Bug 241613 - dns/bind914: add option for using accf_dns (dnsready accept filter)
Summary: dns/bind914: add option for using accf_dns (dnsready accept filter)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Mathieu Arnold
URL: https://lists.isc.org/pipermail/bind-...
Reported: 2019-10-31 09:46 UTC by Eugene Grosbein
Modified: 2020-08-26 13:32 UTC (History)

Attachments:
add ACCFDNS (931 bytes, patch), 2019-10-31 09:46 UTC, Eugene Grosbein
files/extrapatch-interfacemgr.c (461 bytes, patch), 2019-10-31 09:47 UTC, Eugene Grosbein

Description Eugene Grosbein freebsd_committer 2019-10-31 09:46:21 UTC
Created attachment 208727

Let's add a new option ACCFDNS to the port dns/bind914 that allows BIND to prefer accf_dns over accf_data if accf_dns is available. The patch was submitted upstream by David Malone 7 years ago but was ignored:


The option is disabled by default, so the default build is not affected and PORTREVISION is not changed.
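The mechanism behind the option is setsockopt(2) with SO_ACCEPTFILTER on the listening TCP socket: accf_dns(9) ("dnsready") holds a connection in the kernel until a complete DNS request has arrived, accf_data(9) ("dataready") until any data has arrived. The attached patch is not reproduced on this page, so the following is an added example written for this bug, not the port's or ISC's code: it shows the "prefer dnsready, fall back to dataready" selection with the ENOENT/EINVAL handling a practitioner needs. Function names (try_accept_filter, install_preferred_filter, open_tcp_listener), the preference table bind_prefs and the fake_try stand-in kernel are all assumptions made for the example.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* One attempt to install the accept filter `name` on listening socket `fd`.
 * On FreeBSD this is setsockopt(SO_ACCEPTFILTER); the kernel answers ENOENT
 * when no filter of that name is registered (module not kldload'ed, no
 * ACCEPT_FILTER_* kernel option) and EINVAL when `fd` is not listening yet.
 * Where accept filters do not exist we report ENOSYS so callers fall through. */
static int try_accept_filter(int fd, const char *name)
{
#ifdef SO_ACCEPTFILTER
    struct accept_filter_arg afa;
    memset(&afa, 0, sizeof afa);
    if (strlen(name) >= sizeof afa.af_name) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(afa.af_name, name, strlen(name));
    return setsockopt(fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof afa);
#else
    (void)fd; (void)name;
    errno = ENOSYS;
    return -1;
#endif
}

typedef int (*filter_try_fn)(int fd, const char *name);

/* Walk a preference list and keep the first filter the kernel accepts.
 * "Not available" (ENOENT/ENOSYS) moves on to the next candidate; any other
 * error is a caller bug (e.g. EINVAL: socket not listening) and stops the
 * search.  Returns the installed name, or NULL with *err_out set. */
static const char *install_preferred_filter(int fd, const char *const *prefs,
                                            size_t nprefs, filter_try_fn try_fn,
                                            int *err_out)
{
    int last = ENOENT;
    for (size_t i = 0; i < nprefs; i++) {
        if (try_fn(fd, prefs[i]) == 0) {
            *err_out = 0;
            return prefs[i];
        }
        last = errno;
        if (last != ENOENT && last != ENOSYS)
            break;
    }
    *err_out = last;
    return NULL;
}

/* What the ACCFDNS option amounts to: accf_dns first, then accf_data. */
static const char *const bind_prefs[] = { "dnsready", "dataready" };
#define BIND_NPREFS (sizeof bind_prefs / sizeof bind_prefs[0])

/* Stand-in for the kernel, used only for offline testing (assumption, not a
 * real interface): `fake_loaded` lists the filters pretended to be loaded,
 * space separated, and, like the real kernel, a non-listening (here: negative)
 * fd is rejected with EINVAL. */
static const char *fake_loaded = "dataready";
int fake_try(int fd, const char *name)
{
    if (fd < 0) { errno = EINVAL; return -1; }
    size_t n = strlen(name);
    for (const char *p = fake_loaded; *p != '\0'; ) {
        const char *end = strchr(p, ' ');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && memcmp(p, name, n) == 0)
            return 0;
        if (end == NULL)
            break;
        p = end + 1;
    }
    errno = ENOENT;
    return -1;
}

/* Bind and listen on ip:port.  Port 0 keeps the demo unprivileged; a real
 * resolver binds 53.  The filter must be set after listen(), never before. */
static int open_tcp_listener(const char *ip, unsigned short port)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        listen(fd, 128) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int err = 0;
    int fd = open_tcp_listener("127.0.0.1", 0);
    if (fd < 0) { perror("listen"); return 1; }
    const char *chosen = install_preferred_filter(fd, bind_prefs, BIND_NPREFS,
                                                  try_accept_filter, &err);
    if (chosen)
        printf("accept filter in use: %s\n", chosen);
    else
        printf("no accept filter installed: %s\n", strerror(err));
    close(fd);
    return 0;
}
```

On a FreeBSD host, `kldload accf_dns` (or `options ACCEPT_FILTER_DNS` in the kernel config) makes the first candidate succeed; with only accf_data loaded the program falls back to "dataready", and with neither it reports ENOENT rather than failing to start. The selection logic is separated from the syscall so the fallback order can be checked without a kernel that has the modules loaded. Note the trade-off raised later in this bug: with an accept filter installed it is the kernel module, not named, that decides when a request is "complete" enough to wake the server.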
Comment 1 Eugene Grosbein freebsd_committer 2019-10-31 09:47:43 UTC
Created attachment 208728
Comment 2 Mathieu Arnold freebsd_committer 2019-11-12 15:42:50 UTC
I do not think this is a good idea. DNS is hard, and I do not feel confident about anything other than BIND9 deciding whether what it receives is a valid DNS packet.
Comment 3 Eugene Grosbein freebsd_committer 2019-11-12 16:43:36 UTC
The option is disabled by default, so why don't we add it for users who know what they are doing?
Comment 4 Rene Ladan freebsd_committer 2020-04-30 11:05:38 UTC
Is this relevant for dns/bind916 too?
Comment 5 Eugene Grosbein freebsd_committer 2020-04-30 11:24:28 UTC
(In reply to Rene Ladan from comment #4)

It is even more relevant for bind916, because that version disabled usage of the dataready accept filter too. However, the patch needs correction. I can correct it if the maintainer is willing to accept the idea.
Comment 6 Leo Vandewoestijne 2020-07-01 21:27:40 UTC
I've always had the options in my kernels, unsure whether they were truly deployed by vendors. My guess about that turns out to be correct.

In the 9.14 case it looked like an improvement.
But in the 9.16 case... why was accf_data dropped?
My thought is that it may be better to patch this upstream, at ISC.

So, in the days when Paul Vixie still had an email address ending in isc.org, he wrote "acceptfilter(9) is almost ideal. accf_dns(9) would be even better".
Makes me wonder even more: why was it never adopted / always ignored?
Comment 7 Mathieu Arnold freebsd_committer 2020-08-26 13:08:46 UTC
Committed to 9.11; 9.14 was removed, and in 9.16 the socket code was rewritten and the accept filters are no longer used. (They are in a #if 0 section of the code.)
Comment 8 commit-hook freebsd_committer 2020-08-26 13:32:46 UTC
A commit references this bug:

Author: mat
Date: Wed Aug 26 13:32:33 UTC 2020
New revision: 546284
URL: https://svnweb.freebsd.org/changeset/ports/546284

  Add an option to use the DNS accept filter if available.

  PR:		241613
  Submitted by:	eugen