From 5a21e7e0bfb1f17486d8a1333deea314999dead1 Mon Sep 17 00:00:00 2001
From: Martin Stransky
Date: Nov 02 2006 12:27:31 +0000
Subject: fix for #211282: EDNS is globally enabled, crashing CheckPoint FW-1
---
diff --git a/bind-9.3.3-edns.patch b/bind-9.3.3-edns.patch
new file mode 100644
index 0000000..fa9004b
--- /dev/null
+++ b/bind-9.3.3-edns.patch
@@ -0,0 +1,87 @@
+--- bind-9.3.3rc2/doc/misc/options.edns 2005-05-13 04:43:27.000000000 +0200
++++ bind-9.3.3rc2/doc/misc/options 2006-11-02 13:00:25.000000000 +0100
+@@ -83,6 +83,7 @@
+ edns-udp-size ;
+ root-delegation-only [ exclude { ; ... } ];
+ disable-algorithms { ; ... };
++ edns-enable ;
+ dnssec-enable ;
+ dnssec-lookaside trust-anchor ;
+ dnssec-must-be-secure ;
+@@ -263,6 +264,7 @@
+ edns-udp-size ;
+ root-delegation-only [ exclude { ; ... } ];
+ disable-algorithms { ; ... };
++ edns-enable ;
+ dnssec-enable ;
+ dnssec-lookaside trust-anchor ;
+ dnssec-must-be-secure ;
+--- bind-9.3.3rc2/lib/dns/view.c.edns 2004-03-10 03:55:58.000000000 +0100
++++ bind-9.3.3rc2/lib/dns/view.c 2006-11-02 12:47:07.000000000 +0100
+@@ -156,6 +156,7 @@
+ view->additionalfromcache = ISC_TRUE;
+ view->additionalfromauth = ISC_TRUE;
+ view->enablednssec = ISC_TRUE;
++ view->enableedns = ISC_TRUE;
+ view->minimalresponses = ISC_FALSE;
+ view->transfer_format = dns_one_answer;
+ view->queryacl = NULL;
+--- bind-9.3.3rc2/lib/dns/include/dns/view.h.edns 2004-03-10 03:55:58.000000000 +0100
++++ bind-9.3.3rc2/lib/dns/include/dns/view.h 2006-11-02 12:47:07.000000000 +0100
+@@ -109,6 +109,7 @@
+ isc_boolean_t additionalfromauth;
+ isc_boolean_t minimalresponses;
+ isc_boolean_t enablednssec;
++ isc_boolean_t enableedns;
+ dns_transfer_format_t transfer_format;
+ dns_acl_t * queryacl;
+ dns_acl_t * recursionacl;
+--- bind-9.3.3rc2/lib/isccfg/namedconf.c.edns 2006-03-02 01:37:20.000000000 +0100
++++ bind-9.3.3rc2/lib/isccfg/namedconf.c 2006-11-02 12:47:07.000000000 +0100
+@@ -726,6 +726,7 @@
+ { "root-delegation-only", &cfg_type_optional_exclude, 0 },
+ { "disable-algorithms", &cfg_type_disablealgorithm,
+ CFG_CLAUSEFLAG_MULTI },
++ { "edns-enable", &cfg_type_boolean, 0 },
+ { "dnssec-enable", &cfg_type_boolean, 0 },
+ { "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
+ { "dnssec-must-be-secure", &cfg_type_mustbesecure,
+--- bind-9.3.3rc2/bin/named/server.c.edns 
2006-11-02 12:47:07.000000000 +0100 ++++ bind-9.3.3rc2/bin/named/server.c 2006-11-02 12:47:07.000000000 +0100 +@@ -1181,6 +1181,11 @@ + result = ns_config_get(maps, "provide-ixfr", &obj); + INSIST(result == ISC_R_SUCCESS); + view->provideixfr = cfg_obj_asboolean(obj); ++ ++ obj = NULL; ++ (void)ns_config_get(maps, "edns-enable", &obj); ++ if (obj != NULL) ++ view->enableedns = cfg_obj_asboolean(obj); + + obj = NULL; + result = ns_config_get(maps, "dnssec-enable", &obj); +--- bind-9.3.3rc2/bin/named/query.c.edns 2006-08-31 05:57:11.000000000 +0200 ++++ bind-9.3.3rc2/bin/named/query.c 2006-11-02 12:47:07.000000000 +0100 +@@ -3558,6 +3558,12 @@ + if (client->view->enablednssec) + message->flags |= DNS_MESSAGEFLAG_AD; + ++ /* ++ * Disable edns if an user require it. ++ */ ++ if (!client->view->enableedns) ++ client->query.fetchoptions |= DNS_FETCHOPT_NOEDNS0; ++ + qclient = NULL; + ns_client_attach(client, &qclient); + query_find(qclient, NULL, qtype); +--- bind-9.3.3rc2/bin/named/config.c.edns 2006-02-28 07:32:53.000000000 +0100 ++++ bind-9.3.3rc2/bin/named/config.c 2006-11-02 12:47:07.000000000 +0100 +@@ -125,6 +125,7 @@ + check-names master fail;\n\ + check-names slave warn;\n\ + check-names response ignore;\n\ ++ edns-enable yes;\n\ + dnssec-enable no; /* Make yes for 9.4. */ \n\ + " + diff --git a/bind.spec b/bind.spec index b834a5f..fb13b62 100644 --- a/bind.spec +++ b/bind.spec @@ -77,6 +77,7 @@ Patch23: bind-9.3.1-dbus_archdep_libdir.patch Patch28: bind-9.3.3rc2-dbus-0.6.patch Patch32: bind-9.3.2-prctl_set_dumpable.patch Patch51: bind-9.3.2-tmpfile.patch +Patch52: bind-9.3.3-edns.patch # Requires: bind-libs = %{epoch}:%{version}-%{release}, glibc >= 2.2, mktemp Requires(post): bash, coreutils, sed, grep, chkconfig >= 1.3.26 @@ -289,6 +290,7 @@ cp -fp bin/named/include/named/{globals.h,server.h,log.h,types.h} bin/named_sdb/ %endif %patch32 -p1 -b .prctl_set_dumpable %patch51 -p1 -b .tmp +%patch52 -p1 -b .edns :; 
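Review bot: The new `edns-enable` option is documented only by its syntax line in the two doc/misc/options hunks, yet the query.c hunk gives it a cost the options file should state: with `edns-enable no` every recursive fetch carries DNS_FETCHOPT_NOEDNS0, so no OPT record goes upstream, which also drops the DO bit (DNSSEC data cannot be requested, so `dnssec-enable yes` becomes ineffective for those fetches) and caps UDP answers at the classic 512 bytes. A one-line description after the syntax entry, and a warning logged from the server.c hunk when `edns-enable no` is combined with `dnssec-enable yes`, would make that trade-off visible instead of leaving it to the spec changelog. The comment added in query.c would read better as `/* Disable EDNS0 on recursive fetches when the view's edns-enable option is off. */`. In server.c the new lookup discards the ns_config_get() result, unlike the provide-ixfr and dnssec-enable lookups around it; since config.c now supplies a default, `result = ns_config_get(maps, "edns-enable", &obj); INSIST(result == ISC_R_SUCCESS); view->enableedns = cfg_obj_asboolean(obj);` keeps the file's convention. The enclosing functions of the server.c and query.c hunks start and end outside this patch.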
@@ -448,7 +450,7 @@ for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.int echo '@ in soa localhost. root 1 3H 15M 1W 1D ns localhost.' > sample/var/named/$f; done -/usr/bin/tail -n '+'`/bin/egrep -n '\\$Id: bind.spec,v 1.138 2006/10/30 13:37:47 stransky Exp $/+1/' | bc` bin/rndc/rndc.conf | sed '/Sample rndc configuration file./{p;i\ +/usr/bin/tail -n '+'`/bin/egrep -n '\\$Id: bind.spec,v 1.139 2006/11/02 12:27:31 stransky Exp $/+1/' | bc` bin/rndc/rndc.conf | sed '/Sample rndc configuration file./{p;i\ *\ * NOTE: you only need to create this file if it is to\ * differ from the following default contents: @@ -779,9 +781,12 @@ rm -rf ${RPM_BUILD_ROOT} %changelog * Mon Oct 30 2006 Martin Stransky - 30:9.3.3-6 - fix for #200465: named-checkzone and co. cannot be run as non-root user -- added fix for #212348: chroot'd named causes df permission denied error -- added fix for #211249, #211083 - problems with stopping named -- added fix for #212549: init script does not unmount /proc filesystem +- fix for #212348: chroot'd named causes df permission denied error +- fix for #211249, #211083 - problems with stopping named +- fix for #212549: init script does not unmount /proc filesystem +- fix for #211282: EDNS is globally enabled, crashing CheckPoint FW-1, + added edns-enable options to named configuration file which can suppress + EDNS in queries to DNS servers (see /usr/share/doc/bind-9.3.3/misc/options) * Fri Oct 13 2006 Martin Stransky - 30:9.3.3-5 - fix for #209359: bind-libs from compatlayer CD will not