-addresses
JINMEI Tatuya wrote:

> How about the patch copied below? With this it would fail like this:
>
> 24-Aug-2009 16:46:41.334
> /Users/jinmei/src/isc/bind9-current/bin/named/named.conf:22: failed to
> add dnsbl-1.uceprotect.net for deny-answer-addresses: already exists
> 24-Aug-2009 16:46:41.334 loading configuration: already exists
> 24-Aug-2009 16:46:41.334 exiting (due to fatal error)
> [1]6321 exit 1 ./named -c named.conf -g

The text itself would have been right on my nose. I'm not sure about the
fatal error, though. If I only get to see a warning when using "rndc
reload" on a running named(8), this solution is perfect.

clemens
Re: 9.7.0a2 - deny-answer-addresses
At Fri, 21 Aug 2009 10:42:31 -0500 (CDT),
"Jeremy C. Reed" wrote:

> > deny-answer-addresses {
> > 127/8; 192.168/16; 10/8; 172.16/12;
> > } except-from {
> > "zen.spamhaus.org";
> > "dnsbl-1.uceprotect.net";
> > "dnsbl-1.uceprotect.net";
>
> This is repeated, resulting in "already exists" (via the RBT code).
>
> Maybe we can improve the configuration failure logging for this.

How about the patch copied below? With this it would fail like this:

24-Aug-2009 16:46:41.334
/Users/jinmei/src/isc/bind9-current/bin/named/named.conf:22: failed to
add dnsbl-1.uceprotect.net for deny-answer-addresses: already exists
24-Aug-2009 16:46:41.334 loading configuration: already exists
24-Aug-2009 16:46:41.334 exiting (due to fatal error)
[1]6321 exit 1 ./named -c named.conf -g

---
JINMEI, Tatuya

Index: server.c
===
RCS file: /proj/cvs/prod/bind9/bin/named/server.c,v
retrieving revision 1.540
diff -u -r1.540 server.c
--- server.c	5 Aug 2009 17:35:33 -	1.540
+++ server.c	24 Aug 2009 23:47:35 -
@@ -431,7 +431,14 @@
 	 * for baz.example.com, which is not the expected result.
 	 * We simply use (void *)1 as the dummy data.
 	 */
-	CHECK(dns_rbt_addname(*rbtp, name, (void *)1));
+	result = dns_rbt_addname(*rbtp, name, (void *)1);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(nameobj, ns_g_lctx, ISC_LOG_ERROR,
+			    "failed to add %s for %s: %s",
+			    str, confname, isc_result_totext(result));
+		goto cleanup;
+	}
+
 	}
 
 	return (result);
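Review bot: the new error path treats every non-success result from dns_rbt_addname identically, including the duplicate-name case that started this thread (the RBT reports it as "already exists", ISC_R_EXISTS); since re-adding a name that is already in the tree leaves the resulting filter unchanged, consider testing for `result == ISC_R_EXISTS` separately, logging it at ISC_LOG_WARNING and continuing with the next name, and keeping `goto cleanup` for the remaining failures. The hunk also relies on `str`, `confname`, `nameobj` and the `cleanup` label being defined in the enclosing function, none of which appear in the visible context, so the surrounding code should be checked for them before this is committed.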
Re: 9.7.0a2 - deny-answer-addresses
Jeremy C. Reed wrote:

> Thank you very much for testing the alpha release.

My pleasure! I had a workaround resulting in dns-rebind protection in
my pdnsd[1] resolver, but pdnsd doesn't support dnssec and a few other
features.

[1] http://www.phys.uu.nl/~rombouts/pdnsd.html

>> deny-answer-addresses {
>> 127/8; 192.168/16; 10/8; 172.16/12;
>> } except-from {
>> "zen.spamhaus.org";
>> "dnsbl-1.uceprotect.net";
>> "dnsbl-1.uceprotect.net";
>
> This is repeated, resulting in "already exists" (via the RBT code).
>
> Maybe we can improve the configuration failure logging for this.

Now do I believe that! I must have read these lines dozens of times but
missed the obvious duplication!

> Not supported in a type forward zone.

"deny-answer-addresses" might be helpful in forwarding and maybe even
server zones.

clemens
Re: 9.7.0a2 - deny-answer-addresses
On Fri, 21 Aug 2009, clemens fischer wrote:

> BIND 9.7.0a2 built with '--prefix=/opt/bind/9.7.0a2'
> '--with-openssl=yes' '--disable-linux-caps'
> '--sysconfdir=/usr/local/etc' '--localstatedir=/var' 'CFLAGS=-O'

Thank you very much for testing the alpha release.

> deny-answer-addresses {
> 127/8; 192.168/16; 10/8; 172.16/12;
> } except-from {
> "zen.spamhaus.org";
> "dnsbl-1.uceprotect.net";
> "dnsbl-1.uceprotect.net";

This is repeated, resulting in "already exists" (via the RBT code).

Maybe we can improve the configuration failure logging for this.

> "ix.dnsbl.manitu.net";
> };
>
> I get:
>
> received SIGHUP signal to reload zones
> loading configuration from '/usr/local/etc/named.conf'
> ...
> reloading configuration failed: already exists
>
> Putting a suitably modified version of "deny-answer-addresses" into
> a forwarder zone returns:

Not supported in a type forward zone.
9.7.0a2 - deny-answer-addresses
'uname -rms'
Linux 2.6.30.4-spott-gecd13d4 i686

'/l/sbin/named -V'
BIND 9.7.0a2 built with '--prefix=/opt/bind/9.7.0a2' '--with-openssl=yes'
'--disable-linux-caps' '--sysconfdir=/usr/local/etc' '--localstatedir=/var'
'CFLAGS=-O'

I want to disallow rebinding-attacks in a caching resolver. In the
top-level options I have:

deny-answer-addresses {
  127/8; 192.168/16; 10/8; 172.16/12;
} except-from {
  "zen.spamhaus.org";
  "dnsbl-1.uceprotect.net";
  "dnsbl-1.uceprotect.net";
  "ix.dnsbl.manitu.net";
};

I get:

received SIGHUP signal to reload zones
loading configuration from '/usr/local/etc/named.conf'
...
reloading configuration failed: already exists

Putting a suitably modified version of "deny-answer-addresses" into a
forwarder zone returns:

received SIGHUP signal to reload zones
loading configuration from '/usr/local/etc/named.conf'
/usr/local/etc/named.conf:83: unknown option 'deny-answer-addresses'

I also tried to split "deny-answer-addresses" into several pieces, but
this yields "'deny-answer-addresses' redefined ...".

Countering dns-rebinding in a caching resolver always has to account for
at least two practical problems: anti-spam RBLs and providers running
split horizon. To handle the former, it should be possible to specify a
statement, better several statements, where the denied IP ranges can be
fitted with a number of exception domains. Split horizon would require
putting "deny-answer-addresses" into forwarding zones. IMO the current
usage scenario, if I understood the configuration correctly, is only
suited to domain owners running split horizon. But maybe this is a bug?

clemens
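An added example, not from the thread and not BIND's own code: a Python sketch that parses the deny-answer-addresses block from the original report above, flags the duplicated except-from name that Jeremy spotted (the entry the RBT rejects as "already exists"), and applies a simplified model of the filter, in which a query name at or under an except-from domain passes and any other answer containing an address in a denied range is rejected. The configuration sample is constructed from the post; the matching rules are an assumption simplified from the BIND documentation, and the prefix expansion assumes IPv4 only.

```python
import ipaddress
import re

# Constructed sample: the block from the original report, with its duplicated except-from entry.
NAMED_CONF = """
deny-answer-addresses {
    127/8; 192.168/16; 10/8; 172.16/12;
} except-from {
    "zen.spamhaus.org";
    "dnsbl-1.uceprotect.net";
    "dnsbl-1.uceprotect.net";
    "ix.dnsbl.manitu.net";
};
"""

def expand_prefix(p):
    """Turn BIND's short prefix form (e.g. 192.168/16) into a full IPv4 network."""
    addr, _, bits = p.partition("/")
    octets = addr.split(".") + ["0"] * (3 - addr.count("."))
    return ipaddress.ip_network(".".join(octets) + "/" + (bits or "32"))

def canonical(name):
    """DNS names compare case-insensitively and a trailing dot is not significant."""
    return name.strip('"').rstrip(".").lower()

def parse_deny_answer_addresses(conf):
    """Return (denied networks, except-from names) from a named.conf fragment."""
    m = re.search(r"deny-answer-addresses\s*\{(.*?)\}\s*except-from\s*\{(.*?)\};",
                  conf, re.S)
    nets = [expand_prefix(t) for t in re.findall(r"[\d./]+", m.group(1))]
    names = [canonical(t) for t in re.findall(r'"[^"]+"', m.group(2))]
    return nets, names

def duplicate_exceptions(names):
    """Names listed more than once: the RBT insert rejects these as 'already exists'."""
    seen, dups = set(), []
    for n in names:
        if n in seen and n not in dups:
            dups.append(n)
        seen.add(n)
    return dups

def answer_allowed(qname, addrs, nets, exceptions):
    """Simplified filter model (assumption): a query name at or under an except-from
    domain always passes; otherwise any address inside a denied range rejects the answer."""
    q = canonical(qname)
    if any(q == e or q.endswith("." + e) for e in exceptions):
        return True
    return not any(ipaddress.ip_address(a) in n for a in addrs for n in nets)
```

Running duplicate_exceptions over a config before "rndc reload" catches the repeated name that the 9.7.0a2 log only reported as "already exists".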