From: "Michael Orlitzky"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Michael Orlitzky"
Message-ID: <1708777944.9c51d1e85c83c2c1af71f61cc2f003374ca902c9.mjo@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: net-dns/djbdns/files/, net-dns/djbdns/
X-VCS-Repository: repo/gentoo
X-VCS-Files: net-dns/djbdns/djbdns-1.05-r39.ebuild net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-manpages.patch net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-nov6.patch net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-v6.patch
X-VCS-Directories: net-dns/djbdns/files/ net-dns/djbdns/
X-VCS-Committer: mjo
X-VCS-Committer-Name: Michael Orlitzky
X-VCS-Revision: 9c51d1e85c83c2c1af71f61cc2f003374ca902c9
X-VCS-Branch: master
Date: Sat, 24 Feb 2024 12:37:45 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 5dd379d5-1cec-4cf3-bf4a-e725ba634e03
X-Archives-Hash: 283eb7d52665ad01a1f173af4362bbf6

commit:     9c51d1e85c83c2c1af71f61cc2f003374ca902c9
Author:     Michael Orlitzky gentoo org>
AuthorDate: Sat Feb 24 12:07:59 2024 +0000
Commit:     Michael Orlitzky gentoo org>
CommitDate: Sat Feb 24 12:32:24 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c51d1e8

net-dns/djbdns: new revision with configurable UDP response limit

This new revision allows the user to set TRUNCATELEN in the environment
to a value between 512 (per the RFC) and 16384. This affects only the
dnscache daemon and is useful in some cases to work around
implementation bugs; for example,

  https://forum.mikrotik.com/viewtopic.php?t=200627

Thanks to Jaco Kroon for the patches.

Closes: https://bugs.gentoo.org/916209
Signed-off-by: Michael Orlitzky gentoo.org> net-dns/djbdns/djbdns-1.05-r39.ebuild | 136 +++++++++++++++++++++ ...s-dnscache-configurable-truncate-manpages.patch | 53 ++++++++ ...-dnscache-configurable-truncate-size-nov6.patch | 83 +++++++++++++ ...ns-dnscache-configurable-truncate-size-v6.patch | 87 +++++++++++++ 4 files changed, 359 insertions(+) diff --git a/net-dns/djbdns/djbdns-1.05-r39.ebuild b/net-dns/djbdns/djbdns-1.05-r39.ebuild new file mode 100644 index 000000000000..2801d37b2612 --- /dev/null +++ b/net-dns/djbdns/djbdns-1.05-r39.ebuild 
@@ -0,0 +1,136 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 +inherit readme.gentoo-r1 toolchain-funcs + +DESCRIPTION="Collection of DNS client/server software" +HOMEPAGE="https://cr.yp.to/djbdns.html" +IPV6_PATCH="test32" + +SRC_URI="http://cr.yp.to/djbdns/${P}.tar.gz + http://smarden.org/pape/djb/manpages/${P}-man.tar.gz + ipv6? ( http://www.fefe.de/dns/${P}-${IPV6_PATCH}.diff.xz )" + +SLOT="0" +LICENSE="public-domain" +KEYWORDS="~alpha ~amd64 ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86" +IUSE="ipv6 selinux" + +RDEPEND=" + acct-user/dnscache + acct-user/dnslog + acct-user/tinydns + sys-apps/ucspi-tcp + virtual/daemontools + selinux? ( sec-policy/selinux-djbdns )" + +src_unpack() { + # Unpack both djbdns and its man pages to separate directories. + default + + # Now move the man pages under ${S} so that user patches can be + # applied to them as well in src_prepare(). + mv "${PN}-man" "${P}/man" || die "failed to transplant man pages" +} + +PATCHES=( + "${FILESDIR}/dnsroots.patch" + "${FILESDIR}/dnstracesort.patch" + "${FILESDIR}/string_length_255.patch" + "${FILESDIR}/srv_record_support.patch" + "${FILESDIR}/increase-cname-recustion-depth.patch" + "${FILESDIR}/CVE2009-0858_0001-check-response-domain-name-length.patch" + "${FILESDIR}/CVE2012-1191_0001-ghost-domain-attack.patch" + "${FILESDIR}/AR-and-RANLIB-support.patch" + "${FILESDIR}/tinydns-softlimit.patch" + "${FILESDIR}/${PN}-dnscache-configurable-truncate-manpages.patch" +) + +src_prepare() { + if use ipv6; then + PATCHES=(${PATCHES[@]} + # The big ipv6 patch. 
+ "${WORKDIR}/${P}-${IPV6_PATCH}.diff" + # Fix CVE2008-4392 (ipv6) + "${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test32.patch" + "${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records-ipv6-test29.patch" + "${FILESDIR}/${PN}-dnscache-configurable-truncate-size-v6.patch" + ) + else + PATCHES=(${PATCHES[@]} + # Fix CVE2008-4392 (no ipv6) + "${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-r1.patch" + "${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records.patch" + # Later versions of the ipv6 patch include this + "${FILESDIR}/${PV}-errno-r1.patch" + "${FILESDIR}/${PN}-dnscache-configurable-truncate-size-nov6.patch" + ) + fi + + default + + # Change "head -X" to the posix-compatible "head -nX" within the + # Makefile. We do this with sed instead of a patch because the ipv6 + # patch uses some of the surrounding lines; we'd need two versions + # of the patch. + sed -i Makefile \ + -e 's/head[[:space:]]\{1,\}\-\([0-9]\{1,\}\)/head -n\1/g' \ + || die 'failed to sed head in the Makefile' +} + +src_compile() { + echo "$(tc-getCC) ${CFLAGS}" > conf-cc || die + echo "$(tc-getCC) ${LDFLAGS}" > conf-ld || die + echo "/usr" > conf-home || die + emake AR=$(tc-getAR) RANLIB=$(tc-getRANLIB) +} + +src_install() { + insinto /etc + doins dnsroots.global + + into /usr + dobin *-conf dnscache tinydns walldns rbldns pickdns axfrdns \ + *-get *-data *-edit dnsip dnsipq dnsname dnstxt dnsmx \ + dnsfilter random-ip dnsqr dnsq dnstrace dnstracesort + + if use ipv6; then + dobin dnsip6 dnsip6q + fi + + dodoc CHANGES README + + doman man/*.[158] + + readme.gentoo_create_doc +} + +DISABLE_AUTOFORMATTING=1 +DOC_CONTENTS=' +To configure djbdns, please follow the instructions at, + + http://cr.yp.to/djbdns.html + +Of particular interest are, + + axfrdns : http://cr.yp.to/djbdns/axfrdns-conf.html + dnscache: http://cr.yp.to/djbdns/run-cache-x-home.html + tinydns : http://cr.yp.to/djbdns/run-server.html + +Portage has created users for 
axfrdns, dnscache, and tinydns; the +commands to configure these programs are, + + 1. axfrdns-conf tinydns dnslog /var/axfrdns /var/tinydns $ip + 2. dnscache-conf dnscache dnslog /var/dnscache $ip + 3. tinydns-conf tinydns dnslog /var/tinydns $ip + +(replace $ip with the ip address on which the server will run). + +If you wish to configure rbldns or walldns, you will need to create +those users yourself (although you should still use the "dnslog" +user for the logs): + + 4. rbldns-conf $username dnslog /var/rbldns $ip $base + 5. walldns-conf $username dnslog /var/walldns $ip +' diff --git a/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-manpages.patch b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-manpages.patch new file mode 100644 index 000000000000..0b022299ab1c --- /dev/null +++ b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-manpages.patch 
@@ -0,0 +1,53 @@ +From 927121fa9afe047009a2502491d1c7000871b45c Mon Sep 17 00:00:00 2001 +From: Michael Orlitzky +Date: Wed, 25 Oct 2023 19:28:50 -0400 +Subject: [PATCH] dnscache.8,tinydns.8: document TRUNCATELEN hack for microtiks + +--- + dnscache.8 | 9 +++++++++ + tinydns.8 | 9 +++++++++ + 2 files changed, 18 insertions(+) + +diff --git a/dnscache.8 b/dnscache.8 +index 54fd357..38dab27 100644 +--- a/man/dnscache.8 ++++ b/man/dnscache.8 +@@ -116,6 +116,15 @@ for other caches, not root servers. + It forwards queries to those caches the same way that a client does, + rather than contacting a chain of servers according to NS records. + ++.B dnscache ++will use the value of ++.I $TRUNCATELEN ++as the cut-off for a UDP response. The standard value according to the ++RFC is 512 (bytes), but ++.I $TRUNCATELEN ++can be anywhere between 512 and 16384. This may be necessary to work ++around implementation bugs. ++ + .SH Memory use + + .B dnscache +diff --git a/tinydns.8 b/tinydns.8 +index ff92edd..bc991dd 100644 +--- a/man/tinydns.8 ++++ b/man/tinydns.8 +@@ -47,6 +47,15 @@ as specified by + a binary file created by + .BR tinydns-data (8). + ++.B tinydns ++will use the value of ++.I $TRUNCATELEN ++as the cut-off for a UDP response. The standard value according to the ++RFC is 512 (bytes), but ++.I $TRUNCATELEN ++can be anywhere between 512 and 16384. This may be necessary to work ++around implementation bugs. ++ + .SH Further details + + .B tinydns +-- +2.41.0 + diff --git a/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-nov6.patch b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-nov6.patch new file mode 100644 index 000000000000..9f16531a5441 --- /dev/null +++ b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-nov6.patch 
@@ -0,0 +1,83 @@ +From: Jaco Kroon +Date: Tue, 24 Oct 2023 06:36:10 +0200 +Subject: [PATCH] dnscache: Enable larger truncation + +This variation conflicts with the IPv6 patch. + +This is a workaround for https://forum.mikrotik.com/viewtopic.php?t=200627 +where Mikrotik doesn't fall back if the UDP response is truncated. + +This is done by enabling larger (configurable) than 512 byte responses on UDP +such that Mikrotik doesn't have a need to revert to TCP. Since it's impossible +to truly know the maximum size of a DNS response trivially this is made +configurable and the upper limit is arbitrarily capped to 16KB. + +Signed-off-by: Jaco Kroon +diff -bru djbdns-1.05.o/dnscache.c djbdns-1.05/dnscache.c +--- djbdns-1.05.o/dnscache.c 2024-02-23 08:05:00.037623680 +0200 ++++ djbdns-1.05/dnscache.c 2024-02-23 08:18:26.320580927 +0200 +@@ -52,6 +52,7 @@ + static char buf[1024]; + uint64 numqueries = 0; + ++static unsigned int truncate_len = 512; + + static int udp53; + +@@ -77,7 +78,7 @@ + { + if (!u[j].active) return; + response_id(u[j].id); +- if (response_len > 512) response_tc(); ++ if (response_len > truncate_len) response_tc(); + socket_send4(udp53,response,response_len,u[j].ip,u[j].port); + log_querydone(&u[j].active,response_len); + u[j].active = 0; --uactive; +@@ -430,6 +431,15 @@ + if (!cache_init(cachesize)) + strerr_die3x(111,FATAL,"not enough memory for cache of size ",x); + ++ x = env_get("TRUNCATELEN"); ++ if (x) { ++ scan_ulong(x,&truncate_len); ++ if (truncate_len < 512) ++ truncate_len = 512; ++ if (truncate_len > 16384) ++ truncate_len = 16384; ++ } ++ + if (env_get("HIDETTL")) + response_hidettl(); + if (env_get("FORWARDONLY")) +diff -Nbrau djbdns-1.05.o/server.c djbdns-1.05/server.c +--- djbdns-1.05.o/server.c 2001-02-11 23:11:45.000000000 +0200 ++++ djbdns-1.05/server.c 2024-02-23 08:19:40.020855813 +0200 +@@ -83,6 +83,7 @@ + { + char *x; + int udp53; ++ unsigned int truncate_len = 512; + + x = env_get("IP"); + if (!x) +@@ -105,11 +106,19 @@ + + 
buffer_putsflush(buffer_2,starting); + ++ x = env_get("TRUNCATELEN"); ++ if (x) { ++ scan_ulong(x,&truncate_len); ++ if (truncate_len < 512) ++ truncate_len = 512; ++ if (truncate_len > 16384) ++ truncate_len = 16384; ++ } + for (;;) { + len = socket_recv4(udp53,buf,sizeof buf,ip,&port); + if (len < 0) continue; + if (!doit()) continue; +- if (response_len > 512) response_tc(); ++ if (response_len > truncate_len) response_tc(); + socket_send4(udp53,response,response_len,ip,port); + /* may block for buffer space; if it fails, too bad */ + } diff --git a/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-v6.patch b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-v6.patch new file mode 100644 index 000000000000..291ebe4f5c44 --- /dev/null +++ b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-v6.patch 
@@ -0,0 +1,87 @@ +From: Jaco Kroon +Date: Tue, 24 Oct 2023 06:36:10 +0200 +Subject: [PATCH] dnscache: Enable larger truncation + +This variation applies on top of the IPv6 patch. + +This is a workaround for https://forum.mikrotik.com/viewtopic.php?t=200627 +where Mikrotik doesn't fall back if the UDP response is truncated. + +This is done by enabling larger (configurable) than 512 byte responses on UDP +such that Mikrotik doesn't have a need to revert to TCP. Since it's impossible +to truly know the maximum size of a DNS response trivially this is made +configurable and the upper limit is arbitrarily capped to 16KB. + +Signed-off-by: Jaco Kroon +diff -bru djbdns-1.05.o/dnscache.c djbdns-1.05/dnscache.c +--- a/dnscache.c 2023-10-20 00:34:15.788688135 +0200 ++++ b/dnscache.c 2023-10-20 00:46:55.030355147 +0200 +@@ -58,6 +58,7 @@ + static char buf[1024]; + uint64 numqueries = 0; + ++static unsigned int truncate_len = 512; + + static int udp53; + +@@ -84,7 +85,7 @@ + { + if (!u[j].active) return; + response_id(u[j].id); +- if (response_len > 512) response_tc(); ++ if (response_len > truncate_len) response_tc(); + socket_send6(udp53,response,response_len,u[j].ip,u[j].port,u[j].scope_id); + log_querydone(&u[j].active,response_len); + u[j].active = 0; --uactive; +@@ -449,6 +450,15 @@ + if (!cache_init(cachesize)) + strerr_die3x(111,FATAL,"not enough memory for cache of size ",x); + ++ x = env_get("TRUNCATELEN"); ++ if (x) { ++ scan_ulong(x,&truncate_len); ++ if (truncate_len < 512) ++ truncate_len = 512; ++ if (truncate_len > 16384) ++ truncate_len = 16384; ++ } ++ + if (openreadclose("ignoreip",&sa,64) < 0) + strerr_die2x(111,FATAL,"trouble reading ignoreip"); + for(j = k = i = 0; i < sa.len; i++) +Only in djbdns-1.05/: .dnscache.c.swp +diff -bru djbdns-1.05.o/server.c djbdns-1.05/server.c +--- djbdns-1.05.o/server.c 2023-10-20 00:34:15.778688116 +0200 ++++ djbdns-1.05/server.c 2023-10-20 00:43:31.519954643 +0200 +@@ -94,6 +94,7 @@ + int *udp53; + unsigned int off; + 
unsigned int cnt; ++ unsigned int truncate_len = 512; + iopause_fd *iop; + + x = env_get("IP"); +@@ -154,6 +155,14 @@ + + buffer_putsflush(buffer_2,starting); + ++ x = env_get("TRUNCATELEN"); ++ if (x) { ++ scan_ulong(x,&truncate_len); ++ if (truncate_len < 512) ++ truncate_len = 512; ++ if (truncate_len > 16384) ++ truncate_len = 16384; ++ } + for (;;) { + struct taia stamp; + struct taia deadline; +@@ -168,7 +177,7 @@ + len = socket_recv6(udp53[i],buf,sizeof buf,ip,&port,&ifid); + if (len < 0) continue; + if (!doit()) continue; +- if (response_len > 512) response_tc(); ++ if (response_len > truncate_len) response_tc(); + socket_send6(udp53[i],response,response_len,ip,port,ifid); + /* may block for buffer space; if it fails, too bad */ + }
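Review bot: In the src_prepare() block of the new djbdns-1.05-r39.ebuild, `PATCHES=(${PATCHES[@]} ...)` re-expands the existing array unquoted, so any element containing whitespace or glob characters would be word-split or globbed; the idiomatic form in both the ipv6 and non-ipv6 branches is `PATCHES+=( ... )`, which also avoids restating the array. The DOC_CONTENTS readme in the same file tells the user how to configure dnscache and tinydns but never mentions the new TRUNCATELEN variable, which is the one thing this revision adds; a line pointing at dnscache(8) and tinydns(8) for it would help.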
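Review bot: The dnscache.8 hunk in the manpages patch documents TRUNCATELEN only as a workaround and leaves out the trade-off the operator needs to weigh: a UDP answer larger than 512 bytes sent to a client that did not advertise a larger buffer via EDNS0 exceeds what RFC 1035 permits, answers above the path MTU get fragmented and are commonly dropped by middleboxes, and a cache that will emit up to 16384 bytes per UDP query is a proportionally larger reflection/amplification source if it ever answers spoofed queries. Suggest adding one sentence to that effect in both the dnscache.8 and tinydns.8 hunks, together with advice to use the smallest value that fixes the affected client.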
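Review bot: In the nov6 patch's dnscache.c hunk at `@@ -430,6 +431,15 @@`, `scan_ulong(x,&truncate_len);` passes a pointer to the `static unsigned int truncate_len` introduced in the `@@ -52,6 +52,7 @@` hunk, but djbdns' `scan_ulong` takes an `unsigned long *`. On the LP64 targets in KEYWORDS (amd64, ppc64, sparc) that stores 8 bytes into a 4-byte object and clobbers whichever static object the linker placed next to it, and recent GCC rejects the incompatible pointer type outright. Declare it `static unsigned long truncate_len = 512;`, or scan into a local `unsigned long` and assign after clamping. The clamp itself is sound: a non-numeric value makes `scan_ulong` store 0, which the `< 512` branch raises back to 512.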
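Review bot: The nov6 server.c hunk at `@@ -105,11 +106,19 @@` has the same `scan_ulong` into `unsigned int truncate_len` mismatch, this time on a stack variable declared in the `@@ -83,6 +83,7 @@` hunk, so the extra bytes land on a neighbouring local; make it `unsigned long`. Separately, server.c is the UDP loop shared by tinydns, walldns, rbldns and pickdns, so all four now honour TRUNCATELEN, whereas the commit message says only dnscache is affected and only tinydns.8 is updated; either the text and man pages should cover the other daemons or the parsing should move into the one program it is meant for.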
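Review bot: The v6 patch's dnscache.c section ends with a stray `Only in djbdns-1.05/: .dnscache.c.swp` line left over from running diff against a tree with an editor swap file open; `patch` discards it as garbage, but it should not be in the committed file. The `@@ -449,6 +450,15 @@` hunk above it repeats the `scan_ulong`/`unsigned int` mismatch noted for the nov6 variant and needs the same `unsigned long` declaration in the `@@ -58,6 +58,7 @@` hunk.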
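Review bot: The v6 server.c hunk at `@@ -154,6 +155,14 @@` is the fourth verbatim copy of the nine-line TRUNCATELEN parse-and-clamp block (the others are in both dnscache.c variants and in nov6 server.c), and like the others it scans an `unsigned long` into the `unsigned int truncate_len` added at `@@ -94,6 +94,7 @@`. A small helper in response.c, which every daemon here already links against (a hypothetical `response_truncatelen_init()` reading the variable and returning the clamped value), would keep the 512/16384 bounds in one place and turn the type fix into a single change rather than four.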