From: Paul Simmons <redneckmother@hughes.net>
To: development@lists.ipfire.org
Subject: Re: [PATCH] DNS: Fall back to permissive mode if recursor mode is unavailable
Date: Fri, 03 Mar 2017 14:54:20 -0600
Message-ID: <1488574460.21412.1.camel@hughes.net>
In-Reply-To: <1488391234.8219.7.camel@hughes.net>
On Wed, 2017-03-01 at 12:00 -0600, Paul Simmons wrote:
> On Wed, 2017-03-01 at 16:17 +0000, Michael Tremer wrote:
> > Hello,
> >
> > so I wanted to highlight this patch a little which has been merged
> > into next.
> >
> > It will change fallback behaviour of DNS again which before switched
> > to recursor mode if no usable forwarder could be found. Now IPFire
> > will test if any of the root servers is available and if so, fall
> > back to recursor mode. If not, it will change DNSSEC into permissive
> > mode and will use all given forwarders.
> >
> > The idea behind this is to always be able to provide at least *some*
> > DNS, although DNSSEC will be practically deactivated.
> >
> > It is still missing that we show a big warning where necessary, but
> > at least for some people who were forced by their providers to use
> > their own name servers which do not support DNSSEC at all.
> >
> > So, for the people who have been affected by this issue I can only
> > recommend to test this and give us feedback within about one week. I
> > would like to close the merge window for the next core update around
> > then.
> >
> > Best,
> > -Michael
> >
> > On Wed, 2017-03-01 at 16:11 +0000, Michael Tremer wrote:
> > > The tests when assigning DNS name servers have been extended so that
> > > if no working forwarder can be found, we will test if the local
> > > recursor mode is an option.
> > >
> > > If not, we will configure unbound's validator module into permissive
> > > mode so that at least some DNS functionality is available.
> > >
> > > Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> > > ---
> > > config/rootfiles/core/110/filelists/files | 1 +
> > > lfs/unbound | 1 +
> > > src/initscripts/init.d/unbound | 67 ++++++++++++++++++++--
> > > ...ting-validator-permissive-mode-at-runtime.patch | 43 ++++++++++++++
> > > 4 files changed, 107 insertions(+), 5 deletions(-)
> > > create mode 100644 src/patches/unbound-allow-setting-validator-permissive-mode-at-runtime.patch
> > >
> > > diff --git a/config/rootfiles/core/110/filelists/files
> > > b/config/rootfiles/core/110/filelists/files
> > > index 670b9ae..f4ce989 100644
> > > --- a/config/rootfiles/core/110/filelists/files
> > > +++ b/config/rootfiles/core/110/filelists/files
> > > @@ -1,5 +1,6 @@
> > > etc/system-release
> > > etc/issue
> > > +etc/rc.d/init.d/unbound
> > > srv/web/ipfire/cgi-bin/index.cgi
> > > srv/web/ipfire/cgi-bin/vpnmain.cgi
> > > usr/lib/libssp.so.0
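Review bot: the core/110 file list only gains etc/rc.d/init.d/unbound, while the lfs/unbound change below patches validator.c so that a runtime `set_option val-permissive-mode` is actually honoured; unless the rebuilt unbound binary is also shipped in this update, upgraded systems will run the new initscript against an unpatched validator and `disable_dnssec` will change the config value without changing validation behaviour. Confirm the unbound package files are part of the update and that the package is rebuilt with the new patch.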
> > > diff --git a/lfs/unbound b/lfs/unbound
> > > index 2b7745c..f361f24 100644
> > > --- a/lfs/unbound
> > > +++ b/lfs/unbound
> > > @@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) :
> > > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> > > @$(PREBUILD)
> > > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf
> > > $(DIR_DL)/$(DL_FILE)
> > > + cd $(DIR_APP) && patch -Np1 <
> > > $(DIR_SRC)/src/patches/unbound-allow-setting-validator-
> > > permissive-
> > > mode-at-runtime.patch
> > > cd $(DIR_APP) && \
> > > ./configure \
> > > --prefix=/usr \
> > > diff --git a/src/initscripts/init.d/unbound
> > > b/src/initscripts/init.d/unbound
> > > index 8802781..bbf9c00 100644
> > > --- a/src/initscripts/init.d/unbound
> > > +++ b/src/initscripts/init.d/unbound
> > > @@ -114,17 +114,38 @@ update_forwarders() {
> > > echo_warning
> > > fi
> > >
> > > - if [ -n "${broken_forwarders}" -a -z
> > > "${forwarders}"
> > > ]; then
> > > - boot_mesg "Falling back to recursor
> > > mode"
> > > ${WARNING}
> > > - echo_warning
> > > -
> > > - elif [ -n "${forwarders}" ]; then
> > > + if [ -n "${forwarders}" ]; then
> > > boot_mesg "Configuring upstream name
> > > server(s): ${forwarders:1}" ${INFO}
> > > echo_ok
> > >
> > > + # Make sure DNSSEC is activated
> > > + enable_dnssec
> > > +
> > > echo "${forwarders}" >
> > > /var/ipfire/red/dns
> > > unbound-control -q forward ${forwarders}
> > > return 0
> > > +
> > > + # In case we have found no working forwarders
> > > + else
> > > + # Test if the recursor mode is available
> > > + if can_resolve_root
> > > +bufsize=${new_edns_buffer_size}; then
> > > + # Make sure DNSSEC is activated
> > > + enable_dnssec
> > > +
> > > + boot_mesg "Falling back to
> > > recursor
> > > mode" ${WARNING}
> > > + echo_warning
> > > +
> > > + # If not, we set DNSSEC in permissive
> > > mode
> > > and allow using all recursors
> > > + elif [ -n "${broken_forwarders}" ]; then
> > > + disable_dnssec
> > > +
> > > + boot_mesg "DNSSEC has been set
> > > to
> > > permissive mode" ${FAILURE}
> > > + echo_failure
> > > +
> > > + echo "${broken_forwarders}" >
> > > /var/ipfire/red/dns
> > > + unbound-control -q forward
> > > ${broken_forwarders}
> > > + return 0
> > > + fi
> > > fi
> > > fi
> > >
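Review bot: the new else branch has no message for the fourth outcome: when no root server answers and `broken_forwarders` is also empty, `update_forwarders` falls through silently although the system is left without any DNS at all; add an explicit `boot_mesg "..." ${FAILURE}` for that case so the state is at least visible on the console. The call `can_resolve_root +bufsize=${new_edns_buffer_size}` also depends on `new_edns_buffer_size` being set earlier in the function, which this hunk does not show; confirm it is always set before this point. Since the permissive fallback leaves no trace other than the boot message, persisting the degraded state next to /var/ipfire/red/dns would give the web UI something to show the warning you mention is still missing.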
> > > @@ -370,6 +391,42 @@ ns_determine_edns_buffer_size() {
> > > return 1
> > > }
> > >
> > > +get_root_nameservers() {
> > > + while read -r hostname ttl record address; do
> > > + # Searching for A records
> > > + [ "${record}" = "A" ] || continue
> > > +
> > > + echo "${address}"
> > > + done < /etc/unbound/root.hints
> > > +}
> > > +
> > > +can_resolve_root() {
> > > + local ns
> > > + for ns in $(get_root_nameservers); do
> > > + if dig @${ns} +dnssec SOA . $@ >/dev/null; then
> > > + return 0
> > > + fi
> > > + done
> > > +
> > > + # none of the servers was reachable
> > > + return 1
> > > +}
> > > +
> > > +enable_dnssec() {
> > > + local status=$(unbound-control get_option val-
> > > permissive-
> > > mode)
> > > +
> > > + # Don't do anything if DNSSEC is already activated
> > > + [ "${status}" = "no" ] && return 0
> > > +
> > > + # Activate DNSSEC and flush cache with any stale and
> > > unvalidated data
> > > + unbound-control -q set_option val-permissive-mode: no
> > > + unbound-control -q flush_zone .
> > > +}
> > > +
> > > +disable_dnssec() {
> > > + unbound-control -q set_option val-permissive-mode: yes
> > > +}
> > > +
> > > case "$1" in
> > > start)
> > > # Print a nicer messagen when unbound is already
> > > running
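Review bot: `can_resolve_root` runs `dig` without `+time=` or `+tries=`, so on an uplink where the roots are unreachable every address in root.hints is probed with dig's default timeout and retries before the permissive fallback is reached; passing something like `+time=2 +tries=1` would bound the delay in `update_forwarders`. Note also that `dig` exits 0 for any response, including SERVFAIL or REFUSED, which is fine for a reachability probe but means the `+dnssec` option does not check that the root SOA validates, so the comment "none of the servers was reachable" describes the check accurately and the function should not be read as a DNSSEC test. In `enable_dnssec`, when `unbound-control get_option` fails, `status` is empty and the function proceeds to re-enable validation and flush the cache, which is the safe direction; a comment stating that intent would help the next reader.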
> > > diff --git a/src/patches/unbound-allow-setting-validator-
> > > permissive-
> > > mode-at-runtime.patch b/src/patches/unbound-allow-setting-
> > > validator-
> > > permissive-mode-at-runtime.patch
> > > new file mode 100644
> > > index 0000000..f476d08
> > > --- /dev/null
> > > +++ b/src/patches/unbound-allow-setting-validator-permissive-
> > > mode-
> > > at-
> > > runtime.patch
> > > @@ -0,0 +1,43 @@
> > > +diff --git a/validator/validator.c b/validator/validator.c
> > > +index 676dcdf..7c19f3d 100644
> > > +--- a/validator/validator.c
> > > ++++ b/validator/validator.c
> > > +@@ -113,7 +113,7 @@ val_apply_cfg(struct module_env* env, struct
> > > val_env* val_env,
> > > + int c;
> > > + val_env->bogus_ttl = (uint32_t)cfg->bogus_ttl;
> > > + val_env->clean_additional = cfg->val_clean_additional;
> > > +- val_env->permissive_mode = cfg->val_permissive_mode;
> > > ++ val_env->permissive_mode = &cfg->val_permissive_mode;
> > > + if(!env->anchors)
> > > + env->anchors = anchors_create();
> > > + if(!env->anchors) {
> > > +@@ -170,7 +170,6 @@ val_init(struct module_env* env, int id)
> > > + }
> > > + env->modinfo[id] = (void*)val_env;
> > > + env->need_to_validate = 1;
> > > +- val_env->permissive_mode = 0;
> > > + lock_basic_init(&val_env->bogus_lock);
> > > + lock_protect(&val_env->bogus_lock, &val_env-
> > > > num_rrset_bogus,
> > >
> > > + sizeof(val_env->num_rrset_bogus));
> > > +@@ -2084,7 +2083,7 @@ processFinished(struct module_qstate*
> > > qstate,
> > > struct val_qstate* vq,
> > > + }
> > > + }
> > > + /* If we are in permissive mode, bogus gets
> > > indeterminate */
> > > +- if(ve->permissive_mode)
> > > ++ if(*ve->permissive_mode)
> > > + vq->orig_msg->rep->security =
> > > sec_status_indeterminate;
> > > + }
> > > +
> > > +diff --git a/validator/validator.h b/validator/validator.h
> > > +index 23d3072..f8464b8 100644
> > > +--- a/validator/validator.h
> > > ++++ b/validator/validator.h
> > > +@@ -104,7 +104,7 @@ struct val_env {
> > > + * This allows an operator to run validation 'shadow'
> > > without
> > > + * hurting responses to clients.
> > > + */
> > > +- int permissive_mode;
> > > ++ int* permissive_mode;
> > > +
> > > + /**
> > > + * Number of entries in the NSEC3 maximum iteration
> > > count
> > > table.
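Review bot: the doc comment above `int* permissive_mode` in validator.h still describes the old value field; update it to say that the validator now reads `cfg->val_permissive_mode` through this pointer so that a runtime `set_option val-permissive-mode` is picked up by `processFinished`. The same comment should record the assumption that worker threads read a config field the control thread writes without a lock; for a single int flag the race is benign, but that reasoning is not obvious from the hunk.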
>
> I have nightly commit c016773b9816ad9be4ffc8643c30457e87c094e3
> available locally, and will beg my users for downtime to test.
>
> Thank you, and best regards,
> Paul
>
>
Bad juju - build c016773b couldn't resolve any hosts (other than those in "localdomain").
Provider is "hughes.net" and is the only ISP available (no hardlines or other LOS/NLOS WISPs available).
Tried assigning DNS servers 74.113.60.185 and 156.154.70.1 - no change.
Paul
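The fallback order Michael describes above (working forwarders first, recursor mode if a root server answers, otherwise permissive mode with the broken forwarders), as an added example that is not IPFire's initscript: it splits root.hints parsing and the mode decision into functions that can be tested on constructed input. It goes beyond the patch in bounding the probe time, accepting AAAA root addresses, and naming the fourth case where no DNS is available at all; the root.hints excerpt is constructed sample data.

```shell
#!/bin/sh
# Added example, not IPFire's initscript. Mirrors the fallback order of the
# patch as testable functions; root.hints content below is a constructed sample.
ROOT_HINTS_SAMPLE=$(mktemp)
trap 'rm -f "${ROOT_HINTS_SAMPLE}"' EXIT
cat > "${ROOT_HINTS_SAMPLE}" <<'EOF'
; constructed excerpt; the real /etc/unbound/root.hints lists all root servers
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
EOF

# Print the root server addresses of record type $2 (A or AAAA) in hints file $1.
# Unlike the patch, comment lines are skipped and AAAA records can be selected.
get_root_nameservers() {
	while read -r hostname ttl record address; do
		case "${hostname}" in ";"*|"") continue ;; esac
		[ "${record}" = "${2}" ] || continue
		echo "${address}"
	done < "${1}"
}

# Probe the roots for the root SOA as the patch does, but with a bounded
# per-server timeout so an offline box does not sit through dig's default
# retries for every root server. Needs network access, so it is not self-tested.
can_resolve_root() {
	local ns
	for ns in $(get_root_nameservers "${1}" A) $(get_root_nameservers "${1}" AAAA); do
		if dig @"${ns}" +dnssec +time=2 +tries=1 SOA . >/dev/null 2>&1; then
			return 0
		fi
	done
	return 1    # no root server answered
}

# Pure decision function: $1 working forwarders, $2 broken forwarders,
# $3 "yes" when a root server answered. Same order as the patch, plus an
# explicit name for the case the patch leaves silent (no forwarders, no roots).
choose_dns_mode() {
	if [ -n "${1}" ]; then echo "forwarders+dnssec"
	elif [ "${3}" = "yes" ]; then echo "recursor+dnssec"
	elif [ -n "${2}" ]; then echo "broken-forwarders+permissive"
	else echo "no-dns"
	fi
}
```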