mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 06:55:30 +00:00
Code Issues Releases Wiki Activity

fix: usr: Fix nsupdate hang when processing a large update

Browse Source 
To mitigate DNS flood attacks over a single TCP connection, we throttle the connection when the other side does not read the data. Throttling should only occur on server-side sockets, but erroneously also happened for nsupdate, which acts as a client. When nsupdate started throttling the connection, it never attempts to read again. This has been fixed.
 
Closes #4910

Merge branch '4910-nsupdate-hangs-when-processing-large-update' into 'main'

See merge request isc-projects/bind9!9709
This commit is contained in:
Matthijs Mekking
2024-12-05 15:13:45 +00:00
parent 80a5745a1f aa24b77d8b
commit fa56e0d8b1
4 changed files with 52 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
bin/tests/system/nsupdate/ns3/many-updates.test.db Normal file
View File

@@ -0,0 +1,14 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
many-updates.test. 10 IN SOA many-updates.test. hostmaster.many-updates.test. 1 3600 900 2419200 3600
many-updates.test. 10 IN NS many-updates.test.
many-updates.test. 10 IN A 10.53.0.3

7
bin/tests/system/nsupdate/ns3/named.conf.in
View File

@@ -91,6 +91,13 @@ zone "too-big.test" {
file "too-big.test.db"; file "too-big.test.db";
}; };
zone "many-updates.test" {
type primary;
allow-update { any; };
file "many-updates.test.db";
};
/* Zone for testing CDS and CDNSKEY updates from other provider */ /* Zone for testing CDS and CDNSKEY updates from other provider */
zone "multisigner.test" { zone "multisigner.test" {
type primary; type primary;

20
bin/tests/system/nsupdate/tests.sh
View File

@@ -732,6 +732,26 @@ EOF
status=1 status=1
} }
n=$((n + 1))
ret=0
i=0
echo_i "check that nsupdate does not hang when processing a large number of updates interactively ($n)"
{
echo "server 10.53.0.3 ${PORT}"
echo "zone many-updates.test."
while [ $i -le 2000 ]; do
echo "update add host$i.many-updates.test. 3600 IN TXT \"host $i\""
i=$((i + 1))
done
echo "send"
} | $NSUPDATE
echo_i "query for host2000.many-updates.test ($n)"
retry_quiet 5 has_positive_response host2000.many-updates.test TXT 10.53.0.3 || ret=1
[ $ret = 0 ] || {
echo_i "failed"
status=1
}
n=$((n + 1)) n=$((n + 1))
ret=0 ret=0
echo_i "start NSEC3PARAM changes via UPDATE on a unsigned zone test ($n)" echo_i "start NSEC3PARAM changes via UPDATE on a unsigned zone test ($n)"

13
lib/isc/netmgr/tcp.c
View File

@@ -1208,12 +1208,17 @@ tcp_send_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
} }
} }
isc_log_write(ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR, if (!sock->client && sock->reading) {
ISC_LOG_DEBUG(3),
"throttling TCP connection, the other side is not "
"reading the data, switching to uv_write()");
sock->reading_throttled = true; sock->reading_throttled = true;
isc__nm_stop_reading(sock); isc__nm_stop_reading(sock);
}
isc__nmsocket_log(sock, ISC_LOG_DEBUG(3),
"%sthe other side is not "
"reading the data, switching to uv_write()",
!sock->client && sock->reading
? "throttling TCP connection, "
: "");
r = uv_write(&req->uv_req.write, &sock->uv_handle.stream, bufs, nbufs, r = uv_write(&req->uv_req.write, &sock->uv_handle.stream, bufs, nbufs,
tcp_send_cb); tcp_send_cb);