A DNSSEC validation error was introduced in the fix for CVE-2017-15107
Backport the upstream fix to the fix (a simple typo)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
CVE-2017-15107
An interesting problem has turned up in DNSSEC validation. It turns out
that NSEC records expanded from wildcards are allowed, so a domain can
include an NSEC record for *.example.org and an actual query reply could
expand that to anything in example.org and still have it signed by the
signature for the wildcard. So, for example
!.example.org NSEC zz.example.org
is fine.
The problem is that most implementers (your author included, but also
the Google public DNS people, powerdns and Unbound) then took that
record to prove the nothing exists between !.example.org and
zz.example.org, whereas in fact it only provides that proof between
*.example.org and zz.example.org.
This gives an attacker a way to prove that anything between
!.example.org and *.example.org doesn't exists, when it may well do so.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Dnsmasq used SIGHUP to do too many things: 1) set dnssec time validation
enabled, 2) bump SOA zone serial, 3) clear dns cache, 4) reload hosts
files, 5) reload resolvers/servers files.
Many subsystems within LEDE can send SIGHUP to dnsmasq: 1) ntpd hotplug
(to indicate time is valid for dnssec) 2) odhcpd (to indicate a
new/removed host - typically DHCPv6 leases) 3) procd on interface state
changes 4) procd on system config state changes, 5) service reload.
If dnssec time validation is enabled before the system clock has been
set to a sensible time, name resolution will fail. Because name
resolution fails, ntpd is unable to resolve time server names to
addresses, so is unable to set time. Classic chicken/egg.
Since commits 23bba9cb33 (service reload) &
4f02285d8b (system config) make it more
likely a SIGHUP will be sent for events other than 'ntpd has set time'
it is more likely that an errant 'name resolution is failing for
everything' situation will be encountered.
Fortunately the upstream dnsmasq people agree and have moved 'check
dnssec timestamp enable' from SIGHUP handler to SIGINT.
Backport the upstream patch to use SIGINT.
ntpd hotplug script updated to use SIGINT.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
If all configured dns servers return refused in response to a query in
strict mode; dnsmasq will end up in an infinite loop retransmitting the
dns query resulting into high CPU load.
Problem is fixed by checking for the end of a dns server list iteration
in strict mode.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Don't return arcount=1 if EDNS0 RR won't fit in the packet.
Omitting the EDNS0 RR but setting arcount gives a malformed packet.
Also, don't accept UDP packet size less than 512 in received EDNS0.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Remove LEDE partial fix for CVE-2017-13704.
Backport official fix from upstream.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset()
is called with header & limit pointing at the same address and thus
tries to clear memory from before the buffer begins.
answer_request() is called with an invalid edns packet size provided by
the client. Ensure the udp_size provided by the client is bounded by
512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512
MUST be treated as equal to 512"
The client that exposed the problem provided a payload udp size of 0.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
Remove ping check in DHCPDISCOVER case as too many buggy clients leave
an interface in configured state causing the ping check to fail.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Backport upstream dnsmasq patch fixing DNS failover when first servers
returns REFUSED in strict mode; fixes issue FS#841.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Don't start ping-check of address in DHCP discover if there already
exists a lease for the address. It has been reported under some
circumstances android and netbooted windows devices can reply to
ICMP pings if they have a lease and thus block the allocation of
the IP address the device already has during boot.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
--bogus-priv now applies to IPv6 prefixes as specified in RFC6303 - this
is significantly friendlier to upstream servers.
CNAME fix in auth mode - A domain can only have a CNAME if it has no
other records
Drop 2 patches now included upstream.
Compile & run tested Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
New test release (since test1) includes 2 LEDE patches that are
upstream and may be dropped, along with many spelling fixes.
Add forthcoming 2017 root zone trust anchor to trust-anchors.conf.
Backport 2 patches that just missed test3:
Reduce logspam of those domains handled locally 'local addresses only'
Implement RFC-6842 (Client-ids in DHCP replies)
Compile & run tested Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Bump to dnsmasq 2.77test1 - this includes a number of fixes since 2.76
and allows dropping of 2 LEDE carried patches.
Notable fix in rrfilter code when talking to Nominum's DNS servers
especially with DNSSEC.
A patch to switch dnsmasq back to 'soft fail' for SERVFAIL responses
from dns servers is also included. This mean dnsmasq tries all
configured servers before giving up.
A 'localise queries' enhancement has also been backported (it will
appear in test2/rc'n') this is especially important if using the
recently imported to LEDE 'use dnsmasq standalone' feature 9525743c
I have been following dnsmasq HEAD ever since 2.76 release.
Compile & Run tested: ar71xx, Archer C7 v2
Tested-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Don't expose dnsmasq version & other data to clients via the *.bind
pseudo domain. This uses a new 'NO_ID' compile time option which has been
discussed and submitted upstream.
This is an alternate to replacing version with 'unknown' which affects
the version reported to syslog and 'dnsmasq --version'
Run time tested with & without NO_ID on Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Update to dnsmasq2.76. Refresh patches. Add new patch to fix musl
'poll.h' location warning.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
This patch backports the option --tftp-no-fail to dnsmasq and prevents the
service from aborting if the specified TFTP root directory is not available;
this might be the case if TFTP files are located on external media that might
occasionally not be present at startup.
Signed-off-by: Stefan Tomanek <stefan.tomanek+openwrt@wertarbyte.de>
SVN-Revision: 45213
This patch tries to
- Let the DHCPv6 feature depend on CONFIG_IPV6.
- Conditionally select libnettle, kmod-ipv6, kmod-ipt-ipset only if the
corresponding features are enabled.
- Install `trust-anchors.conf` only if DNSSEC is selected.
- Add PKG_CONFIG_DEPENDS for the configurable options.
- Add a patch to let the Makefile of dnsmasq be aware of changes in
COPTS variable.
Big thanks goes to Frank Schäfer <fschaefer.oss@googlemail.com> for
providing necessary information on connections and dependency relations
between these CONFIGs and packages.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
SVN-Revision: 43851
* Add Authoritative DNS and IPSET to full variant
* Remove some bloat from IPSET support
* Reintroduce "DHCP no address warning"-patch
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 41246
