From: Paul Simmons <redneckmother@hughes.net>
To: development@lists.ipfire.org
Subject: Re: [PATCH] DNS: Fall back to permissive mode if recursor mode is unavailable
Date: Wed, 01 Mar 2017 12:00:34 -0600
Message-ID: <1488391234.8219.7.camel@hughes.net>
In-Reply-To: <1488385031.2493.4.camel@ipfire.org>
On Wed, 2017-03-01 at 16:17 +0000, Michael Tremer wrote:
> Hello,
>
> so I wanted to highlight this patch a little which has been merged into
> next.
>
> It will change fallback behaviour of DNS again which before switched to
> recursor mode if no usable forwarder could be found. Now IPFire will
> test if any of the root servers is available and if so, fall back to
> recursor mode. If not, it will change DNSSEC into permissive mode and
> will use all given forwarders.
>
> The idea behind this is to always be able to provide at least *some*
> DNS, although DNSSEC will be practically deactivated.
>
> It is still missing that we show a big warning where necessary, but at
> least for some people who were forced by their providers to use their
> own name servers which do not support DNSSEC at all.
>
> So, for the people who have been affected by this issue I can only
> recommend to test this and give us feedback within about one week. I
> would like to close the merge window for the next core update around
> then.
>
> Best,
> -Michael
>
> On Wed, 2017-03-01 at 16:11 +0000, Michael Tremer wrote:
> > The tests when assigning DNS name servers have been extended so that
> > if no working forwarder can be found, we will test if the local recursor
> > mode is an option.
> >
> > If not, we will configure unbound's validator module into permissive
> > mode so that at least some DNS functionality is available.
> >
> > Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> > ---
> > config/rootfiles/core/110/filelists/files | 1 +
> > lfs/unbound | 1 +
> > src/initscripts/init.d/unbound | 67
> > ++++++++++++++++++++--
> > ...ting-validator-permissive-mode-at-runtime.patch | 43
> > ++++++++++++++
> > 4 files changed, 107 insertions(+), 5 deletions(-)
> > create mode 100644 src/patches/unbound-allow-setting-validator-
> > permissive-mode-at-runtime.patch
> >
> > diff --git a/config/rootfiles/core/110/filelists/files
> > b/config/rootfiles/core/110/filelists/files
> > index 670b9ae..f4ce989 100644
> > --- a/config/rootfiles/core/110/filelists/files
> > +++ b/config/rootfiles/core/110/filelists/files
> > @@ -1,5 +1,6 @@
> > etc/system-release
> > etc/issue
> > +etc/rc.d/init.d/unbound
> > srv/web/ipfire/cgi-bin/index.cgi
> > srv/web/ipfire/cgi-bin/vpnmain.cgi
> > usr/lib/libssp.so.0
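Review bot: the core 110 filelist picks up only the init script, while the lfs/unbound change in this same patch rebuilds unbound itself with the validator patch; on an updated system the init script's `unbound-control -q set_option val-permissive-mode: yes` only has an effect if the rebuilt unbound binaries ship too, so either list them here or make sure the package's own rootfile is included by this filelist.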
> > diff --git a/lfs/unbound b/lfs/unbound
> > index 2b7745c..f361f24 100644
> > --- a/lfs/unbound
> > +++ b/lfs/unbound
> > @@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) :
> > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> > @$(PREBUILD)
> > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf
> > $(DIR_DL)/$(DL_FILE)
> > + cd $(DIR_APP) && patch -Np1 <
> > $(DIR_SRC)/src/patches/unbound-allow-setting-validator-permissive-
> > mode-at-runtime.patch
> > cd $(DIR_APP) && \
> > ./configure \
> > --prefix=/usr \
> > diff --git a/src/initscripts/init.d/unbound
> > b/src/initscripts/init.d/unbound
> > index 8802781..bbf9c00 100644
> > --- a/src/initscripts/init.d/unbound
> > +++ b/src/initscripts/init.d/unbound
> > @@ -114,17 +114,38 @@ update_forwarders() {
> > echo_warning
> > fi
> >
> > - if [ -n "${broken_forwarders}" -a -z
> > "${forwarders}"
> > ]; then
> > - boot_mesg "Falling back to recursor mode"
> > ${WARNING}
> > - echo_warning
> > -
> > - elif [ -n "${forwarders}" ]; then
> > + if [ -n "${forwarders}" ]; then
> > boot_mesg "Configuring upstream name
> > server(s): ${forwarders:1}" ${INFO}
> > echo_ok
> >
> > + # Make sure DNSSEC is activated
> > + enable_dnssec
> > +
> > echo "${forwarders}" > /var/ipfire/red/dns
> > unbound-control -q forward ${forwarders}
> > return 0
> > +
> > + # In case we have found no working forwarders
> > + else
> > + # Test if the recursor mode is available
> > + if can_resolve_root
> > +bufsize=${new_edns_buffer_size}; then
> > + # Make sure DNSSEC is activated
> > + enable_dnssec
> > +
> > + boot_mesg "Falling back to
> > recursor
> > mode" ${WARNING}
> > + echo_warning
> > +
> > + # If not, we set DNSSEC in permissive mode
> > and allow using all recursors
> > + elif [ -n "${broken_forwarders}" ]; then
> > + disable_dnssec
> > +
> > + boot_mesg "DNSSEC has been set to
> > permissive mode" ${FAILURE}
> > + echo_failure
> > +
> > + echo "${broken_forwarders}" >
> > /var/ipfire/red/dns
> > + unbound-control -q forward
> > ${broken_forwarders}
> > + return 0
> > + fi
> > fi
> > fi
> >
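Review bot: the new else branch has no final case: when no root server answers and `broken_forwarders` is also empty, the function falls through with no message, no write to /var/ipfire/red/dns and no explicit return, so the caller sees the exit status of the last `[` test. Add an `else` that prints a failure and `return 1`. Two smaller points in the same branch: the permissive path re-points unbound at servers that have just failed the DNSSEC test and records nothing but a boot message, so the warning the cover mail promises has nothing to key on (a marker next to /var/ipfire/red/dns would do), and the comment "allow using all recursors" means forwarders.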
> > @@ -370,6 +391,42 @@ ns_determine_edns_buffer_size() {
> > return 1
> > }
> >
> > +get_root_nameservers() {
> > + while read -r hostname ttl record address; do
> > + # Searching for A records
> > + [ "${record}" = "A" ] || continue
> > +
> > + echo "${address}"
> > + done < /etc/unbound/root.hints
> > +}
> > +
> > +can_resolve_root() {
> > + local ns
> > + for ns in $(get_root_nameservers); do
> > + if dig @${ns} +dnssec SOA . $@ >/dev/null; then
> > + return 0
> > + fi
> > + done
> > +
> > + # none of the servers was reachable
> > + return 1
> > +}
> > +
> > +enable_dnssec() {
> > + local status=$(unbound-control get_option val-permissive-
> > mode)
> > +
> > + # Don't do anything if DNSSEC is already activated
> > + [ "${status}" = "no" ] && return 0
> > +
> > + # Activate DNSSEC and flush cache with any stale and
> > unvalidated data
> > + unbound-control -q set_option val-permissive-mode: no
> > + unbound-control -q flush_zone .
> > +}
> > +
> > +disable_dnssec() {
> > + unbound-control -q set_option val-permissive-mode: yes
> > +}
> > +
> > case "$1" in
> > start)
> > # Print a nicer messagen when unbound is already
> > running
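Review bot: `can_resolve_root` relies on dig's exit status, which is 0 for any response, SERVFAIL and REFUSED included, and it inspects nothing in the answer, so an intercepting resolver that answers in place of a root server passes the test and the box ends up in recursor mode behind an interceptor. Check the output for `status: NOERROR` and an RRSIG over the SOA (the query already sends +dnssec) before returning 0. Also give the dig call `+time=` and `+tries=`: with the defaults each unreachable root server costs roughly 15 seconds, and with every address from root.hints tried in turn the loop can hold up boot for minutes on an offline RED link. Redirect stderr as well so timeouts do not clutter the boot log.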
> > diff --git a/src/patches/unbound-allow-setting-validator-
> > permissive-
> > mode-at-runtime.patch b/src/patches/unbound-allow-setting-
> > validator-
> > permissive-mode-at-runtime.patch
> > new file mode 100644
> > index 0000000..f476d08
> > --- /dev/null
> > +++ b/src/patches/unbound-allow-setting-validator-permissive-mode-
> > at-
> > runtime.patch
> > @@ -0,0 +1,43 @@
> > +diff --git a/validator/validator.c b/validator/validator.c
> > +index 676dcdf..7c19f3d 100644
> > +--- a/validator/validator.c
> > ++++ b/validator/validator.c
> > +@@ -113,7 +113,7 @@ val_apply_cfg(struct module_env* env, struct
> > val_env* val_env,
> > + int c;
> > + val_env->bogus_ttl = (uint32_t)cfg->bogus_ttl;
> > + val_env->clean_additional = cfg->val_clean_additional;
> > +- val_env->permissive_mode = cfg->val_permissive_mode;
> > ++ val_env->permissive_mode = &cfg->val_permissive_mode;
> > + if(!env->anchors)
> > + env->anchors = anchors_create();
> > + if(!env->anchors) {
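Review bot: `val_env->permissive_mode` now aliases `cfg->val_permissive_mode`, so the validator only sees runtime changes if `set_option` writes into the very `config_file` that `val_apply_cfg` was handed and nothing replaces that struct without calling `val_apply_cfg` again (a reload re-runs it; the set_option path is the one to confirm). Say so in a comment at the assignment, since a future refactor that copies the config would silently break this.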
> > +@@ -170,7 +170,6 @@ val_init(struct module_env* env, int id)
> > + }
> > + env->modinfo[id] = (void*)val_env;
> > + env->need_to_validate = 1;
> > +- val_env->permissive_mode = 0;
> > + lock_basic_init(&val_env->bogus_lock);
> > + lock_protect(&val_env->bogus_lock, &val_env-
> > > num_rrset_bogus,
> >
> > + sizeof(val_env->num_rrset_bogus));
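Review bot: dropping `val_env->permissive_mode = 0;` leaves the pointer unset between `val_init` and `val_apply_cfg`; that is only safe if `val_env` was zero-allocated, and the failure mode otherwise is a NULL read in `processFinished`. Initialise it to NULL here explicitly rather than depending on the allocator.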
> > +@@ -2084,7 +2083,7 @@ processFinished(struct module_qstate*
> > qstate,
> > struct val_qstate* vq,
> > + }
> > + }
> > + /* If we are in permissive mode, bogus gets
> > indeterminate */
> > +- if(ve->permissive_mode)
> > ++ if(*ve->permissive_mode)
> > + vq->orig_msg->rep->security =
> > sec_status_indeterminate;
> > + }
> > +
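Review bot: `*ve->permissive_mode` is now a plain unsynchronised read of a field written by the remote-control thread via set_option; an aligned int store is effectively atomic on the targets IPFire builds for, but that assumption belongs in a comment. Note also that the switch only affects queries finishing after the write: messages already cached as bogus stay bogus until bogus-ttl expires, so the init script's `disable_dnssec` may want to flush as well (or the short delay should be documented).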
> > +diff --git a/validator/validator.h b/validator/validator.h
> > +index 23d3072..f8464b8 100644
> > +--- a/validator/validator.h
> > ++++ b/validator/validator.h
> > +@@ -104,7 +104,7 @@ struct val_env {
> > + * This allows an operator to run validation 'shadow'
> > without
> > + * hurting responses to clients.
> > + */
> > +- int permissive_mode;
> > ++ int* permissive_mode;
> > +
> > + /**
> > + * Number of entries in the NSEC3 maximum iteration count
> > table.
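Review bot: the doc comment above `permissive_mode` still describes a static operator setting; since the field is now a pointer into the config, extend the comment to say the value is read live so that `unbound-control set_option val-permissive-mode:` takes effect, and name who owns the pointed-to storage.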
>
I have nightly commit c016773b9816ad9be4ffc8643c30457e87c094e3
available locally, and will beg my users for downtime to test.
Thank you, and best regards,
Paul
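The root-reachability test and the mode decision discussed in this thread, as an added example that is not the patch's init script or any IPFire code. `root_answer_ok` classifies a captured dig answer instead of trusting dig's exit status and insists on a signed SOA for ".", which an intercepting resolver answering for a root server address cannot produce; `probe_root` and `can_resolve_root_strict` (assumed names, need a network) wrap it with a bounded timeout, and `pick_dns_mode` encodes the patch's preference order plus the final "no DNS" branch the patch lacks. The three dig outputs are constructed samples, and the signature and addresses in them are made up.

```shell
#!/bin/sh
# Added example, not code from the IPFire patch: stricter recursor-mode test.

# Constructed sample: a real root server answering `dig @<ns> +dnssec SOA .`
# (trimmed to the lines the check looks at; signature data is made up).
SAMPLE_GOOD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
.   86400  IN  SOA    a.root-servers.net. nstld.verisign-grs.com. 2017030100 1800 900 604800 86400
.   86400  IN  RRSIG  SOA 8 0 86400 20170314050000 20170301040000 61045 . c29tZXNpZ25hdHVyZQ=='

# Constructed sample: an intercepting resolver answering in place of the root.
# dig exits 0 for this too, but the answer is unsigned and not authoritative.
SAMPLE_PROXY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
.   3600   IN  SOA    ns.example.net. hostmaster.example.net. 1 1 1 1 1'

# Constructed sample: reachable, but refusing the query (dig still exits 0).
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 34567
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# root_answer_ok DIG_OUTPUT
# Returns 0 only if the status is NOERROR, the answer carries the SOA for "."
# and an RRSIG covering that SOA. Anything else is not a usable root answer.
root_answer_ok() {
	printf '%s\n' "$1" | grep -q 'status: NOERROR' || return 1
	printf '%s\n' "$1" | grep -q '^\.[[:space:]].*[[:space:]][[:space:]]*IN[[:space:]][[:space:]]*SOA[[:space:]]' || return 1
	printf '%s\n' "$1" | grep -q '^\.[[:space:]].*[[:space:]][[:space:]]*IN[[:space:]][[:space:]]*RRSIG[[:space:]][[:space:]]*SOA[[:space:]]' || return 1
	return 0
}

# probe_root NS [dig options...]   (assumed helper; needs a network)
# One query with a bounded timeout: an unreachable server costs ~2 s instead
# of dig's default 5 s x 3 tries.
probe_root() {
	ns="$1"; shift
	root_answer_ok "$(dig "@${ns}" +dnssec +time=2 +tries=1 SOA . "$@" 2>/dev/null)"
}

# can_resolve_root_strict HINTS_FILE [dig options...]   (assumed helper)
# Same loop over the A records of root.hints as the patch, stricter per-server test.
can_resolve_root_strict() {
	hints="$1"; shift
	while read -r hostname ttl record address; do
		[ "${record}" = "A" ] || continue
		probe_root "${address}" "$@" && return 0
	done < "${hints}"
	return 1
}

# pick_dns_mode ROOT_OK FORWARDERS BROKEN_FORWARDERS
# ROOT_OK is the exit status of the root probe (0 = reachable). Preference
# order as in the patch: validated forwarders, then recursor, then permissive
# mode on the unvalidated forwarders, then the case the patch leaves unhandled.
pick_dns_mode() {
	if [ -n "$2" ]; then echo forwarders
	elif [ "$1" = "0" ]; then echo recursor
	elif [ -n "$3" ]; then echo permissive
	else echo none
	fi
}
```

On a live box the loop would be `can_resolve_root_strict /etc/unbound/root.hints +bufsize=...; pick_dns_mode $? "${forwarders}" "${broken_forwarders}"`; the `none` result is the place to print a failure and return non-zero rather than leaving unbound with whatever forward list it had before.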
Thread overview: 18+ messages
2017-03-01 16:11 Michael Tremer
2017-03-01 16:17 ` Michael Tremer
2017-03-01 18:00 ` Paul Simmons [this message]
2017-03-03 20:54 ` Paul Simmons
2017-03-05 11:42 ` Michael Tremer
2017-03-06 18:18 ` Paul Simmons
2017-03-06 21:00 ` Michael Tremer
2017-03-06 21:47 ` Paul Simmons
2017-03-06 22:37 ` Michael Tremer
2017-03-06 23:29 ` Paul Simmons
2017-03-07 12:06 ` Michael Tremer
[not found] <1488903324.21248.2.camel@hughes.net>
2017-03-08 12:09 ` Michael Tremer
2017-03-08 16:19 ` Paul Simmons
[not found] <1490455220.20288.4.camel@hughes.net>
2017-03-30 16:51 ` Michael Tremer
2017-03-30 18:21 ` Paul Simmons
[not found] <1490979195.2643.88.camel@ipfire.org>
2017-04-02 16:37 ` Paul Simmons
2017-04-02 18:03 ` Michael Tremer
2017-04-02 19:07 ` Paul Simmons