8677508 2002-07-02 00:33 -0400  /38 rader/ Tim Gladding <tim@gladding.com>
Sänt av: joel@lysator.liu.se
Importerad: 2002-07-02  21:24  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <22915>
Ärende: BIND 9.2.1 patch, multiple RR's for singleton types.
------------------------------------------------------------
From: Tim Gladding <tim@gladding.com>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33L2.0207012310170.3589-200000@xena.spodnet.org>

With the release of the libbind buffer overflow a number of people
have suggested loading a copy of BIND locally and pointing your local
resolver at just that name server, providing a sanity check of all
incoming DNS traffic.  For the most part this will work, however, for
it to work effectively you must be using BIND 9.x because BIND 8.x
does not reconstruct all responses before forwarding them on.

For more information on the libbind buffer overflow bug please see:
http://www.cert.org/advisories/CA-2002-19.html

However, your situation may preclude you from running BIND 9 either
locally or at the site level.  One such situation would be that you
are already running BIND 8 and you have zones loaded that will not
load in to BIND 9 because they have multiple resource records
assigned to one singleton data type.  For example, an A record
pointing to a list of CNAMES:

	fuzzy	IN	CNAME	www.snuggie.com.
		IN	CNAME	www.r-9.net.

Normally BIND 9 would reject this as part of a zone.

To overcome this particular problem I have produced the attached
patch(1) to BIND 9.2.1 which, when applied, will again allow you to
use multiple CNAMEs etc. on one RR.  This patch is the equivalent of
the 'multiple-cnames yes;' option in bind 8.x.

WARNING!!  Although I am running this patch in a production
environment I cannot guarantee that this patch will work for you.
Please be sure to double check the functionality of this patch before
employing it in any environment!!

-- 
Tim Gladding
(8677508) /Tim Gladding <tim@gladding.com>/(Ombruten)
Bilaga (text/plain) i text 8677509
Kommentar i text 8678073 av Jim Reid <jim@rfc1035.com>
8677509 2002-07-02 00:33 -0400  /38 rader/ Tim Gladding <tim@gladding.com>
Bilagans filnamn: "rdataslab.c.patch"
Importerad: 2002-07-02  21:24  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <22916>
Bilaga (text/plain) till text 8677508
Ärende: Bilaga (rdataslab.c.patch) till: BIND 9.2.1 patch, multiple RR's for singleton types.
------------------------------------------------------------
--- bind-9.2.1/lib/dns/rdataslab.c.orig	Tue Jan  9 16:51:25 2001
+++ bind-9.2.1/lib/dns/rdataslab.c	Mon Jul  1 22:49:19 2002
@@ -111,14 +111,14 @@
 	/*
 	 * Ensure that singleton types are actually singletons.
 	 */
-	if (nitems > 1 && dns_rdatatype_issingleton(rdataset->type)) {
+	/* if (nitems > 1 && dns_rdatatype_issingleton(rdataset->type)) { */
 		/*
 		 * We have a singleton type, but there's more than one
 		 * RR in the rdataset.
 		 */
-		result = DNS_R_SINGLETON;
+		/* result = DNS_R_SINGLETON;
 		goto free_rdatas;
-	}
+	} */
 
 	/*
 	 * Allocate the memory, set up a buffer, start copying in
@@ -310,13 +310,13 @@
 	/*
 	 * Ensure that singleton types are actually singletons.
 	 */
-	if (tcount > 1 && dns_rdatatype_issingleton(type)) {
+	/* if (tcount > 1 && dns_rdatatype_issingleton(type)) { */
 		/*
 		 * We have a singleton type, but there's more than one
 		 * RR in the rdataset.
 		 */
-		return (DNS_R_SINGLETON);
-	}
+		/* return (DNS_R_SINGLETON);
+	} */
 
 	/*
 	 * Copy the reserved area from the new slab.
(8677509) /Tim Gladding <tim@gladding.com>/---------
8678073 2002-07-02 20:49 +0100  /59 rader/ Jim Reid <jim@rfc1035.com>
Sänt av: joel@lysator.liu.se
Importerad: 2002-07-03  00:02  av Brevbäraren
Extern mottagare: Tim Gladding <tim@gladding.com>
Extern kopiemottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <22927>
Kommentar till text 8677508 av Tim Gladding <tim@gladding.com>
Ärende: Re: BIND 9.2.1 patch, multiple RR's for singleton types.
------------------------------------------------------------
From: Jim Reid <jim@rfc1035.com>
To: Tim Gladding <tim@gladding.com>
Cc: bugtraq@securityfocus.com
Message-ID: <14589.1025639383@gromit.rfc1035.com>

>>>>> "Tim" == Tim Gladding <tim@gladding.com> writes:

    Tim> However, your situation may preclude you from running BIND 9
    Tim> either locally or at the site level.  One such situation
    Tim> would be that you are already running BIND 8 and you have
    Tim> zones loaded that will not load in to BIND 9 because they
    Tim> have multiple resource records assigned to one singleton data
    Tim> type.  For example, an A record pointing to a list of CNAMES:

    Tim> 	fuzzy IN CNAME www.snuggie.com.
    Tim>              IN CNAME www.r-9.net.

    Tim> Normally BIND 9 would reject this as part of a zone.

Correct. And that's the way it should be. RFC1034 is very clear that
multiple CNAMEs are illegal. I quote:

	If a CNAME RR is present at a node, no other data should be
	present; this ensures that the data for a canonical name and
	its aliases cannot be different.  This rule also insures that
	a cached CNAME can be used without checking with an
	authoritative server for other RR types. 

And before any DNS pedants chime in, this rule has been relaxed in
RFC2181 so that when DNSSEC is in use, a CNAME may have KEY, SIG or
NXT records.

    Tim> To overcome this particular problem I have produced the
    Tim> attached patch(1) to BIND 9.2.1 which, when applied, will
    Tim> again allow you to use multiple CNAMEs etc. on one RR.  This
    Tim> patch is the equivalent of the 'multiple-cnames yes;' option
    Tim> in bind 8.x.

This is a very unwise thing to do and I strongly recommend against
applying this patch. It will cause more problems than it apparently
"solves". Aside from creating a name server that violates RFC1034, the
patch needlessly creates an interoperability and software maintenance
nightmare. What if your slave (secondary) servers reject these illegal
multiple CNAMEs? What happens when the next BIND9 release comes along?
What if somebody else in your organisation installs it and they're
unaware of this special patch? Your patches miss a few things too:
like the code that parses named.conf or the documentation. For BIND9
the documentation does an accurate job of describing the code and it's
not nice to introduce gratuitous discrepancies.

The real solution to the question you pose is to fix the underlying
problem at source (forgive the pun). Get rid of the illegal multiple
CNAMEs. For the example above, just provide two A records for fuzzie
that have the IP addresses of www.snuggie.com and ww.r-9.net. And put
some comments in the zone file and version control logs explaining
what these RRs are for and why they are there. This will save another
maintenance headache for your eventual successor.
(8678073) /Jim Reid <jim@rfc1035.com>/--------------
Kommentar i text 8687624 av der Mouse <mouse@Rodents.Montreal.QC.CA>
Kommentar i text 8689223 av Tim Gladding <tim@gladding.com>
8687624 2002-07-04 09:54 -0400  /31 rader/ der Mouse <mouse@Rodents.Montreal.QC.CA>
Sänt av: joel@lysator.liu.se
Importerad: 2002-07-04  21:12  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <22957>
Kommentar till text 8678073 av Jim Reid <jim@rfc1035.com>
Ärende: Re: BIND 9.2.1 patch, multiple RR's for singleton types.
------------------------------------------------------------
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
To: bugtraq@securityfocus.com
Message-ID: <200207041354.JAA21105@Sparkle.Rodents.Montreal.QC.CA>

>> 	fuzzy IN CNAME www.snuggie.com.
>>            IN CNAME www.r-9.net.

> The real solution to the question you pose is to fix the underlying
> problem at source (forgive the pun).  Get rid of the illegal multiple
> CNAMEs.  For the example above, just provide two A records for fuzzie
> that have the IP addresses of www.snuggie.com and ww.r-9.net.  And
> put some comments in the zone file and version control logs
> explaining what these RRs are for and why they are there.  This will
> save another maintenance headache for your eventual successor.

While creating a maintenance headache whenever www.snuggie.com and/or
www.r-9.net happen to modify the list of addresses they resolve to.

This "solution" creates problems of its own; it is no more a "real
solution" than the other.  The only real benefit I can see to it is
that it doesn't involve fixing the underlying lack and thus requires
no effort from the rest of the world, and even that is a benefit only
to that "rest of the world", not to the person you are offering it as
a "solution" to.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
(8687624) /der Mouse <mouse@Rodents.Montreal.QC.CA>/(Ombruten)
8689223 2002-07-03 09:00 -0400  /120 rader/ Tim Gladding <tim@gladding.com>
Sänt av: joel@lysator.liu.se
Importerad: 2002-07-05  08:56  av Brevbäraren
Extern mottagare: Jim Reid <jim@rfc1035.com>
Extern kopiemottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <22960>
Kommentar till text 8678073 av Jim Reid <jim@rfc1035.com>
Ärende: Re: BIND 9.2.1 patch, multiple RR's for singleton types.
------------------------------------------------------------
From: Tim Gladding <tim@gladding.com>
To: Jim Reid <jim@rfc1035.com>
Cc: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33L2.0207030829510.3589-100000@xena.spodnet.org>

On Tue, 2 Jul 2002, Jim Reid wrote:

> >>>>> "Tim" == Tim Gladding <tim@gladding.com> writes:
>
>     Tim> However, your situation may preclude you from running BIND 9
>     Tim> either locally or at the site level.  One such situation
>     Tim> would be that you are already running BIND 8 and you have
>     Tim> zones loaded that will not load in to BIND 9 because they
>     Tim> have multiple resource records assigned to one singleton data
>     Tim> type.  For example, an A record pointing to a list of CNAMES:
>
>     Tim> 	fuzzy IN CNAME www.snuggie.com.
>     Tim>              IN CNAME www.r-9.net.
>
>     Tim> Normally BIND 9 would reject this as part of a zone.
>
> Correct. And that's the way it should be. RFC1034 is very clear that
> multiple CNAMEs are illegal.

You're missing the point!

>     Tim> To overcome this particular problem I have produced the
>     Tim> attached patch(1) to BIND 9.2.1 which, when applied, will
>     Tim> again allow you to use multiple CNAMEs etc. on one RR.  This
>     Tim> patch is the equivalent of the 'multiple-cnames yes;' option
>     Tim> in bind 8.x.
>
> This is a very unwise thing to do and I strongly recommend against
> applying this patch. It will cause more problems than it apparently
> "solves". Aside from creating a name server that violates RFC1034, the
> patch needlessly creates an interoperability and software maintenance
> nightmare. What if your slave (secondary) servers reject these illegal
> multiple CNAMEs? What happens when the next BIND9 release comes along?
> What if somebody else in your organisation installs it and they're
> unaware of this special patch? Your patches miss a few things too:
> like the code that parses named.conf or the documentation. For BIND9
> the documentation does an accurate job of describing the code and it's
> not nice to introduce gratuitous discrepancies.

Yeah, all very real and valid points, however, my patch is a quick,
dirty, messy, throw it up now and fix 'em all later solution to the
underlying problem that is multiple vulnerable resolvers living on
your network of which not all will be patched in time for the holiday
weekend because vendors just aren't coming out with the patches fast
enough.

Let's say you have 1,000 hosts of which only about half can be
patched at the moment (remember, you can't just drop BIND 8.3.3's
libbind on every piece of network equipment that does dns
resolution), and 20 name servers currently running BIND 8.  You want
to protect those remaining 500 hosts by putting BIND 9 between them
and the world but you can't simply run BIND 9 because you have
possibly hundreds of zone files created by a huge number of people
dating back several years, a number of which break RFC1034, to load.
Sure, you can and SHOULD fix the errors in your zone files but are
you going to be able to complete this task between now and the
holiday weekend.. or are you planning to stay in the office through
Monday?  or perhaps you'd rather just leave those 500 hosts exposed
to the world and pray that no-one figures out where you are and that
you are still using a vulnerable resolver?

In short.. yeah I know it breaks RFC1034, yeah I know you should fix
your zone files instead, however, given the choice I'd rather have a
holiday weekend with secure hosts sitting behind my patched BIND 9
servers!  It's up to you, and judging by the number of mails I've
received saying 'thanks!' or 'that's great but my mail server blocked
your attachment, please please please send it to me!', the people
agree :)

Which reminds me, because lots of people were not able to receive the
attachment, here is the patch again included.. enjoy!

Tim Gladding

******************************************************************************

--- bind-9.2.1/lib/dns/rdataslab.c.orig	Tue Jan  9 16:51:25 2001
+++ bind-9.2.1/lib/dns/rdataslab.c	Mon Jul  1 22:49:19 2002
@@ -111,14 +111,14 @@
 	/*
 	 * Ensure that singleton types are actually singletons.
 	 */
-	if (nitems > 1 && dns_rdatatype_issingleton(rdataset->type)) {
+	/* if (nitems > 1 && dns_rdatatype_issingleton(rdataset->type)) { */
 		/*
 		 * We have a singleton type, but there's more than one
 		 * RR in the rdataset.
 		 */
-		result = DNS_R_SINGLETON;
+		/* result = DNS_R_SINGLETON;
 		goto free_rdatas;
-	}
+	} */

 	/*
 	 * Allocate the memory, set up a buffer, start copying in
@@ -310,13 +310,13 @@
 	/*
 	 * Ensure that singleton types are actually singletons.
 	 */
-	if (tcount > 1 && dns_rdatatype_issingleton(type)) {
+	/* if (tcount > 1 && dns_rdatatype_issingleton(type)) { */
 		/*
 		 * We have a singleton type, but there's more than one
 		 * RR in the rdataset.
 		 */
-		return (DNS_R_SINGLETON);
-	}
+		/* return (DNS_R_SINGLETON);
+	} */

 	/*
 	 * Copy the reserved area from the new slab.

******************************************************************************
(8689223) /Tim Gladding <tim@gladding.com>/(Ombruten)
Kommentar i text 8691737 av Aaron C. Newman <aaron@newman-family.com>