From e30ec7d49f7cb229732b43ffc50f3f2247d9e9dc Mon Sep 17 00:00:00 2001
From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?=
Date: Wed, 21 Feb 2018 14:35:09 +0100
Subject: [PATCH] - rel 2; fix CAA queries on CNAME loops
---
 unbound-bug-3512.patch | 40 ++++++++++++++++++++++++++++++++++++++++
 unbound.spec | 4 +++-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 unbound-bug-3512.patch
diff --git a/unbound-bug-3512.patch b/unbound-bug-3512.patch
new file mode 100644
index 0000000..e58a4e5
--- /dev/null
+++ b/unbound-bug-3512.patch
@@ -0,0 +1,40 @@
+diff --git a/iterator/iterator.c b/iterator/iterator.c
+index 7f3c6573..26660059 100644
+--- a/iterator/iterator.c
++++ b/iterator/iterator.c
+@@ -1157,6 +1157,13 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
+ if(iq->query_restart_count > MAX_RESTART_COUNT) {
+ verbose(VERB_QUERY, "request has exceeded the maximum number"
+ " of query restarts with %d", iq->query_restart_count);
++ if(iq->response) {
++ /* return the partial CNAME loop, i.e. with the
++ * actual packet in iq->response cleared of RRsets,
++ * the stored prepend RRsets contain the loop contents
++ * with duplicates removed */
++ return next_state(iq, FINISHED_STATE);
++ }
+ return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
+
+@@ -1246,6 +1253,10 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
+ iq->qchase.qname_len = slen;
+ /* This *is* a query restart, even if it is a cheap
+ * one. */
++ msg->rep->an_numrrsets = 0;
++ msg->rep->ns_numrrsets = 0;
++ msg->rep->ar_numrrsets = 0;
++ msg->rep->rrset_count = 0;
+ iq->dp = NULL;
+ iq->refetch_glue = 0;
+ iq->query_restart_count++;
+@@ -2739,6 +2750,10 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+ if (qstate->env->cfg->qname_minimisation)
+ iq->minimisation_state = INIT_MINIMISE_STATE;
+ /* Clear the query state, since this is a query restart. */
++ iq->response->rep->an_numrrsets = 0;
++ iq->response->rep->ns_numrrsets = 0;
++ iq->response->rep->ar_numrrsets = 0;
++ iq->response->rep->rrset_count = 0;
+ iq->deleg_msg = NULL;
+ iq->dp = NULL;
+ iq->dsns_point = NULL;
diff --git a/unbound.spec b/unbound.spec
index 5e6951c..6f402e1 100644
--- a/unbound.spec
+++ b/unbound.spec
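Review bot: In the embedded iterator.c patch, the new restart-limit branch in processInitRequest returns FINISHED_STATE whenever `iq->response` is non-NULL, but nothing at that point checks that the message was actually emptied; the clearing is done separately on `msg->rep` in the cached-CNAME path and on `iq->response->rep` in processQueryResponse, and the hunks do not show `iq->response` being pointed at `msg`. If any restart path leaves `iq->response` set without zeroing its counts, the over-limit answer would carry that message's RRsets instead of only the prepend list, so a tighter guard such as `if(iq->response && iq->response->rep->rrset_count == 0) {` looks safer (inferred from the visible lines; confirm against the full function). The four-line zeroing is duplicated verbatim, and in the cached path it is safe only if `msg->rep` is private to this query rather than shared with the cache, which is not visible here; a comment on those lines stating who owns the reply would record that. All three inner hunks sit inside functions that begin and end outside the shown context.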
@@ -8,7 +8,7 @@ Summary: Recursive, validating DNS resolver
 Summary(pl.UTF-8): Rekurencyjny, weryfikujący resolver DNS
 Name: unbound
 Version: 1.6.8
-Release: 1
+Release: 2
 License: BSD
 Group: Applications/Network
 Source0: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@@ -23,6 +23,7 @@ Patch0: %{name}-default_trust_anchor.patch
 Patch1: %{name}-sh.patch
 Patch2: %{name}-pythondir.patch
 Patch3: %{name}-flex.patch
+Patch4: unbound-bug-3512.patch
 URL: http://unbound.net/
 BuildRequires: autoconf >= 2.56
 BuildRequires: automake
@@ -129,6 +130,7 @@ Pythonowy interfejs do biblioteki unbound.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 %build
 %{__libtoolize}
--
2.44.0