From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] DNS: Fall back to permissive mode if recursor mode is unavailable Date: Wed, 01 Mar 2017 16:17:11 +0000 Message-ID: <1488385031.2493.4.camel@ipfire.org> In-Reply-To: <20170301161141.4628-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============9089119304610893452==" List-Id: --===============9089119304610893452== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello, so I wanted to highlight this patch a little which has been merged into next. It will change fallback behaviour of DNS again which before switched to recursor mode if no usable forwarder could be found. Now IPFire will test if any of the root servers is available and if so, fall back to recursor mode. If not, it will change DNSSEC into permissive mode and will use all given forwarders. The idea behind this is to always be able to provide at least *some* DNS, although DNSSEC will be practically deactivated. It is still missing that we show a big warning where necessary, but at least for some people who were forced by their providers to use their own name servers which do not support DNSSEC at all. So, for the people who have been affected by this issue I can only recommend to test this and give us feedback within about one week. I would like to close the merge window for the next core update around then. Best, -Michael On Wed, 2017-03-01 at 16:11 +0000, Michael Tremer wrote: > The tests when assigning DNS name servers has been extended so that > if no working forwarder can be found, we will test if the local > recursor > mode is an option. >=20 > If not, we will configure unbound's validator module into permissive > mode so that at least some DNS functionality is available. >=20 > Signed-off-by: Michael Tremer > --- > =C2=A0config/rootfiles/core/110/filelists/files=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0|=C2=A0=C2=A01 + > =C2=A0lfs/unbound=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0|=C2=A0=C2=A01 + > =C2=A0src/initscripts/init.d/unbound=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0| 67 > ++++++++++++++++++++-- > =C2=A0...ting-validator-permissive-mode-at-runtime.patch | 43 > ++++++++++++++ > =C2=A04 files changed, 107 insertions(+), 5 deletions(-) > =C2=A0create mode 100644 src/patches/unbound-allow-setting-validator- > permissive-mode-at-runtime.patch >=20 > diff --git a/config/rootfiles/core/110/filelists/files > b/config/rootfiles/core/110/filelists/files > index 670b9ae..f4ce989 100644 > --- a/config/rootfiles/core/110/filelists/files > +++ b/config/rootfiles/core/110/filelists/files > @@ -1,5 +1,6 @@ > =C2=A0etc/system-release > =C2=A0etc/issue > +etc/rc.d/init.d/unbound > =C2=A0srv/web/ipfire/cgi-bin/index.cgi > =C2=A0srv/web/ipfire/cgi-bin/vpnmain.cgi > =C2=A0usr/lib/libssp.so.0 > diff --git a/lfs/unbound b/lfs/unbound > index 2b7745c..f361f24 100644 > --- a/lfs/unbound > +++ b/lfs/unbound > @@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) : > =C2=A0$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > =C2=A0 @$(PREBUILD) > =C2=A0 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf > $(DIR_DL)/$(DL_FILE) > + cd $(DIR_APP) && patch -Np1 < > $(DIR_SRC)/src/patches/unbound-allow-setting-validator-permissive- > mode-at-runtime.patch > =C2=A0 cd $(DIR_APP) && \ > =C2=A0 ./configure \ > =C2=A0 --prefix=3D/usr \ > diff --git a/src/initscripts/init.d/unbound > b/src/initscripts/init.d/unbound > index 8802781..bbf9c00 100644 > --- a/src/initscripts/init.d/unbound > +++ b/src/initscripts/init.d/unbound > @@ -114,17 +114,38 @@ update_forwarders() { > =C2=A0 echo_warning > =C2=A0 fi > =C2=A0 > - if [ -n "${broken_forwarders}" -a -z "${forwarders}" > ]; then > - boot_mesg "Falling back to recursor mode" > ${WARNING} > - echo_warning > - > - elif [ -n "${forwarders}" ]; then > + if [ -n "${forwarders}" ]; then > =C2=A0 boot_mesg "Configuring upstream name > server(s): ${forwarders:1}" ${INFO} > =C2=A0 echo_ok > =C2=A0 > + # Make sure DNSSEC is activated > + enable_dnssec > + > =C2=A0 echo "${forwarders}" > /var/ipfire/red/dns > =C2=A0 unbound-control -q forward ${forwarders} > =C2=A0 return 0 > + > + # In case we have found no working forwarders > + else > + # Test if the recursor mode is available > + if can_resolve_root > +bufsize=3D${new_edns_buffer_size}; then > + # Make sure DNSSEC is activated > + enable_dnssec > + > + boot_mesg "Falling back to recursor > mode" ${WARNING} > + echo_warning > + > + # If not, we set DNSSEC in permissive mode > and allow using all recursors > + elif [ -n "${broken_forwarders}" ]; then > + disable_dnssec > + > + boot_mesg "DNSSEC has been set to > permissive mode" ${FAILURE} > + echo_failure > + > + echo "${broken_forwarders}" > > /var/ipfire/red/dns > + unbound-control -q forward > ${broken_forwarders} > + return 0 > + fi > =C2=A0 fi > =C2=A0 fi > =C2=A0 > @@ -370,6 +391,42 @@ ns_determine_edns_buffer_size() { > =C2=A0 return 1 > =C2=A0} > =C2=A0 > +get_root_nameservers() { > + while read -r hostname ttl record address; do > + # Searching for A records > + [ "${record}" =3D "A" ] || continue > + > + echo "${address}" > + done < /etc/unbound/root.hints > +} > + > +can_resolve_root() { > + local ns > + for ns in $(get_root_nameservers); do > + if dig @${ns} +dnssec SOA . $@ >/dev/null; then > + return 0 > + fi > + done > + > + # none of the servers was reachable > + return 1 > +} > + > +enable_dnssec() { > + local status=3D$(unbound-control get_option val-permissive- > mode) > + > + # Don't do anything if DNSSEC is already activated > + [ "${status}" =3D "no" ] && return 0 > + > + # Activate DNSSEC and flush cache with any stale and > unvalidated data > + unbound-control -q set_option val-permissive-mode: no > + unbound-control -q flush_zone . > +} > + > +disable_dnssec() { > + unbound-control -q set_option val-permissive-mode: yes > +} > + > =C2=A0case "$1" in > =C2=A0 start) > =C2=A0 # Print a nicer messagen when unbound is already > running > diff --git a/src/patches/unbound-allow-setting-validator-permissive- > mode-at-runtime.patch b/src/patches/unbound-allow-setting-validator- > permissive-mode-at-runtime.patch > new file mode 100644 > index 0000000..f476d08 > --- /dev/null > +++ b/src/patches/unbound-allow-setting-validator-permissive-mode-at- > runtime.patch > @@ -0,0 +1,43 @@ > +diff --git a/validator/validator.c b/validator/validator.c > +index 676dcdf..7c19f3d 100644 > +--- a/validator/validator.c > ++++ b/validator/validator.c > +@@ -113,7 +113,7 @@ val_apply_cfg(struct module_env* env, struct > val_env* val_env, > +=C2=A0 int c; > +=C2=A0 val_env->bogus_ttl =3D (uint32_t)cfg->bogus_ttl; > +=C2=A0 val_env->clean_additional =3D cfg->val_clean_additional; > +- val_env->permissive_mode =3D cfg->val_permissive_mode; > ++ val_env->permissive_mode =3D &cfg->val_permissive_mode; > +=C2=A0 if(!env->anchors) > +=C2=A0 env->anchors =3D anchors_create(); > +=C2=A0 if(!env->anchors) { > +@@ -170,7 +170,6 @@ val_init(struct module_env* env, int id) > +=C2=A0 } > +=C2=A0 env->modinfo[id] =3D (void*)val_env; > +=C2=A0 env->need_to_validate =3D 1; > +- val_env->permissive_mode =3D 0; > +=C2=A0 lock_basic_init(&val_env->bogus_lock); > +=C2=A0 lock_protect(&val_env->bogus_lock, &val_env- > >num_rrset_bogus, > +=C2=A0 sizeof(val_env->num_rrset_bogus)); > +@@ -2084,7 +2083,7 @@ processFinished(struct module_qstate* qstate, > struct val_qstate* vq, > +=C2=A0 } > +=C2=A0 } > +=C2=A0 /* If we are in permissive mode, bogus gets > indeterminate */ > +- if(ve->permissive_mode) > ++ if(*ve->permissive_mode) > +=C2=A0 vq->orig_msg->rep->security =3D > sec_status_indeterminate; > +=C2=A0 } > +=C2=A0 > +diff --git a/validator/validator.h b/validator/validator.h > +index 23d3072..f8464b8 100644 > +--- a/validator/validator.h > ++++ b/validator/validator.h > +@@ -104,7 +104,7 @@ struct val_env { > +=C2=A0 =C2=A0* This allows an operator to run validation 'shadow' > without > +=C2=A0 =C2=A0* hurting responses to clients. > +=C2=A0 =C2=A0*/ > +- int permissive_mode; > ++ int* permissive_mode; > +=C2=A0 > +=C2=A0 /** > +=C2=A0 =C2=A0* Number of entries in the NSEC3 maximum iteration count > table. --===============9089119304610893452== Content-Type: application/pgp-signature Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="signature.asc" MIME-Version: 1.0 LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogR251UEcgdjIKCmlRSWNCQUFC Q2dBR0JRSll0dlFIQUFvSkVJQjU4UDl2a0FrSEYrWVFBSkNTTHhoZHc1YVJCMGZvZGY4SEx6QjkK ZWk3VjZZTWxoVm1SQld4ZDRJamltTlc1c2tXVjgvRnhLYzQ0MDF0dkFTWk8waXJRcVhCUTJlTUYw cThCYmxyZApYT0YrZi9VdHdmeEtGY3B1UkE1ZFBXVWVpQWF2VG8yRnI5ZXBKYWhleW1xaWdRTHE4 S0puSWdCa2tBTEFJRGdaCmcwRlNCMVRocE1BcDd1WC9xbDlUYTNaVlZQSGFaWmtzc09YcGxCdFVn ZGduL0lKaUl6WlpZaklDV2loQ3JyVTAKRHNHZi9TYUlTWVIzd0ZhYUhQbzk2THFMbUF3ZzYreTRo NWNaYmw0Ny9sRkp6SUJ1RHRYc051S3RXdTlQakFscApDNG5GSFM2QktVVjlzMFRuVTBZZzNKQnIz UVhYZmhGdDFRNXlJQlRVa1JRcVMvSTlUQnFpbCtxTVo1bEwvVVBhCmJscnd0NWpVTWxoSk1ZVlJo TmV3TThDRFYxV205a3FUUU9pMnFwcGlIUTJjMXYxK2FzOUdld1ZLQklDMDhCNGYKNERqRWE5R2F2 RlZJRFNrcEZoOEM0Zk9yRXRPS1B6Z3ZQMXFmQ2RTZDIrU2llQktrenErRDFYTXhDWHBGRlRLUgp2 WThTVnBNT01jUzJtSS90RXFvN0lXTndRZTkwU3lQUkg2dmtKcmdEMkRlRlpjODl5dTB3enAvZ05X WEJ3T3AzClpra1BzSjlTRnpzSEVKN05DUGF5T1JiWmMwVGw4N29PdWd2WkFMRWJmbEVTZU1Db1pD eDNlT3J4S2MyUTYrcGEKTHJoclpXOTVodVkyTWZlQWFXTzhxQTFrblVtVXlUSE12eGhxb3kvNC9m bVNraUVBRlA5ek5TdUg5aU03U3Vragp2QmJRSk4vRFdBNSs3Y2krMTV4dQo9ditmbQotLS0tLUVO RCBQR1AgU0lHTkFUVVJFLS0tLS0K --===============9089119304610893452==--