underscores and 8.2.2-P5

LaMont Jones lamont at security.hp.com
Wed Dec 1 20:49:29 UTC 1999


> 	I suspect the best way to "fix" this would be to look at the
> 	query and refuse to answer.  I would also have an acl which
> 	controls when the test is performed.

I added 'check-names request {fail | warn | ignore}', and then went to
change the docs and found this in options.html:

    If <CODE>check-names response fail</CODE> has been specified, and
    answering the client's question would require sending an invalid name
    to the client, the server will send a REFUSED response code to the
    client.

Based on that, since we would be returning an invalid name, we should be
returning REFUSED.  The only reason we return the answers is because we
don't run through ns_nameok until we get a response.  One solution is to
apply the patch below, which subjects the request to verification before
looking for it in the cache.

Another solution (which slows down startup a bit, but gets out of
req_query() and restores some performance...)  would be to modify the
startup phase to:
1. notice if there were any CNAMEs with owners that fail res_ownok()
   during the load, and, if so, then once __all__ zones are loaded,
2. make a pass through the cache and verify that any such CNAMEs point
   to things whose types permit the otherwise invalid owner of the CNAME,
   or which are not found in the cache.  (Either we know that it's
   NXDOMAIN, or we'll catch it when the response comes in from the auth
   NS.)

Being strapped for time, and having nameservers that are not too overloaded,
I'm going to leave it at the trivial, somewhat performance-impacting patch.

Again, here is the offending cache data:
;; ANSWER SECTION:
a_1.example.com.        1D IN CNAME     b.example.com.
b.example.com.          1D IN A         10.0.0.1

lamont

--- ns_req.c.orig	Fri Oct 15 13:49:04 1999
+++ ns_req.c	Wed Dec  1 12:54:23 1999
@@ -643,6 +643,11 @@
 	afterq = *cpp;
 	qtypeIncr(type);
 
+	if (!ns_nameok(NULL, dnbuf, class, NULL, response_trans,
+		       ns_ownercontext(type, response_trans),
+		       dnbuf, from.sin_addr)) {
+		return (Refuse);
+	}
 	/*
 	 * Process query.
 	 */
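Review bot: the new check passes `response_trans` both as the transport argument and into `ns_ownercontext(type, response_trans)`, yet it runs on the incoming query, and the mail introduces a separate `check-names request {fail | warn | ignore}` setting; if ns_nameok picks its severity from the transport it is given, that request setting is never consulted here and a `warn` or `ignore` configuration would still hit `return (Refuse);`. Consider passing a request-side transport value, and note that the ACL from the quoted suggestion that would control when the test is performed is also absent from this hunk.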