On Wed, 2017-03-01 at 16:17 +0000, Michael Tremer wrote: > Hello, > > so I wanted to highlight this patch a little which has been merged > into > next. > > It will change fallback behaviour of DNS again which before switched > to > recursor mode if no usable forwarder could be found. Now IPFire will > test if any of the root servers is available and if so, fall back to > recursor mode. If not, it will change DNSSEC into permissive mode and > will use all given forwarders. > > The idea behind this is to always be able to provide at least *some* > DNS, although DNSSEC will be practically deactivated. > > It is still missing that we show a big warning where necessary, but > at > least for some people who were forced by their providers to use their > own name servers which do not support DNSSEC at all. > > So, for the people who have been affected by this issue I can only > recommend to test this and give us feedback within about one week. I > would like to close the merge window for the next core update around > then. > > Best, > -Michael > > On Wed, 2017-03-01 at 16:11 +0000, Michael Tremer wrote: > > The tests when assigning DNS name servers has been extended so that > > if no working forwarder can be found, we will test if the local > > recursor > > mode is an option. > > > > If not, we will configure unbound's validator module into > > permissive > > mode so that at least some DNS functionality is available. > > > > Signed-off-by: Michael Tremer > > --- > >  config/rootfiles/core/110/filelists/files          |  1 + > >  lfs/unbound                                        |  1 + > >  src/initscripts/init.d/unbound                     | 67 > > ++++++++++++++++++++-- > >  ...ting-validator-permissive-mode-at-runtime.patch | 43 > > ++++++++++++++ > >  4 files changed, 107 insertions(+), 5 deletions(-) > >  create mode 100644 src/patches/unbound-allow-setting-validator- > > permissive-mode-at-runtime.patch 
> > > > diff --git a/config/rootfiles/core/110/filelists/files > > b/config/rootfiles/core/110/filelists/files > > index 670b9ae..f4ce989 100644 > > --- a/config/rootfiles/core/110/filelists/files > > +++ b/config/rootfiles/core/110/filelists/files > > @@ -1,5 +1,6 @@ > >  etc/system-release > >  etc/issue > > +etc/rc.d/init.d/unbound > >  srv/web/ipfire/cgi-bin/index.cgi > >  srv/web/ipfire/cgi-bin/vpnmain.cgi > >  usr/lib/libssp.so.0 > > diff --git a/lfs/unbound b/lfs/unbound > > index 2b7745c..f361f24 100644 > > --- a/lfs/unbound > > +++ b/lfs/unbound > > @@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) : > >  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > >   @$(PREBUILD) > >   @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf > > $(DIR_DL)/$(DL_FILE) > > + cd $(DIR_APP) && patch -Np1 < > > $(DIR_SRC)/src/patches/unbound-allow-setting-validator-permissive- > > mode-at-runtime.patch > >   cd $(DIR_APP) && \ > >   ./configure \ > >   --prefix=/usr \ > > diff --git a/src/initscripts/init.d/unbound > > b/src/initscripts/init.d/unbound > > index 8802781..bbf9c00 100644 > > --- a/src/initscripts/init.d/unbound > > +++ b/src/initscripts/init.d/unbound 
> > @@ -114,17 +114,38 @@ update_forwarders() { > >   echo_warning > >   fi > >   > > - if [ -n "${broken_forwarders}" -a -z > > "${forwarders}" > > ]; then > > - boot_mesg "Falling back to recursor mode" > > ${WARNING} > > - echo_warning > > - > > - elif [ -n "${forwarders}" ]; then > > + if [ -n "${forwarders}" ]; then > >   boot_mesg "Configuring upstream name > > server(s): ${forwarders:1}" ${INFO} > >   echo_ok > >   > > + # Make sure DNSSEC is activated > > + enable_dnssec > > + > >   echo "${forwarders}" > /var/ipfire/red/dns > >   unbound-control -q forward ${forwarders} > >   return 0 > > + > > + # In case we have found no working forwarders > > + else > > + # Test if the recursor mode is available > > + if can_resolve_root > > +bufsize=${new_edns_buffer_size}; then > > + # Make sure DNSSEC is activated > > + enable_dnssec > > + > > + boot_mesg "Falling back to > > recursor > > mode" ${WARNING} > > + echo_warning > > + > > + # If not, we set DNSSEC in permissive mode > > and allow using all recursors > > + elif [ -n "${broken_forwarders}" ]; then > > + disable_dnssec > > + > > + boot_mesg "DNSSEC has been set to > > permissive mode" ${FAILURE} > > + echo_failure > > + > > + echo "${broken_forwarders}" > > > /var/ipfire/red/dns > > + unbound-control -q forward > > ${broken_forwarders} > > + return 0 > > + fi > >   fi > >   fi > >   
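Review bot: The probe `can_resolve_root +bufsize=${new_edns_buffer_size}` runs `dig` against each root server with no time bound, so on a network where port 53 to the roots is filtered — the very case this permissive fallback is meant for — the call can block for dig's default timeout and retries (about 15 s per server, if I recall the defaults) across all thirteen servers before `disable_dnssec` is ever reached; pass the bound through the same argument list, `if can_resolve_root +time=2 +tries=1 +bufsize=${new_edns_buffer_size}; then`. The permissive branch also leaves no persistent record of the downgrade beyond the boot message, so nothing else on the system can tell that validation is effectively off; a marker written next to `/var/ipfire/red/dns` would give the warning the cover letter promises something to read. Note too that the new `else` branch only returns when `broken_forwarders` is non-empty, so with no roots and no forwarders at all the function falls through; the remainder of `update_forwarders` is outside this hunk.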
> > @@ -370,6 +391,42 @@ ns_determine_edns_buffer_size() { > >   return 1 > >  } > >   > > +get_root_nameservers() { > > + while read -r hostname ttl record address; do > > + # Searching for A records > > + [ "${record}" = "A" ] || continue > > + > > + echo "${address}" > > + done < /etc/unbound/root.hints > > +} > > + > > +can_resolve_root() { > > + local ns > > + for ns in $(get_root_nameservers); do > > + if dig @${ns} +dnssec SOA . $@ >/dev/null; then > > + return 0 > > + fi > > + done > > + > > + # none of the servers was reachable > > + return 1 > > +} > > + > > +enable_dnssec() { > > + local status=$(unbound-control get_option val-permissive- > > mode) > > + > > + # Don't do anything if DNSSEC is already activated > > + [ "${status}" = "no" ] && return 0 > > + > > + # Activate DNSSEC and flush cache with any stale and > > unvalidated data > > + unbound-control -q set_option val-permissive-mode: no > > + unbound-control -q flush_zone . > > +} > > + > > +disable_dnssec() { > > + unbound-control -q set_option val-permissive-mode: yes > > +} > > + > >  case "$1" in > >   start) > >   # Print a nicer messagen when unbound is already > > running > > diff --git a/src/patches/unbound-allow-setting-validator- > > permissive- > > mode-at-runtime.patch b/src/patches/unbound-allow-setting- > > validator- > > permissive-mode-at-runtime.patch > > new file mode 100644 > > index 0000000..f476d08 > > --- /dev/null > > +++ b/src/patches/unbound-allow-setting-validator-permissive-mode- > > at- > > runtime.patch 
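Review bot: `can_resolve_root` treats a zero exit from `dig @${ns} +dnssec SOA . $@` as proof the root server is reachable, but dig exits 0 for any reply it receives, including SERVFAIL or REFUSED from whatever is actually answering on port 53; a provider that transparently redirects port 53 to its own resolver would therefore pass this check and push the box into recursor mode, which then cannot resolve anything. Since the root servers answer `SOA .` authoritatively, checking the reply rather than the exit code is a cheap fix, e.g. `if dig @${ns} +dnssec +time=2 +tries=1 SOA . "$@" | grep -q "status: NOERROR"; then` (quoting `"$@"` also keeps the forwarded bufsize argument intact). `get_root_nameservers` only yields A records, so an IPv6-only upstream never reaches recursor mode; worth a comment such as `# IPv4 root servers only — AAAA records are skipped` if that is intended.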
> > @@ -0,0 +1,43 @@ > > +diff --git a/validator/validator.c b/validator/validator.c > > +index 676dcdf..7c19f3d 100644 > > +--- a/validator/validator.c > > ++++ b/validator/validator.c > > +@@ -113,7 +113,7 @@ val_apply_cfg(struct module_env* env, struct > > val_env* val_env, > > +  int c; > > +  val_env->bogus_ttl = (uint32_t)cfg->bogus_ttl; > > +  val_env->clean_additional = cfg->val_clean_additional; > > +- val_env->permissive_mode = cfg->val_permissive_mode; > > ++ val_env->permissive_mode = &cfg->val_permissive_mode; > > +  if(!env->anchors) > > +  env->anchors = anchors_create(); > > +  if(!env->anchors) { > > +@@ -170,7 +170,6 @@ val_init(struct module_env* env, int id) > > +  } > > +  env->modinfo[id] = (void*)val_env; > > +  env->need_to_validate = 1; > > +- val_env->permissive_mode = 0; > > +  lock_basic_init(&val_env->bogus_lock); > > +  lock_protect(&val_env->bogus_lock, &val_env- > > > num_rrset_bogus, > > > > +  sizeof(val_env->num_rrset_bogus)); > > +@@ -2084,7 +2083,7 @@ processFinished(struct module_qstate* > > qstate, > > struct val_qstate* vq, > > +  } > > +  } > > +  /* If we are in permissive mode, bogus gets > > indeterminate */ > > +- if(ve->permissive_mode) > > ++ if(*ve->permissive_mode) > > +  vq->orig_msg->rep->security = > > sec_status_indeterminate; > > +  } > > +  > > +diff --git a/validator/validator.h b/validator/validator.h > > +index 23d3072..f8464b8 100644 > > +--- a/validator/validator.h > > ++++ b/validator/validator.h > > +@@ -104,7 +104,7 @@ struct val_env { > > +   * This allows an operator to run validation 'shadow' > > without > > +   * hurting responses to clients. > > +   */ > > +- int permissive_mode; > > ++ int* permissive_mode; > > +  > > +  /** > > +   * Number of entries in the NSEC3 maximum iteration count > > table. > I have nightly commit c016773b9816ad9be4ffc8643c30457e87c094e3 available locally, and will beg my users for downtime to test. Thank you, and best regards, Paul >
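Review bot: The change of `permissive_mode` to `int*` makes the validator alias `cfg->val_permissive_mode` for the lifetime of `val_env`, but the comment block above the field in validator.h is left describing a plain flag; add `/* Points into config_file so unbound-control set_option changes take effect at runtime; valid only while that config outlives val_env. */` so the next reader knows why `val_init` no longer zeroes it. The pointer's validity after a config reload depends on `val_apply_cfg` being re-run against the new `config_file`, which I believe happens via module re-init but cannot confirm from this patch. The dereference in `processFinished` is performed by worker threads while the control path writes the int unsynchronised, which is a formal data race even if benign for an aligned int; a one-line comment at the `if(*ve->permissive_mode)` site stating that reliance would help anyone running the daemon under a race detector.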