From: Eric Luehrsen Date: Thu, 9 Aug 2018 01:21:17 +0000 (-0400) Subject: unbound: log openssl-1.0.2 lacks TLS host verification X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=1cccacf359ab99ec26bfc66ebd0e0a27053bfcef;p=feed%2Fpackages.git unbound: log openssl-1.0.2 lacks TLS host verification ssl_set1_host() is not available without openssl-1.1.0. Unbound can not do host cert verification. DNS over TLS connects, but hosts are unverified. A patch for log err is added with a noitce in README.md. (see: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658) Also, squash some minor robustness and TLS usability fixes. Signed-off-by: Eric Luehrsen --- diff --git a/net/unbound/Makefile b/net/unbound/Makefile index b2c6d31f4e..72c4bfc48b 100644 --- a/net/unbound/Makefile +++ b/net/unbound/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unbound PKG_VERSION:=1.7.3 -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md index d22d566814..812d9a6076 100644 --- a/net/unbound/files/README.md +++ b/net/unbound/files/README.md @@ -166,11 +166,9 @@ config zone ``` ## HOW TO: TLS Over DNS -Unbound has the ability to be client and server in TLS mode. UCI can configure Unbound to be a client forwarding queries in TLS mode for selected domains. (Server is more complex to setup and needs to be done manually). This may be desired for privacy against stealth market tracking in some cases. Some public DNS servers seem to advertise help in this quest. +Unbound can use TLS as a client or server. UCI supports Unbound as a forwarding client with TLS. Servers are more complex and need manual configuration. This may be desired for privacy against stealth tracking. Some public DNS servers seem to advertise help in this quest. If your looking for a better understanding, then some information can be found at [Cloudflare](https://www.cloudflare.com/) DNS [1.1.1.1](https://1.1.1.1/). The following is a generic example. You can mix providers by using complete server specificaiton to override the zones common port and certificate domain index. -Unbound will make TLS connections without validation unless you install the 'ca-bundle' package. Do **not** however forget to maintain the certification bundle. The validation chain otherwise will expire and connections will go dead. Unbound makes and breaks TCP connections per connection. To reduce the lag from TLS handshaking it may help to use more cache memory `resource`, increase record exirations `ttl_min`, enable `aggressive` searching, or manually enable prefetch options. - -The following is a generic example. If your looking for a better understanding, then some information can be found at [Cloudflare](https://www.cloudflare.com/) DNS [1.1.1.1](https://1.1.1.1/) for one place. +**NOTICE:** Unbound requires openssl-1.1.0 to verify host certificates. OpenWrt at present is configured with openssl-1.0.2. Connections will be over TLS, but theoretically, certificates may not be from a trusted source. See report [Unbound #658](https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658). When this is resolved, it will be recommended again to install `ca-bundle`, maintain it, and be sure to include the TLS certificate domain index with the host addresses. **/etc/config/unbound**: ``` @@ -179,10 +177,14 @@ config zone # question: do you want to recurse when TLS fails or not? option fallback '0' option tls_index 'dns.example.net' + option tls_port '853' option tls_upstream '1' option zone_type 'forward_zone' + # these servers assume a common TLS port/index list server '192.0.2.53' list server '2001:db8::53' + # this alternate server is fully specified inline + list server '192.0.2.153@443#dns.alternate.example.org' list zone_name '.' ``` diff --git a/net/unbound/files/dnsmasq.sh b/net/unbound/files/dnsmasq.sh index 7ab77592dc..8eb1d03c6b 100644 --- a/net/unbound/files/dnsmasq.sh +++ b/net/unbound/files/dnsmasq.sh @@ -80,7 +80,7 @@ create_host_record() { case $ip in - fe80:*|169.254.*) + fe[89ab][0-9a-f]:*|169.254.*) debug_ip="$ip@$host" ;; diff --git a/net/unbound/files/iptools.sh b/net/unbound/files/iptools.sh index c2ec7a06b0..4919a9973c 100644 --- a/net/unbound/files/iptools.sh +++ b/net/unbound/files/iptools.sh @@ -124,6 +124,20 @@ valid_subnet4() { ############################################################################## +valid_subnet_any() { + local subnet=$1 + local validip4=$( valid_subnet4 $subnet ) + local validip6=$( valid_subnet6 $subnet ) + + + if [ "$validip4" = "ok" -o "$validip6" = "ok" ] ; then + echo "ok" + else + echo "not" + fi +} +############################################################################## + private_subnet() { case "$1" in 10"."*) echo "ok" ;; diff --git a/net/unbound/files/unbound.init b/net/unbound/files/unbound.init index ff827c4f04..c908399648 100755 --- a/net/unbound/files/unbound.init +++ b/net/unbound/files/unbound.init @@ -64,10 +64,9 @@ service_triggers() { if [ ! -f "$UB_TOTAL_CONF" -o -n "$UB_BOOT" ] ; then # Unbound is can be a bit heavy, so wait some on first start but any # interface coming up affects the trigger and delay so guarantee start - procd_add_raw_trigger "interface.*.up" 5000 /etc/init.d/unbound restart + procd_add_raw_trigger "interface.*.up" 3000 /etc/init.d/unbound restart elif [ -n "$triggers" ] ; then - PROCD_RELOAD_DELAY=2000 procd_add_reload_trigger "unbound" "dhcp" @@ -77,7 +76,6 @@ service_triggers() { done else - PROCD_RELOAD_DELAY=2000 procd_add_reload_trigger "unbound" "dhcp" fi } diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh index 49a0157886..0613312209 100644 --- a/net/unbound/files/unbound.sh +++ b/net/unbound/files/unbound.sh @@ -85,9 +85,8 @@ UB_LIST_ZONE_NAMES="" bundle_all_networks() { local cfg="$1" - local ifname ifdashname + local ifname ifdashname validip local subnet subnets subnets4 subnets6 - local validip4 validip6 network_get_subnets subnets4 "$cfg" network_get_subnets6 subnets6 "$cfg" @@ -99,11 +98,10 @@ bundle_all_networks() { if [ -n "$subnets" ] ; then for subnet in $subnets ; do - validip4=$( valid_subnet4 $subnet ) - validip6=$( valid_subnet6 $subnet ) + validip=$( valid_subnet_any $subnet ) - if [ "$validip4" = "ok" -o "$validip6" = "ok" ] ; then + if [ "$validip" = "ok" ] ; then UB_LIST_NETW_ALL="$UB_LIST_NETW_ALL $ifdashname@$subnet" fi done @@ -375,8 +373,10 @@ unbound_control() { unbound_zone() { local cfg=$1 + local servers_ip="" + local servers_host="" local zone_sym zone_name zone_type zone_enabled zone_file - local tls_upstream fallback proivder + local tls_upstream fallback local server port tls_port tls_index tls_suffix url_dir if [ ! -f "$UB_ZONE_CONF" ] ; then @@ -464,17 +464,50 @@ unbound_zone() { if [ -n "$UB_LIST_ZONE_NAMES" -a -n "$UB_LIST_ZONE_SERVERS" ] ; then + for server in $UB_LIST_ZONE_SERVERS ; do + if [ "$( valid_subnet_any $server )" = "not" ] ; then + case $server in + *@[0-9]*) + # unique Unbound option for server host name + servers_host="$servers_host $server" + ;; + + *) + if [ "$tls_upstream" = "yes" ] ; then + servers_host="$servers_host $server${tls_port:+@${tls_port}}" + else + servers_host="$servers_host $server${port:+@${port}}" + fi + esac + + else + case $server in + *[0-9]@[0-9]*) + # unique Unbound option for server address + servers_ip="$servers_ip $server" + ;; + + *) + if [ "$tls_upstream" = "yes" ] ; then + servers_ip="$servers_ip $server$tls_suffix" + else + servers_ip="$servers_ip $server${port:+@${port}}" + fi + esac + fi + done + + for zonename in $UB_LIST_ZONE_NAMES ; do { # generate a forward-zone with or without tls echo "forward-zone:" echo " name: $zonename" - for server in $UB_LIST_ZONE_SERVERS ; do - if [ "$tls_upstream" = "yes" ] ; then - echo " forward-addr: $server${tls_suffix}" - else - echo " forward-addr: $server${port:+@${port}}" - fi + for server in $servers_host ; do + echo " forward-host: $server" + done + for server in $servers_ip ; do + echo " forward-addr: $server" done echo " forward-first: $fallback" echo " forward-tls-upstream: $tls_upstream" diff --git a/net/unbound/patches/001-conf.patch b/net/unbound/patches/001-conf.patch deleted file mode 100644 index 94a5169b6c..0000000000 --- a/net/unbound/patches/001-conf.patch +++ /dev/null @@ -1,81 +0,0 @@ -diff --git a/doc/example.conf.in b/doc/example.conf.in -index be83bda..7317b23 100644 ---- a/doc/example.conf.in -+++ b/doc/example.conf.in -@@ -15,6 +15,76 @@ server: - # verbosity number, 0 is least verbose. 1 is default. - verbosity: 1 - -+ ############################################################################ -+ # MEMORY CONTROL EXAMPLE -+ # In the example config settings below memory usage is reduced. Some ser- -+ # vice levels are lower, notable very large data and a high TCP load are -+ # no longer supported ... are exceptional for the DNS. -+ # (http://unbound.net/documentation/unbound.conf.html) -+ ############################################################################ -+ -+ # Self jail Unbound with user "unbound" to /var/lib/unbound -+ # The script /etc/init.d/unbound will setup the location -+ username: "unbound" -+ directory: "/var/lib/unbound" -+ chroot: "/var/lib/unbound" -+ -+ # The pid file is created before privleges drop so no concern -+ pidfile: "/var/run/unbound.pid" -+ -+ # no threads and no memory slabs for threads -+ num-threads: 1 -+ msg-cache-slabs: 1 -+ rrset-cache-slabs: 1 -+ infra-cache-slabs: 1 -+ key-cache-slabs: 1 -+ -+ # don't be picky about interfaces but consider your firewall -+ interface: 0.0.0.0 -+ interface: ::0 -+ access-control: 0.0.0.0/0 allow -+ access-control: ::0/0 allow -+ -+ # this limits TCP service but uses less buffers -+ outgoing-num-tcp: 1 -+ incoming-num-tcp: 1 -+ -+ # use somewhat higher port numbers versus possible NAT issue -+ outgoing-port-permit: "10240-65335" -+ -+ # uses less memory but less performance -+ outgoing-range: 60 -+ num-queries-per-thread: 30 -+ -+ # exclude large responses -+ msg-buffer-size: 8192 -+ -+ # tiny memory cache -+ infra-cache-numhosts: 200 -+ msg-cache-size: 100k -+ rrset-cache-size: 100k -+ key-cache-size: 100k -+ neg-cache-size: 10k -+ -+ # gentle on recursion -+ target-fetch-policy: "2 1 0 0 0 0" -+ harden-large-queries: yes -+ harden-short-bufsize: yes -+ -+ # DNSSEC enable by removing comments on "module-config:" and "auto-trust- -+ # -anchor-file:" The init script will copy root key to /var/lib/unbound. -+ # See package documentation for crontab entry to copy RFC5011 results back. -+ #module-config: "validator iterator" -+ #auto-trust-anchor-file: "/var/lib/unbound/root.key" -+ -+ # DNSSEC needs real time to validate signatures. If your device does not -+ # have power off clock (reboot), then you may need this work around. -+ #domain-insecure: "pool.ntp.org" -+ -+ ############################################################################ -+ # Resume Stock example.conf.in -+ ############################################################################ -+ - # print statistics to the log (for every thread) every N seconds. - # Set to "" or 0 to disable. Default is disabled. - # statistics-interval: 0 diff --git a/net/unbound/patches/100-example-conf-in.patch b/net/unbound/patches/100-example-conf-in.patch new file mode 100644 index 0000000000..5559a4870f --- /dev/null +++ b/net/unbound/patches/100-example-conf-in.patch @@ -0,0 +1,81 @@ +Index: doc/example.conf.in +=================================================================== +--- a/doc/example.conf.in ++++ b/doc/example.conf.in +@@ -15,6 +15,76 @@ server: + # verbosity number, 0 is least verbose. 1 is default. + verbosity: 1 + ++ ############################################################################ ++ # MEMORY CONTROL EXAMPLE ++ # In the example config settings below memory usage is reduced. Some ser- ++ # vice levels are lower, notable very large data and a high TCP load are ++ # no longer supported ... are exceptional for the DNS. ++ # (http://unbound.net/documentation/unbound.conf.html) ++ ############################################################################ ++ ++ # Self jail Unbound with user "unbound" to /var/lib/unbound ++ # The script /etc/init.d/unbound will setup the location ++ username: "unbound" ++ directory: "/var/lib/unbound" ++ chroot: "/var/lib/unbound" ++ ++ # The pid file is created before privleges drop so no concern ++ pidfile: "/var/run/unbound.pid" ++ ++ # no threads and no memory slabs for threads ++ num-threads: 1 ++ msg-cache-slabs: 1 ++ rrset-cache-slabs: 1 ++ infra-cache-slabs: 1 ++ key-cache-slabs: 1 ++ ++ # don't be picky about interfaces but consider your firewall ++ interface: 0.0.0.0 ++ interface: ::0 ++ access-control: 0.0.0.0/0 allow ++ access-control: ::0/0 allow ++ ++ # this limits TCP service but uses less buffers ++ outgoing-num-tcp: 1 ++ incoming-num-tcp: 1 ++ ++ # use somewhat higher port numbers versus possible NAT issue ++ outgoing-port-permit: "10240-65335" ++ ++ # uses less memory but less performance ++ outgoing-range: 60 ++ num-queries-per-thread: 30 ++ ++ # exclude large responses ++ msg-buffer-size: 8192 ++ ++ # tiny memory cache ++ infra-cache-numhosts: 200 ++ msg-cache-size: 100k ++ rrset-cache-size: 100k ++ key-cache-size: 100k ++ neg-cache-size: 10k ++ ++ # gentle on recursion ++ target-fetch-policy: "2 1 0 0 0 0" ++ harden-large-queries: yes ++ harden-short-bufsize: yes ++ ++ # DNSSEC enable by removing comments on "module-config:" and "auto-trust- ++ # -anchor-file:" The init script will copy root key to /var/lib/unbound. ++ # See package documentation for crontab entry to copy RFC5011 results back. ++ #module-config: "validator iterator" ++ #auto-trust-anchor-file: "/var/lib/unbound/root.key" ++ ++ # DNSSEC needs real time to validate signatures. If your device does not ++ # have power off clock (reboot), then you may need this work around. ++ #domain-insecure: "pool.ntp.org" ++ ++ ############################################################################ ++ # Resume Stock example.conf.in ++ ############################################################################ ++ + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. + # statistics-interval: 0 diff --git a/net/unbound/patches/200-openssl-log-err.patch b/net/unbound/patches/200-openssl-log-err.patch new file mode 100644 index 0000000000..b1ddd5daf3 --- /dev/null +++ b/net/unbound/patches/200-openssl-log-err.patch @@ -0,0 +1,48 @@ +Index: daemon/remote.c +=================================================================== +--- a/daemon/remote.c ++++ b/daemon/remote.c +@@ -1950,6 +1950,11 @@ + return NULL; + } + } else { ++#ifndef HAVE_SSL_SET1_HOST ++ if(auth_name) ++ log_err("no name verification functionality in " ++ "ssl library, ignored name for %s", todo); ++#endif + /* add address */ + if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0, + auth_name)) { +Index: iterator/iter_fwd.c +=================================================================== +--- a/iterator/iter_fwd.c ++++ b/iterator/iter_fwd.c +@@ -239,6 +239,11 @@ + s->name, p->str); + return 0; + } ++#ifndef HAVE_SSL_SET1_HOST ++ if(tls_auth_name) ++ log_err("no name verification functionality in " ++ "ssl library, ignored name for %s", p->str); ++#endif + if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0, + tls_auth_name)) { + log_err("out of memory"); +Index: iterator/iter_hints.c +=================================================================== +--- a/iterator/iter_hints.c ++++ b/iterator/iter_hints.c +@@ -252,6 +252,11 @@ + s->name, p->str); + return 0; + } ++#ifndef HAVE_SSL_SET1_HOST ++ if(auth_name) ++ log_err("no name verification functionality in " ++ "ssl library, ignored name for %s", p->str); ++#endif + if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0, + auth_name)) { + log_err("out of memory");