NetBSD Problem Report #47024
From campbell@mumble.net Mon Oct 1 02:13:05 2012
Return-Path: <campbell@mumble.net>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
by www.NetBSD.org (Postfix) with ESMTP id 55E4463D798
for <gnats-bugs@gnats.NetBSD.org>; Mon, 1 Oct 2012 02:13:05 +0000 (UTC)
Message-Id: <20121001021240.E7882604ED@jupiter.mumble.net>
Date: Mon, 1 Oct 2012 02:12:40 +0000 (UTC)
From: Taylor R Campbell <campbell+netbsd@mumble.net>
Reply-To: Taylor R Campbell <campbell+netbsd@mumble.net>
To: gnats-bugs@gnats.NetBSD.org
Subject: named DNSSEC validation is broken in default install
X-Send-Pr-Version: 3.95
>Number: 47024
>Category: misc
>Synopsis: named DNSSEC validation is broken in default install
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: misc-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Oct 01 02:15:00 +0000 2012
>Closed-Date: Mon Oct 07 06:46:00 +0000 2013
>Last-Modified: Mon Oct 07 06:46:00 +0000 2013
>Originator: Taylor R Campbell <campbell+netbsd@mumble.net>
>Release: NetBSD 6.99.11
>Organization:
>Environment:
Architecture: i386
Machine: i386
>Description:
There is no directory /etc/namedb/keys, but the named.conf we
ship says to use it for BIND's managed-keys. Thus, when BIND
launches and tries to store managed-keys.bind there, it fails
and consequently decides not to do DNSSEC validation.
If you additionally set named_chrootdir=/var/chroot/named, then
everything is hunky-dory. But the afterboot(8) man page
doesn't mention it, let alone recommend it, and the rc.conf(5)
man page doesn't indicate that it has any important
consequences other than running unprivileged or chrooted.
>How-To-Repeat:
In a fresh install, set named=YES in /etc/rc.conf and start
named. Watch error messages fly by about failing to write to
/etc/namedb/keys/managed-keys.frotz, and watch named fail to do
DNSSEC validation.
>Fix:
Yes, please!
The naive easy thing to do would be to create /etc/namedb/keys
in src/etc/mtree/NetBSD.dist.base or similar. However, if we
did that, then named -- which runs as root if you don't set a
chroot directory -- would create root-owned files there, and
subsequently setting
named_chrootdir=/var/chroot/named
in /etc/rc.conf would trigger /etc/rc.d/named's migration of
/etc/namedb to /var/chroot/named/etc/namedb resulting in
root-owned files in /var/chroot/named/etc/namedb/keys, which I
expect would break the managed-keys stuff -- although you might
not notice this for months or years until the root zone's key
rolls over. That doesn't seem like a good state of affairs.
We could additionally change named_migrate in /etc/rc.d/named
to `chown -R named:named $dst', but that might not be right
either -- the operator may want a compromised named to be
unable to edit /var/chroot/named/etc.
We could set named_chrootdir=/var/chroot/named by default in
/etc/defaults/rc.conf so that in all new installations, named
runs chrooted and unprivileged. I don't know any negative
consequences to this, but for old installations we'd still have
the problem that migrating /etc/namedb could either quietly
make DNSSEC validation break a long time from now or open
security holes.
It would be nice to fix this for NetBSD 6 so that any new
installations would get working DNSSEC validation, but this
looks a bit hairy to solve on short notice.
>Release-Note:
>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47024 CVS commit: src/etc/rc.d
Date: Mon, 1 Oct 2012 14:46:44 -0400
Module Name: src
Committed By: christos
Date: Mon Oct 1 18:46:43 UTC 2012
Modified Files:
src/etc/rc.d: named
Log Message:
PR/47024: Taylor R Campbell: handle "keys" directory and directory
permissions in general
To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/etc/rc.d/named
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Jeff Rizzo" <riz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47024 CVS commit: [netbsd-6] src/etc/rc.d
Date: Tue, 9 Oct 2012 22:58:35 +0000
Module Name: src
Committed By: riz
Date: Tue Oct 9 22:58:35 UTC 2012
Modified Files:
src/etc/rc.d [netbsd-6]: named
Log Message:
Pull up following revision(s) (requested by christos in ticket #587):
etc/rc.d/named: revision 1.23
PR/47024: Taylor R Campbell: handle "keys" directory and directory
permissions in general
To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.22.8.1 src/etc/rc.d/named
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 07 Oct 2013 06:46:00 +0000
State-Changed-Why:
fixed and pulled up (AFAICT)
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.