Date:      Sat, 19 Jul 2008 16:07:50 +0200 (CEST)
From:      Mats Dufberg <dufberg@dufberg.se>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   i386/125771: bind in base system incorrectly sets AD bit even when not requested
Message-ID:  <20080719140751.0070F17038@maildump.narnia.pp.se>
Resent-Message-ID: <200807191430.m6JEU4Aj027124@freefall.freebsd.org>


>Number:         125771
>Category:       i386
>Synopsis:       bind in base system incorrectly sets AD bit even when not requested
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-i386
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jul 19 14:30:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Mats Dufberg
>Release:        FreeBSD 6.3-RELEASE-p3 i386
>Organization:
private
>Environment:
System: FreeBSD loevsta.narnia.pp.se 6.3-RELEASE-p3 FreeBSD 6.3-RELEASE-p3 #14: Mon Jul 14 10:36:54 CEST 2008 dufberg@loevsta.narnia.pp.se:/usr/obj/usr/src/sys/LOEVSTA i386

>Description:

The error is found in bind 9.3.4-P1, which is part of FreeBSD
6.3-RELEASE-p3. It will only be seen when named is working in
resolving mode with DNSSEC turned on ("dnssec-enable yes;"). It is
also required that named is configured with a trust anchor
("trusted-keys {...};") for some DNSSEC-enabled zone, and that zone is
not a local zone.

As an example we have configured named for DNSSEC with one of the keys
(KSK, key signing key) for .SE, which is also a DNSSEC-enabled
zone. In this case the resolver can validate all queries for the .SE
zone and any DNSSEC-enabled child zones of .SE. Queries for other
zones cannot be validated. This distinction can be reported back to
the client with the AD bit in the reply.

The AD bit should only be set if the data could be validated and if the
query contained the DO flag, which signals that the client is prepared
to interpret DNSSEC data. If the DO flag is not set in the query, the
reply should be plain DNS, i.e. without the AD bit, even if the data is
validated.

Named in FreeBSD 6.3-RELEASE-p3 (bind 9.3.4-P1) incorrectly sets the
AD bit even when the DO flag is not set in the query. For some strange
reason named is not completely consistent in its behavior: in some
cases the erroneous AD bit is not set, but in most cases it is.

>How-To-Repeat:

1. Set named up as a resolving server with DNSSEC turned on:

options {
	(...)
        allow-query             { localhost; };
        dnssec-enable           yes;
	(...)
};

2. Add a trust anchor for .SE:

trusted-keys {
    # Expected to be valid until 2009-01-01
    se. 257 3 5 "AwEAAb6xRZHEf+PyF5dxEvz0BHEHbziu6iZaiNW/yjSa
                 ZcmrmZiRMF8FPppD+XuKSau0rgu4eBwYdpkEoMVR4FhI
                 8frkuPHIue2LP1ETo+2hCrdr60K1538yLvzbOhMxXt6k
                 njPN+OlalMmCknadaofKga5FLKOPQs2C3nw6AH4WUNGr
                 chmDMVBwRwfZdQXYZTXesqULmGMK7mwjQGOxerRDQWrF
                 v8NhNnVV31PihaYBdQ1TJjvfGS/FYZJwv/BddiELiLeU
                 nNWu3AOsRAshgOcDBOAPUvKJNEq6RHELFmvXOOe2d8H2
                 yzv02EMQik6GwUm16DrSdmX+SWfelQs+9ELFN6k=";
};

3. Restart.

4. Send a query where the AD bit is expected to be on:

# dig @localhost se soa +dnssec

; <<>> DiG 9.3.4-P1 <<>> @localhost se soa +dnssec
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48000
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1200
;; QUESTION SECTION:
;se.                            IN      SOA

;; ANSWER SECTION:
se.                     2551    IN      SOA
catcher-in-the-rye.nic.se. registry-default.nic.se. 2008071905 1800
1800 2419200 7200
se.                     2551    IN      RRSIG   SOA 5 1 172800
20080726013017 20080719101242 23073
se. UtHVakbAm1kaaxg6BQAA29EgzjuaD04eMF+PR0NhBsybFSkzDhauVnyI
co+SoSkrCSYdAVv3KLgabbiKaGRzTHS0lp2hYR5bBqy8ATR2Cp8FU99e
w+kpQL6quOMdAp72hmrK8sZtxB6Z686Js+J+9TEWuDKSFauGss2hDiIG 04M=

;; Query time: 24 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul 19 15:20:09 2008
;; MSG SIZE  rcvd: 269

5. Send a query where the AD bit will not be set (DNSSEC not
available). In this case, whether or not you set '+dnssec' makes no
difference, since there is no trust anchor for .NU.

# dig @localhost nu soa

; <<>> DiG 9.3.4-P1 <<>> @localhost nu soa +dnssec
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40971
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1200
;; QUESTION SECTION:
;nu.                            IN      SOA

;; ANSWER SECTION:
nu.                     1800    IN      SOA
ns.nic.nu. hostmaster.nic.nu. 2008071903 10800 1800 2592000 1800

;; AUTHORITY SECTION:
nu.                     86400   IN      NS      ns.nic.nu.
nu.                     86400   IN      NS      ns0.de.nic.nu.
nu.                     86400   IN      NS      ns0.telia.nic.nu.
nu.                     86400   IN      NS      tld1.ultradns.net.
nu.                     86400   IN      NS      tld2.ultradns.net.

;; ADDITIONAL SECTION:
tld1.ultradns.net.      5283    IN      A       204.74.112.1
tld1.ultradns.net.      92108   IN      AAAA    2001:502:d399::1
tld2.ultradns.net.      5283    IN      A       204.74.113.1

;; Query time: 62 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul 19 15:23:58 2008
;; MSG SIZE  rcvd: 254

6. Send a query where the AD bit is set, but it should NOT be set. In
some cases the AD bit was not set, but was set again when I asked for
some other type, e.g. NS instead of SOA.

# dig @localhost se soa

; <<>> DiG 9.3.4-P1 <<>> @localhost se soa
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18722
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 9, ADDITIONAL: 0

;; QUESTION SECTION:
;se.                            IN      SOA

;; ANSWER SECTION:
se.                     3550    IN      SOA
catcher-in-the-rye.nic.se. registry-default.nic.se. 2008071906 1800
1800 2419200 7200

;; AUTHORITY SECTION:
se.                     3550    IN      NS      i.ns.se.
se.                     3550    IN      NS      a.ns.se.
se.                     3550    IN      NS      b.ns.se.
se.                     3550    IN      NS      c.ns.se.
se.                     3550    IN      NS      d.ns.se.
se.                     3550    IN      NS      e.ns.se.
se.                     3550    IN      NS      f.ns.se.
se.                     3550    IN      NS      g.ns.se.
se.                     3550    IN      NS      h.ns.se.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul 19 15:29:31 2008
;; MSG SIZE  rcvd: 243
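Added example (not part of the PR or of BIND) that encodes the rule from the Description and the three dig cases above: it builds a plain query and a +dnssec-style query carrying an EDNS0 OPT record with DO, parses the header flags and the OPT record, and flags a reply that carries AD when the query never set DO. fake_reply is a constructed stand-in for named's answer; in practice the same functions take the raw bytes of a captured UDP query/response pair.

```python
import struct

AD_FLAG = 0x0020   # AD bit in the DNS header flags word (RFC 4035)
DO_FLAG = 0x8000   # DO bit in the flags half of the EDNS0 OPT TTL field (RFC 3225)

def build_query(name, qtype, qid=0x1234, dnssec_ok=False):
    """Minimal recursive query; dnssec_ok adds an EDNS0 OPT RR with DO set (what dig +dnssec sends)."""
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)  # flags: RD
    msg = hdr + qname + struct.pack("!HH", qtype, 1)
    if dnssec_ok:  # OPT RR (type 41): root owner name, class field = UDP size, TTL field carries DO
        msg += b"\x00" + struct.pack("!HHIH", 41, 1200, DO_FLAG, 0)
    return msg

def _skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def _skip_rr(msg, off):
    off = _skip_name(msg, off)
    return off + 10 + struct.unpack_from("!H", msg, off + 8)[0]  # fixed part + RDLENGTH

def query_has_do(query):
    """Walk the query and report whether an OPT RR in its additional section has DO set."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", query, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(query, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns):
        off = _skip_rr(query, off)
    for _ in range(ar):
        rtype, _cls, ttl = struct.unpack_from("!HHI", query, _skip_name(query, off))
        if rtype == 41 and ttl & DO_FLAG:
            return True
        off = _skip_rr(query, off)
    return False

def response_has_ad(response):
    return bool(struct.unpack_from("!H", response, 2)[0] & AD_FLAG)
def ad_bit_violation(query, response):
    """True when the reply carries AD although the query never set DO: the PR's complaint."""
    return response_has_ad(response) and not query_has_do(query)
def fake_reply(query, ad):
    """Constructed stand-in for a server reply: the query echoed with QR|RD|RA (and optionally AD)."""
    return query[:2] + struct.pack("!H", 0x8180 | (AD_FLAG if ad else 0)) + query[4:]
```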

>Fix:

Upgrade when ISC has fixed it, or switch to bind from ports, e.g. dns/bind94.


>Release-Note:
>Audit-Trail:
>Unformatted: