1
0

000-fix-servfail-handling.patch 6.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130
  1. From 68f6312d4bae30b78daafcd6f51dc441b8685b1e Mon Sep 17 00:00:00 2001
  2. From: Baptiste Jonglez <git@bitsofnetworks.org>
  3. Date: Mon, 6 Feb 2017 21:09:11 +0000
  4. Subject: [PATCH] Stop treating SERVFAIL as a successful response from upstream
  5. servers.
  6. This effectively reverts most of 51967f9807 ("SERVFAIL is an expected
  7. error return, don't try all servers.") and 4ace25c5d6 ("Treat REFUSED (not
  8. SERVFAIL) as an unsuccessful upstream response").
  9. With the current behaviour, as soon as dnsmasq receives a SERVFAIL from an
  10. upstream server, it stops trying to resolve the query and simply returns
  11. SERVFAIL to the client. With this commit, dnsmasq will instead try to
  12. query other upstream servers upon receiving a SERVFAIL response.
  13. According to RFC 1034 and 1035, the semantic of SERVFAIL is that of a
  14. temporary error condition. Recursive resolvers are expected to encounter
  15. network or resources issues from time to time, and will respond with
  16. SERVFAIL in this case. Similarly, if a validating DNSSEC resolver [RFC
  17. 4033] encounters issues when checking signatures (unknown signing
  18. algorithm, missing signatures, expired signatures because of a wrong
  19. system clock, etc), it will respond with SERVFAIL.
  20. Note that all those behaviours are entirely different from a negative
  21. response, which would provide a definite indication that the requested
  22. name does not exist. In our case, if an upstream server responds with
  23. SERVFAIL, another upstream server may well provide a positive answer for
  24. the same query.
  25. Thus, this commit will increase robustness whenever some upstream servers
  26. encounter temporary issues or are misconfigured.
  27. Quoting RFC 1034, Section 4.3.1. "Queries and responses":
  28. If recursive service is requested and available, the recursive response
  29. to a query will be one of the following:
  30. - The answer to the query, possibly preface by one or more CNAME
  31. RRs that specify aliases encountered on the way to an answer.
  32. - A name error indicating that the name does not exist. This
  33. may include CNAME RRs that indicate that the original query
  34. name was an alias for a name which does not exist.
  35. - A temporary error indication.
  36. Here is Section 5.2.3. of RFC 1034, "Temporary failures":
  37. In a less than perfect world, all resolvers will occasionally be unable
  38. to resolve a particular request. This condition can be caused by a
  39. resolver which becomes separated from the rest of the network due to a
  40. link failure or gateway problem, or less often by coincident failure or
  41. unavailability of all servers for a particular domain.
  42. And finally, RFC 1035 specifies RRCODE 2 for this usage, which is now more
  43. widely known as SERVFAIL (RFC 1035, Section 4.1.1. "Header section format"):
  44. RCODE Response code - this 4 bit field is set as part of
  45. responses. The values have the following
  46. interpretation:
  47. (...)
  48. 2 Server failure - The name server was
  49. unable to process this query due to a
  50. problem with the name server.
  51. For the DNSSEC-related usage of SERVFAIL, here is RFC 4033
  52. Section 5. "Scope of the DNSSEC Document Set and Last Hop Issues":
  53. A validating resolver can determine the following 4 states:
  54. (...)
  55. Insecure: The validating resolver has a trust anchor, a chain of
  56. trust, and, at some delegation point, signed proof of the
  57. non-existence of a DS record. This indicates that subsequent
  58. branches in the tree are provably insecure. A validating resolver
  59. may have a local policy to mark parts of the domain space as
  60. insecure.
  61. Bogus: The validating resolver has a trust anchor and a secure
  62. delegation indicating that subsidiary data is signed, but the
  63. response fails to validate for some reason: missing signatures,
  64. expired signatures, signatures with unsupported algorithms, data
  65. missing that the relevant NSEC RR says should be present, and so
  66. forth.
  67. (...)
  68. This specification only defines how security-aware name servers can
  69. signal non-validating stub resolvers that data was found to be bogus
  70. (using RCODE=2, "Server Failure"; see [RFC4035]).
  71. Notice the difference between a definite negative answer ("Insecure"
  72. state), and an indefinite error condition ("Bogus" state). The second
  73. type of error may be specific to a recursive resolver, for instance
  74. because its system clock has been incorrectly set, or because it does not
  75. implement newer cryptographic primitives. Another recursive resolver may
  76. succeed for the same query.
  77. There are other similar situations in which the specified behaviour is
  78. similar to the one implemented by this commit.
  79. For instance, RFC 2136 specifies the behaviour of a "requestor" that wants
  80. to update a zone using the DNS UPDATE mechanism. The requestor tries to
  81. contact all authoritative name servers for the zone, with the following
  82. behaviour specified in RFC 2136, Section 4:
  83. 4.6. If a response is received whose RCODE is SERVFAIL or NOTIMP, or
  84. if no response is received within an implementation dependent timeout
  85. period, or if an ICMP error is received indicating that the server's
  86. port is unreachable, then the requestor will delete the unusable
  87. server from its internal name server list and try the next one,
  88. repeating until the name server list is empty. If the requestor runs
  89. out of servers to try, an appropriate error will be returned to the
  90. requestor's caller.
  91. ---
  92. src/forward.c | 3 ++-
  93. 1 file changed, 2 insertions(+), 1 deletion(-)
  94. --- a/src/forward.c
  95. +++ b/src/forward.c
  96. @@ -853,7 +853,8 @@ void reply_query(int fd, int family, tim
  97. we get a good reply from another server. Kill it when we've
  98. had replies from all to avoid filling the forwarding table when
  99. everything is broken */
  100. - if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != REFUSED)
  101. + if (forward->forwardall == 0 || --forward->forwardall == 1 ||
  102. + (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
  103. {
  104. int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;