mirror of
https://github.com/isc-projects/bind9.git
synced 2026-02-21 17:01:23 -05:00
allow-recursion could incorrectly inherit from the default allow-query
This commit is contained in:
Evan Hunt
Ondřej Surý
parent
92b4e70d35
commit
03ecba2cdc
3 changed files with 44 additions and 14 deletions
7
CHANGES
7
CHANGES
|
|
@ -29,7 +29,12 @@
|
|||
4961. [protocol] Remove support for ECC-GOST (GOST R 34.11-94).
|
||||
[GL #295]
|
||||
|
||||
4960. [placeholder]
|
||||
4960. [security] When recursion is enabled, but the "allow-recursion"
|
||||
and "allow-query-cache" ACLs are not specified,
|
||||
they should be limited to local networks,
|
||||
but were inadvertently set to match the default
|
||||
"allow-query", thus allowing remote queries.
|
||||
(CVE-2018-5738) [GL #309]
|
||||
|
||||
4959. [func] NSID logging (enabled by the "request-nsid" option)
|
||||
now has its own "nsid" category, instead of using the
|
||||
|
|
|
|||
|
|
@ -3726,10 +3726,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
|||
CHECKM(named_config_getport(config, &port), "port");
|
||||
dns_view_setdstport(view, port);
|
||||
|
||||
CHECK(configure_view_acl(vconfig, config, named_g_config,
|
||||
"allow-query", NULL, actx,
|
||||
named_g_mctx, &view->queryacl));
|
||||
|
||||
/*
|
||||
* Make the list of response policy zone names for a view that
|
||||
* is used for real lookups and so cares about hints.
|
||||
|
|
@ -4714,21 +4710,35 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
|||
"allow-query-cache-on", NULL, actx,
|
||||
named_g_mctx, &view->cacheonacl));
|
||||
/*
|
||||
* Set "allow-query-cache", "allow-recursion", and
|
||||
* "allow-recursion-on" acls if configured in named.conf.
|
||||
* (Ignore the global defaults for now, because these ACLs
|
||||
* can inherit from each other when only some of them set at
|
||||
* the options/view level.)
|
||||
* Set the "allow-query", "allow-query-cache", "allow-recursion",
|
||||
* and "allow-recursion-on" ACLs if configured in named.conf, but
|
||||
* NOT from the global defaults. This is done by leaving the third
|
||||
* argument to configure_view_acl() NULL.
|
||||
*
|
||||
* We ignore the global defaults here because these ACLs
|
||||
* can inherit from each other. If any are still unset after
|
||||
* applying the inheritance rules, we'll look up the defaults at
|
||||
* that time.
|
||||
*/
|
||||
CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
|
||||
NULL, actx, named_g_mctx, &view->cacheacl));
|
||||
|
||||
/* named.conf only */
|
||||
CHECK(configure_view_acl(vconfig, config, NULL,
|
||||
"allow-query", NULL, actx,
|
||||
named_g_mctx, &view->queryacl));
|
||||
|
||||
/* named.conf only */
|
||||
CHECK(configure_view_acl(vconfig, config, NULL,
|
||||
"allow-query-cache", NULL, actx,
|
||||
named_g_mctx, &view->cacheacl));
|
||||
|
||||
if (strcmp(view->name, "_bind") != 0 &&
|
||||
view->rdclass != dns_rdataclass_chaos)
|
||||
{
|
||||
/* named.conf only */
|
||||
CHECK(configure_view_acl(vconfig, config, NULL,
|
||||
"allow-recursion", NULL, actx,
|
||||
named_g_mctx, &view->recursionacl));
|
||||
/* named.conf only */
|
||||
CHECK(configure_view_acl(vconfig, config, NULL,
|
||||
"allow-recursion-on", NULL, actx,
|
||||
named_g_mctx, &view->recursiononacl));
|
||||
|
|
@ -4766,18 +4776,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
|||
* the global config.
|
||||
*/
|
||||
if (view->recursionacl == NULL) {
|
||||
/* global default only */
|
||||
CHECK(configure_view_acl(NULL, NULL, named_g_config,
|
||||
"allow-recursion", NULL,
|
||||
actx, named_g_mctx,
|
||||
&view->recursionacl));
|
||||
}
|
||||
if (view->recursiononacl == NULL) {
|
||||
/* global default only */
|
||||
CHECK(configure_view_acl(NULL, NULL, named_g_config,
|
||||
"allow-recursion-on", NULL,
|
||||
actx, named_g_mctx,
|
||||
&view->recursiononacl));
|
||||
}
|
||||
if (view->cacheacl == NULL) {
|
||||
/* global default only */
|
||||
CHECK(configure_view_acl(NULL, NULL, named_g_config,
|
||||
"allow-query-cache", NULL,
|
||||
actx, named_g_mctx,
|
||||
|
|
@ -4791,6 +4804,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
|||
CHECK(dns_acl_none(mctx, &view->cacheacl));
|
||||
}
|
||||
|
||||
if (view->queryacl == NULL) {
|
||||
/* global default only */
|
||||
CHECK(configure_view_acl(NULL, NULL, named_g_config,
|
||||
"allow-query", NULL,
|
||||
actx, named_g_mctx,
|
||||
&view->queryacl));
|
||||
}
|
||||
|
||||
/*
|
||||
* Ignore case when compressing responses to the specified
|
||||
* clients. This causes case not always to be preserved,
|
||||
|
|
|
|||
|
|
@ -65,7 +65,11 @@
|
|||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
None.
|
||||
When recursion is enabled but the <command>allow-recursion</command>
|
||||
and <command>allow-query-cache</command> ACLs are not specified, they
|
||||
should be limited to local networks, but they were inadvertently set
|
||||
to match the default <command>allow-query</command>, thus allowing
|
||||
remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
|
@ -89,7 +93,7 @@
|
|||
information about root key rollover status can be gathered.
|
||||
To disable this feature, add
|
||||
<command>root-key-sentinel no;</command> to
|
||||
<filename>named.conf</filename>.
|
||||
<filename>named.conf</filename>. [GL #37]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
|
|
|
|||
Loading…
Reference in a new issue