Bug 211282 - EDNS is globally enabled, crashing CheckPoint FW-1
Summary: EDNS is globally enabled, crashing CheckPoint FW-1
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: bind
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Adam Tkac
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: 213630
Reported: 2006-10-18 14:07 UTC by Giuseppe Paterno
Modified: 2013-04-30 23:34 UTC (History)

Fixed In Version: RHBA-2007-0743
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-11-15 16:03:32 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch for EDNS global option (4.04 KB, patch) - 2006-10-18 14:07 UTC, Giuseppe Paterno
PCAP with the problem (100 bytes, application/octet-stream) - 2006-10-18 14:08 UTC, Giuseppe Paterno
proposed patch (3.53 KB, patch) - 2006-11-02 12:22 UTC, Martin Stransky
proposed patch for RHEL-4 (bind-9.2.4) (3.23 KB, patch) - 2007-01-03 10:45 UTC, Martin Stransky


Links
Red Hat Product Errata RHBA-2007:0743 (priority normal, status SHIPPED_LIVE): bind bug fix and enhancement update, last updated 2007-11-14 17:08:35 UTC

Description Giuseppe Paterno 2006-10-18 14:07:36 UTC
Description of problem:
Bind 9.2.4 16.EL4

configured as a caching nameserver. It sends EDNS packets to the root nameservers:
most of them reply with a "format error". Trace as follows:

-------------------------------------------------------------------------------------------
No.     Time        Delta       Source                Destination           Protocol Info
     18 0.513475    0.111514    212.77.0.2            10.41.0.64            DNS      Standard query response, Format error

Frame 18 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:0b:fc:90:ab:fc (00:0b:fc:90:ab:fc), Dst: 00:13:21:6b:ea:53 (00:13:21:6b:ea:53)
Internet Protocol, Src: 212.77.0.2 (212.77.0.2), Dst: 10.41.0.64 (10.41.0.64)
User Datagram Protocol, Src Port: 53 (53), Dst Port: 51959 (51959)
Domain Name System (response)
    Transaction ID: 0xddda
    Flags: 0x8091 (Standard query response, Format error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... .... 0001 = Reply code: Format error (1)
    Questions: 0
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0

0000  00 13 21 6b ea 53 00 0b fc 90 ab fc 08 00 45 00   ..!k.S........E.
0010  00 28 e0 34 00 00 12 11 e9 d8 d4 4d 00 02 0a 29   .(.4.......M...)
0020  00 40 00 35 ca f7 00 14 f7 74 dd da 80 91 00 00   .@.5.....t......
0030  00 00 00 00 00 00 00 00 00 00 00 00               ............

-------------------------------------------------------------------------------------------

This behaviour, although not as high-impact as other DNS issues, creates
log entries in CheckPoint FW-1, resulting in an FW-1 crash!

In BIND 9 you can turn EDNS off for a specific server, but not globally. The
suggested patch makes it available globally.
http://wilmer.gaast.net/downloads/bind-9.3-edns-global.diff

Pcap trace available upon request.
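
As an added example (not from the bug report or the BIND project), the following Python decodes the frame quoted in the description, confirms it is a FORMERR reply from 212.77.0.2, and pairs it with a constructed EDNS query (an OPT pseudo-RR in the additional section, which is what triggers the format error on servers that do not speak EDNS) to flag the server for BIND 9's existing per-server `edns no` workaround. The query name (the root zone) and the matching transaction ID are assumptions, since only the reply is captured on the page.

```python
import struct
# Hex dump of the root-server reply quoted in the bug report (offsets and ASCII column dropped).
FRAME_HEX = """
00 13 21 6b ea 53 00 0b fc 90 ab fc 08 00 45 00
00 28 e0 34 00 00 12 11 e9 d8 d4 4d 00 02 0a 29
00 40 00 35 ca f7 00 14 f7 74 dd da 80 91 00 00
00 00 00 00 00 00 00 00 00 00 00 00
"""
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
OPT = 41  # RR type of the EDNS OPT pseudo-record (RFC 2671)

def parse_dns_header(payload):
    """Decode the fixed 12-byte DNS header into its fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {"id": txid, "flags": flags, "qr": flags >> 15, "rcode": flags & 0xF,
            "rcode_name": RCODES.get(flags & 0xF, "?"),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def parse_frame(hexdump):
    """Ethernet II + IPv4 + UDP + DNS header; returns addresses, ports and the DNS header."""
    frame = bytes.fromhex("".join(hexdump.split()))
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    ip, udp_off = frame[14:14 + ihl], 14 + ihl
    sport, dport = struct.unpack("!HH", frame[udp_off:udp_off + 4])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "dns": parse_dns_header(frame[udp_off + 8:])}

def build_edns_query(txid, name, udp_size=4096):
    """Constructed minimal A/IN query with an OPT pseudo-RR in the additional section."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 additional
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)  # root name, TYPE=41, CLASS=UDP size, TTL=0, RDLEN=0
    return header + question + opt

def query_carries_opt(query):
    """True when the query's last RR is an OPT record with empty RDATA (as built above)."""
    return parse_dns_header(query)["arcount"] > 0 and query[-10:-8] == struct.pack("!H", OPT)

def edns_unsupported_server(query, response_hexdump):
    """Return the answering server's IP when it replied FORMERR to an EDNS query, else None."""
    resp = parse_frame(response_hexdump)
    hdr = resp["dns"]
    matched = hdr["id"] == parse_dns_header(query)["id"] and hdr["qr"] == 1
    if query_carries_opt(query) and matched and hdr["rcode_name"] == "FORMERR":
        return resp["src"]                        # candidate for a per-server edns no stanza
    return None

def bind_server_stanza(ip):
    """Per-server workaround BIND 9 already offers; the bug asks for a global equivalent."""
    return "server %s { edns no; };" % ip
```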

Comment 1 Giuseppe Paterno 2006-10-18 14:07:36 UTC
Created attachment 138786 [details]
Patch for EDNS global option

Comment 2 Giuseppe Paterno 2006-10-18 14:08:50 UTC
Created attachment 138787 [details]
PCAP with the problem

The pcap file with the DNS edns format error

Comment 3 Martin Stransky 2006-10-23 11:21:37 UTC
okay, thanks for the report, I'll check it.

Comment 4 Martin Stransky 2006-10-31 09:30:45 UTC
This patch is quite clear so I don't have any objections.

Comment 7 Martin Stransky 2006-11-02 12:22:38 UTC
Created attachment 140113 [details]
proposed patch

Comment 8 Martin Stransky 2006-11-02 12:26:55 UTC
applied in devel/FC6

Comment 15 Martin Stransky 2007-01-03 10:45:20 UTC
Created attachment 144690 [details]
proposed patch for RHEL-4 (bind-9.2.4)

A backported patch for the RHEL-4 package (bind-9.2.4)

Comment 16 RHEL Program Management 2007-03-10 00:56:08 UTC
This bugzilla had previously been approved for engineering
consideration but Red Hat Product Management is currently reevaluating
this issue for inclusion in RHEL4.6.

Comment 21 errata-xmlrpc 2007-11-15 16:03:32 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0743.html