Diffstat (limited to '')
-rw-r--r-- | debian/patches/0033-Disable-lame-ttl-cache.patch | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/debian/patches/0033-Disable-lame-ttl-cache.patch b/debian/patches/0033-Disable-lame-ttl-cache.patch
new file mode 100644
index 0000000..efd2132
--- /dev/null
+++ b/debian/patches/0033-Disable-lame-ttl-cache.patch
@@ -0,0 +1,70 @@
+From: =?utf-8?b?T25kxZllaiBTdXLDvQ==?= <ondrej@sury.org>
+Date: Fri, 24 Sep 2021 09:35:11 +0200
+Subject: Disable lame-ttl cache
+
+The lame-ttl cache is implemented in ADB as per-server locked
+linked-list "indexed" with <qname,qtype>. This list has to be walked
+every time there's a new query or new record added into the lame cache.
+Determined attacker can use this to degrade performance of the resolver.
+
+Resolver testing has shown that disabling the lame cache has little
+impact on the resolver performance and it's a minimal viable defense
+against this kind of attack.
+---
+ bin/named/config.c | 2 +-
+ bin/named/server.c | 8 ++++++--
+ doc/arm/Bv9ARM-book.xml | 9 +++------
+ 3 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/bin/named/config.c b/bin/named/config.c
+index d22ee4b..ba5fa8a 100644
+--- a/bin/named/config.c
++++ b/bin/named/config.c
+@@ -170,7 +170,7 @@ options {\n\
+ #ifdef HAVE_GEOIP
+ " geoip-use-ecs yes;\n"
+ #endif
+-" lame-ttl 600;\n"
++" lame-ttl 0;\n"
+ #ifdef HAVE_LMDB
+ " lmdb-mapsize 32M;\n"
+ #endif
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 149458e..748a150 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -3971,8 +3971,12 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ result = ns_config_get(maps, "lame-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ lame_ttl = cfg_obj_asuint32(obj);
+- if (lame_ttl > 1800)
+- lame_ttl = 1800;
++ if (lame_ttl > 0) {
++ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
++ "disabling lame cache despite lame-ttl > 0 as it "
++ "may cause performance issues");
++ lame_ttl = 0;
++ }
+ dns_resolver_setlamettl(view->resolver, lame_ttl);
+ 
+ /*
+diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
+index 4b36bd0..7852b5a 100644
+--- a/doc/arm/Bv9ARM-book.xml
++++ b/doc/arm/Bv9ARM-book.xml
+@@ -8855,12 +8855,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
+ <term><command>lame-ttl</command></term>
+ <listitem>
+ <para>
+- Sets the number of seconds to cache a
+- lame server indication. 0 disables caching. (This is
+- <emphasis role="bold">NOT</emphasis> recommended.)
+- The default is <literal>600</literal> (10 minutes) and the
+- maximum value is
+- <literal>1800</literal> (30 minutes).
++ This is always set to 0. More information is available
++ in the <link xmlns:xlink="http://www.w3.org/1999/xlink"
++ xlink:href="https://kb.isc.org/docs/cve-2021-25219">security advisory for CVE-2021-25219</link>.
+ </para>
+ 
+ </listitem>
|
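Review bot: The new patch file carries no DEP-3 tracking headers, so nothing in debian/patches ties it to the advisory that only the ARM hunk links, which is what a distribution security tracker matches on; add after the `Subject:` line `Origin: upstream, <upstream-commit-id>` (placeholder) and `Bug: https://kb.isc.org/docs/cve-2021-25219`. The server.c change itself is sound: any configured `lame-ttl` above 0 is logged at ISC_LOG_WARNING and forced to 0 before `dns_resolver_setlamettl`, matching the config.c default change, so the cache cannot be re-enabled from named.conf. The warning text ("may cause performance issues") does not tell an operator that the option is ignored for a security reason; if diverging from the upstream wording is acceptable, `"disabling lame cache despite lame-ttl > 0 (CVE-2021-25219 mitigation)"` would explain why their setting has no effect. `configure_view` starts and ends outside the hunk.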