From mboxrd@z Thu Jan 1 00:00:00 1970 From: Paul Simmons To: development@lists.ipfire.org Subject: Re: [PATCH] DNS: Fall back to permissive mode if recursor mode is unavailable Date: Wed, 01 Mar 2017 12:00:34 -0600 Message-ID: <1488391234.8219.7.camel@hughes.net> In-Reply-To: <1488385031.2493.4.camel@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7918231071118333155==" List-Id: --===============7918231071118333155== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable On Wed, 2017-03-01 at 16:17 +0000, Michael Tremer wrote: > Hello, >=20 > so I wanted to highlight this patch a little which has been merged > into > next. >=20 > It will change fallback behaviour of DNS again which before switched > to > recursor mode if no usable forwarder could be found. Now IPFire will > test if any of the root servers is available and if so, fall back to > recursor mode. If not, it will change DNSSEC into permissive mode and > will use all given forwarders. >=20 > The idea behind this is to always be able to provide at least *some* > DNS, although DNSSEC will be practically deactivated. >=20 > It is still missing that we show a big warning where necessary, but > at > least for some people who were forced by their providers to use their > own name servers which do not support DNSSEC at all. >=20 > So, for the people who have been affected by this issue I can only > recommend to test this and give us feedback within about one week. I > would like to close the merge window for the next core update around > then. >=20 > Best, > -Michael >=20 > On Wed, 2017-03-01 at 16:11 +0000, Michael Tremer wrote: > > The tests when assigning DNS name servers has been extended so that > > if no working forwarder can be found, we will test if the local > > recursor > > mode is an option. > >=20 > > If not, we will configure unbound's validator module into > > permissive > > mode so that at least some DNS functionality is available. > >=20 > > Signed-off-by: Michael Tremer > > --- > > =C2=A0config/rootfiles/core/110/filelists/files=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0|=C2=A0=C2=A01 + > > =C2=A0lfs/unbound=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0|=C2=A0=C2=A01 + > > =C2=A0src/initscripts/init.d/unbound=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0| 67 > > ++++++++++++++++++++-- > > =C2=A0...ting-validator-permissive-mode-at-runtime.patch | 43 > > ++++++++++++++ > > =C2=A04 files changed, 107 insertions(+), 5 deletions(-) > > =C2=A0create mode 100644 src/patches/unbound-allow-setting-validator- > > permissive-mode-at-runtime.patch > >=20 > > diff --git a/config/rootfiles/core/110/filelists/files > > b/config/rootfiles/core/110/filelists/files > > index 670b9ae..f4ce989 100644 > > --- a/config/rootfiles/core/110/filelists/files > > +++ b/config/rootfiles/core/110/filelists/files > > @@ -1,5 +1,6 @@ > > =C2=A0etc/system-release > > =C2=A0etc/issue > > +etc/rc.d/init.d/unbound > > =C2=A0srv/web/ipfire/cgi-bin/index.cgi > > =C2=A0srv/web/ipfire/cgi-bin/vpnmain.cgi > > =C2=A0usr/lib/libssp.so.0 > > diff --git a/lfs/unbound b/lfs/unbound > > index 2b7745c..f361f24 100644 > > --- a/lfs/unbound > > +++ b/lfs/unbound > > @@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) : > > =C2=A0$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > > =C2=A0 @$(PREBUILD) > > =C2=A0 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf > > $(DIR_DL)/$(DL_FILE) > > + cd $(DIR_APP) && patch -Np1 < > > $(DIR_SRC)/src/patches/unbound-allow-setting-validator-permissive- > > mode-at-runtime.patch > > =C2=A0 cd $(DIR_APP) && \ > > =C2=A0 ./configure \ > > =C2=A0 --prefix=3D/usr \ > > diff --git a/src/initscripts/init.d/unbound > > b/src/initscripts/init.d/unbound > > index 8802781..bbf9c00 100644 > > --- a/src/initscripts/init.d/unbound > > +++ b/src/initscripts/init.d/unbound > > @@ -114,17 +114,38 @@ update_forwarders() { > > =C2=A0 echo_warning > > =C2=A0 fi > > =C2=A0 > > - if [ -n "${broken_forwarders}" -a -z > > "${forwarders}" > > ]; then > > - boot_mesg "Falling back to recursor mode" > > ${WARNING} > > - echo_warning > > - > > - elif [ -n "${forwarders}" ]; then > > + if [ -n "${forwarders}" ]; then > > =C2=A0 boot_mesg "Configuring upstream name > > server(s): ${forwarders:1}" ${INFO} > > =C2=A0 echo_ok > > =C2=A0 > > + # Make sure DNSSEC is activated > > + enable_dnssec > > + > > =C2=A0 echo "${forwarders}" > /var/ipfire/red/dns > > =C2=A0 unbound-control -q forward ${forwarders} > > =C2=A0 return 0 > > + > > + # In case we have found no working forwarders > > + else > > + # Test if the recursor mode is available > > + if can_resolve_root > > +bufsize=3D${new_edns_buffer_size}; then > > + # Make sure DNSSEC is activated > > + enable_dnssec > > + > > + boot_mesg "Falling back to > > recursor > > mode" ${WARNING} > > + echo_warning > > + > > + # If not, we set DNSSEC in permissive mode > > and allow using all recursors > > + elif [ -n "${broken_forwarders}" ]; then > > + disable_dnssec > > + > > + boot_mesg "DNSSEC has been set to > > permissive mode" ${FAILURE} > > + echo_failure > > + > > + echo "${broken_forwarders}" > > > /var/ipfire/red/dns > > + unbound-control -q forward > > ${broken_forwarders} > > + return 0 > > + fi > > =C2=A0 fi > > =C2=A0 fi > > =C2=A0 > > @@ -370,6 +391,42 @@ ns_determine_edns_buffer_size() { > > =C2=A0 return 1 > > =C2=A0} > > =C2=A0 > > +get_root_nameservers() { > > + while read -r hostname ttl record address; do > > + # Searching for A records > > + [ "${record}" =3D "A" ] || continue > > + > > + echo "${address}" > > + done < /etc/unbound/root.hints > > +} > > + > > +can_resolve_root() { > > + local ns > > + for ns in $(get_root_nameservers); do > > + if dig @${ns} +dnssec SOA . $@ >/dev/null; then > > + return 0 > > + fi > > + done > > + > > + # none of the servers was reachable > > + return 1 > > +} > > + > > +enable_dnssec() { > > + local status=3D$(unbound-control get_option val-permissive- > > mode) > > + > > + # Don't do anything if DNSSEC is already activated > > + [ "${status}" =3D "no" ] && return 0 > > + > > + # Activate DNSSEC and flush cache with any stale and > > unvalidated data > > + unbound-control -q set_option val-permissive-mode: no > > + unbound-control -q flush_zone . > > +} > > + > > +disable_dnssec() { > > + unbound-control -q set_option val-permissive-mode: yes > > +} > > + > > =C2=A0case "$1" in > > =C2=A0 start) > > =C2=A0 # Print a nicer messagen when unbound is already > > running > > diff --git a/src/patches/unbound-allow-setting-validator- > > permissive- > > mode-at-runtime.patch b/src/patches/unbound-allow-setting- > > validator- > > permissive-mode-at-runtime.patch > > new file mode 100644 > > index 0000000..f476d08 > > --- /dev/null > > +++ b/src/patches/unbound-allow-setting-validator-permissive-mode- > > at- > > runtime.patch > > @@ -0,0 +1,43 @@ > > +diff --git a/validator/validator.c b/validator/validator.c > > +index 676dcdf..7c19f3d 100644 > > +--- a/validator/validator.c > > ++++ b/validator/validator.c > > +@@ -113,7 +113,7 @@ val_apply_cfg(struct module_env* env, struct > > val_env* val_env, > > +=C2=A0 int c; > > +=C2=A0 val_env->bogus_ttl =3D (uint32_t)cfg->bogus_ttl; > > +=C2=A0 val_env->clean_additional =3D cfg->val_clean_additional; > > +- val_env->permissive_mode =3D cfg->val_permissive_mode; > > ++ val_env->permissive_mode =3D &cfg->val_permissive_mode; > > +=C2=A0 if(!env->anchors) > > +=C2=A0 env->anchors =3D anchors_create(); > > +=C2=A0 if(!env->anchors) { > > +@@ -170,7 +170,6 @@ val_init(struct module_env* env, int id) > > +=C2=A0 } > > +=C2=A0 env->modinfo[id] =3D (void*)val_env; > > +=C2=A0 env->need_to_validate =3D 1; > > +- val_env->permissive_mode =3D 0; > > +=C2=A0 lock_basic_init(&val_env->bogus_lock); > > +=C2=A0 lock_protect(&val_env->bogus_lock, &val_env- > > > num_rrset_bogus, > >=20 > > +=C2=A0 sizeof(val_env->num_rrset_bogus)); > > +@@ -2084,7 +2083,7 @@ processFinished(struct module_qstate* > > qstate, > > struct val_qstate* vq, > > +=C2=A0 } > > +=C2=A0 } > > +=C2=A0 /* If we are in permissive mode, bogus gets > > indeterminate */ > > +- if(ve->permissive_mode) > > ++ if(*ve->permissive_mode) > > +=C2=A0 vq->orig_msg->rep->security =3D > > sec_status_indeterminate; > > +=C2=A0 } > > +=C2=A0 > > +diff --git a/validator/validator.h b/validator/validator.h > > +index 23d3072..f8464b8 100644 > > +--- a/validator/validator.h > > ++++ b/validator/validator.h > > +@@ -104,7 +104,7 @@ struct val_env { > > +=C2=A0 =C2=A0* This allows an operator to run validation 'shadow' > > without > > +=C2=A0 =C2=A0* hurting responses to clients. > > +=C2=A0 =C2=A0*/ > > +- int permissive_mode; > > ++ int* permissive_mode; > > +=C2=A0 > > +=C2=A0 /** > > +=C2=A0 =C2=A0* Number of entries in the NSEC3 maximum iteration count > > table. >=20 I have nightly commit c016773b9816ad9be4ffc8643c30457e87c094e3 available locally, and will beg my users for downtime to test. Thank you, and best regards, Paul >=20 --===============7918231071118333155==--