NetBSD Problem Report #47024

From campbell@mumble.net  Mon Oct  1 02:13:05 2012
Return-Path: <campbell@mumble.net>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	by www.NetBSD.org (Postfix) with ESMTP id 55E4463D798
	for <gnats-bugs@gnats.NetBSD.org>; Mon,  1 Oct 2012 02:13:05 +0000 (UTC)
Message-Id: <20121001021240.E7882604ED@jupiter.mumble.net>
Date: Mon,  1 Oct 2012 02:12:40 +0000 (UTC)
From: Taylor R Campbell <campbell+netbsd@mumble.net>
Reply-To: Taylor R Campbell <campbell+netbsd@mumble.net>
To: gnats-bugs@gnats.NetBSD.org
Subject: named DNSSEC validation is broken in default install
X-Send-Pr-Version: 3.95

>Number:         47024
>Category:       misc
>Synopsis:       named DNSSEC validation is broken in default install
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    misc-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Oct 01 02:15:00 +0000 2012
>Closed-Date:    Mon Oct 07 06:46:00 +0000 2013
>Last-Modified:  Mon Oct 07 06:46:00 +0000 2013
>Originator:     Taylor R Campbell <campbell+netbsd@mumble.net>
>Release:        NetBSD 6.99.11
>Organization:
>Environment:
Architecture: i386
Machine: i386
>Description:

	There is no directory /etc/namedb/keys, but the named.conf we
	ship says to use it for BIND's managed-keys.  Thus, when BIND
	launches and tries to store managed-keys.bind there, it fails
	and consequently decides not to do DNSSEC validation.

	If you additionally set named_chrootdir=/var/chroot/named, then
	everything is hunky-dory.  But the afterboot(8) man page
	doesn't mention it, let alone recommend it, and the rc.conf(5)
	man page doesn't indicate that it has any important
	consequences other than running unprivileged or chrooted.

>How-To-Repeat:

	In a fresh install, set named=YES in /etc/rc.conf and start
	named.  Watch error messages fly by about failing to write to
	/etc/namedb/keys/managed-keys.frotz, and watch named fail to do
	DNSSEC validation.

>Fix:

	Yes, please!

	The naive easy thing to do would be to create /etc/namedb/keys
	in src/etc/mtree/NetBSD.dist.base or similar.  However, if we
	did that, then named -- which runs as root if you don't set a
	chroot directory -- would create root-owned files there, and
	subsequently setting

		named_chrootdir=/var/chroot/named

	in /etc/rc.conf would trigger /etc/rc.d/named's migration of
	/etc/namedb to /var/chroot/named/etc/namedb resulting in
	root-owned files in /var/chroot/named/etc/namedb/keys, which I
	expect would break the managed-keys stuff -- although you might
	not notice this for months or years until the root zone's key
	rolls over.  That doesn't seem like a good state of affairs.

	We could additionally change named_migrate in /etc/rc.d/named
	to `chown -R named:named $dst', but that might not be right
	either -- the operator may want a compromised named to be
	unable to edit /var/chroot/named/etc.

	We could set named_chrootdir=/var/chroot/named by default in
	/etc/defaults/rc.conf so that in all new installations, named
	runs chrooted and unprivileged.  I don't know any negative
	consequences to this, but for old installations we'd still have
	the problem that migrating /etc/namedb could either quietly
	make DNSSEC validation break a long time from now or open
	security holes.

	It would be nice to fix this for NetBSD 6 so that any new
	installations would get working DNSSEC validation, but this
	looks a bit hairy to solve on short notice.

>Release-Note:

>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/47024 CVS commit: src/etc/rc.d
Date: Mon, 1 Oct 2012 14:46:44 -0400

 Module Name:	src
 Committed By:	christos
 Date:		Mon Oct  1 18:46:43 UTC 2012

 Modified Files:
 	src/etc/rc.d: named

 Log Message:
 PR/47024: Taylor R Campbell: handle "keys" directory and directory
 permissions in general


 To generate a diff of this commit:
 cvs rdiff -u -r1.22 -r1.23 src/etc/rc.d/named

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Jeff Rizzo" <riz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/47024 CVS commit: [netbsd-6] src/etc/rc.d
Date: Tue, 9 Oct 2012 22:58:35 +0000

 Module Name:	src
 Committed By:	riz
 Date:		Tue Oct  9 22:58:35 UTC 2012

 Modified Files:
 	src/etc/rc.d [netbsd-6]: named

 Log Message:
 Pull up following revision(s) (requested by christos in ticket #587):
 	etc/rc.d/named: revision 1.23
 PR/47024: Taylor R Campbell: handle "keys" directory and directory
 permissions in general


 To generate a diff of this commit:
 cvs rdiff -u -r1.22 -r1.22.8.1 src/etc/rc.d/named

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 07 Oct 2013 06:46:00 +0000
State-Changed-Why:
fixed and pulled up (AFAICT)


>Unformatted:
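
The failure mode in this report (a keys directory that is missing, or one left root-owned after /etc/namedb is migrated into the chroot) can be checked before it bites at a key rollover. The script below is an added example, not part of the PR or of NetBSD's rc.d/named; the function names and return codes are assumptions, and it inspects only the directory's owner and owner permission bits, not group/other bits or ACLs. Pass root as the user for the default non-chroot setup described above, and named when named_chrootdir is set.

```shell
#!/bin/sh
# Added example (not from the PR or NetBSD's rc.d/named). Function names and
# return codes are assumptions; paths and the "named" user come from the report.

# check_keys_dir DIR USER   (USER may be a login name or a numeric uid)
#   0  DIR exists, is owned by USER, owner has write and search permission
#   1  DIR is missing: named has nowhere to store its managed-keys file
#   2  DIR is owned by another uid, e.g. root-owned files after a migration
#   3  DIR is owned by USER but the owner write/search bits are off
#   4  USER does not exist
check_keys_dir() {
	dir=$1 user=$2
	case $user in
	''|*[!0-9]*) want_uid=$(id -u "$user" 2>/dev/null) || return 4 ;;
	*) want_uid=$user ;;
	esac
	[ -d "$dir" ] || return 1
	# Fields 1 and 3 of "ls -ldn" are the mode string and the numeric owner.
	info=$(ls -ldn "$dir" | awk '{ print $1, $3 }')
	mode=${info% *} have_uid=${info#* }
	[ "$have_uid" = "$want_uid" ] || return 2
	case $mode in
	d?w[xs]*) return 0 ;;
	*) return 3 ;;
	esac
}

# report_keys_dir DIR USER: one-line verdict, same return code as above.
report_keys_dir() {
	rc=0
	check_keys_dir "$1" "$2" || rc=$?
	case $rc in
	0) echo "ok: $1 is owned and writable by $2" ;;
	1) echo "FAIL: $1 is missing" ;;
	2) echo "FAIL: $1 is not owned by $2" ;;
	3) echo "FAIL: $1 is owned by $2 but not writable" ;;
	4) echo "FAIL: no such user: $2" ;;
	esac
	return $rc
}

# Usage: sh check-keys.sh /var/chroot/named/etc/namedb/keys named
if [ $# -eq 2 ]; then
	report_keys_dir "$1" "$2"
fi
```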
