Bug 211282 - EDNS is globally enabled, crashing CheckPoint FW-1
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: bind
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Adam Tkac
Ben Levenson
Keywords: FutureFeature, Patch
Depends On:
Blocks: 213630
Reported: 2006-10-18 10:07 EDT by Giuseppe Paterno
Modified: 2013-04-30 19:34 EDT
Fixed In Version: RHBA-2007-0743
Doc Type: Enhancement
Last Closed: 2007-11-15 11:03:32 EST
Attachments
Patch for EDNS global option (4.04 KB, patch)
2006-10-18 10:07 EDT, Giuseppe Paterno
PCAP with the problem (100 bytes, application/octet-stream)
2006-10-18 10:08 EDT, Giuseppe Paterno
proposed patch (3.53 KB, patch)
2006-11-02 07:22 EST, Martin Stransky
proposed patch for RHEL-4 (bind-9.2.4) (3.23 KB, patch)
2007-01-03 05:45 EST, Martin Stransky
Description Giuseppe Paterno 2006-10-18 10:07:36 EDT
Description of problem:
Bind 9.2.4 16.EL4

configured as a caching nameserver. It sends EDNS packets to the root nameservers:
most of them reply with a "format error". Trace as follows:

-------------------------------------------------------------------------------------------
No.     Time        Delta       Source                Destination           Protocol Info
     18 0.513475    0.111514    212.77.0.2            10.41.0.64            DNS      Standard query response, Format error

Frame 18 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:0b:fc:90:ab:fc (00:0b:fc:90:ab:fc), Dst: 00:13:21:6b:ea:53 (00:13:21:6b:ea:53)
Internet Protocol, Src: 212.77.0.2 (212.77.0.2), Dst: 10.41.0.64 (10.41.0.64)
User Datagram Protocol, Src Port: 53 (53), Dst Port: 51959 (51959)
Domain Name System (response)
    Transaction ID: 0xddda
    Flags: 0x8091 (Standard query response, Format error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... .... 0001 = Reply code: Format error (1)
    Questions: 0
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0

0000  00 13 21 6b ea 53 00 0b fc 90 ab fc 08 00 45 00   ..!k.S........E.
0010  00 28 e0 34 00 00 12 11 e9 d8 d4 4d 00 02 0a 29   .(.4.......M...)
0020  00 40 00 35 ca f7 00 14 f7 74 dd da 80 91 00 00   .@.5.....t......
0030  00 00 00 00 00 00 00 00 00 00 00 00               ............

-------------------------------------------------------------------------------------------

This behaviour, although not as high-impact as other DNS issues, creates
log entries in CheckPoint FW-1, resulting in a FW-1 crash!

In Bind 9 you can turn EDNS off for a specific server, but not globally. The
suggested patch makes it available globally.
http://wilmer.gaast.net/downloads/bind-9.3-edns-global.diff

Pcap trace available upon request.
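As an added illustration (not part of the report or of the attached patch): a small parser that takes the 12-byte FORMERR reply quoted above together with a constructed EDNS query, checks whether the query carried an OPT RR, and turns the resulting "FORMERR to EDNS" matches into the per-server `edns no;` clauses that BIND 9 already supports, which is the per-server switch the reporter contrasts with a global one. The query bytes, the `classify`/`edns_no_servers` helpers and the 4096-byte OPT buffer size are assumptions made for the example.

```python
import struct

# DNS payload of the reply in the trace (frame offset 0x2a): id 0xddda, flags 0x8091, all counts 0.
FORMERR_REPLY = bytes.fromhex("ddda80910000000000000000")

# Constructed EDNS query such a reply answers: root NS question plus an OPT RR
# (owner ".", type 41, class = advertised UDP buffer 4096). Not taken from the capture.
EDNS_QUERY = (struct.pack(">HHHHHH", 0xDDDA, 0, 1, 0, 0, 1)
              + b"\x00" + struct.pack(">HH", 2, 1)          # question: ". NS IN"
              + b"\x00" + struct.pack(">HHIH", 41, 4096, 0, 0))  # OPT RR, empty RDATA
PLAIN_QUERY = struct.pack(">HHHHHH", 0xDDDA, 0, 1, 0, 0, 0) + b"\x00" + struct.pack(">HH", 2, 1)

def parse_header(msg):
    """Decode the fixed DNS header; RCODE is the low 4 bits of the flags (1 = FORMERR)."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": ident, "qr": (flags >> 15) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "rrcount": an + ns + ar}

def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def has_opt_rr(msg):
    """True if any resource record in the message is an OPT (type 41) pseudo-RR, i.e. EDNS."""
    hdr, off = parse_header(msg), 12
    for _ in range(hdr["qdcount"]):
        off = _skip_name(msg, off) + 4   # QTYPE + QCLASS
    for _ in range(hdr["rrcount"]):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 41:
            return True
        off += 10 + rdlen
    return False

def classify(query, reply):
    """Label a query/reply pair; 'edns-formerr' means the FORMERR is explained by the OPT RR."""
    q, r = parse_header(query), parse_header(reply)
    if q["id"] != r["id"] or not r["qr"]:
        return "unmatched"
    if r["rcode"] == 1:
        return "edns-formerr" if has_opt_rr(query) else "formerr"
    return "ok"

def edns_no_servers(pairs):
    """pairs: (server_ip, query, reply). Returns BIND 9 per-server clauses disabling EDNS."""
    bad = sorted({ip for ip, q, r in pairs if classify(q, r) == "edns-formerr"})
    return ["server %s { edns no; };" % ip for ip in bad]
```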
Comment 1 Giuseppe Paterno 2006-10-18 10:07:36 EDT
Created attachment 138786 [details]
Patch for EDNS global option
Comment 2 Giuseppe Paterno 2006-10-18 10:08:50 EDT
Created attachment 138787 [details]
PCAP with the problem

The pcap file with the DNS edns format error
Comment 3 Martin Stransky 2006-10-23 07:21:37 EDT
okay, thanks for the report, I'll check it.
Comment 4 Martin Stransky 2006-10-31 04:30:45 EST
This patch is quite clear so I don't have any objections.
Comment 7 Martin Stransky 2006-11-02 07:22:38 EST
Created attachment 140113 [details]
proposed patch
Comment 8 Martin Stransky 2006-11-02 07:26:55 EST
applied in devel/FC6
Comment 15 Martin Stransky 2007-01-03 05:45:20 EST
Created attachment 144690 [details]
proposed patch for RHEL-4 (bind-9.2.4)

A backported patch for RHEL-4 package (bind-9.2.4)
Comment 16 RHEL Product and Program Management 2007-03-09 19:56:08 EST
This bugzilla had previously been approved for engineering
consideration but Red Hat Product Management is currently reevaluating
this issue for inclusion in RHEL4.6.
Comment 21 errata-xmlrpc 2007-11-15 11:03:32 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0743.html
