Hi guys,

On Thu, Dec 20, 2018 at 10:53:21PM +0100, Jerome Magnin wrote:
> Hi Vincent,
> 
> On Thu, Dec 20, 2018 at 10:22:25PM +0100, Vincent Bernat wrote:
> >  ? 20 décembre 2018 17:14 +01, Willy Tarreau <w...@1wt.eu>:
> > 
> > >> This is indeed a regression in haproxy. Thanks for reporting it.
> > >> The attached patch should fix it.
> > >> CC'ing Remi as the original author, and Baptiste, as DNS maintainer.
> > >
> > > Good catch, the patch looks obviously good, I've just merged it.
> > > Thanks for fixing this one, Jérôme.
> > 
> > Is it important enough for an 1.8.16? Is it important enough for
> > distributors to release a fixed version? Why doesn't it affect most DNS
> > implementations?
> 
> The bug only triggers when the resolver used by haproxy sends back DNS
> responses with nothing after the Answers section, i.e. no additional
> records. I'm guessing the use of DNSSEC hides the problem :-) I must get
> better with commit messages.

I think we should indeed emit a new version. Not because I think the
feature is important, but because the persons who upgrade to 1.8.15 and
see their DNS fail might want to roll back to 1.8.14 which still had a
number of bugs, including the DNS ones.

Well, to be honest, if they are exposed to the 1.8.14 DNS bugs, then their
whole infrastructure is vulnerable because quite frankly, making your LB
adjust its farm based on spoofable public DNS responses is foolish and
those who do this really deserve to run into problems to learn the basics
of security the hard way... When you can spoof a response, there's much
more fun playing with advertisements to route the traffic anywhere than
trying to crash the process in my opinion! I predict that if there are
any such deployments, we won't hear about them because their authors
will be a bit ashamed and won't want to take the risk to expose their
servers :-)

Thus in the end the 1.8.15 regression only hits non-vulnerable users
who didn't care about the previous bugs and that's really bad.

Let's find a moment to work on this tomorrow.

Cheers,
Willy
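
The trigger Jérôme describes above, a reply whose answer section is the last thing in the packet, as an added example that is not haproxy's code and does not reproduce the haproxy bug itself: a minimal Python parser for a DNS response that walks the question and answer sections using the header counts, treats an offset exactly at the end of the buffer after the last answer as a complete reply (NSCOUNT and ARCOUNT both 0), and still rejects a truncated one. The packets are constructed inline; the names, addresses and the `build_response`/`parse_response` helpers are assumptions for the example, not anything from haproxy's resolver.

```python
import struct

def _encode_name(name):
    """Encode a dotted name as DNS labels, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(qname, addrs, with_opt=False):
    """Constructed test packet: one A question, len(addrs) A answers, and
    optionally an EDNS0 OPT pseudo-record in the additional section.
    With with_opt=False the answer section is the last thing in the packet."""
    arcount = 1 if with_opt else 0
    # ID, flags (QR=1, RD=1, RA=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, arcount)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for a in addrs:
        rdata = bytes(int(o) for o in a.split("."))
        # 0xC00C: compression pointer to the name at offset 12 (the question)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    additional = b""
    if with_opt:
        # OPT RR: root name, TYPE 41, UDP payload size 4096, no options
        additional = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return hdr + question + answers + additional

def _read_name(buf, off):
    """Return (name, offset just past the name), following compression
    pointers but bounding every read by len(buf)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        if length & 0xC0 == 0xC0:
            if off + 1 >= len(buf):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2          # the name occupies only the pointer bytes
            jumped = True
            hops += 1
            if hops > 16 or ptr >= len(buf):
                raise ValueError("bad compression pointer")
            off = ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        if off + length > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end

def parse_response(buf):
    """Parse the question and answer sections; returns the A addresses,
    the offset where the answers end, and the remaining section counts.
    A packet that ends right after the last answer is valid, not truncated."""
    if len(buf) < 12:
        raise ValueError("short header")
    _ident, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        _name, off = _read_name(buf, off)
        off += 4                       # QTYPE + QCLASS
        if off > len(buf):
            raise ValueError("truncated question")
    addrs = []
    for _ in range(an):
        _name, off = _read_name(buf, off)
        if off + 10 > len(buf):
            raise ValueError("truncated RR header")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if off + rdlen > len(buf):
            raise ValueError("truncated RDATA")
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in buf[off:off + 4]))
        off += rdlen
    # off == len(buf) here with ns == ar == 0 is the "nothing after the
    # Answers section" case: a complete reply, and no further reads happen.
    return {"answers": addrs, "end_of_answers": off, "length": len(buf),
            "nscount": ns, "arcount": ar}

if __name__ == "__main__":
    pkt = build_response("www.example.com", ["192.0.2.1", "192.0.2.2"])
    print(parse_response(pkt))
    print(parse_response(build_response("www.example.com", ["192.0.2.1"], with_opt=True)))
```

The authority and additional sections are only counted, not walked, which is enough to show the distinction that matters: a reply that ends at the last answer must be accepted, while a reply cut one byte short must be rejected before any read past the buffer.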
