pdns-recursor backported patch

CVE-2018-14644.patch

+Description: CVE-2018-14644
+ A remote attacker sending a DNS query for a meta-type like OPT can lead to a
+ zone being wrongly cached as failing DNSSEC validation. It only arises if the
+ parent zone is signed, and all the authoritative servers for that parent zone
+ answer with FORMERR to a query for at least one of the meta-types. As a result,
+ subsequent queries from clients requesting DNSSEC validation will be answered
+ with a ServFail.
+
+---
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://downloads.powerdns.com/patches/2018-07/CVE-2018-14644-rec-4.0.8.patch
+Bug-Debian: https://bugs.debian.org/913162
+Last-Update: 2018-11-30
+
+Index: pdns-recursor-3.6.2/syncres.cc
+===================================================================
+--- pdns-recursor-3.6.2.orig/syncres.cc
++++ pdns-recursor-3.6.2/syncres.cc
+@@ -84,6 +84,18 @@ SyncRes::SyncRes(const struct timeval& n
+ /** everything begins here - this is the entry point just after receiving a packet */
+ int SyncRes::beginResolve(const string &qname, const QType &qtype, uint16_t qclass, vector<DNSResourceRecord>&ret)
+ {
++  /* rfc6895 section 3.1 + RRSIG and NSEC3 */
++  static std::set<uint16_t> metaTypes;
++  metaTypes.insert(QType::AXFR);
++  metaTypes.insert(QType::IXFR);
++  metaTypes.insert(QType::RRSIG);
++  metaTypes.insert(QType::NSEC3);
++  metaTypes.insert(QType::OPT);
++  metaTypes.insert(QType::TSIG);
++  metaTypes.insert(QType::TKEY);
++  metaTypes.insert(QType::MAILA);
++  metaTypes.insert(QType::MAILB);
++
+   s_queries++;
+   
+   if( (qtype.getCode() == QType::AXFR)) 
+@@ -121,7 +133,11 @@ int SyncRes::beginResolve(const string &
+     ret.push_back(rr);
+     return 0;
+   }
+-  
++
++   if (metaTypes.count(qtype.getCode())) {
++      return -1;
++  }
++
+   if(qclass==QClass::ANY)
+     qclass=QClass::IN;
+   else if(qclass!=QClass::IN)
+@@ -332,7 +348,7 @@ int SyncRes::asyncresolveWrapper(const C
+       }
+     }
+     else if(mode==EDNSStatus::UNKNOWN || mode==EDNSStatus::EDNSPINGOK || mode == EDNSStatus::EDNSIGNORANT ) {
+-      if(res->d_rcode == RCode::FormErr)  {
++      if(!res->d_haveEDNS && (res->d_rcode == RCode::FormErr || res->d_rcode == RCode::NotImp)) {
+         //        cerr<<"Downgrading to EDNSNOPING because of FORMERR!"<<endl);
+         mode = EDNSStatus::EDNSNOPING;
+         continue;
+@@ -357,7 +373,7 @@ int SyncRes::asyncresolveWrapper(const C
+       }
+     }
+     else if(mode==EDNSStatus::EDNSNOPING) {
+-      if(res->d_rcode == RCode::FormErr) {
++      if(!res->d_haveEDNS && (res->d_rcode == RCode::FormErr || res->d_rcode == RCode::NotImp)) {
+         //                cerr<<"Downgrading to mode 4, FORMERR!"<<endl);
+         mode = EDNSStatus::NOEDNS;
+         continue;
+Index: pdns-recursor-3.6.2/qtype.hh
+===================================================================
+--- pdns-recursor-3.6.2.orig/qtype.hh
++++ pdns-recursor-3.6.2/qtype.hh
+@@ -82,7 +82,7 @@ public:
+ #undef DS
+   enum typeenum {A=1, NS=2, CNAME=5, SOA=6, MR=9, PTR=12, HINFO=13, MX=15, TXT=16, RP=17, AFSDB=18, SIG=24, KEY=25, AAAA=28, LOC=29, SRV=33, NAPTR=35, KX=36,
+ 		 CERT=37, A6=38, DNAME=39, OPT=41, DS=43, SSHFP=44, IPSECKEY=45, RRSIG=46, NSEC=47, DNSKEY=48, DHCID=49, NSEC3=50, NSEC3PARAM=51,
+-     TLSA=52, SPF=99, EUI48=108, EUI64=109, TSIG=250, IXFR=251, AXFR=252, MAILB=253, MAILA=254, ANY=255, URL=256, MBOXFW=257, CURL=258, ADDR=259, DLV=32769} types;
++     TLSA=52, SPF=99, EUI48=108, EUI64=109, TKEY=249, TSIG=250, IXFR=251, AXFR=252, MAILB=253, MAILA=254, ANY=255, URL=256, MBOXFW=257, CURL=258, ADDR=259, DLV=32769} types;
+   typedef pair<string,uint16_t> namenum;
+   static vector<namenum> names;
+ 
+@@ -156,6 +156,7 @@ private:
+       qtype_insert("SPF", 99);
+       qtype_insert("EUI48", 108);
+       qtype_insert("EUI64", 109);
++      qtype_insert("TKEY", 249);
+ //      qtype_insert("TSIG", 250);
+       qtype_insert("IXFR", 251);
+       qtype_insert("AXFR", 252);