misc/47024: named DNSSEC validation is broken in default install

To: misc-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: misc/47024: named DNSSEC validation is broken in default install
From: Taylor R Campbell <campbell+netbsd%mumble.net@localhost>
Date: Mon, 1 Oct 2012 02:15:01 +0000 (UTC)

>Number:         47024
>Category:       misc
>Synopsis:       named DNSSEC validation is broken in default install
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    misc-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Oct 01 02:15:00 +0000 2012
>Originator:     Taylor R Campbell <campbell+netbsd%mumble.net@localhost>
>Release:        NetBSD 6.99.11
>Organization:
>Environment:
Architecture: i386
Machine: i386
>Description:

        There is no directory /etc/namedb/keys, but the named.conf we
        ship says to use it for BIND's managed-keys.  Thus, when BIND
        launches and tries to store managed-keys.bind there, it fails
        and consequently decides not to do DNSSEC validation.

        If you additionally set named_chrootdir=/var/chroot/named, then
        everything is hunky-dory.  But the afterboot(8) man page
        doesn't mention it, let alone recommend it, and the rc.conf(5)
        man page doesn't indicate that it has any important
        consequences other than running unprivileged or chrooted.

>How-To-Repeat:

        In a fresh install, set named=YES in /etc/rc.conf and start
        named.  Watch error messages fly by about failing to write to
        /etc/namedb/keys/managed-keys.frotz, and watch named fail to do
        DNSSEC validation.

>Fix:

        Yes, please!

        The naive easy thing to do would be to create /etc/namedb/keys
        in src/etc/mtree/NetBSD.dist.base or similar.  However, if we
        did that, then named -- which runs as root if you don't set a
        chroot directory -- would create root-owned files there, and
        subsequently setting

                named_chrootdir=/var/chroot/named

        in /etc/rc.conf would trigger /etc/rc.d/named's migration of
        /etc/namedb to /var/chroot/named/etc/namedb resulting in
        root-owned files in /var/chroot/named/etc/namedb/keys, which I
        expect would break the managed-keys stuff -- although you might
        not notice this for months or years until the root zone's key
        rolls over.  That doesn't seem like a good state of affairs.

        We could additionally change named_migrate in /etc/rc.d/named
        to `chown -R named:named $dst', but that might not be right
        either -- the operator may want a compromised named to be
        unable to edit /var/chroot/named/etc.

        We could set named_chrootdir=/var/chroot/named by default in
        /etc/defaults/rc.conf so that in all new installations, named
        runs chrooted and unprivileged.  I don't know any negative
        consequences to this, but for old installations we'd still have
        the problem that migrating /etc/namedb could either quietly
        make DNSSEC validation break a long time from now or open
        security holes.

        It would be nice to fix this for NetBSD 6 so that any new
        installations would get working DNSSEC validation, but this
        looks a bit hairy to solve on short notice.

Prev by Date: Re: toolchain/46827 (Cannot build the kernel, even Generic.)
Next by Date: PR/41760 CVS commit: src/libexec/ld.elf_so
Previous by Thread: Re: toolchain/46827 (Cannot build the kernel, even Generic.)
Next by Thread: PR/41760 CVS commit: src/libexec/ld.elf_so
Indexes:

Home | Main Index | Thread Index | Old Index