1. kresd/y.qmail.jp/4
An attempt to show (by patch) that Kashpureff-style attacks are easy to defend against.
Small modifications to lib/layer/iterate.c and rrcache.c -- ToshinoriMaeno 2016-04-13 03:59:03
2. Modifications to kresd
- A records that accompany out-of-zone NS names cannot be trusted, so discard them.
- Do not add them to the zone cut information.
- Do not keep additional-section records in the rrcache either.
- Deciding when it is safe to keep them was tedious, so that was deferred and glue is not put into the cache at all for now.
- In principle this should cause no problems, but it should make name resolution under net/com fail. It did fail in practice, which confirmed that the earlier supposition was correct.
- This is worked around by registering several hosts such as *.nstld.com in /etc/hosts.
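The bailiwick rule behind the modifications above, as an added example (not kresd's code and not the page's patch): RR, canon, accept_additional and the two referrals are constructed here, and the names and addresses in them are placeholders. It shows both the strict check the page deferred (keep only glue for NS names inside the zone cut) and the behaviour the patch actually has (skip all glue), which is why the root's legitimate gtld-servers.net glue is dropped too and net/com resolution then depends on /etc/hosts.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    owner: str   # owner name in presentation form (trailing dot optional)
    rtype: str   # "NS", "A" or "AAAA"
    rdata: str   # NS target name, or an address

def canon(name: str) -> str:
    """Lower-case, strip the trailing dot; the root becomes ''."""
    return name.lower().rstrip(".")

def in_bailiwick(owner: str, zone_cut: str) -> bool:
    """True if owner is at or below zone_cut on a label boundary."""
    o, c = canon(owner), canon(zone_cut)
    return c == "" or o == c or o.endswith("." + c)

def accept_additional(zone_cut, authority, additional, keep_glue):
    """Split a referral's additional section into (accepted, dropped).

    zone_cut   : zone the referring server answered for (its bailiwick)
    keep_glue  : False = the patch as implemented on the page (every glue
                 record is skipped); True = the stricter rule it deferred,
                 which keeps glue only for NS names inside zone_cut.
    """
    ns_names = {canon(rr.rdata) for rr in authority if rr.rtype == "NS"}
    accepted, dropped = [], []
    for rr in additional:
        is_glue = rr.rtype in ("A", "AAAA") and canon(rr.owner) in ns_names
        if keep_glue and is_glue and in_bailiwick(rr.owner, zone_cut):
            accepted.append(rr)
        else:
            dropped.append(rr)  # out of bailiwick, not glue, or glue disabled
    return accepted, dropped

# Constructed referrals; addresses are documentation placeholders, not real.
# jp. delegating qmail.jp.: the second address record names a host outside
# jp., the kind of record a Kashpureff-style response tries to plant.
JP_REFERRAL = dict(
    zone_cut="jp.",
    authority=[RR("qmail.jp.", "NS", "ns1.qmail.jp."),
               RR("qmail.jp.", "NS", "ns.example.com.")],
    additional=[RR("ns1.qmail.jp.", "A", "192.0.2.1"),
                RR("ns.example.com.", "A", "203.0.113.9")])
# The root delegating com.: legitimate glue for an NS name under net.
COM_REFERRAL = dict(
    zone_cut=".",
    authority=[RR("com.", "NS", "a.gtld-servers.net.")],
    additional=[RR("a.gtld-servers.net.", "A", "192.0.2.53")])
```

With keep_glue=False, accept_additional(**COM_REFERRAL) returns nothing accepted, which is the "stash_glue skip" seen in the log below for every root referral.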
Kresd has three kinds of storage mechanisms.
- rrcache : holds rrsets
- zone cuts : holds cuts
- pktcache : holds responses (?). Its purpose is not clear.
$ dig y.qmail.jp @127.0.0.3

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> y.qmail.jp @127.0.0.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14151
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;y.qmail.jp.			IN	A

;; Query time: 1028 msec
;; SERVER: 127.0.0.3#53(127.0.0.3)
;; WHEN: Wed Apr 13 20:09:33 JST 2016
;; MSG SIZE  rcvd: 39
> cachectl.clear()
true
> [plan] plan 'y.qmail.jp.' type 'A'
[resl] => using root hints
[resl] => querying: '202.12.27.33' score: 10 zone cut: '.' m12n: 'JP.' type: 'NS'
[resl] optional: '199.7.83.42' score: 10 zone cut: '.' m12n: 'JP.' type: 'NS'
[resl] optional: '193.0.14.129' score: 10 zone cut: '.' m12n: 'JP.' type: 'NS'
[resl] optional: '192.58.128.30' score: 10 zone cut: '.' m12n: 'JP.' type: 'NS'
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] <= referral response, follow
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[resl] <= server: '202.12.27.33' rtt: 6 ms
[resl] => querying: '203.119.40.1' score: 10 zone cut: 'jp.' m12n: 'QMaIL.jP.' type: 'NS'
[resl] optional: '150.100.6.8' score: 10 zone cut: 'jp.' m12n: 'QMaIL.jP.' type: 'NS'
[resl] optional: '192.50.43.53' score: 10 zone cut: 'jp.' m12n: 'QMaIL.jP.' type: 'NS'
[resl] optional: '210.138.175.244' score: 10 zone cut: 'jp.' m12n: 'QMaIL.jP.' type: 'NS'
[iter] fetching glue for cut
[iter] <= referral response, follow
[ rc ] XX stash_glue skip
[resl] <= server: '203.119.40.1' rtt: 6 ms
[resl] => querying: '14.192.44.5' score: 10 zone cut: 'qmail.jp.' m12n: 'y.qmAIL.JP.' type: 'A'
[iter] <= referral response, follow
[ rc ] XX stash_glue skip
[resl] <= server: '14.192.44.5' rtt: 10 ms
[plan] plan 'qmaily.e-ontap.com.' type 'AAAA'
[resl] => using root hints
[resl] => querying: '199.7.83.42' score: 10 zone cut: '.' m12n: 'cOm.' type: 'NS'
[resl] optional: '193.0.14.129' score: 10 zone cut: '.' m12n: 'cOm.' type: 'NS'
[resl] optional: '192.58.128.30' score: 10 zone cut: '.' m12n: 'cOm.' type: 'NS'
[resl] optional: '192.36.148.17' score: 10 zone cut: '.' m12n: 'cOm.' type: 'NS'
[iter] <= referral response, follow
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[resl] <= server: '199.7.83.42' rtt: 156 ms
[plan] plan 'm.gtld-servers.net.' type 'AAAA'
[resl] => using root hints
[resl] => querying: '193.0.14.129' score: 10 zone cut: '.' m12n: 'nET.' type: 'NS'
[resl] optional: '192.58.128.30' score: 10 zone cut: '.' m12n: 'nET.' type: 'NS'
[resl] optional: '192.36.148.17' score: 10 zone cut: '.' m12n: 'nET.' type: 'NS'
[resl] optional: '198.97.190.53' score: 10 zone cut: '.' m12n: 'nET.' type: 'NS'
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] <= referral response, follow
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[resl] <= server: '193.0.14.129' rtt: 6 ms
[resl] => querying: '192.55.83.30' score: 10 zone cut: 'net.' m12n: 'gTLD-serVErs.neT.' type: 'NS'
[resl] optional: '192.41.162.30' score: 10 zone cut: 'net.' m12n: 'gTLD-serVErs.neT.' type: 'NS'
[resl] optional: '192.52.178.30' score: 10 zone cut: 'net.' m12n: 'gTLD-serVErs.neT.' type: 'NS'
[resl] optional: '192.48.79.30' score: 10 zone cut: 'net.' m12n: 'gTLD-serVErs.neT.' type: 'NS'
[iter] <= referral response, follow
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[resl] <= server: '192.55.83.30' rtt: 81 ms
[plan] plan 'av4.nstld.com.' type 'AAAA'
[resl] => unresolvable NS address, bailing out
[plan] plan 'l.gtld-servers.net.' type 'AAAA'
[resl] => unresolvable NS address, bailing out
[plan] plan 'av3.nstld.com.' type 'AAAA'
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[plan] plan 'k.gtld-servers.net.' type 'AAAA'
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[plan] plan 'av2.nstld.com.' type 'AAAA'
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[plan] plan 'j.gtld-servers.net.' type 'AAAA'
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[plan] plan 'av1.nstld.com.' type 'AAAA'
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[plan] plan 'i.gtld-servers.net.' type 'AAAA'
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[resl] => no valid NS left
[plan] plan 'i.gtld-servers.net.' type 'A'
[hint] <= answered from hints
[iter] <= rcode: NOERROR
[resl] => querying: '192.43.172.30' score: 10 zone cut: 'com.' m12n: 'nStld.COM.' type: 'NS'
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] <= referral response, follow
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[resl] <= server: '192.43.172.30' rtt: 6 ms
[resl] => querying: '192.82.134.30' score: 10 zone cut: 'nstld.com.' m12n: 'av1.NSTld.coM.' type: 'AAAA'
[resl] optional: '192.82.133.30' score: 10 zone cut: 'nstld.com.' m12n: 'av1.NSTld.coM.' type: 'AAAA'
[resl] optional: '192.42.178.30' score: 10 zone cut: 'nstld.com.' m12n: 'av1.NSTld.coM.' type: 'AAAA'
[resl] optional: '192.42.177.30' score: 10 zone cut: 'nstld.com.' m12n: 'av1.NSTld.coM.' type: 'AAAA'
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] <= rcode: NOERROR
[resl] <= server: '192.82.134.30' rtt: 6 ms
[plan] plan 'av1.nstld.com.' type 'A'
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[plan] plan 'av1.nstld.com.' type 'AAAA'
[ rc ] => satisfied from rrcache
[iter] <= rcode: NOERROR
[plan] plan 'av1.nstld.com.' type 'A'
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[plan] plan 'h.gtld-servers.net.' type 'AAAA'
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[plan] plan 'av1.nstld.com.' type 'AAAA'
[ rc ] => satisfied from rrcache
[iter] <= rcode: NOERROR
[resl] => unresolvable NS address, bailing out
[resl] => no valid NS left
[plan] plan 'h.gtld-servers.net.' type 'A'
[hint] <= answered from hints
[iter] <= rcode: NOERROR
[resl] => querying: '192.54.112.30' score: 10 zone cut: 'com.' m12n: 'nStld.COm.' type: 'NS'
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] <= referral response, follow
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[resl] <= server: '192.54.112.30' rtt: 256 ms
[resl] => querying: '192.82.133.30' score: 10 zone cut: 'nstld.com.' m12n: 'aV1.nstlD.coM.' type: 'A'
[resl] optional: '192.42.178.30' score: 10 zone cut: 'nstld.com.' m12n: 'aV1.nstlD.coM.' type: 'A'
[resl] optional: '192.42.177.30' score: 10 zone cut: 'nstld.com.' m12n: 'aV1.nstlD.coM.' type: 'A'
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] <= rcode: NOERROR
[resl] <= server: '192.82.133.30' rtt: 6 ms
[ rc ] => satisfied from rrcache
[iter] <= rcode: NOERROR
[resl] => querying: '192.42.177.30' score: 10 zone cut: 'gtld-servers.net.' m12n: 'j.gtLd-sErvers.neT.' type: 'AAAA'
[iter] <= rcode: NOERROR
[ pc ] => answer cached for TTL=900
[resl] <= server: '192.42.177.30' rtt: 109 ms
[plan] plan 'j.gtld-servers.net.' type 'A'
[hint] <= answered from hints
[iter] <= rcode: NOERROR
[resl] => querying: '192.48.79.30' score: 10 zone cut: 'com.' m12n: 'NstlD.cOM.' type: 'NS'
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] <= referral response, follow
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[ rc ] XX stash_glue skip
[resl] <= server: '192.48.79.30' rtt: 59 ms
[resl] => querying: '192.42.178.30' score: 10 zone cut: 'nstld.com.' m12n: 'Av2.NsTld.coM.' type: 'AAAA'
[resl] optional: '192.42.177.30' score: 10 zone cut: 'nstld.com.' m12n: 'Av2.NsTld.coM.' type: 'AAAA'
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] <= rcode: NOERROR
[resl] <= server: '192.42.178.30' rtt: 154 ms
[plan] plan 'av2.nstld.com.' type 'A'
[resl] => unresolvable NS address, bailing out
[resl] => unresolvable NS address, bailing out
[plan] plan 'av1.nstld.com.' type 'AAAA'
[ rc ] => satisfied from rrcache
[iter] <= rcode: NOERROR
[plan] plan 'av1.nstld.com.' type 'A'
[ rc ] => satisfied from rrcache
[iter] <= rcode: NOERROR
[resl] => querying: '192.42.177.30' score: 109 zone cut: 'nstld.com.' m12n: 'aV2.nstLd.coM.' type: 'A'
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] fetching glue for cut
[iter] <= rcode: NOERROR
[resl] <= server: '192.42.177.30' rtt: 115 ms
[resl] => querying: '192.42.178.30' score: 154 zone cut: 'gtld-servers.net.' m12n: 'K.GTLd-SERVers.NeT.' type: 'AAAA'
[iter] <= rcode: NOERROR
[ pc ] => answer cached for TTL=900
[resl] <= server: '192.42.178.30' rtt: 168 ms
[plan] plan 'k.gtld-servers.net.' type 'A'
[hint] <= answered from hints
[iter] <= rcode: NOERROR
[resl] finished: 8, queries: 17, mempool: 49200 B