net-dns/djbdns: new revision with configurable UDP response limit

This new revision allows the user to set TRUNCATELEN in the environment to a value between 512 (per the RFC) and 16384. This affects only the dnscache daemon and is useful in some cases to work around implementation bugs; for example, https://forum.mikrotik.com/viewtopic.php?t=200627 Thanks to Jaco Kroon for the patches. Closes: https://bugs.gentoo.org/916209 Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
author: Michael Orlitzky <mjo@gentoo.org> 2024-02-24 07:07:59 -0500
committer: Michael Orlitzky <mjo@gentoo.org> 2024-02-24 07:32:24 -0500
commit: 9c51d1e85c83c2c1af71f61cc2f003374ca902c9 (patch)
tree: cd71ca76b4288e506115a1a325aae43686e8d5ce /net-dns
parent: dev-libs/libisofs: QA, sync with other libburnia packages (diff)
download: gentoo-9c51d1e85c83c2c1af71f61cc2f003374ca902c9.tar.gz
gentoo-9c51d1e85c83c2c1af71f61cc2f003374ca902c9.tar.bz2
gentoo-9c51d1e85c83c2c1af71f61cc2f003374ca902c9.zip
4 files changed, 359 insertions, 0 deletions
diff --git a/net-dns/djbdns/djbdns-1.05-r39.ebuild b/net-dns/djbdns/djbdns-1.05-r39.ebuild
new file mode 100644
index 000000000000..2801d37b2612
--- /dev/null
+++ b/net-dns/djbdns/djbdns-1.05-r39.ebuild
@@ -0,0 +1,136 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit readme.gentoo-r1 toolchain-funcs
+
+DESCRIPTION="Collection of DNS client/server software"
+HOMEPAGE="https://cr.yp.to/djbdns.html"
+IPV6_PATCH="test32"
+
+SRC_URI="http://cr.yp.to/djbdns/${P}.tar.gz
+	http://smarden.org/pape/djb/manpages/${P}-man.tar.gz
+	ipv6? ( http://www.fefe.de/dns/${P}-${IPV6_PATCH}.diff.xz )"
+
+SLOT="0"
+LICENSE="public-domain"
+KEYWORDS="~alpha ~amd64 ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86"
+IUSE="ipv6 selinux"
+
+RDEPEND="
+	acct-user/dnscache
+	acct-user/dnslog
+	acct-user/tinydns
+	sys-apps/ucspi-tcp
+	virtual/daemontools
+	selinux? ( sec-policy/selinux-djbdns )"
+
+src_unpack() {
+	# Unpack both djbdns and its man pages to separate directories.
+	default
+
+	# Now move the man pages under ${S} so that user patches can be
+	# applied to them as well in src_prepare().
+	mv "${PN}-man" "${P}/man" || die "failed to transplant man pages"
+}
+
+PATCHES=(
+	"${FILESDIR}/dnsroots.patch"
+	"${FILESDIR}/dnstracesort.patch"
+	"${FILESDIR}/string_length_255.patch"
+	"${FILESDIR}/srv_record_support.patch"
+	"${FILESDIR}/increase-cname-recustion-depth.patch"
+	"${FILESDIR}/CVE2009-0858_0001-check-response-domain-name-length.patch"
+	"${FILESDIR}/CVE2012-1191_0001-ghost-domain-attack.patch"
+	"${FILESDIR}/AR-and-RANLIB-support.patch"
+	"${FILESDIR}/tinydns-softlimit.patch"
+	"${FILESDIR}/${PN}-dnscache-configurable-truncate-manpages.patch"
+)
+
+src_prepare() {
+	if use ipv6; then
+		PATCHES=(${PATCHES[@]}
+			# The big ipv6 patch.
+			"${WORKDIR}/${P}-${IPV6_PATCH}.diff"
+			# Fix CVE2008-4392 (ipv6)
+			"${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test32.patch"
+			"${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records-ipv6-test29.patch"
+			"${FILESDIR}/${PN}-dnscache-configurable-truncate-size-v6.patch"
+		)
+	else
+		PATCHES=(${PATCHES[@]}
+			# Fix CVE2008-4392 (no ipv6)
+			"${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-r1.patch"
+			"${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records.patch"
+			# Later versions of the ipv6 patch include this
+			"${FILESDIR}/${PV}-errno-r1.patch"
+			"${FILESDIR}/${PN}-dnscache-configurable-truncate-size-nov6.patch"
+		)
+	fi
+
+	default
+
+	# Change "head -X" to the posix-compatible "head -nX" within the
+	# Makefile. We do this with sed instead of a patch because the ipv6
+	# patch uses some of the surrounding lines; we'd need two versions
+	# of the patch.
+	sed -i Makefile \
+		-e 's/head[[:space:]]\{1,\}\-\([0-9]\{1,\}\)/head -n\1/g' \
+		|| die 'failed to sed head in the Makefile'
+}
+
+src_compile() {
+	echo "$(tc-getCC) ${CFLAGS}" > conf-cc || die
+	echo "$(tc-getCC) ${LDFLAGS}" > conf-ld || die
+	echo "/usr" > conf-home || die
+	emake AR=$(tc-getAR) RANLIB=$(tc-getRANLIB)
+}
+
+src_install() {
+	insinto /etc
+	doins dnsroots.global
+
+	into /usr
+	dobin *-conf dnscache tinydns walldns rbldns pickdns axfrdns \
+		*-get *-data *-edit dnsip dnsipq dnsname dnstxt dnsmx \
+		dnsfilter random-ip dnsqr dnsq dnstrace dnstracesort
+
+	if use ipv6; then
+		dobin dnsip6 dnsip6q
+	fi
+
+	dodoc CHANGES README
+
+	doman man/*.[158]
+
+	readme.gentoo_create_doc
+}
+
+DISABLE_AUTOFORMATTING=1
+DOC_CONTENTS='
+To configure djbdns, please follow the instructions at,
+
+	http://cr.yp.to/djbdns.html
+
+Of particular interest are,
+
+	axfrdns : http://cr.yp.to/djbdns/axfrdns-conf.html
+	dnscache: http://cr.yp.to/djbdns/run-cache-x-home.html
+	tinydns : http://cr.yp.to/djbdns/run-server.html
+
+Portage has created users for axfrdns, dnscache, and tinydns; the
+commands to configure these programs are,
+
+	1. axfrdns-conf tinydns dnslog /var/axfrdns /var/tinydns $ip
+	2. dnscache-conf dnscache dnslog /var/dnscache $ip
+	3. tinydns-conf tinydns dnslog /var/tinydns $ip
+
+(replace $ip with the ip address on which the server will run).
+
+If you wish to configure rbldns or walldns, you will need to create
+those users yourself (although you should still use the "dnslog"
+user for the logs):
+
+	4. rbldns-conf $username dnslog /var/rbldns $ip $base
+	5. walldns-conf $username dnslog /var/walldns $ip
+'
diff --git a/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-manpages.patch b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-manpages.patch
new file mode 100644
index 000000000000..0b022299ab1c
--- /dev/null
+++ b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-manpages.patch
@@ -0,0 +1,53 @@
+From 927121fa9afe047009a2502491d1c7000871b45c Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Wed, 25 Oct 2023 19:28:50 -0400
+Subject: [PATCH] dnscache.8,tinydns.8: document TRUNCATELEN hack for microtiks
+
+---
+ dnscache.8 | 9 +++++++++
+ tinydns.8  | 9 +++++++++
+ 2 files changed, 18 insertions(+)
+
+diff --git a/dnscache.8 b/dnscache.8
+index 54fd357..38dab27 100644
+--- a/man/dnscache.8
++++ b/man/dnscache.8
+@@ -116,6 +116,15 @@ for other caches, not root servers.
+ It forwards queries to those caches the same way that a client does,
+ rather than contacting a chain of servers according to NS records.
+ 
++.B dnscache
++will use the value of
++.I $TRUNCATELEN
++as the cut-off for a UDP response. The standard value according to the
++RFC is 512 (bytes), but
++.I $TRUNCATELEN
++can be anywhere between 512 and 16384. This may be necessary to work
++around implementation bugs.
++
+ .SH Memory use
+ 
+ .B dnscache
+diff --git a/tinydns.8 b/tinydns.8
+index ff92edd..bc991dd 100644
+--- a/man/tinydns.8
++++ b/man/tinydns.8
+@@ -47,6 +47,15 @@ as specified by
+ a binary file created by
+ .BR tinydns-data (8).
+ 
++.B tinydns
++will use the value of
++.I $TRUNCATELEN
++as the cut-off for a UDP response. The standard value according to the
++RFC is 512 (bytes), but
++.I $TRUNCATELEN
++can be anywhere between 512 and 16384. This may be necessary to work
++around implementation bugs.
++
+ .SH Further details
+ 
+ .B tinydns
+-- 
+2.41.0
+
diff --git a/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-nov6.patch b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-nov6.patch
new file mode 100644
index 000000000000..9f16531a5441
--- /dev/null
+++ b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-nov6.patch
@@ -0,0 +1,83 @@
+From: Jaco Kroon <jaco@uls.co.za>
+Date: Tue, 24 Oct 2023 06:36:10 +0200
+Subject: [PATCH] dnscache: Enable larger truncation
+
+This variation conflicts with the IPv6 patch.
+
+This is a workaround for https://forum.mikrotik.com/viewtopic.php?t=200627
+where Mikrotik doesn't fall back if the UDP response is truncated.
+
+This is done by enabling larger (configurable) than 512 byte responses on UDP
+such that Mikrotik doesn't have a need to revert to TCP.  Since it's impossible
+to truly know the maximum size of a DNS response trivially this is made
+configurable and the upper limit is arbitrarily capped to 16KB.
+
+Signed-off-by: Jaco Kroon <jaco@uls.co.za>
+diff -bru djbdns-1.05.o/dnscache.c djbdns-1.05/dnscache.c
+--- djbdns-1.05.o/dnscache.c	2024-02-23 08:05:00.037623680 +0200
++++ djbdns-1.05/dnscache.c	2024-02-23 08:18:26.320580927 +0200
+@@ -52,6 +52,7 @@
+ static char buf[1024];
+ uint64 numqueries = 0;
+ 
++static unsigned int truncate_len = 512;
+ 
+ static int udp53;
+ 
+@@ -77,7 +78,7 @@
+ {
+   if (!u[j].active) return;
+   response_id(u[j].id);
+-  if (response_len > 512) response_tc();
++  if (response_len > truncate_len) response_tc();
+   socket_send4(udp53,response,response_len,u[j].ip,u[j].port);
+   log_querydone(&u[j].active,response_len);
+   u[j].active = 0; --uactive;
+@@ -430,6 +431,15 @@
+   if (!cache_init(cachesize))
+     strerr_die3x(111,FATAL,"not enough memory for cache of size ",x);
+ 
++  x = env_get("TRUNCATELEN");
++  if (x) {
++    scan_ulong(x,&truncate_len);
++    if (truncate_len < 512)
++      truncate_len = 512;
++    if (truncate_len > 16384)
++      truncate_len = 16384;
++  }
++
+   if (env_get("HIDETTL"))
+     response_hidettl();
+   if (env_get("FORWARDONLY"))
+diff -Nbrau djbdns-1.05.o/server.c djbdns-1.05/server.c
+--- djbdns-1.05.o/server.c	2001-02-11 23:11:45.000000000 +0200
++++ djbdns-1.05/server.c	2024-02-23 08:19:40.020855813 +0200
+@@ -83,6 +83,7 @@
+ {
+   char *x;
+   int udp53;
++  unsigned int truncate_len = 512;
+ 
+   x = env_get("IP");
+   if (!x)
+@@ -105,11 +106,19 @@
+ 
+   buffer_putsflush(buffer_2,starting);
+ 
++  x = env_get("TRUNCATELEN");
++  if (x) {
++    scan_ulong(x,&truncate_len);
++    if (truncate_len < 512)
++      truncate_len = 512;
++    if (truncate_len > 16384)
++      truncate_len = 16384;
++  }
+   for (;;) {
+     len = socket_recv4(udp53,buf,sizeof buf,ip,&port);
+     if (len < 0) continue;
+     if (!doit()) continue;
+-    if (response_len > 512) response_tc();
++    if (response_len > truncate_len) response_tc();
+     socket_send4(udp53,response,response_len,ip,port);
+     /* may block for buffer space; if it fails, too bad */
+   }
diff --git a/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-v6.patch b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-v6.patch
new file mode 100644
index 000000000000..291ebe4f5c44
--- /dev/null
+++ b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-v6.patch
@@ -0,0 +1,87 @@
+From: Jaco Kroon <jaco@uls.co.za>
+Date: Tue, 24 Oct 2023 06:36:10 +0200
+Subject: [PATCH] dnscache: Enable larger truncation
+
+This variation applies on top of the IPv6 patch.
+
+This is a workaround for https://forum.mikrotik.com/viewtopic.php?t=200627
+where Mikrotik doesn't fall back if the UDP response is truncated.
+
+This is done by enabling larger (configurable) than 512 byte responses on UDP
+such that Mikrotik doesn't have a need to revert to TCP.  Since it's impossible
+to truly know the maximum size of a DNS response trivially this is made
+configurable and the upper limit is arbitrarily capped to 16KB.
+
+Signed-off-by: Jaco Kroon <jaco@uls.co.za>
+diff -bru djbdns-1.05.o/dnscache.c djbdns-1.05/dnscache.c
+--- a/dnscache.c	2023-10-20 00:34:15.788688135 +0200
++++ b/dnscache.c	2023-10-20 00:46:55.030355147 +0200
+@@ -58,6 +58,7 @@
+ static char buf[1024];
+ uint64 numqueries = 0;
+ 
++static unsigned int truncate_len = 512;
+ 
+ static int udp53;
+ 
+@@ -84,7 +85,7 @@
+ {
+   if (!u[j].active) return;
+   response_id(u[j].id);
+-  if (response_len > 512) response_tc();
++  if (response_len > truncate_len) response_tc();
+   socket_send6(udp53,response,response_len,u[j].ip,u[j].port,u[j].scope_id);
+   log_querydone(&u[j].active,response_len);
+   u[j].active = 0; --uactive;
+@@ -449,6 +450,15 @@
+   if (!cache_init(cachesize))
+     strerr_die3x(111,FATAL,"not enough memory for cache of size ",x);
+ 
++  x = env_get("TRUNCATELEN");
++  if (x) {
++    scan_ulong(x,&truncate_len);
++    if (truncate_len < 512)
++      truncate_len = 512;
++    if (truncate_len > 16384)
++      truncate_len = 16384;
++  }
++
+   if (openreadclose("ignoreip",&sa,64) < 0) 
+     strerr_die2x(111,FATAL,"trouble reading ignoreip");
+   for(j = k = i = 0; i < sa.len; i++)
+Only in djbdns-1.05/: .dnscache.c.swp
+diff -bru djbdns-1.05.o/server.c djbdns-1.05/server.c
+--- djbdns-1.05.o/server.c	2023-10-20 00:34:15.778688116 +0200
++++ djbdns-1.05/server.c	2023-10-20 00:43:31.519954643 +0200
+@@ -94,6 +94,7 @@
+   int *udp53;
+   unsigned int off;
+   unsigned int cnt;
++  unsigned int truncate_len = 512;
+   iopause_fd *iop;
+ 
+   x = env_get("IP");
+@@ -154,6 +155,14 @@
+ 
+   buffer_putsflush(buffer_2,starting);
+ 
++  x = env_get("TRUNCATELEN");
++  if (x) {
++    scan_ulong(x,&truncate_len);
++    if (truncate_len < 512)
++      truncate_len = 512;
++    if (truncate_len > 16384)
++      truncate_len = 16384;
++  }
+   for (;;) {
+     struct taia stamp;
+     struct taia deadline;
+@@ -168,7 +177,7 @@
+ 	len = socket_recv6(udp53[i],buf,sizeof buf,ip,&port,&ifid);
+ 	if (len < 0) continue;
+ 	if (!doit()) continue;
+-	if (response_len > 512) response_tc();
++	if (response_len > truncate_len) response_tc();
+ 	socket_send6(udp53[i],response,response_len,ip,port,ifid);
+ 	/* may block for buffer space; if it fails, too bad */
+       }
author	Michael Orlitzky <mjo@gentoo.org>	2024-02-24 07:07:59 -0500
committer	Michael Orlitzky <mjo@gentoo.org>	2024-02-24 07:32:24 -0500
commit	9c51d1e85c83c2c1af71f61cc2f003374ca902c9 (patch)
tree	cd71ca76b4288e506115a1a325aae43686e8d5ce /net-dns
parent	dev-libs/libisofs: QA, sync with other libburnia packages (diff)
download	gentoo-9c51d1e85c83c2c1af71f61cc2f003374ca902c9.tar.gz gentoo-9c51d1e85c83c2c1af71f61cc2f003374ca902c9.tar.bz2 gentoo-9c51d1e85c83c2c1af71f61cc2f003374ca902c9.zip