Bug 572848

Summary: bind repeatedly requests DNSKEY records after getting responses with unknown keys
Product: Red Hat Enterprise Linux 5 Reporter: Adam Tkac <atkac>
Component: bindAssignee: Martin Cermak <mcermak>
Status: CLOSED ERRATA QA Contact: Martin Cermak <mcermak>
Severity: medium Docs Contact:
Priority: low    
Version: 5.6CC: amessina, antonio, atkac, azelinka, fnadge, ovasik, pwouters
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Previously, the named demon, configured as recursive nameserver, could have continuously asked for missing DNSKEY keys which could have caused a Distributed Denial of Service on authoritative servers for a particular domain. With this update, when DNSKEY of a domain cannot be fetched, the named demon caches it and asks again.
 Story Points: ---
Clone Of: 556366
: 572850 (view as bug list) Environment:
Last Closed: 2011-01-13 22:26:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 556366    
Bug Blocks: 572850    

Description Adam Tkac 2010-03-12 07:44:00 UTC 
+++ This bug was initially created as a clone of Bug #556366 +++

Description of problem:
In bug 556365 I reported how as the dnssec reverse zone keys were not up to date, bind was generating a lot of unwanted messages. To copy a bit from that report:

-----
I noticed that bind had begun to generate thousands of messages like this in /var/log/messages:
Jan 17 20:07:47 localhost named[1521]: no valid KEY resolving '80.in-addr.arpa/DNSKEY/IN': 202.12.29.59#53

In fact, in little over 24 hours I had 240,000 of these messages, all for
different reverse zones, and bind was chewing through a surprising amount of
bandwidth. This was prompted solely by the occasional reverse lookup by sshd.

It seems bind forgets it has no valid key and just repeatedly tries to request DNSKEY's for the same reverse zones from the same servers. For example, for just the 80.in-addr zone, in 24 hours bind retried the DNSKEY query almost 2000 times for each of 9 DNS servers (nearly 18000 retries in total)! Multiply this by the number of reverse zones with keys and this becomes fairly annoying. I'm almost surprised that I didn't receive a complaint from my ISP.
-----

Version: bind-9.6.1-13.P2.fc12.x86_64

I don't really understand how DNSSEC works, so please excuse me if I'm wrong, but this is what I think is happening:
- bind sends a DNSKEY request for a particular reverse zone
- bind receives a response, but it is signed with a key that bind doesn't know

Now, bind shouldn't stop trying after the first response with an unknown key, since otherwise a third party malicious host may be able to forge responses with bad keys so that bind would give up in its search for the DNSKEY.

However, is there a point at which, after a number of responses with unknown keys (and not a single response for that zone with a known key), bind should decide to wait a period of time before trying that zone again?

I hope that makes some amount of sense.
Comment 7 Florian Nadge 2010-10-11 13:52:38 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, the named demon, configured as recursive nameserver, could have continuously asked for missing DNSKEY keys which could have caused a Distributed Denial of Service on authoritative servers for a particular domain. With this update, when DNSKEY of a domain cannot be fetched, the named demon caches it and asks again.
Comment 10 Martin Cermak 2010-10-20 15:48:46 UTC 
=> VERIFIED
Comment 14 errata-xmlrpc 2011-01-13 22:26:00 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0032.html