From fe6f384b2efde528dabbf822634eedc020be67e0 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 9 Mar 2006 03:30:18 +0000 Subject: [PATCH] 2006. [security] Allow-query-cache and allow-recursion now default to the builtin acls "localnets" and "localhost". This is being done to make caching servers less attractive as reflective amplifying targets for spoofed traffic. This still leave authoritative servers exposed. The best fix is for full BCP 38 deployment to remove spoofed traffic. --- CHANGES | 11 ++++ bin/named/config.c | 5 +- bin/named/server.c | 14 ++++- doc/arm/Bv9ARM-book.xml | 128 +++++++++++++++++++--------------------- 4 files changed, 86 insertions(+), 72 deletions(-) diff --git a/CHANGES b/CHANGES index 0705700295..6dfae786e8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,14 @@ +2006. [security] Allow-query-cache and allow-recursion now default + to the builtin acls "localnets" and "localhost". + + This is being done to make caching servers less + attractive as reflective amplifying targets for + spoofed traffic. This still leave authoritative + servers exposed. + + The best fix is for full BCP 38 deployment to + remove spoofed traffic. + 2005. [bug] libbind: Retransmission timeouts should be based on which attempt it is to the nameserver and not the nameserver itself. [RT #13548] diff --git a/bin/named/config.c b/bin/named/config.c index 1e9b94ff0f..c20e6019a1 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.c,v 1.71 2006/03/06 01:27:51 marka Exp $ */ +/* $Id: config.c,v 1.72 2006/03/09 03:30:18 marka Exp $ */ /*! \file */ @@ -103,7 +103,8 @@ options {\n\ /* view */\n\ allow-notify {none;};\n\ allow-update-forwarding {none;};\n\ - allow-recursion {any;};\n\ + allow-query-cache { localnets; localhost; };\n\ + allow-recursion { localnets; localhost; };\n\ # allow-v6-synthesis ;\n\ # sortlist \n\ # topology \n\ 
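Review bot: The new `allow-query-cache { localnets; localhost; };` and `allow-recursion { localnets; localhost; };` lines in the built-in `options` defaults are only as narrow as the prefixes configured on the server's interfaces, since the `localnets` builtin covers every prefix of every local address; a resolver sitting on a shared hosting segment or inside a provider-assigned wide prefix still serves recursion to that whole segment, so the amplification exposure described in the commit message is reduced rather than removed. The defaults snippet already carries `#` comments for unset options, so a one-line caveat next to the two new entries would reach anyone reading the defaults: `# localnets = prefixes of all local interfaces; narrow both lists on shared networks\n\`. It is also worth noting there that the two lists are meant to stay identical, since a later edit to only one of them leaves clients allowed to recurse but denied cached answers, or the reverse.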
diff --git a/bin/named/server.c b/bin/named/server.c index fa62826319..7fdbdaf5ff 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.459 2006/02/28 02:39:51 marka Exp $ */ +/* $Id: server.c,v 1.460 2006/03/09 03:30:18 marka Exp $ */ /*! \file */ @@ -1430,8 +1430,9 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, CHECK(configure_view_acl(vconfig, config, "allow-query-cache", actx, ns_g_mctx, &view->queryacl)); if (view->queryacl == NULL) - CHECK(configure_view_acl(vconfig, config, "allow-query", - actx, ns_g_mctx, &view->queryacl)); + CHECK(configure_view_acl(NULL, ns_g_defaults, + "allow-query-cache", actx, + ns_g_mctx, &view->queryacl)); if (strcmp(view->name, "_bind") != 0) CHECK(configure_view_acl(vconfig, config, "allow-recursion", @@ -1450,6 +1451,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, "both \"recursion no;\" and \"allow-recursion\" " "active%s%s", forview, viewname); + /* + * Set default "allow-recursion" acl. + */ + if (view->recursionacl == NULL && view->recursion) + CHECK(configure_view_acl(NULL, ns_g_defaults, "allow-recursion", + actx, ns_g_mctx, &view->recursionacl)); + CHECK(configure_view_acl(vconfig, config, "sortlist", actx, ns_g_mctx, &view->sortlist)); diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 14958e5e70..c3d888ea46 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual 
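Review bot: The first hunk replaces the `allow-query` fallback with a lookup of the built-in `allow-query-cache` default, so a pre-existing `options { allow-query { any; }; recursion yes; };` with no `allow-query-cache` stops serving cached answers to non-local clients after upgrade, and nothing in the hunk tells the operator why. That is the hardening the commit wants, but the cut is silent; if the intent is to keep it strict, the block should at least emit a warning through the same `isc_log_write(... ISC_LOG_WARNING ...)` path used a few lines below for the "recursion no / allow-recursion" conflict when `allow-query` is configured and `allow-query-cache` is not, so the resulting REFUSED responses are explainable from the log. If instead deliberate configurations are meant to keep working, inherit an explicitly set `allow-query` before consulting the defaults: `if (view->queryacl == NULL) CHECK(configure_view_acl(vconfig, config, "allow-query", actx, ns_g_mctx, &view->queryacl));` placed ahead of the new `ns_g_defaults` lookup, which confines the new closed default to configurations that never opened the server on purpose. The same question applies to the second hunk's `allow-recursion` default, which likewise ignores an explicit `allow-query`. configure_view() begins and ends outside these hunks.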
@@ -3069,20 +3069,21 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. and whether the element was negated. - - When used as an access control list, a non-negated match allows - access and a negated match denies access. If there is no match, - access is denied. The clauses allow-notify, - allow-query, allow-query-cache, - allow-transfer, - allow-update, allow-update-forwarding, - and blackhole all use address match - lists. - Similarly, the listen-on option will cause the server to not - accept - queries on any of the machine's addresses which do not match the - list. - + + When used as an access control list, a non-negated match + allows access and a negated match denies access. If + there is no match, access is denied. The clauses + allow-notify, + allow-query, + allow-query-cache, + allow-transfer, + allow-update, + allow-update-forwarding, and + blackhole all use address match + lists. Similarly, the listen-on option will cause the + server to not accept queries on any of the machine's + addresses which do not match the list. + Because of the first-match aspect of the algorithm, an element 
@@ -5772,64 +5773,57 @@ options { - - allow-query - - - Specifies which hosts are allowed to - ask ordinary DNS questions. allow-query may also - be specified in the zone - statement, in which - case it overrides the options allow-query statement. - allow-query-cache may also be - specified and will - overrides access to the cache. - If not specified, the default is to allow queries from all - hosts. - - - + + allow-query + + + Specifies which hosts are allowed to ask ordinary + DNS questions. allow-query may + also be specified in the zone + statement, in which case it overrides the + options allow-query statement. + If not specified, the default is to allow queries + from all hosts. + + + + allow-query-cache is now + used to specify access to the cache. + + + + - - allow-query-cache - - - Specifies which hosts are allowed to get answers - from the cache. If not set allow-query applies. - - - The recommended way to set query access to the cache is now - via - allow-query-cache rather than - allow-query. - Inheritance from allow-query - has been retained for - backwards compatability. - - - - If allow-query-cache is set - at the options - level and not set in the view it will still override a - allow-query set at the view - level. - - - - + + allow-query-cache + + + Specifies which hosts are allowed to get answers + from the cache. The default is the builtin acls + localnets and + localhost. + + + The way to set query access to the cache is now + via allow-query-cache. + This differs from earlier versions which used + allow-query. + + + allow-recursion - Specifies which hosts are allowed to - make recursive queries through this server. If not - specified, the - default is to allow recursive queries from all hosts. - Note that disallowing recursive queries for a host does not - prevent the - host from retrieving data that is already in the server's - cache. + Specifies which hosts are allowed to make recursive + queries through this server. 
If not specified, + the default is to allow recursive queries from + the builtin acls localnets and + localhost. + Note that disallowing recursive queries for a + host does not prevent the host from retrieving + data that is already in the server's cache.