NetBSD-Bugs archive
bin/53845: "bad cookie" in authoritative DNS server since bind 9.12 import
>Number: 53845
>Category: bin
>Synopsis: "bad cookie" in authoritative DNS server since bind 9.12 import
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jan 08 21:55:00 +0000 2019
>Originator: Anthony Mallet
>Release: -current
>Organization:
>Environment:
NetBSD 8.99.25: Fri Nov 9 00:44:50 CET 2018
>Description:
Since the import of bind 9.12, I am getting loads of "bad cookie from ..." syslog messages from my recursive named resolver. This delays all requests a lot (and sometimes even leads to a SERVFAIL).
I figured out that this comes from the CPPFLAGS used to build
bind/lib/dns/resolver.c (and probably other files as well).
Looking at bind/include/config.h, line #153
https://github.com/NetBSD/src/blob/trunk/external/mpl/bind/include/config.h#L153
it can be seen that NetBSD does _not_ define AES_CC.
However, the file bind/dist/lib/dns/resolver.c, line #2211
https://github.com/NetBSD/src/blob/trunk/external/mpl/bind/dist/lib/dns/resolver.c#L2211
defines the "compute_cc" function according to this #define AES_CC
(in a rather awful way IMHO, but anyway).
This compute_cc is used at line #7657 to set cc_bad=1 if the expected "edns cookie" does not match the response.
https://github.com/NetBSD/src/blob/trunk/external/mpl/bind/dist/lib/dns/resolver.c#L7657
And cc_bad is checked at line #7135 to display the infamous "bad cookie from ..." message.
https://github.com/NetBSD/src/blob/trunk/external/mpl/bind/dist/lib/dns/resolver.c#L7135
The attached patch adds a hardcoded CPPFLAGS+=-DAES_CC to the global bind Makefile. I'm not sure if this is the proper way to fix this (e.g. why is the #define AES_CC disabled in bind/include/config.h for NetBSD?). It still fixes the issue for me.
Also, I'm wondering how it works if the "cookie-algorithm" is set to something other than AES in named.conf (e.g. sha256), but I could check that my patch still works in this case.
So, if someone could have a look at this and either commit the patch or find "the right fix", my DNS and I would be very grateful! :)
>How-To-Repeat:
Set up recent named (9.12) as a recursive resolver.
Query any host, e.g.:
# host example.com
and watch /var/log/named for "bad cookie" messages.
>Fix:
Index: Makefile.inc
===================================================================
RCS file: /cvsroot/src/external/mpl/bind/Makefile.inc,v
retrieving revision 1.2
diff -u -r1.2 Makefile.inc
--- Makefile.inc 16 Aug 2018 16:34:33 -0000 1.2
+++ Makefile.inc 8 Jan 2019 21:42:42 -0000
@@ -50,6 +50,7 @@
CPPFLAGS+= -DWANT_IPV6
CPPFLAGS+= -DALLOW_FILTER_AAAA
.endif
+CPPFLAGS+= -DAES_CC
.if defined(HAVE_GCC)
COPTS+= -Wno-pointer-sign
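Review bot: the added `CPPFLAGS+= -DAES_CC` line is unconditional and carries no comment, while the description says the same symbol is deliberately left undefined in bind/include/config.h; since compute_cc in resolver.c keys off that define, the two build inputs now disagree and the reason for the override is invisible to whoever next regenerates config.h. Suggest either defining AES_CC in bind/include/config.h alongside the other feature macros, or keeping this line with a comment citing PR bin/53845 and the missing config.h define, and in either case confirming that named still validates cookies when cookie-algorithm is set to something other than aes, which the description raises as an open question.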