NetBSD Problem Report #53845

From www@NetBSD.org  Tue Jan  8 21:54:33 2019
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id CAC9D7A1E8
	for <gnats-bugs@gnats.NetBSD.org>; Tue,  8 Jan 2019 21:54:33 +0000 (UTC)
Message-Id: <20190108215432.8B09B7A25E@mollari.NetBSD.org>
Date: Tue,  8 Jan 2019 21:54:32 +0000 (UTC)
From: tho@useless-ficus.net
Reply-To: tho@useless-ficus.net
To: gnats-bugs@NetBSD.org
Subject: "bad cookie" in authoritative DNS server since bind 9.12 import
X-Send-Pr-Version: www-1.0

>Number:         53845
>Category:       bin
>Synopsis:       "bad cookie" in authoritative DNS server since bind 9.12 import
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jan 08 21:55:00 +0000 2019
>Closed-Date:    Fri May 03 19:59:27 +0000 2024
>Last-Modified:  Fri May 03 19:59:27 +0000 2024
>Originator:     Anthony Mallet
>Release:        -current
>Organization:
>Environment:
NetBSD 8.99.25: Fri Nov  9 00:44:50 CET 2018 
>Description:
Since the import of bind 9.12, I am getting loads of "bad cookie from ..." syslog messages from my recursive named resolver. This delays all requests a lot (and sometimes even leads to a SERVFAIL).

I figured out that this comes from the CPPFLAGS used to build
bind/lib/dns/resolver.c (and probably other files as well).

Looking at bind/include/config.h, line #153
https://github.com/NetBSD/src/blob/trunk/external/mpl/bind/include/config.h#L153
it can be seen that NetBSD does _not_ define AES_CC.

However, the file bind/dist/lib/dns/resolver.c, line #2211
https://github.com/NetBSD/src/blob/trunk/external/mpl/bind/dist/lib/dns/resolver.c#L2211
defines the "compute_cc" function according to this #define AES_CC
(in a rather awful way IMHO, but anyway)

This compute_cc is used line #7657 to set cc_bad=1 if the expected "edns cookie" does not match the response.
https://github.com/NetBSD/src/blob/trunk/external/mpl/bind/dist/lib/dns/resolver.c#L7657

And cc_bad is checked line #7135 to display the infamous "bad cookie from ..." message.
https://github.com/NetBSD/src/blob/trunk/external/mpl/bind/dist/lib/dns/resolver.c#L7135

The attached patch adds a hardcoded CPPFLAGS+=-DAES_CC to the global bind Makefile. I'm not sure if this is the proper way to fix this (e.g. why is the #define AES_CC disabled in bind/include/config.h for NetBSD?). It still fixes the issue for me.

Also, I'm wondering how it works if the "cookie-algorithm" is set to something other than AES in named.conf (e.g. sha256), but I could check that my patch still works in this case.

So, if someone could have a look at this and either commit the patch or find "the right fix", my DNS and I would be very grateful! :)

>How-To-Repeat:
Set up recent named (9.12) as a recursive resolver.
Query any host, e.g.:
# host example.com
and watch /var/log/named for "bad cookie" message.

>Fix:
Index: Makefile.inc
===================================================================
RCS file: /cvsroot/src/external/mpl/bind/Makefile.inc,v
retrieving revision 1.2
diff -u -r1.2 Makefile.inc
--- Makefile.inc        16 Aug 2018 16:34:33 -0000      1.2
+++ Makefile.inc        8 Jan 2019 21:42:42 -0000
@@ -50,6 +50,7 @@
 CPPFLAGS+=     -DWANT_IPV6
 CPPFLAGS+=     -DALLOW_FILTER_AAAA
 .endif
+CPPFLAGS+=     -DAES_CC

 .if defined(HAVE_GCC)
 COPTS+=        -Wno-pointer-sign
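Review bot: forcing the macro from the Makefile while bind/include/config.h still leaves AES_CC undefined splits one build decision across two files, so a later reader of config.h will not see that the cookie algorithm is forced on elsewhere. Since compute_cc in resolver.c keys off the #define, the switch belongs in config.h (which is what the commit in the audit trail does); if the Makefile route is kept, put a one-line comment above `CPPFLAGS+=     -DAES_CC` saying why it must always be on, and state whether it is intentionally unconditional rather than inside the `.if` block that closes just above it.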

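The symptom in this PR is a flood of "bad cookie from ..." lines in the named log. The following triage script is an added example, not part of the PR or of BIND: it parses constructed syslog lines, counts bad-cookie events per upstream server, and applies the heuristic that a resolver-side fault (such as the build-time algorithm mismatch reported here) shows up as bad cookies from many different servers, whereas a single server's problem stays localized. The exact `address#port` suffix of the log line is an assumption; only the "bad cookie from" prefix appears on the page.

```python
import re
from collections import Counter

# Assumed shape of the named resolver log line: "bad cookie from ADDR#PORT".
# IPv4 and IPv6 literals are accepted; the "#port" part is optional.
BAD_COOKIE_RE = re.compile(
    r"bad cookie from (?P<addr>[0-9A-Fa-f.:]+)(?:#(?P<port>\d+))?"
)

# Constructed sample log excerpt (not real data): three distinct servers,
# one of them twice, plus an unrelated query log line that must be ignored.
SAMPLE_LOG = """\
Jan  8 21:40:01 ns named[1234]: bad cookie from 192.0.2.10#53
Jan  8 21:40:02 ns named[1234]: bad cookie from 2001:db8::53#53
Jan  8 21:40:02 ns named[1234]: bad cookie from 198.51.100.7#53
Jan  8 21:40:03 ns named[1234]: bad cookie from 192.0.2.10#53
Jan  8 21:40:05 ns named[1234]: query: example.com IN A + (127.0.0.1)
"""


def parse_bad_cookies(lines):
    """Return a Counter mapping server address -> number of bad-cookie events."""
    hits = Counter()
    for line in lines:
        m = BAD_COOKIE_RE.search(line)
        if m:
            hits[m.group("addr")] += 1
    return hits


def classify(hits, min_servers=3):
    """Heuristic verdict: 'none' if no events; 'local' when at least
    min_servers distinct servers are affected (points at the resolver,
    e.g. a cookie-algorithm mismatch in the build); otherwise 'remote'."""
    if not hits:
        return "none"
    if len(hits) >= min_servers:
        return "local"
    return "remote"


def report(lines):
    """Summarise a log excerpt: (verdict, [(addr, count), ...] most frequent first)."""
    hits = parse_bad_cookies(lines)
    return classify(hits), hits.most_common()


if __name__ == "__main__":
    verdict, table = report(SAMPLE_LOG.splitlines())
    print("verdict:", verdict)
    for addr, n in table:
        print(f"{n:6d}  {addr}")
```

Run it against `/var/log/named` instead of the constructed sample to see whether the bad cookies are spread across your upstream servers or concentrated on one.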
>Release-Note:

>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/53845 CVS commit: src/external/mpl/bind/include
Date: Tue, 8 Jan 2019 17:19:28 -0500

 Module Name:	src
 Committed By:	christos
 Date:		Tue Jan  8 22:19:28 UTC 2019

 Modified Files:
 	src/external/mpl/bind/include: config.h

 Log Message:
 PR/53845: Anthony Mallet: "bad cookie" in authoritative DNS server since bind
 9.12 import. AES_CC needs to always be enabled.


 To generate a diff of this commit:
 cvs rdiff -u -r1.1 -r1.2 src/external/mpl/bind/include/config.h

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Anthony Mallet <tho@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: PR/53845 CVS commit: src/external/mpl/bind/include
Date: Tue, 8 Jan 2019 23:27:24 +0100

 On Tuesday  8 Jan 2019, at 22:20, Christos Zoulas wrote:
 >  Modified Files:
 >  	src/external/mpl/bind/include: config.h
 >
 >  Log Message: PR/53845: Anthony Mallet: "bad cookie" in
 >  authoritative DNS server since bind 9.12 import. AES_CC needs to
 >  always be enabled.

 OK, it makes sense to do it like this.

 Thanks!

From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, 
	tho@useless-ficus.net
Cc: 
Subject: Re: PR/53845 CVS commit: src/external/mpl/bind/include
Date: Tue, 8 Jan 2019 17:31:27 -0500

 On Jan 8, 10:30pm, tho@netbsd.org (Anthony Mallet) wrote:
 -- Subject: PR/53845 CVS commit: src/external/mpl/bind/include

 | OK, it makes sense to do it like this.
 |  
 | Thanks!

 Yes, I mismerged the AES_SIT change which was optional (and I guess gone
 in 9.12).

 christos

State-Changed-From-To: open->closed
State-Changed-By: reed@NetBSD.org
State-Changed-When: Fri, 03 May 2024 19:59:27 +0000
State-Changed-Why:
This was fixed on same day in 2019.


>Unformatted:
