Skip to content

"stale-answer-client-timeout" > 0 can cause crashes when prefetch is enabled

named can crash in the following scenario:

  1. Assume that stale-answer-client-timeout is set to a positive value and that in the course of resolving a cname.example/A query, the following records were cached:

    cname.example. CNAME a.example. ; TTL=10
a.example.     A     192.0.2.1  ; TTL=12

  2. 10 seconds pass, causing the relevant cache contents to become:

    cname.example. CNAME a.example. ; expired
a.example.     A     192.0.2.1  ; TTL=2

  3. The resolver is queried for cname.example/A again.

  4. cname.example/CNAME is expired, so recursion starts. As a part of this process, the DNS_FETCHOPT_TRYSTALE_ONTIMEOUT flag is set in client->query.fetchoptions.

  5. The authoritative response for cname.example/CNAME arrives before a.example/A expires from the cache.

  6. Query processing is restarted for a.example/A (the CNAME target).

  7. a.example/A is found in the cache with a positive TTL which falls below the default prefetch trigger (2 seconds).

  8. A prefetch for a.example/A is started with DNS_FETCHOPT_TRYSTALE_ONTIMEOUT still being set. This causes the "try stale" timer to be started for the prefetch query.

  9. No response to the prefetch query arrives before the "try stale" timeout fires.

  10. prefetch_done() is called and is passed an event of type DNS_EVENT_TRYSTALE.

  11. The REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE); assertion fails, causing named to crash.

See: https://support.isc.org/Ticket/Display.html?id=18536

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information