From owner-freebsd-i386@FreeBSD.ORG Sat Jul 19 14:30:04 2008
Message-Id: <20080719140751.0070F17038@maildump.narnia.pp.se>
Date: Sat, 19 Jul 2008 16:07:50 +0200 (CEST)
From: Mats Dufberg
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: i386/125771: bind in base system incorrectly sets AD bit even when not requested
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-i386@FreeBSD.org
Resent-Date: Sat, 19 Jul 2008 14:30:04 GMT
X-Send-Pr-Version: 3.113

>Number:         125771
>Category:       i386
>Synopsis:       bind in base system incorrectly sets AD bit even when not requested
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-i386
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jul 19 14:30:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Mats Dufberg
>Release:        FreeBSD 6.3-RELEASE-p3 i386
>Organization:
private
>Environment:
System: FreeBSD loevsta.narnia.pp.se 6.3-RELEASE-p3 FreeBSD 6.3-RELEASE-p3 #14: Mon Jul 14 10:36:54 CEST 2008 dufberg@loevsta.narnia.pp.se:/usr/obj/usr/src/sys/LOEVSTA i386

>Description:
The error is found in bind 9.3.4-P1, which is part of FreeBSD 6.3-RELEASE-p3.
It will only be seen when named is working in resolving mode with DNSsec
turned on ("dnssec-enable yes;"). It is also required that named is
configured with a trust anchor ("trusted-keys {...};") for some
DNSsec-enabled zone, and that zone is not a local zone. As an example we
have configured named for DNSsec with one of the keys (KSK, key signing
keys) for .SE, which also is a DNSsec-enabled zone.

In this case the resolver can validate all queries for the .SE zone and any
DNSsec-enabled child zones of .SE. Queries for other zones cannot be
validated. This distinction can be reported back to the client with the AD
bit in the reply. The AD bit should only be set if data could be validated
and if the query contained the DO flag, which signals that the client is
prepared to interpret DNSsec data. If the DO flag is not set in the query,
the reply should be plain DNS, i.e. without the AD bit, even if data is
validated.

Named in FreeBSD 6.3-RELEASE-p3 (bind 9.3.4-P1) incorrectly sets the AD bit
even when the DO flag is not set in the query. For some strange reason
named is not completely consistent in its behavior. In some cases the
erroneous AD bit is not set, but in most cases it is.

>How-To-Repeat:
1. Set named up as resolving server with DNSsec turned on:

options {
        (...)
        allow-query { localhost; };
        dnssec-enable yes;
        (...)
};

2. Add a trust anchor for .SE:

trusted-keys {
        # Expected to be valid until 2009-01-01
        se. 257 3 5 "AwEAAb6xRZHEf+PyF5dxEvz0BHEHbziu6iZaiNW/yjSa
                     ZcmrmZiRMF8FPppD+XuKSau0rgu4eBwYdpkEoMVR4FhI
                     8frkuPHIue2LP1ETo+2hCrdr60K1538yLvzbOhMxXt6k
                     njPN+OlalMmCknadaofKga5FLKOPQs2C3nw6AH4WUNGr
                     chmDMVBwRwfZdQXYZTXesqULmGMK7mwjQGOxerRDQWrF
                     v8NhNnVV31PihaYBdQ1TJjvfGS/FYZJwv/BddiELiLeU
                     nNWu3AOsRAshgOcDBOAPUvKJNEq6RHELFmvXOOe2d8H2
                     yzv02EMQik6GwUm16DrSdmX+SWfelQs+9ELFN6k=";
};

3. Restart.

4. Send a query where the AD bit is expected to be on:

# dig @localhost se soa +dnssec

; <<>> DiG 9.3.4-P1 <<>> @localhost se soa +dnssec
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48000
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1200
;; QUESTION SECTION:
;se.                            IN      SOA

;; ANSWER SECTION:
se.                     2551    IN      SOA     catcher-in-the-rye.nic.se. registry-default.nic.se. 2008071905 1800 1800 2419200 7200
se.                     2551    IN      RRSIG   SOA 5 1 172800 20080726013017 20080719101242 23073 se. UtHVakbAm1kaaxg6BQAA29EgzjuaD04eMF+PR0NhBsybFSkzDhauVnyI co+SoSkrCSYdAVv3KLgabbiKaGRzTHS0lp2hYR5bBqy8ATR2Cp8FU99e w+kpQL6quOMdAp72hmrK8sZtxB6Z686Js+J+9TEWuDKSFauGss2hDiIG 04M=

;; Query time: 24 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul 19 15:20:09 2008
;; MSG SIZE  rcvd: 269

5. Send a query where the AD bit will not be set (DNSsec not available). In
this case, whether you set '+dnssec' or not makes no difference, since there
is no trust anchor for .NU.

# dig @localhost nu soa

; <<>> DiG 9.3.4-P1 <<>> @localhost nu soa +dnssec
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40971
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1200
;; QUESTION SECTION:
;nu.                            IN      SOA

;; ANSWER SECTION:
nu.                     1800    IN      SOA     ns.nic.nu. hostmaster.nic.nu. 2008071903 10800 1800 2592000 1800

;; AUTHORITY SECTION:
nu.                     86400   IN      NS      ns.nic.nu.
nu.                     86400   IN      NS      ns0.de.nic.nu.
nu.                     86400   IN      NS      ns0.telia.nic.nu.
nu.                     86400   IN      NS      tld1.ultradns.net.
nu.                     86400   IN      NS      tld2.ultradns.net.

;; ADDITIONAL SECTION:
tld1.ultradns.net.      5283    IN      A       204.74.112.1
tld1.ultradns.net.      92108   IN      AAAA    2001:502:d399::1
tld2.ultradns.net.      5283    IN      A       204.74.113.1

;; Query time: 62 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul 19 15:23:58 2008
;; MSG SIZE  rcvd: 254

6. Send a query where the AD bit is set, but it should NOT be set. In some
cases the AD bit was not set, but was set again when I asked for some other
type, e.g. ns instead of soa.

# dig @localhost se soa

; <<>> DiG 9.3.4-P1 <<>> @localhost se soa
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18722
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 9, ADDITIONAL: 0

;; QUESTION SECTION:
;se.                            IN      SOA

;; ANSWER SECTION:
se.                     3550    IN      SOA     catcher-in-the-rye.nic.se. registry-default.nic.se. 2008071906 1800 1800 2419200 7200

;; AUTHORITY SECTION:
se.                     3550    IN      NS      i.ns.se.
se.                     3550    IN      NS      a.ns.se.
se.                     3550    IN      NS      b.ns.se.
se.                     3550    IN      NS      c.ns.se.
se.                     3550    IN      NS      d.ns.se.
se.                     3550    IN      NS      e.ns.se.
se.                     3550    IN      NS      f.ns.se.
se.                     3550    IN      NS      g.ns.se.
se.                     3550    IN      NS      h.ns.se.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul 19 15:29:31 2008
;; MSG SIZE  rcvd: 243

>Fix:
Upgrade when ISC has fixed it, or switch to bind from ports, e.g. dns/bind94.
>Release-Note:
>Audit-Trail:
>Unformatted:
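The invariant the report describes (a resolver may set AD in a reply only when the query carried the EDNS0 DO bit) can be checked mechanically on the wire. The script below is an added example, written for this page; it is not part of the PR, of FreeBSD or of BIND. It builds minimal DNS queries with and without an OPT record carrying DO, builds constructed replies that mirror the three dig runs in steps 4 to 6, and flags the step 6 case where AD is set although DO was never requested. Header flag bits follow RFC 1035 and the DO bit position follows RFC 3225; every message here is constructed, not captured from a server.

```python
"""Check the DNSSEC AD/DO invariant on DNS wire messages (added example, not BIND code)."""
import struct

# DNS header flag bits (second 16-bit word of the 12-byte header)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
# DO is the high bit of the OPT record's 32-bit TTL field (RFC 3225)
EDNS_DO = 0x8000

TYPE_SOA = 6
TYPE_OPT = 41
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name ("se." or "se") as uncompressed wire labels."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, dnssec_ok, msg_id=0x1234):
    """Recursive query like dig's; dnssec_ok=True adds an OPT RR with DO (dig +dnssec)."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", msg_id, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    msg = header + question
    if dnssec_ok:
        # OPT RR: root owner name, type 41, CLASS = UDP payload size (1200 as in
        # the dig output above), TTL = ext-rcode/version/flags with DO set, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1200, EDNS_DO, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past the name at off; a compression pointer ends a name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def query_has_do(msg):
    """True if the message carries an EDNS0 OPT record with the DO bit set."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT and ttl & EDNS_DO:
            return True
        off += 10 + rdlen
    return False


def response_has_ad(msg):
    """True if the response header has the Authenticated Data bit set."""
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_AD)


def ad_bit_violation(query, response):
    """AD is only legitimate when the client asked for DNSSEC data by setting DO."""
    return response_has_ad(response) and not query_has_do(query)


def make_response(query, set_ad):
    """Constructed reply: the query's sections with resolver header flags (and AD on
    request). Answer RRs do not affect the header check and are left out."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if set_ad else 0)
    return query[:2] + struct.pack("!H", flags) + query[4:]


def pr_cases():
    """The three dig runs of the report as constructed messages: {step: violation?}."""
    q_do = build_query("se.", TYPE_SOA, dnssec_ok=True)      # step 4: dig se soa +dnssec
    q_nu = build_query("nu.", TYPE_SOA, dnssec_ok=False)     # step 5: dig nu soa (no anchor)
    q_plain = build_query("se.", TYPE_SOA, dnssec_ok=False)  # step 6: dig se soa
    return {
        "step4": ad_bit_violation(q_do, make_response(q_do, set_ad=True)),
        "step5": ad_bit_violation(q_nu, make_response(q_nu, set_ad=False)),
        "step6": ad_bit_violation(q_plain, make_response(q_plain, set_ad=True)),
    }


if __name__ == "__main__":
    for step, bad in pr_cases().items():
        print(f"{step}: {'AD set without DO (bug)' if bad else 'ok'}")
```

To run the same check against a live resolver, send the bytes from build_query over UDP port 53 and pass the raw reply to ad_bit_violation together with the query; a resolver showing the reported behaviour will be flagged on the plain (no +dnssec) query and not on the DO-bearing one.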