commit 3d71785ef143b670409affee203145eb39266d87
Author: Evan Hunt <each@isc.org>
Date:   2018-06-04 21:55:41 -0700

    allow-recursion could incorrectly inherit from the default allow-query

--- CHANGES.orig	2018-03-08 20:55:28 UTC
+++ CHANGES
@@ -1,3 +1,10 @@
+4960.	[security]	When recursion is enabled, but the "allow-recursion"
+			and "allow-query-cache" ACLs are not specified,
+			they should be limited to local networks,
+			but were inadvertently set to match the default
+			"allow-query", thus allowing remote queries.
+			(CVE-2018-5738) [GL #309]
+
 	--- 9.11.3 released ---
 	--- 9.11.3rc2 released ---
 
--- bin/named/server.c.orig	2018-03-08 20:55:28 UTC
+++ bin/named/server.c
@@ -3376,10 +3376,6 @@ configure_view(dns_view_t *view, dns_vie
 		dns_acache_setcachesize(view->acache, max_acache_size);
 	}
 
-	CHECK(configure_view_acl(vconfig, config, ns_g_config,
-				 "allow-query", NULL, actx,
-				 ns_g_mctx, &view->queryacl));
-
 	/*
 	 * Make the list of response policy zone names for a view that
 	 * is used for real lookups and so cares about hints.
@@ -4258,9 +4254,6 @@ configure_view(dns_view_t *view, dns_vie
 	INSIST(result == ISC_R_SUCCESS);
 	view->trust_anchor_telemetry = cfg_obj_asboolean(obj);
 
-	CHECK(configure_view_acl(vconfig, config, ns_g_config,
-				 "allow-query-cache-on", NULL, actx,
-				 ns_g_mctx, &view->cacheonacl));
 	/*
 	 * Set sources where additional data and CNAME/DNAME
 	 * targets for authoritative answers may be found.
@@ -4287,22 +4280,40 @@ configure_view(dns_view_t *view, dns_vie
 		view->additionalfromcache = ISC_TRUE;
 	}
 
+	CHECK(configure_view_acl(vconfig, config, ns_g_config,
+				 "allow-query-cache-on", NULL, actx,
+				 ns_g_mctx, &view->cacheonacl));
+
 	/*
-	 * Set "allow-query-cache", "allow-recursion", and
-	 * "allow-recursion-on" acls if configured in named.conf.
-	 * (Ignore the global defaults for now, because these ACLs
-	 * can inherit from each other when only some of them set at
-	 * the options/view level.)
+	 * Set the "allow-query", "allow-query-cache", "allow-recursion",
+	 * and "allow-recursion-on" ACLs if configured in named.conf, but
+	 * NOT from the global defaults. This is done by leaving the third
+	 * argument to configure_view_acl() NULL.
+	 *
+	 * We ignore the global defaults here because these ACLs
+	 * can inherit from each other.  If any are still unset after
+	 * applying the inheritance rules, we'll look up the defaults at
+	 * that time.
 	 */
-	CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
-				 NULL, actx, ns_g_mctx, &view->cacheacl));
+
+	/* named.conf only */
+	CHECK(configure_view_acl(vconfig, config, NULL,
+				 "allow-query", NULL, actx,
+				 ns_g_mctx, &view->queryacl));
+
+	/* named.conf only */
+	CHECK(configure_view_acl(vconfig, config, NULL,
+				 "allow-query-cache", NULL, actx,
+				 ns_g_mctx, &view->cacheacl));
 
 	if (strcmp(view->name, "_bind") != 0 &&
 	    view->rdclass != dns_rdataclass_chaos)
 	{
+		/* named.conf only */
 		CHECK(configure_view_acl(vconfig, config, NULL,
 					 "allow-recursion", NULL, actx,
 					 ns_g_mctx, &view->recursionacl));
+		/* named.conf only */
 		CHECK(configure_view_acl(vconfig, config, NULL,
 					 "allow-recursion-on", NULL, actx,
 					 ns_g_mctx, &view->recursiononacl));
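Review bot: After this hunk `view->queryacl` stays NULL until the deferred fallback in the `@@ -4365` hunk, whereas before the change it was already populated with the global default back at line 3376; any code in configure_view between those two points that reads `view->queryacl` — in particular the inheritance logic that can attach allow-query into allow-query-cache, which lies outside this hunk — must now treat NULL as "unset" rather than dereference it. That appears to be the intent, but the new block comment only says the defaults are looked up "at that time" without naming the window, so I would append to it `* Until then view->queryacl (and the other three) may be NULL; readers before the fallback must check for that.` configure_view starts and ends outside the hunk, so the inheritance code itself is not visible here.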
@@ -4340,18 +4351,21 @@ configure_view(dns_view_t *view, dns_vie
 		 * the global config.
 		 */
 		if (view->recursionacl == NULL) {
+			/* global default only */
 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
 						 "allow-recursion", NULL,
 						 actx, ns_g_mctx,
 						 &view->recursionacl));
 		}
 		if (view->recursiononacl == NULL) {
+			/* global default only */
 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
 						 "allow-recursion-on", NULL,
 						 actx, ns_g_mctx,
 						 &view->recursiononacl));
 		}
 		if (view->cacheacl == NULL) {
+			/* global default only */
 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
 						 "allow-query-cache", NULL,
 						 actx, ns_g_mctx,
@@ -4365,6 +4379,14 @@ configure_view(dns_view_t *view, dns_vie
 		CHECK(dns_acl_none(mctx, &view->cacheacl));
 	}
 
+	if (view->queryacl == NULL) {
+		/* global default only */
+		CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+					 "allow-query", NULL,
+					 actx, ns_g_mctx,
+					 &view->queryacl));
+	}
+
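Review bot: The comment on the new fallback reads only `/* global default only */`, which does not record that its position after the allow-recursion / allow-query-cache inheritance block is the substance of the fix; a later tidy-up that moves this lookup back beside the other ACL lookups would silently reintroduce the inherited-default behaviour. I would expand it to `/* global default only; deliberately applied after the allow-recursion and allow-query-cache inheritance so those ACLs never inherit the default "allow-query" (CVE-2018-5738) */`. Judging from the single-tab indentation the block sits outside the recursion-specific section, which looks right since allow-query also governs non-recursive views; configure_view continues past the hunk.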
 	/*
 	 * Ignore case when compressing responses to the specified
 	 * clients. This causes case not always to be preserved,