NetBSD Problem Report #53845
From www@NetBSD.org Tue Jan 8 21:54:33 2019
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id CAC9D7A1E8
for <gnats-bugs@gnats.NetBSD.org>; Tue, 8 Jan 2019 21:54:33 +0000 (UTC)
Message-Id: <20190108215432.8B09B7A25E@mollari.NetBSD.org>
Date: Tue, 8 Jan 2019 21:54:32 +0000 (UTC)
From: tho@useless-ficus.net
Reply-To: tho@useless-ficus.net
To: gnats-bugs@NetBSD.org
Subject: "bad cookie" in authoritative DNS server since bind 9.12 import
X-Send-Pr-Version: www-1.0
>Number: 53845
>Category: bin
>Synopsis: "bad cookie" in authoritative DNS server since bind 9.12 import
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jan 08 21:55:00 +0000 2019
>Closed-Date: Fri May 03 19:59:27 +0000 2024
>Last-Modified: Fri May 03 19:59:27 +0000 2024
>Originator: Anthony Mallet
>Release: -current
>Organization:
>Environment:
NetBSD 8.99.25: Fri Nov 9 00:44:50 CET 2018
>Description:
Since the import of bind 9.12, I am getting loads of "bad cookie from ..." syslog message from my recursive named resolver. This delays all requests a lot (and sometimes even leads to a SERVFAIL).
I figured out that this comes from the CPPFLAGS used to build
bind/lib/dns/resolver.c (and probably other files as well).
Looking at bind/include/config.h, line #153
https://github.com/NetBSD/src/blob/trunk/external/mpl/bind/include/config.h#L153
it can be seen that NetBSD does _not_ define AES_CC
However, the file bind/dist/lib/dns/resolver.c, line #2211
https://github.com/NetBSD/src/blob/trunk/external/mpl/bind/dist/lib/dns/resolver.c#L2211
defines the "compute_cc" function according to this #define AES_CC
(in a rather awful way IMHO, but anyway)
This compute_cc is used line #7657 to set cc_bad=1 if the expected "edns cookie" does not match the response.
https://github.com/NetBSD/src/blob/trunk/external/mpl/bind/dist/lib/dns/resolver.c#L7657
And cc_bad is checked line #7135 to display the infamous "bad cookie from ..." message.
https://github.com/NetBSD/src/blob/trunk/external/mpl/bind/dist/lib/dns/resolver.c#L7135
The attached patch adds an hardcoded CPPFLAGS+=-DAES_CC to the global bind Makefile. I'm not sure if this is the proper way to fix this (e.g. why is the #define AEC_CC disabled in bind/include/config.h for NetBSD ?). It still fixes the issue for me.
Also, I'm wondering how it works if the "cookie-algorithm" is set to something else than AES in named.conf (e.g. sha256), but I could check that my patch still works in this case.
So, if someone could have a look at this and either commit the patch or find "the right fix", my DNS and I would be very grateful! :)
>How-To-Repeat:
Set up recent named (9.12) as a recursive resolver.
Query any host, e.g:
# host example.com
and watch /var/log/named for "bad cookie" message.
>Fix:
Index: Makefile.inc
===================================================================
RCS file: /cvsroot/src/external/mpl/bind/Makefile.inc,v
retrieving revision 1.2
diff -u -r1.2 Makefile.inc
--- Makefile.inc 16 Aug 2018 16:34:33 -0000 1.2
+++ Makefile.inc 8 Jan 2019 21:42:42 -0000
@@ -50,6 +50,7 @@
CPPFLAGS+= -DWANT_IPV6
CPPFLAGS+= -DALLOW_FILTER_AAAA
.endif
+CPPFLAGS+= -DAES_CC
.if defined(HAVE_GCC)
COPTS+= -Wno-pointer-sign
>Release-Note:
>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53845 CVS commit: src/external/mpl/bind/include
Date: Tue, 8 Jan 2019 17:19:28 -0500
Module Name: src
Committed By: christos
Date: Tue Jan 8 22:19:28 UTC 2019
Modified Files:
src/external/mpl/bind/include: config.h
Log Message:
PR/53845: Anthony Mallet: "bad cookie" in authoritative DNS server since bind
9.12 import. AES_CC needs to always be enabled.
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/external/mpl/bind/include/config.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Anthony Mallet <tho@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: PR/53845 CVS commit: src/external/mpl/bind/include
Date: Tue, 8 Jan 2019 23:27:24 +0100
On Tuesday 8 Jan 2019, at 22:20, Christos Zoulas wrote:
> Modified Files:
> src/external/mpl/bind/include: config.h
>
> Log Message: PR/53845: Anthony Mallet: "bad cookie" in
> authoritative DNS server since bind 9.12 import. AES_CC needs to
> always be enabled.
OK, it makes sense to do it like this.
Thanks!
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
tho@useless-ficus.net
Cc:
Subject: Re: PR/53845 CVS commit: src/external/mpl/bind/include
Date: Tue, 8 Jan 2019 17:31:27 -0500
On Jan 8, 10:30pm, tho@netbsd.org (Anthony Mallet) wrote:
-- Subject: PR/53845 CVS commit: src/external/mpl/bind/include
| OK, it makes sense to do it like this.
|
| Thanks!
Yes, I mismerged the AES_SIT change which was optional (and I guess gone
in 9.12).
christos
State-Changed-From-To: open->closed
State-Changed-By: reed@NetBSD.org
State-Changed-When: Fri, 03 May 2024 19:59:27 +0000
State-Changed-Why:
This was fixed on same day in 2019.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2024
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.