Diffstat (limited to '')
-rw-r--r--debian/patches/0033-Disable-lame-ttl-cache.patch70
1 files changed, 70 insertions, 0 deletions
diff --git a/debian/patches/0033-Disable-lame-ttl-cache.patch b/debian/patches/0033-Disable-lame-ttl-cache.patch
new file mode 100644
index 0000000..efd2132
--- /dev/null
+++ b/debian/patches/0033-Disable-lame-ttl-cache.patch
@@ -0,0 +1,70 @@
+From: =?utf-8?b?T25kxZllaiBTdXLDvQ==?= <ondrej@sury.org>
+Date: Fri, 24 Sep 2021 09:35:11 +0200
+Subject: Disable lame-ttl cache
+
+The lame-ttl cache is implemented in ADB as per-server locked
+linked-list "indexed" with <qname,qtype>. This list has to be walked
+every time there's a new query or new record added into the lame cache.
+Determined attacker can use this to degrade performance of the resolver.
+
+Resolver testing has shown that disabling the lame cache has little
+impact on the resolver performance and it's a minimal viable defense
+against this kind of attack.
+---
+ bin/named/config.c | 2 +-
+ bin/named/server.c | 8 ++++++--
+ doc/arm/Bv9ARM-book.xml | 9 +++------
+ 3 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/bin/named/config.c b/bin/named/config.c
+index d22ee4b..ba5fa8a 100644
+--- a/bin/named/config.c
++++ b/bin/named/config.c
+@@ -170,7 +170,7 @@ options {\n\
+ #ifdef HAVE_GEOIP
+ " geoip-use-ecs yes;\n"
+ #endif
+-" lame-ttl 600;\n"
++" lame-ttl 0;\n"
+ #ifdef HAVE_LMDB
+ " lmdb-mapsize 32M;\n"
+ #endif
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 149458e..748a150 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -3971,8 +3971,12 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ result = ns_config_get(maps, "lame-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ lame_ttl = cfg_obj_asuint32(obj);
+- if (lame_ttl > 1800)
+- lame_ttl = 1800;
++ if (lame_ttl > 0) {
++ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
++ "disabling lame cache despite lame-ttl > 0 as it "
++ "may cause performance issues");
++ lame_ttl = 0;
++ }
+ dns_resolver_setlamettl(view->resolver, lame_ttl);
+
+ /*
+diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
+index 4b36bd0..7852b5a 100644
+--- a/doc/arm/Bv9ARM-book.xml
++++ b/doc/arm/Bv9ARM-book.xml
+@@ -8855,12 +8855,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
+ <term><command>lame-ttl</command></term>
+ <listitem>
+ <para>
+- Sets the number of seconds to cache a
+- lame server indication. 0 disables caching. (This is
+- <emphasis role="bold">NOT</emphasis> recommended.)
+- The default is <literal>600</literal> (10 minutes) and the
+- maximum value is
+- <literal>1800</literal> (30 minutes).
++ This is always set to 0. More information is available
++ in the <link xmlns:xlink="http://www.w3.org/1999/xlink"
++ xlink:href="https://kb.isc.org/docs/cve-2021-25219">security advisory for CVE-2021-25219</link>.
+ </para>
+
+ </listitem>
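Review bot: The patch header at the top of the hunk (the From/Date/Subject lines and the two description paragraphs) never names the vulnerability, while the ARM change it carries points readers at the advisory for CVE-2021-25219; the identifier belongs in the header too, so the fix is traceable from debian/patches without opening the documentation hunk. A single line such as `This is the Debian backport of the mitigation for CVE-2021-25219.` after the paragraph ending "defense against this kind of attack." would do. The server.c hunk still accepts the `lame-ttl` option and only logs a warning before forcing it to 0, so a sentence in the header stating that existing non-zero settings are overridden with a logged warning rather than rejected would tell administrators what to expect on upgrade.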