NSD 4.1.11rc1 maintainers prerelease

Hi,

NSD 4.1.11rc1 maintainers prerelease is available:
http://www.nlnetlabs.nl/downloads/nsd/nsd-4.1.11rc1.tar.gz
sha1 ced7b2a5e8d6229496dd8ff6ab1be7d89b820f01
sha256 4414c46fef8221c2d5c910b15b6d8d827243e6f29ca080bd5ff2dc7abe1794d1
pgp http://www.nlnetlabs.nl/downloads/nsd/nsd-4.1.11rc1.tar.gz.asc

This is the maintainers prerelease, for package tests.

This release contains a patch for the unlimited AXFR vulnerability; with
a config option to limit AXFR sizes.

Bug fixes when without IPv6 and for serving DS records with no NS record
in parent-child co-hosted setups.

4.1.11

Hi,

NSD 4.1.11rc2 maintainers prerelease is available:
http://www.nlnetlabs.nl/downloads/nsd/nsd-4.1.11rc2.tar.gz
sha1 9d4c3ea429a291965fa2ac3eaa8310a154f75c27
sha256 e646a883b9c78dccd239185d390f2f5aa8f3318baf1177c46475b79b8674686e
pgp http://www.nlnetlabs.nl/downloads/nsd/nsd-4.1.11rc2.tar.gz.asc

This is release candidate 2, with one extra bug fix compared to release
candidate 1.

BUG FIXES:
- Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.

Best regards, Wouter

Seems to work, but some warnings:

xfrd-tcp.c: In function 'pipeline_find':
xfrd-tcp.c:236: warning: dereferencing pointer 'key' does break strict-aliasing rules
xfrd-tcp.c:234: warning: dereferencing pointer 'key' does break strict-aliasing rules
xfrd-tcp.c:224: warning: dereferencing pointer 'key' does break strict-aliasing rules
xfrd-tcp.c:223: warning: dereferencing pointer 'key' does break strict-aliasing rules
xfrd-tcp.c:222: warning: dereferencing pointer 'key' does break strict-aliasing rules
xfrd-tcp.c:221: note: initialized from here

Paul

NSD 4.1.11rc2 maintainers prerelease is available:
http://www.nlnetlabs.nl/downloads/nsd/nsd-4.1.11rc2.tar.gz

Seems to work, but some warnings:

xfrd-tcp.c: In function 'pipeline_find':
xfrd-tcp.c:236: warning: dereferencing pointer 'key' does break strict-aliasing rules
xfrd-tcp.c:234: warning: dereferencing pointer 'key' does break strict-aliasing rules
xfrd-tcp.c:224: warning: dereferencing pointer 'key' does break strict-aliasing rules
xfrd-tcp.c:223: warning: dereferencing pointer 'key' does break strict-aliasing rules
xfrd-tcp.c:222: warning: dereferencing pointer 'key' does break strict-aliasing rules
xfrd-tcp.c:221: note: initialized from here

Yes, same here, but with a few more warnings.

xfrd-tcp.c: In function 'pipeline_find':
xfrd-tcp.c:236: warning: dereferencing pointer 'key' does break strict-aliasing rules
xfrd-tcp.c:234: warning: dereferencing pointer 'key' does break strict-aliasing rules
xfrd-tcp.c:224: warning: dereferencing pointer 'key' does break strict-aliasing rules
xfrd-tcp.c:223: warning: dereferencing pointer 'key' does break strict-aliasing rules
xfrd-tcp.c:222: warning: dereferencing pointer 'key' does break strict-aliasing rules
xfrd-tcp.c:221: note: initialized from here

ipc.c: In function 'child_handle_parent_command':
ipc.c:85: warning: ignoring return value of 'write', declared with attribute warn_unused_result

zonec.c: In function 'zparser_conv_loc':
zonec.c:956: warning: ignoring return value of 'strtol', declared with attribute warn_unused_result

Paul

Kabindra Shrestha

Which compiler? I don't see these with FreeBSD (various versions) compilers.

  jaap

Kabindra Shrestha writes:

I get these warnings on GCC 4.4.7, which is the default for CentOS 6.

Regards,
Anand

Hi,

Which compiler? I don't see these with FreeBSD (various versions) compilers.

I get these warnings on GCC 4.4.7, which is the default for CentOS 6.

Older and newer gcc do not give the warnings about type-punned
pointers. I'll just wait for gcc to get updated; the warnings are spurious.

I have tried to fix the unused result warnings for the write and strtol,
and committed it in the code repository for later releases.

Best regards, Wouter

Hi,

NSD 4.1.11 is available:
http://www.nlnetlabs.nl/downloads/nsd/nsd-4.1.11.tar.gz
sha1 bd70fc0735f885ef80d33a32bdf139970ce830a4
sha256 c7712fd05eb0ab97040738e01d9369d02b89c0a7fa0943fd5bfc43b2111a92df
pgp http://www.nlnetlabs.nl/downloads/nsd/nsd-4.1.11.tar.gz.asc

This release contains a patch for the unlimited AXFR vulnerability; with
a config option to limit AXFR sizes.

Bug fixes when without IPv6 and for serving DS records with no NS record
in parent-child co-hosted setups.

4.1.11

Hi

When will the Launchpad repo be updated? It's still at 4.1.6.

With kind regards,

Bas van den Dikkenberg
-----Original message-----

W.C.A. Wijngaards:

NSD 4.1.11 is available

I'm a little bit too late, just started yesterday playing with rc2 :-/

Besides "thanks for nsd", some notes:

1. a typo
xfrd.c, line 1995: "transfered" should be written "transferred"

2. compiler warnings:

**** Debian Jessie, i386
gcc -D_FORTIFY_SOURCE=2 -I. -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -W -Wall -Wextra -Wdeclaration-after-statement -c configlexer.c
<stdout>: In function 'c__get_next_buffer':
<stdout>:1490:18: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
<stdout>:2427:3: note: in expansion of macro 'YY_INPUT'
<stdout>:2435:23: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]

gcc -D_FORTIFY_SOURCE=2 -I. -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -W -Wall -Wextra -Wdeclaration-after-statement -c xfrd-disk.c
xfrd-disk.c: In function 'xfrd_read_state':
xfrd-disk.c:270:19: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
    if (soa_refresh > zone->zone_options->pattern->max_refresh_time)
                    ^
xfrd-disk.c:272:24: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
    else if (soa_refresh < zone->zone_options->pattern->min_refresh_time)
                         ^
xfrd-disk.c:277:5: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
      > soa_refresh))
      ^

gcc -D_FORTIFY_SOURCE=2 -I. -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -W -Wall -Wextra -Wdeclaration-after-statement -c xfrd.c
xfrd.c: In function 'xfrd_set_timer_refresh':
xfrd.c:706:18: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
   if (set_refresh > zone->zone_options->pattern->max_refresh_time)
                   ^
xfrd.c:708:23: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
   else if (set_refresh < zone->zone_options->pattern->min_refresh_time)
                        ^
xfrd.c: In function 'xfrd_set_timer_retry':
xfrd.c:753:16: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
    if(set_retry > zone->zone_options->pattern->max_retry_time)
                 ^
xfrd.c:755:21: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
    else if(set_retry < zone->zone_options->pattern->min_retry_time)
                      ^
gcc -D_FORTIFY_SOURCE=2 -I. -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -W -Wall -Wextra -Wdeclaration-after-statement -c ipc.c
ipc.c: In function 'child_handle_parent_command':
ipc.c:85:3: warning: ignoring return value of 'write', declared with attribute warn_unused_result [-Wunused-result]
    (void)write(fd, &mode, sizeof(mode));
    ^

**** Debian Jessie, amd64
gcc -D_FORTIFY_SOURCE=2 -I. -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -W -Wall -Wextra -Wdeclaration-after-statement -c configlexer.c
<stdout>: In function 'c__get_next_buffer':
<stdout>:1490:18: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
<stdout>:2427:3: note: in expansion of macro 'YY_INPUT'
<stdout>:2435:23: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]

gcc -D_FORTIFY_SOURCE=2 -I. -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -W -Wall -Wextra -Wdeclaration-after-statement -c ipc.c
ipc.c: In function 'child_handle_parent_command':
ipc.c:85:3: warning: ignoring return value of 'write', declared with attribute warn_unused_result [-Wunused-result]
    (void)write(fd, &mode, sizeof(mode));
    ^

gcc -D_FORTIFY_SOURCE=2 -I. -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -W -Wall -Wextra -Wdeclaration-after-statement -c zlexer.c
<stdout>: In function 'yy_get_next_buffer':
<stdout>:760:18: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
<stdout>:1466:3: note: in expansion of macro 'YY_INPUT'
<stdout>:1474:23: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]

**** SLES11, i586
gcc -I. -march=i586 -mtune=i686 -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -W -Wall -Wextra -Wdeclaration-after-statement -c configlexer.c
<stdout>: In function 'c__get_next_buffer':
<stdout>:2427: warning: comparison between signed and unsigned
<stdout>:2435: warning: comparison between signed and unsigned

gcc -I. -march=i586 -mtune=i686 -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -W -Wall -Wextra -Wdeclaration-after-statement -c xfrd-disk.c
xfrd-disk.c: In function 'xfrd_read_state':
xfrd-disk.c:270: warning: comparison between signed and unsigned
xfrd-disk.c:272: warning: comparison between signed and unsigned
xfrd-disk.c:277: warning: comparison between signed and unsigned

gcc -I. -march=i586 -mtune=i686 -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -W -Wall -Wextra -Wdeclaration-after-statement -c xfrd.c
xfrd.c: In function 'xfrd_set_timer_refresh':
xfrd.c:706: warning: comparison between signed and unsigned
xfrd.c:708: warning: comparison between signed and unsigned
xfrd.c: In function 'xfrd_set_timer_retry':
xfrd.c:753: warning: comparison between signed and unsigned
xfrd.c:755: warning: comparison between signed and unsigned

gcc -I. -march=i586 -mtune=i686 -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -W -Wall -Wextra -Wdeclaration-after-statement -c ipc.c
ipc.c: In function 'child_handle_parent_command':
ipc.c:85: warning: ignoring return value of 'write', declared with attribute warn_unused_result

gcc -I. -march=i586 -mtune=i686 -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -W -Wall -Wextra -Wdeclaration-after-statement -c zlexer.c
<stdout>: In function 'yy_get_next_buffer':
<stdout>:1466: warning: comparison between signed and unsigned
<stdout>:1474: warning: comparison between signed and unsigned

gcc -I. -march=i586 -mtune=i686 -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -W -Wall -Wextra -Wdeclaration-after-statement -c zonec.c
zonec.c: In function 'zparser_conv_loc':
zonec.c:956: warning: ignoring return value of 'strtol', declared with attribute warn_unused_result

*** SLES11, x86_64
gcc -I. -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -W -Wall -Wextra -Wdeclaration-after-statement -c configlexer.c
<stdout>: In function 'c__get_next_buffer':
<stdout>:2427: warning: comparison between signed and unsigned
<stdout>:2435: warning: comparison between signed and unsigned

gcc -I. -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -W -Wall -Wextra -Wdeclaration-after-statement -c ipc.c
ipc.c: In function 'child_handle_parent_command':
ipc.c:85: warning: ignoring return value of 'write', declared with attribute warn_unused_result

gcc -I. -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -W -Wall -Wextra -Wdeclaration-after-statement -c zlexer.c
<stdout>: In function 'yy_get_next_buffer':
<stdout>:1466: warning: comparison between signed and unsigned
<stdout>:1474: warning: comparison between signed and unsigned

gcc -I. -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -W -Wall -Wextra -Wdeclaration-after-statement -c zonec.c
zonec.c: In function 'zparser_conv_loc':
zonec.c:956: warning: ignoring return value of 'strtol', declared with attribute warn_unused_result

Andreas

Hi Andreas,

W.C.A. Wijngaards:

NSD 4.1.11 is available

I'm a little bit too late, just started yesterday playing with rc2 :-/

Besides "thanks for nsd", some notes:

1. a typo
xfrd.c, line 1995: "transfered" should be written "transferred"

Fixed.

2. compiler warnings:

I fixed most: the strtol, write and xfrd.c/xfrd-disk.c warnings. These
fixes are in the code repository (not in 4.1.11).

The warnings in configlexer.c and zlexer.c are in the output of the
'flex' tool. https://sourceforge.net/p/flex/bugs/140/
Perhaps an upgrade of flex can solve the problem?

Best regards, Wouter

Hi Bas,

When will the Launchpad repo be updated? It's still at 4.1.6.

NLnet Labs does not maintain the NSD package in the Launchpad/Ubuntu repo. But if I am correct, Xenial (16.04) provides 4.1.7 and Yakkety (16.10) has 4.1.10 (and my guess is it will probably pick up 4.1.11 soon).

Best,

— Benno

If this is a known vulnerability, is there a reason why the default
config has not enabled any kind of limits? This release is now just
as vulnerable as before because no upper limits have actually been
enabled.

Paul

Hi Paul,

If this is a known vulnerability, is there a reason why the default
config has not enabled any kind of limits? This release is now just
as vulnerable as before because no upper limits have actually been
enabled.

Introducing a limit has the potential of breaking some configurations if
they have large zones.

Given that this vulnerability only affects slave NSDs, and that most
configs will have well-known masters, I don't think it's such a huge problem.

FYI, Knot DNS has also introduced a similar option, but it also defaults
to unlimited.

Regards,
Anand
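
Added example, not part of the thread and not NSD's own code: since the limit discussed above is off by default, this audit lists the zone: and pattern: blocks of an nsd.conf that pull transfers (request-xfr) without a non-zero size-limit-xfr. The function names, the sample config and its values are constructed; the script assumes one option per line and does not resolve include-pattern inheritance.

```sh
#!/bin/sh
# Added example: report zone:/pattern: blocks in an nsd.conf that pull zone
# transfers (request-xfr) without a non-zero size-limit-xfr (0 = unlimited).
# Assumes one option per line; include-pattern inheritance is not resolved,
# so each block is judged on its own lines.
audit_xfr_limits() {
    awk '
    function flush() {
        if (kind != "" && pulls && limit == 0) {
            printf "%s %s: request-xfr without size-limit-xfr\n", kind, name
            bad = 1
        }
        kind = ""; name = "(unnamed)"; pulls = 0; limit = 0
    }
    { sub(/#.*/, "") }                         # drop comments
    NF == 0 { next }
    NF == 1 && $1 ~ /^(server|key|pattern|zone|remote-control):$/ {
        flush()                                # a new clause closes the previous one
        if ($1 == "zone:" || $1 == "pattern:") kind = substr($1, 1, length($1) - 1)
        next
    }
    kind == "" { next }                        # inside server:, key:, ...
    $1 == "name:"           { name = $2; gsub(/"/, "", name) }
    $1 == "request-xfr:"    { pulls = 1 }
    $1 == "size-limit-xfr:" { limit = $2 + 0 }
    END { flush(); exit bad + 0 }
    ' "$1"
}

# Constructed sample config (names and addresses are placeholders).
sample_conf() {
    cat <<'EOF'
server:
    ip-address: 192.0.2.53
zone:
    name: "unlimited.example"
    request-xfr: 192.0.2.1 NOKEY
zone:
    name: "limited.example"
    request-xfr: 192.0.2.1 NOKEY
    size-limit-xfr: 268435456   # constructed value
zone:
    name: "primary.example"
    zonefile: "primary.example.zone"
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
audit_xfr_limits "$tmp" || echo "secondary zones without a transfer size limit found"
rm -f "$tmp"
```

A pattern: block that is flagged affects every zone that includes it, so fix the pattern rather than each zone.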